In December, we informed you about pending amendments to
Alberta's Personal Information Protection Act (PIPA).
Effective May 1, 2010, the amendments are now in force.
The new and notable requirements applicable to organizations are
as follows:
Notification respecting service providers outside of Canada
Organizations that use service providers outside of Canada to
collect personal information about individuals or that transfer
personal information to service providers outside of Canada must
notify individuals of:
- the ways in which they may obtain access to written information
about the organization's policies and practices with respect to
service providers outside of Canada; and
- the person who is able to answer questions on behalf of the organization about the collection, use, disclosure or storage of personal information by service providers outside Canada.
Such notification must be provided before personal information is
collected by, or transferred to, the service provider.
Additionally, organizations that use service providers outside of
Canada must develop and follow policies and practices that
identify:
- the countries outside of Canada in which collection, use,
disclosure or storage of personal information is occurring or may
occur; and
- the purposes for which service providers have been authorized to collect, use or disclose personal information for or on behalf of the organization.
Expanded definitions of "employee" and "personal employee information"
The definition of "employee" now includes individuals
who perform a service for organizations as partners, directors or
officers. This amendment allows organizations to collect, use and
disclose personal information about their partners, directors and
officers under PIPA's special provisions for personal employee
information.
PIPA's definition of "personal employee information"
has also been expanded to include personal information reasonably
required for the purposes of "managing a post-employment or
post-volunteer-work relationship." The expansion allows
employers to collect, use and disclose personal information about
former employees under PIPA's special provisions for personal
employee information.
Retention and destruction of personal information
A new provision has been added to PIPA requiring organizations
to destroy records containing personal information (or to render
such information non-identifying) when such information is no
longer reasonably required for legal or business purposes.
Notice to individuals of security breach
The Alberta Information and Privacy Commissioner has been given
the authority to require organizations that suffer a privacy breach
to notify individuals to whom there is a real risk of significant
harm. The Commissioner is able to exercise this power at any time
and an individual complaint need not be filed.
If notification is ordered, the notice must include a description
of the incident that led to the privacy breach, the time the
incident occurred, a description of the personal information
involved, information about any steps taken to reduce the risk of
harm and contact information for a person who can answer questions
about the breach.
New offence provisions
There are two new offence provisions. It is now an offence under
PIPA to:
- fail to notify the Commissioner of a privacy breach that poses
a real risk of significant harm to individuals; and
- take any adverse employment action against individuals who disclose a contravention of PIPA by their employer or fellow employees, who take action in order to avoid having any person contravene PIPA, or who refuse to do anything in contravention of PIPA.