Personal Information Protection and Electronic Documents Act

Overview

The Personal Information Protection and Electronic Documents Act (SC 2000, c. 5) protects employees who, on reasonable grounds, notifies the Privacy Commissioner of a potential privacy breach. During this process, employees can request for their identity to be kept confidential. The Act prohibits reprisal against an employee who acts in good faith and on the basis of reasonable belief when disclosing information about a person contravening any of the Act’s provisions.

The Act, and therefore this protection, does not apply to organizations operating exclusively within Alberta, British Columbia, and Quebec. The Act does not apply in the health sectors in Ontario, New Brunswick, Newfoundland and Labrador and Nova Scotia that are governed by their respective provincial health privacy legislations.

What kind of disclosure is protected?

The Act s. 27(1) protects any person who, while acting in good faith and on the basis of reasonable belief, has disclosed information about an organization having contravened to the Act, with respect to provisions regarding personal information protections [Division 1] or breaches of security safeguards [Division 1.1].

Who is eligible for protection?

This Act protects any person who acts in good faith and on the basis of reasonable belief when disclosing information to the Privacy Commissioner s. 27(1).

In the event of a reprisal, the Act protects employees, including independent contractors, who have made a protected disclosure under the Act s. 27.1 (3).

How are whistleblowers protected?

Under the Act, the Privacy Commissioner must keep the identity of the person disclosing the information confidential. The Privacy Commissioner must also provide an assurance of confidentiality s.27(2)

The Act prohibits any kind of reprisal against an employee who has made a protected disclosure under the Act s. 27.1(1) or who refuses, or demonstrates their intention to refuse any actions in violation of the Act s.27.1(1). Specifically, an employer shall not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee, or deny an employee a benefit of employment s. 27.1(1).

Any person who knowingly takes any kind of reprisal against an employee who has disclosed information to the Privacy Commissioner is guilty of either s. 28:

  • an offence punishable on summary conviction and liable to a fine of no more than $ 10 000; or
  • an indictable offence and liable to a fine of no more than $100 000.

How should disclosures be made?

Be careful! Despite presenting some challenges for follow ups, one of the best protections for whistleblowers is their anonymity. Be cautious when providing any information through electronic means, especially emails! Read the security tips section.

Protected disclosure should be made to the Office of the Privacy Commissioner of Canada through the PIPEDA breach report form either by email at notification@priv.gc.ca or by mail or in person at:

PIPEDA Breach Response Officer
Office of the Privacy Commissioner of Canada
30 Victoria Street, 1st Floor Gatineau, QC K1A 1H3

Individuals can also call the Office’s breach response officers at 819-994-5444 or toll-free at 1-800-282-1376 (TTY: (819) 994-6591).