FAQ: Personal Information International Disclosure Protection Act


 


What is PIIDPA?

PIIDPA stands for the Personal Information International Disclosure Protection Act. This Act provides additional protection to the personal information held by Nova Scotia "public bodies" and municipalities when that personal information is being collected, used or disclosed by those organizations. This law builds upon the privacy protection provided by other provincial legislation, including the Freedom of Information and Protection of Privacy Act. It also provides privacy protection where a service provider acts on behalf of a public body or municipality in those activities. It does not relate to personal information held by individuals, businesses, and organizations in the private sector unless they are doing work on behalf of a public body or municipality.

What is personal information?

Personal information is information about an identifiable individual as defined in the Freedom of Information and Protection of Privacy Act. It can include their name, address, phone number, health care history or financial data, as well as their views or opinions on a subject.

What is a "public body"?

A public body is any government department (or government-appointed agency, board, or commission), regional education centre, university, community college, district health authority, or children's aid society. It also includes any other organization that fits the definition of a "public body" in the Freedom of Information and Protection of Privacy Act.

What is a "service provider"?

A service provider is an individual or a company that is retained under a contract to perform services for a public body, and in performing those services, uses, discloses, manages, stores or accesses personal information in the custody or under the control of that public body.

How does it provide additional protection for personal information?

Under PIIDPA, public bodies and municipalities are required to ensure that any personal information held by them (or any service provider acting on their behalf) remains in Canada, and is accessed and disclosed only in Canada, unless certain circumstances exist. These protections will be in place immediately for contracts of public bodies that come into effect on, or after, December 15, 2006, and one year after that date in the case of municipalities.

How does it work?

PIIDPA makes it illegal for public bodies and municipalities to disclose information outside of Canada, or to store personal information at (or allow it to be accessed from) locations outside Canada, unless certain circumstances exist.

What circumstances would allow storage, access, or disclosure outside Canada?

If the head of a public body, or the responsible officer of a municipality, determines that storage or access outside Canada "meets the necessary requirements" of the organization's operation, they can permit storage and access outside the country. However, if they do so, they must report this to the Minister of Justice and explain the reasons why they have determined that it is necessary. Also, they may disclose information outside of Canada, for example, if there is a law enforcement agreement or treaty in effect, to collect a debt, if there are dangerous situations where the health or safety of individuals needs to be protected, or for research purposes as outlined in the Act.

Does this affect the use of laptop computers and other electronic devices, outside Canada?

The personal information held by public bodies and municipalities may be transported temporarily on, or accessed from, laptop computers, cell phones, and other electronic devices (e.g. smartphones) outside Canada if the head of the organization determines it is necessary to meet the operational requirements of the organization, or is necessary for the work of its employees.

Are there any other protections in the law for personal information?

Yes, this law also makes it illegal to provide any personal information if you are served with a court order, warrant, subpoena, or other legal instrument from a foreign country, unless the authority of that document has been recognized by a Canadian court. It also provides protection from any disciplinary action for any employee of a private sector company doing work for a public body or municipality, if the employee attempts to comply with this law.

Are there offences for violating this law?

Any individual employee who violates the provisions of this law is liable on conviction to a fine of up to $2,000. For a business that is not a corporation, the penalty would be a fine of up to $25,000 and for any corporation a fine of up to $500,000.

How does this new law affect me and my personal information?

This law means that if a public body or municipality, or their service providers (inside or outside Canada), stores your information outside of Canada, or allows anyone to view your files, they must tell the Minister of Justice why it is necessary to do so. Otherwise they will be in violation of the Act and may face prosecution.

I am not a Canadian citizen, or I do not live in Nova Scotia. Does this law affect me?

Yes. This law applies to all personal information held by public bodies and municipalities regardless of the nationality and location of the individuals whom the information is about.

What will be in the reports by public bodies and municipalities to the Minister of Justice?

The report's format is designated by regulation. The report will require a description of the access or storage of personal information that has occurred to meet the necessary requirements of the organization's operation, and the reasons.

What should I do if I think my personal information has been sent out of Canada or accessed outside of Canada contrary to this law?

An individual suspecting that such action has occurred may first contact the public body or municipality that has their personal information to determine if the access or storage outside Canada is appropriate. Alternatively, an individual may contact the Nova Scotia Department of Justice for the same purpose. They may also make a complaint to the Nova Scotia Ombudsman, or, if they believe the situation involved the committing of an offence under this law, they may contact their local law enforcement agency (e.g. municipal police or the RCMP).

How will public bodies and municipalities ensure that the law is enforced?

The Nova Scotia government now recommends that government departments, agencies, boards, and commissions conduct a privacy impact assessment for any new collection, use, and disclosure of personal information. This would help to determine whether foreign storage or access of the information is anticipated and to ensure such storage is in compliance with the law. Other public bodies and municipalities will be encouraged to adopt similar practices.

I work for an information technology company. Should I know about this law?

Yes. If your company is in the business of providing services to public bodies and municipalities for software applications, databases, or record storage, you should become familiar with the provisions of this new legislation. External service providers to public bodies and municipalities are subject to this legislation if there is collection, use, or disclosure of personal information involved in their work.

What contracts with companies who process my personal information on behalf of the Nova Scotia government, other public bodies and municipalities are affected?

This law immediately affects contracts, or contract renewals, of public bodies that come into effect on, or after, December 15, 2006, and contracts or contract renewals of municipalities that come into effect on or after December 15, 2007. In addition, public bodies and municipalities are required under the law to make "reasonable efforts to come into compliance" with respect to new disclosure rules.

Where can I obtain more information about this law?

You may call the Freedom of Information and Protection of Privacy Office at the Nova Scotia Department of Justice at (902) 424-6836 or email PIIDPA@gov.ns.ca.