On May 25, 2010, the Government of Canada introduced significant amendments to the federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). The amendments, introduced as Bill C-29, reflect recommended changes to PIPEDA made after a parliamentary review of the legislation in 2007. Amendments of particular significance for businesses include the mandatory reporting of data breaches, provisions permitting personal information to be used and disclosed for business transactions, an expanded carve-out for business contact information, and new consent exceptions for employee information and work product information. Highlights of the proposed amendments and our recommendations for businesses about how to respond to the changes are set out below.
Mandatory Data Breach Notification
- Businesses will be required to report any "material breach of security safeguards" involving personal information under their control to the Privacy Commissioner "as soon as feasible" after discovery that a breach has occurred. Breaches include the loss, unauthorized access to or disclosure of personal information resulting from a breach of security safeguards or a failure to establish those safeguards.
- In determining whether a breach is material, businesses must consider the sensitivity of the information, the number of individuals involved, and whether the cause of the breach or a pattern of breaches indicates a systemic issue.
- Notification to affected individuals will be required if it is reasonable in the circumstances to believe that the breach creates a "real risk of significant harm" to the individuals whose personal information is involved.
- "Significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property. Factors relevant to determining whether there is a real risk of significant harm include the sensitivity of the information and the probability that the information has been, is being or will be misused.
- Notification to other organizations or government institutions will also be required if such other organizations or institutions may be able to reduce or mitigate the risk of harm to affected individuals.
- Notifications will be required to contain enough information to allow individuals to understand the significance to the individual of the breach and the need to take mitigating steps to reduce or avoid harm where necessary. Notices must be given as soon as feasible and must be given directly to those individuals, except where direct notice is not feasible and regulations under PIPEDA permit indirect notice to be given.
- Individuals will be able to complain to the Privacy Commissioner of Canada about data breaches and failures to notify, and to launch Federal Court reviews of failures to comply with PIPEDA's security standards and data breach notification requirements. Court remedies can include orders to cease or change data processing, handling and security safeguards, notification (public and direct) of the breach and damages.
"Business Transaction" Exception to Consent
- PIPEDA will include a "business transactions" exception to the consent requirement similar to privacy legislation in Alberta and British Columbia. The amendments will permit personal information that is necessary to be disclosed for the due diligence process for prospective and completed business transactions to be used and disclosed without notice to or consent from individuals. In order to rely on this exception, the parties to the transaction must agree to limit the use and disclosure of the receiving organization to purposes solely related to the transaction, to protect the shared information by appropriate security safeguards (confidentiality), and to the return or destruction of the data if the transaction does not proceed.
- Upon completion of the transaction, the receiving organization will be able to continue to use and disclose the shared information, provided the information is necessary for carrying on the business, one of the parties has notified affected individuals that their personal information has been disclosed in connection with the transaction within a reasonable time after the transaction is completed, and the parties have an agreement that requires each party to only use and disclose the personal information under its control for the same purposes as before the completion of the transaction, to protect the information with appropriate safeguards and to honour any withdrawals of consent by individuals.
- The business transaction exception will not apply where the primary purpose or result of the transaction is the purchase, sale or other acquisition or disposition, or lease, of personal information (i.e., the primary or sole asset is a customer database).
Exclusion of "Business Contact Information"
- The "business contact information" exclusion from PIPEDA will be broadened to include an individual's work email address and other business contact information in addition to their name, position name or title, work address, work telephone and fax numbers. Business contact information will not be subject to PIPEDA provided it is collected, used or disclosed solely for purposes of communication with the individual in relation to their employment, business or profession.
"Employment Relationship" and "Work Product" Exceptions to Consent
- An exception to the consent requirement will exist for federally regulated employers in respect of the collection, use and disclosure of personal information about employees that is necessary to establish, manage or terminate an employment relationship, provided the employees have been given notice of the purposes for which their information will be collected, used and disclosed.
- A further exception to the notice and consent requirement will exist for information produced by individuals in the course of their employment, business or profession (work product) if the collection, use and disclosure are consistent with the purposes for which the information was produced.
- Additional amendments have been introduced that:
- Specify the criteria for valid consent under PIPEDA, including that it must be reasonable to expect that individuals understand the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting;
- Strengthen the consent exception for detection, suppression and prevention of fraud and financial abuse; and
- Expand the consent exception for disclosure of personal information to law enforcement, regulatory authorities and government institutions, including broader prohibitions against informing individuals about the disclosure of their personal information to government institutions without approval of the government institution, law enforcement or regulatory body.
How Bill C-29 Affects Your Business
Bill C-29 is currently at the first reading stage in the House of Commons. If and when the provisions of the bill come into force, businesses with a presence in Canada will need to review their privacy policies and procedures to ensure compliance with the amendments. Businesses should:
- Implement a notification protocol (to the Privacy Commissioner and to individuals) and mitigation strategies for material data breaches. As part of this exercise, current security and retention measures should also be reviewed to ensure these are appropriate given the sensitivity of the information;
- Monitor the regulations under PIPEDA that will specify the form and content of data breach notifications, and the ability, if any, of businesses that are service providers to provide indirect notice of data breaches;
- Review and revise current standard form non-disclosure agreements used in business transactions to incorporate the PIPEDA conditions for disclosures of personal information related to business transactions;
- Review employee privacy policies and notices (in the case of federally regulated employers) to ensure they meet the notice requirements for collection, use and disclosure of employee personal information;
- Review and amend current privacy notices and consent forms to ensure they meet the criteria for valid consent under PIPEDA; and
- Update privacy policies to reflect the broadened consent exceptions for business contact information, work product, disclosure to law enforcement, regulatory and government bodies, and for fraud and financial abuse prevention, detection and suppression.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.