Back to top

BILL NO. 212

(as introduced)

2nd Session, 63rd General Assembly
Nova Scotia
68 Elizabeth II, 2019

 

Private Member's Bill

 

An Act to Enhance Privacy
and Access to Information

 

Lisa Roberts
Halifax Needham



First Reading: October 22, 2019

(Explanatory Notes)

Second Reading:

Third Reading:

Explanatory Notes

Clause 1 amends the Freedom of Information and Protection of Privacy Act to allow a public body to disclose personal information to another public body or a municipality if the public body or municipality needs the information to verify the accuracy of the personal information held by it for the purpose of notifying an individual about a privacy breach.

Clause 2

(a) requires a public body to conduct a privacy impact assessment for all new or significantly modified projects, programs, systems, enactments or activities utilizing or impacting personal information, and submit to the Review Officer under the Freedom of Information and Protection of Privacy Act assessments that involve sensitive personal information or are in respect of a single program or activity that is provided or delivered by two or more public bodies;

(b) requires a public body to notify an individual if that individual's personal information has been subject to a privacy breach, and requires a public body to maintain a record of all privacy breaches; and

(c) provides a mechanism by which a public body can retrieve information that was subject to a privacy breach and the identity of an internet user who may have been involved in an online privacy breach.

Clause 3 allows the Review Officer to compel a person to appear as a witness before the Review Officer if the Review Officer reasonably believes that the person's testimony is necessary for a review.

Clause 4 allows the Review Officer to require to be produced and examined any record that is in the custody or under the control of any person if the Review Officer believes that the record is necessary for the purpose of a review.

Clause 5

(a) allows the Review Officer, upon the completion of a review, to make orders with respect to the matter under review; and

(b) governs the content of and procedures for the Review Officer's written reports.

Clause 6 provides that an applicant, third party or head of a public body may appeal an order of the Review Officer to the Supreme Court of Nova Scotia within 30 days of receiving the Review Officer's report.

Clause 7

(a) removes the word "maliciously" from the provision making it an offence to disclose personal information in contravention of the Act; and

(b) makes it an offence to obstruct, mislead or knowingly make a false statement to the Review Officer, direct another person to destroy, alter, falsify or conceal any record containing personal information in the custody or under the control of a public body or knowingly and wilfully use personal information in contravention of the Act.

Clause 8 amends the Municipal Government Act to allow a municipality to disclose personal information to another municipality or a public body if the municipality or public body needs the information to verify the accuracy of the personal information held by it for the purpose of notifying an individual about a privacy breach.

Clause 9

(a) requires a municipality to conduct a privacy impact assessment for all new or significantly modified projects, programs, systems, enactments or activities utilizing or impacting personal information and submit assessments to a Review Officer that involve sensitive personal information or are in respect of a single program or activity that is provided or delivered by two or more municipalities;

(b) requires a municipality to notify an individual if that individual's personal information has been subject to a privacy breach, and requires a municipality to maintain a record of all privacy breaches; and

(c) provides a mechanism by which a municipality can retrieve information that was subject to a privacy breach and the identity of an internet user who may have been involved in an online privacy breach.

Clause 10 allows the Review Officer to compel a person to appear as a witness before the Review Officer if the Review Officer reasonably believes that the person's testimony is necessary for a review.

Clause 11 allows the Review Officer to require to be produced and examined any record that is in the custody or under the control of any person if the Review Officer believes that the record is necessary for the purpose of a review.

Clause 12

(a) allows the Review Officer, upon the completion of a review, to make orders with respect to the matter under review; and

(b) governs the content of and procedures for the Review Officer's written reports.

Clause 13 provides that an applicant, third party or responsible officer may appeal an order of the Review Officer to the Supreme Court of Nova Scotia within 30 days of receiving the Review Officer's report.

Clause 14

(a) removes the word "maliciously" from the provision making it an offence to disclose personal information in contravention of the Part of the Act respecting freedom of information and protection of privacy; and

(b) makes it an offence to obstruct, mislead or knowingly make a false statement to the Review Officer, direct another person to destroy, alter, falsify or conceal any record containing personal information in the custody or under the control of a municipality or knowingly and wilfully use personal information in contravention of the Part.

Clause 15 amends the Privacy Review Officer Act to allow the Privacy Review Officer to make orders with respect to privacy complaints.

