Copyright 2010, Blake, Cassels & Graydon LLP

Originally published in Blakes Bulletin on Privacy, June 2010

A bill to enact the Safeguarding Canadians' Personal Information Act has been introduced in Parliament. The bill, if enacted, would make a number of changes to Canada's federal Personal Information Protection and Electronic Documents Act (PIPEDA).

Business Transaction Exemption. The business transaction exemption, in particular, will be welcomed by the business community. It would permit the reasonable use and disclosure of personal information without consent, both in the due diligence phase and after closing, provided the organizations enter into a data protection agreement containing certain required terms, such as a requirement to use and disclose the information solely for purposes related to the transaction. On closing, one of the parties must notify affected individuals within a reasonable time after the transaction is completed that their personal information has been disclosed.

Data Breach Reporting Obligation. A significant change would be a requirement that organizations notify the Federal Privacy Commissioner of any material breach of security safeguards involving personal information under their control. The factors relevant to determining materiality would be defined to include: (a) the sensitivity of the personal information; (b) the number of individuals affected; and (c) an assessment by the organization that the cause of the breach or pattern of breaches indicates a systemic problem. Organizations would also be required to notify individuals of such breaches if they create a real risk of significant harm. Significant harm would be defined to include bodily harm, humiliation, damage to reputation or relationships, financial loss, identity theft and negative credit effects.

Employee Personal Information. PIPEDA only applies to the employment information of a limited group of federal works, such as banks and airlines. The bill would remove the consent requirement for collection, use or disclosure of employee personal information to the extent necessary to establish, manage or terminate an employment relationship in those federally regulated organizations. Both the business transaction exemption and the use of employee personal information without consent, but on notice, reflect regimes already in place in the Alberta and British Columbia Personal Information Protection Acts.

Business Contact Information. Business contact information would be expanded to include all business contact information, including a work electronic mail address. However, business contact information would only be exempt from consent requirements where that information is used solely for the purpose of communicating with the individual in relation to their employment, business or profession. In other words, business contact information would not be exempt if used for non-business purposes.

Consent. The bill would more precisely set out the standard for consent by providing that consent is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of the personal information. While this concept was already in PIPEDA and required both knowledge and consent, the change will further heighten the need for careful consideration of the wording of all personal information disclosures and policies.
