On May 25, 2010, the Minister of Industry tabled amendments to the federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA was introduced in 2001 and has applied to most private sector enterprises since 2004. Section 29 of PIPEDA requires Parliament to review Part 1 of the Act every five years; the House Standing Committee on Access to Information, Privacy and Ethics (ETHI) undertook that review in 2006 and issued its final report and recommendations in May 2007. More than three years later, the bill would amend PIPEDA in several significant ways, including to:
- require organizations to report material breaches of security safeguards to the Privacy Commissioner and to notify certain individuals and organizations of breaches that create a real risk of significant harm, and
- permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of the individual, personal information related to prospective or completed business transactions.
The most significant proposed amendments are the breach notification requirements. A breach would be defined as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of the organization's security safeguards or from a failure to establish those safeguards. Only the Alberta statutory equivalent to PIPEDA currently has a breach notification requirement. The Alberta statute requires a breach to be reported to the Alberta privacy commissioner whenever there is a possibility of harm to even one individual, and the Alberta commissioner then determines whether individual notification is required. By contrast, the PIPEDA amendments would require organizations to report to the federal Privacy Commissioner only those breaches of security safeguards that the organization itself has determined to be material. Materiality would be assessed on criteria that include the sensitivity of the information, the number of individuals affected and whether the breach indicates a systemic failure of security. A second notification provision would require the organization to also notify affected individuals and organizations if the breach creates a "real risk of significant harm" to them. "Significant harm" would be defined non-exhaustively as including bodily harm, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Because the two tests differ, a breach under PIPEDA could require notification to individuals but not to the Privacy Commissioner, and vice versa.
The proposed bill also remedies a flaw in the current legislation that makes certain aspects of due diligence in business transactions difficult, if not impossible, by restricting the ability of a vendor to disclose to a potential purchaser personal information relevant to the transaction (such as information relating to employees and customers) without the consent of the affected individual. Under the amendments, an organization will be permitted to use and disclose personal information without the knowledge or the consent of the individual if the information is essential to the completion of the business transaction and provided that contractual confidentiality safeguards are in place as between the parties to the transaction. The transactions include purchase or sale of a business, mergers, amalgamations, financings, leases and joint ventures. If the proposed transaction successfully completes, there would be a post-closing notification to affected individuals whose personal information may have been disclosed or transferred. However, transactions where the primary purpose is the purchase and sale, or other transfer, of personal information will not benefit from this exemption.
The amendments would also clarify what constitutes valid consent to the collection, use or disclosure of personal information. Currently under PIPEDA, consent to the collection, use and disclosure of personal information must be informed consent in order to be valid. The amendments would add a provision that an individual's consent is valid only if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of the personal information to which he or she is consenting, although arguably an understanding of the consequences of consent is already an element of informed consent. This addition may at least in part address the ETHI recommendation that the treatment of a minor's consent under PIPEDA be revisited.
Other proposed amendments will:
- permit the disclosure of personal information without the knowledge or consent of the individual for the purposes of identifying an injured, ill or deceased individual and communicating with their next of kin; performing police services; preventing, detecting or suppressing fraud; or protecting victims of financial abuse.
- clarify the meaning of lawful authority for the purpose of disclosures to government institutions of personal information without the knowledge or consent of the individual;
- permit federal works, undertakings and businesses to collect, use and disclose personal information without the knowledge or consent of the individual to establish, manage or terminate employment relationships;
- provide a framework for organizations to notify individuals proactively about disclosures of their personal information made in certain circumstances to government institutions;
- permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of the individual, personal information contained in witness statements related to insurance claims, or produced by the individual in the course of their employment, business or profession.
The amendments also provide that an individual's "business card" information (name, title, business telephone number and email) is not, when used in the business context, subject to PIPEDA, finally drawing a clearer line between personal information, which has the protection of PIPEDA, and business information, which does not. Similarly, an organization will be permitted to gather and use personal information without the knowledge or consent of the subject individual, if the information is produced for work purposes.
In making its recommendations, ETHI benefitted from the experience of Alberta and British Columbia under their privacy statutes, both of which were enacted after PIPEDA, and also looked to the equivalent Québec legislation in assessing amendments to PIPEDA. The amendments do not address every ETHI recommendation and may not fully satisfy the federal Privacy Commissioner, who, among other positions, advocated that her office not be restricted to responding to individual complaints and instead be given a general public interest authority to investigate privacy issues. Nonetheless, the proposed amendments would bring the federal private sector privacy statute more in line with the equivalent provincial statutes of Alberta and British Columbia and represent a necessary updating of a statute that affects many private sector enterprises on a daily basis.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.