An Act to Enhance Privacy
and Access to Information

Be it enacted by the Governor and Assembly as follows:

1 Section 27 of Chapter 5 of the Acts of 1993, the Freedom of Information and Protection of Privacy Act, is amended by adding immediately after clause (g) the following clause:

    (ga) to a public body or a municipality that needs the information to verify the accuracy of the personal information held by the public body or the municipality for the purpose of notifying an individual about a privacy breach in accordance with Section 31B;

2 Chapter 5 is further amended by adding immediately after Section 31 the following Sections:

    31A (1) In this Section, "privacy impact assessment" means an assessment to identify risks and mitigation strategies associated with the use of personal information.

    (2) A public body shall conduct a privacy impact assessment for all new or significantly modified projects, programs, systems, enactments and activities utilizing or impacting personal information.

    (3) A pubic body shall submit for approval to the Review Officer all privacy impact assessments that involve sensitive personal information or are in respect of a single program or activity that is provided or delivered by two or more public bodies.

    31B (1) In this Section, "privacy breach" means an event involving the disclosure of personal information that, from the perspective of a reasonable person, would

    (a) have an adverse impact on the provision of a benefit to the individual to whom the information relates;

    (b) have an adverse impact on the mental, physical, emotional, economic or social well-being of the individual; or

    (c) lead to the identification of the individual.

    (2) A public body that has custody or control of personal information about an individual shall notify the individual and the Review Officer as soon as is practical if the public body believes on a reasonable basis that a privacy breach of the individual's personal information has occurred.

    (3) Where a police force is involved in containing the privacy breach, the public body may delay notification to the affected individual until after the breach has been contained.

    (4) Notification to an affected individual regarding a privacy breach must be in writing and include

    (a) details about the cause of the breach;

    (b) information about the individual's personal information involved in the breach;

    (c) an explanation about the risks of harm to the individual as a result of the breach, if any;

    (d) information about how the individual can obtain further information regarding the breach; and

    (e) information about the individual's right to file a complaint with the Review Officer.

    (5) Where a public body fails to notify an individual of a privacy breach in accordance with this Section, the Review Officer may order the public body to provide notification to the individual.

    (6) A public body shall maintain a record of all privacy breaches involving personal information in the custody or under the control of the public body and shall make the record available to the Review Officer upon request.

    31C (1) Following a privacy breach involving a record containing personal information and upon request from the public body subject to the breach, a person who obtained the record in an unauthorized manner, whether it be by unauthorized access, error or omission, shall immediately return the record to the public body and destroy any copies made of the record, if any.

    (2) A public body may apply to the Supreme Court of Nova Scotia for an order requiring an internet service provider to disclose the identity of a user if there is reason to believe that the user was involved in an online privacy breach involving personal information in the custody or under the control of the public body.

3 Section 37 of Chapter 5, as amended by Chapter 11 of the Acts of 1999 (Second Session), is further amended by adding immediately after subsection (3) the following subsection:

    (4) Where the Review Officer reasonably believes that a person's testimony is necessary for the purpose of a review, the Review Officer may order the person to appear before the Review Officer as a witness.

4 (1) Subsection 38(1) of Chapter 5, as amended by Chapter 11 of the Acts of 1999 (Second Session), is further amended by adding immediately after clause (a) the following clause:

    (aa) require to be produced and examined any record that is in the custody or under the control of any person if the Review Officer considers the record necessary for the review;

(2) Subsection 38(2) of Chapter 5, as enacted by Chapter 11 of the Acts of 1999 (Second Session), is amended by

(a) adding "or person, as the case may be," immediately after "body" in the first line; and

(b) adding "or (aa)" immediately after "(a)" in the third line.

(3) Subsection 38(3) of Chapter 5, as enacted by Chapter 11 of the Acts of 1999 (Second Session), is amended by

(a) adding "or person, as the case may be," immediately after "body" in the first line;

(b) adding "or (aa)" immediately after (a) in the third line; and

(c) adding "person" immediately after "body" in the last line.

5 Sections 39 and 40 of Chapter 5 are repealed and the following Sections substituted:

    39 (1) On completing a review, where the Review Officer agrees with a decision, act or failure to act of the head of a public body, the Review Officer shall

    (a) prepare a written report with respect to the matter, setting out the Review Officer's reasons for agreeing with the decision, act or failure to act;

    (b) by order, confirm the decision of the head of the public body; and

    (c) send a copy of the report to the head of the public body and

      (i) where the matter was referred to the Review Officer by an applicant, to the applicant and to any third party notified pursuant to this Act, or

      (ii) where the matter was referred to the Review Officer by a third party, to the third party and to the applicant.

