Now that amendments to Alberta's Personal
Information Protection Act (PIPA) have come into
force, organizations operating in the province's private sector
should review their privacy policies and practices to ensure they
still comply with the new requirements.
Significant changes to PIPA include:

- An obligation, if the organization uses foreign service
  providers to collect, use, disclose or store personal information,
  to include in the organization's policies and practices
  - identifying the countries in which the collection, use,
    disclosure or storage is occurring, or may occur; and
  - explaining the purposes for which the service provider is
    authorized to handle the personal information.
- A requirement to notify individuals about the transfer of
  personal information to any foreign service providers. This
  notification must indicate:
  - how to obtain written information about the organization's
    policies and practices relating to its service providers outside
  - the name of a contact person within the organization who can
    answer questions about the handling of the personal information by
    the foreign service provider.
- An obligation to notify the Alberta Privacy Commissioner if
  personal information under an organization's control is lost,
  accessed or disclosed without authorization, when the loss or
  breach could pose a real risk of significant harm to an individual.
  In such circumstances, the Privacy Commissioner may require the
  organization to notify affected individuals directly.
- An expansion of the definition of "personal employee
  information" to include information about potential, current
  and former employees, partners, officers and directors.
- A consent exemption for collecting, using or disclosing
  information for the purpose of establishing, managing or
  terminating an employment or volunteer-work relationship, or for
  managing the post-relationship.
- An obligation to destroy or anonymize personal information
  within a reasonable time, once no longer reasonably required for
  business or legal purposes.
- The removal of the wilful requirement for committing certain
  offences (e.g., collecting, using and disclosing personal
  information without consent). As a result, an organization could
  commit an offence under PIPA by breaching certain
  PIPA obligations, even if unintentionally.
- The addition of a number of new offences, including failing to
  notify the Privacy Commissioner of a reportable privacy breach,
  obstructing the Commissioner in an investigation or inquiry, and
  taking reprisal action against an employee for reporting a
  PIPA violation to the Commissioner.
- An extension of the time limit for prosecuting an offence under
  PIPA from six months to two years after the commission of
  the alleged offence.
McCarthy Tétrault Notes
With these changes, Alberta has now become the first
jurisdiction in Canada with a mandatory breach notification
requirement in its privacy legislation, outside the health sector.
(Ontario has a mandatory notification obligation for breaches
involving personal health information, as do Newfoundland and
Labrador and New Brunswick, but their legislation is not yet in
force.) The federal government is also looking to include breach
notification requirements in the federal private sector privacy
legislation, Personal Information Protection and Electronic
Documents Act (PIPEDA). For a comparison of the
breach notification provisions under PIPA and those
proposed for PIPEDA, read our article on Bill C-29.
The amendments to PIPA give the legislation
considerably more "bite," so organizations are advised to
carefully review their current policies and practices relating to
personal information and ensure they are in compliance with the new
rules. For a more detailed review of an organization's new
obligations under PIPA and helpful tips on how to comply
with the amendments, see our previous article on this topic.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.