    (2) On completing a review, where the Review Officer does not agree with a decision by the head of a public body to give or to refuse to give access to all or part of a record, the Review Officer shall

    (a) prepare a written report with respect to the matter, setting out the Review Officer's reasons for disagreeing with the decision of the public body to give or refuse to give access to all or part of a record;

    (b) by order, require the head to provide the applicant access to all or part of the record; and

    (c) send a copy of the report to the head of the public body and

      (i) where the matter was referred to the Review Officer by an applicant, to the applicant and to any third party notified pursuant to this Act, or

      (ii) where the matter was referred to the Review Officer by a third party, to the third party and to the applicant.

    (3) On completing a review, where the Review Officer does not agree with a decision, act or failure to act of the head of a public body, other than a decision referred to in subsection (2), the Review Officer shall

    (a) prepare a written report with respect to the matter, setting out the Review Officer's reasons for disagreeing with the decision, act or failure to act;

    (b) by order, do one or more of the following:

      (i) deny or authorize an extension of a time limit under subsection (1) of Section 9,

      (ii) reduce a fee or order a refund, in the appropriate circumstances, including if a time limit is not met,

      (iii) specify how personal information is to be corrected,

      (iv) require a public body to stop collecting, using or disclosing personal information in contravention of this Act,

      (v) require the head of a public body to destroy personal information collected in contravention of this Act; and

    (c) send a copy of the report to the head of the public body and

      (i) where the matter was referred to the Review Officer by an applicant, to the applicant and to any third party notified pursuant to this Act, or

      (ii) where the matter was referred to the Review Officer by a third party, to the third party and to the applicant.

    (4) A report of the Review Officer referred to in clause (a) of subsection (1) must include a statement setting out the appeal rights of an applicant and a third party under Section 41.

    (5) An order of the Review Officer may be made an order of the Supreme Court of Nova Scotia by filing a certified copy of it with the prothonotary of the Supreme Court and, on filing, that order is enforceable in the same manner as an order of the Supreme Court.

    40 Subject to subsection (1B) of Section 41, within thirty days of receiving the written report and order of the Review Officer pursuant to subsection (2) or (3) of Section 39, the head of the public body shall comply with the order.

6 (1) Subsection 41(1) of Chapter 5 is repealed and the following subsections substituted:

    (1) Where the Review Officer agrees under subsection (1) of Section 39 with a decision, act or failure to act of the head of a public body, within thirty days after receiving a copy of the report, the applicant or third party may appeal the Review Officer's order to the Supreme Court of Nova Scotia in such form and manner as may be prescribed by the Nova Scotia Civil Procedure Rules or by the regulations.

    (1A) Where the Review Officer does not agree under subsection (2) or (3) of Section 39 with a decision, act or failure to act of the head of a public body, within thirty days after receiving a copy of report, the head of the public body may appeal the Review Officer's order to the Supreme Court of Nova Scotia in such form and manner as may be prescribed by the Nova Scotia Civil Procedure Rules or by the regulations.

    (1B) Where an appeal to the Supreme Court of Nova Scotia is made before the end of the thirty-day period referred to in Section 40, the order of the Review Officer is stayed until the application is dealt with by the Supreme Court.

(2) Section 41 of Chapter 5, as amended by Chapter 11 of the Acts of 1999 (Second Session), is further amended by renumbering subsections (1A) and (1B) as (1C) and (1D).

(3) Subsection 41(6) of Chapter 5, as enacted by Chapter 11 of the Acts of 1999 Second Session), is amended by striking out "recommendations" in the fourth line and substituting "orders".

7 (1) Subsection 47(1) of Chapter 5 is amended by striking out "maliciously" immediately after "who" in the first line.

(2) Section 47 of Chapter 5, as amended by Chapter 11 of the Acts of 1999 (Second Session), is further amended by adding immediately after subsection (1A) the following subsections:

    (1B) Every person who

    (a) obstructs, misleads or knowingly makes a false statement to the Review Officer;

    (b) directs another person to destroy, alter, falsify or conceal a record containing personal information in the custody or under the control of a public body; or

    (c) knowingly and wilfully uses personal information in contravention of this Act,

    is guilty of an offence and liable on summary conviction to a fine of not more than two thousand dollars or to imprisonment for six months, or both.

    (1C) A prosecution may not be brought against a person under this Section after two years from the day on which the offence is discovered.

8 Subsection 485(2) of Chapter 18 of the Acts of 1998, the Municipal Government Act, as amended by Chapter 25 of the Acts of 2008, is further amended by adding immediately after clause (g) the following clause:

    (ga) to a municipality or a public body, as defined by the Freedom of Information and Protection of Privacy Act, that needs the information to verify the accuracy of the personal information held by the municipality or the public body for the purpose of notifying an individual about a privacy breach in accordance with Section 486B;

9 Chapter 18 is further amended by adding immediately after Section 486 the following Sections:

    486A (1) In this Section, "privacy impact assessment" means an assessment to identify risks and mitigation strategies associated with the use of personal information.

    (2) A municipality shall conduct a privacy impact assessment for all new or significantly modified projects, programs, systems, by-laws and activities utilizing or impacting personal information.

    (3) A municipality shall submit for approval to a review officer all privacy impact assessments that involve sensitive personal information or are in respect of a single program or activity that is provided or delivered by two or more municipalities.

    486B (1) In this Section, "privacy breach" means an event involving the disclosure of personal information that, from the perspective of a reasonable person, would

    (a) have an adverse impact on the provision of a benefit to the individual to whom the information relates;

    (b) have an adverse impact on the mental, physical, emotional, economic or social well-being of the individual; or

    (c) lead to the identification of the individual.

    (2) A municipality that has custody or control of personal information about an individual shall notify the individual and a review officer as soon as is practical if the municipality believes on a reasonable basis that a privacy breach of the individual's personal information has occurred.

    (3) Where a police force is involved in containing the privacy breach, the municipality may delay notification to the affected individual until after the breach has been contained.

    (4) Notification to an affected individual regarding a privacy breach must be in writing and include

    (a) details about the cause of the breach;

    (b) information about the individual's personal information involved in the breach;

    (c) an explanation about the risks of harm to the individual as a result of the breach, if any;

    (d) information about how the individual can obtain further information regarding the breach; and

    (e) information about the individual's right to file a complaint with the review officer.

    (5) Where a municipality fails to notify an individual of a privacy breach in accordance with this Section, a review officer may order the municipality to provide notification to the individual.

    (6) A municipality shall maintain a record of all privacy breaches involving personal information in the custody or under the control of the municipality and shall make the record available to a review officer upon request.

    486C (1) Following a privacy breach involving a record containing personal information and upon request from the municipality subject to the breach, a person who obtained the record in an unauthorized manner, whether it be by unauthorized access, error or omission, shall immediately return the record to the municipality and destroy any copies made of the record, if any.

    (2) A municipality may apply to the Supreme Court of Nova Scotia for an order requiring an internet service provider to disclose the identity of a user if there is reason to believe that the user was involved in an online privacy breach involving personal information in the custody or under the control of the municipality.

10 Section 490 of Chapter 18, as amended by Chapter 9 of the Acts of 2003, is further amended by adding immediately after subsection (3) the following subsection:

    (4) Where a review officer reasonably believes that a person's testimony is necessary for the purpose of a review, the review officer may order the person to appear before the review officer as a witness.

11 (1) Subsection 491(1) of Chapter 18, as amended by Chapter 9 of the Acts of 2000 and Chapter 9 of the Acts of 2003, is further amended by adding immediately after clause (a) the following clause:

    (aa) require to be produced and examined any record that is in the custody or under the control of any person if the review officer considers the record necessary for the review;

(2) Subsection 491(2) of Chapter 18, as enacted by Chapter 9 of the Acts of 2003, is amended by

(a) adding "or person, as the case may be," immediately after "municipality" in the first line; and

(b) adding "or (aa)" immediately after "(1)(a)" in the second line.

(3) Subsection 491(3) of Chapter 18, as enacted by Chapter 9 of the Acts of 2003, is amended by

(a) adding "or person, as the case may be," immediately after "municipality" in the first line;

(b) adding "or (aa)" immediately after "(1)(a)" in the second line; and

(c) adding "person" immediately after "municipality" in the last line.

12 Sections 492 and 493 of Chapter 18 are repealed and the following Sections substituted:

    492 (1) On completing a review, where the review officer agrees with a decision, act or failure to act of the responsible officer, the review officer shall

    (a) prepare a written report with respect to the matter, setting out the review officer's reasons for agreeing with the decision, act or failure to act;

    (b) by order, confirm the decision of the responsible officer; and

    (c) send a copy of the report to the responsible officer and

      (i) where the matter was referred to the review officer by an applicant, to the applicant and to any third party notified pursuant to this Part, or

      (ii) where the matter was referred to the review officer by a third party, to the third party and to the applicant.

    (2) On completing a review, where the review officer does not agree with a decision by the responsible officer to give or to refuse to give access to all or part of a record, the review officer shall

    (a) prepare a written report with respect to the matter, setting out the review officer's reasons for disagreeing with the decision of the responsible officer to give or refuse to give access to all or part of a record;

    (b) by order, require the responsible officer to provide the applicant access to all or part of a record; and

    (c) send a copy of the report to the responsible officer and

      (i) where the matter was referred to the review officer by an applicant, to the applicant and to any third party notified pursuant to this Part, or

      (ii) where the matter was referred to the review officer by a third party, to the third party and to the applicant.

    (3) On completing a review, where the review officer does not agree with a decision, act or failure to act of the responsible officer, other than a decision referred to in subsection (2), the review officer shall

    (a) prepare a written report with respect to the matter, setting out the review officer's reasons for disagreeing with the decision, act or failure to act;

    (b) by order, do one or more of the following:

      (i) deny or authorize an extension of a time limit under subsection 469(1),

      (ii) reduce a fee or order a refund, in the appropriate circumstances, including if a time limit is not met,

      (iii) specify how personal information is to be corrected,

      (iv) require a municipality to stop collecting, using or disclosing personal information in contravention of this Part,

      (v) require the municipality to destroy personal information collected in contravention of this Part; and

    (c) send a copy of the report to the responsible officer and

      (i) where the matter was referred to the review officer by an applicant, to the applicant and to any third party notified pursuant to this Part, or

      (ii) where the matter was referred to the review officer by a third party, to the third party and to the applicant.

    (4) A report of the review officer referred to in clause (1)(a) must include a statement setting out the appeal rights of an applicant and a third party under Section 494.

    (5) An order of the review officer may be made an order of the Supreme Court of Nova Scotia by filing a certified copy of it with the prothonotary of the Supreme Court and, on filing, that order is enforceable in the same manner as an order of the Supreme Court.

    493 Subject to subsection 494(1B), within thirty days of receiving a written report and order of the review officer pursuant to subsection 492(2) or (3), the responsible officer shall comply with the order.

13 (1) Subsection 494(1) of Chapter 18 is repealed and the following subsections substituted:

    (1) Where the review officer agrees under subsection 492(1) with a decision, act or failure to act of the responsible officer, within thirty days after receiving a copy of the report, the applicant or third party may appeal the review officer's order to the Supreme Court of Nova Scotia in such form and manner as may be prescribed by the Nova Scotia Civil Procedure Rules or by the regulations.

    (1A) Where the review officer does not agree under subsection 492(2) or (3) with a decision, act or failure to act of the responsible officer, within thirty days after receiving a copy of report, the responsible officer may appeal the review officer's order to the Supreme Court of Nova Scotia in such form and manner as may be prescribed by the Nova Scotia Civil Procedure Rules or by the regulations.

    (1B) Where an appeal to the Supreme Court of Nova Scotia is made before the end of the thirty-day period referred to in Section 493, the order of the review officer is stayed until the application is dealt with by the court.

(2) Section 494 of Chapter 18, as amended by Chapter 9 of the Acts of 2003 and Chapter 55 of the Acts of 2005, is further amended by renumbering subsections (1A) and (1B) as (1C) and (1D).

(3) Subsection 494(6) of Chapter 18, as enacted by Chapter 9 of the Acts of 2003, is amended by striking out "recommendations" in the third line and substituting "orders".

14 (1) Subsection 500(1) of Chapter 18 is amended by striking out "maliciously" immediately after "who" in the first line.

(2) Section 500 of Chapter 18, as amended by Chapter 9 of the Acts of 2003, is further amended by adding immediately after subsection (1A) the following subsections:

    (1B) Every person who

    (a) obstructs, misleads or knowingly makes a false statement to a review officer;

    (b) directs another person to destroy, alter, falsity or conceal any record containing personal information in the custody or under the control of a municipality; or

    (c) knowingly and wilfully uses personal information in contravention of this Part,

    is guilty of an offence and liable on summary conviction to a fine of not more than two thousand dollars or to imprisonment for six months, or both.

    (1C) A prosecution may not be brought against a person under this Section after two years from the day on which the offence is discovered.

15 Clause 5(1)(c) of Chapter 42 of the Acts of 2008, the Privacy Review Officer Act, is amended by adding "and orders" after recommendations in the first line.

 


This page and its contents published by the Office of the Legislative Counsel, Nova Scotia House of Assembly, and © 2019 Crown in right of Nova Scotia. Created October 22, 2019. Send comments to legc.office@novascotia.ca.