Canada's House of Commons has recessed. Members of
Parliament aren't scheduled to return until September 17, 2012.
By then, Bill C-12, An Act to amend the Personal Information
Protection and Electronic Documents Act (short title:
SafeguardingCanadians' Personal Information
Act) will have been on the order paper for almost a year,
having been introduced in the House of Commons on September 29,
2011. The Bill doesn't appear to be moving any quicker than its
predecessor, which died when Parliament was dissolved in March
Bill C-12 would give effect some of the legislative reforms
recommended following the last 5-year review of PIPEDA (which
happened more than 5 years ago!). If the Bill could ever get some
traction and make it into force, it would (among other things):
Create a new definition of "business contact
information". "Business contact
information" is defined as an individual's name, position
or title, work address, work telephone number, work facsimile
number, work e-mail address and any similar information about the
individual. This information would not be subject to PIPEDA if the
business contact information is collected, used or disclosed
solely for the purpose of communicating or facilitating
communication with the individual in relation to their employment,
business or profession. Although still an important reform, the
regulation of the use of this information (particularly e-mail
addresses) may be overtaken for practical purposes by Canada's
Anti-Spam Legislation (CASL) when that legislation comes into
force. My colleague, Margot Patterson, has some excellent
explanations of CASL on this blog.
Specify that consent means informed consent.
Consent to collection, use or disclosure of their personal
information is valid only if "it is reasonable to expect that
the individual understands the nature, purpose and consequences of
the collection, use or disclosure to which they are
Provide for broader disclosure exceptions for law
enforcement purposes. Organizations would be permitted to
disclose personal information without consent where the disclosure
is requested "for the purpose of performing policing
services". "Policing services" is undefined.
Organizations would also be permitted to disclose information to
other organizations (not just government institutions) to
investigate a breach of an agreement or the laws of Canada or
province or, in certain circumstances, to prevent, detect or
Add a prospective business transaction
exception. Businesses could disclose personal information
to determine whether to proceed with a business transaction (such
as a merger or asset sale) and then to complete it.
Enact breach notificationprovisions. Organizations would be required to
notify the Privacy Commissioner of a material breach of security of
personal information. In addition, organizations would be required
to notify the affected individuals if it is reasonable to believe
that the breach creates a real risk of significant harm to the
FMC is one of Canada's leading business and litigation law
firms with more than 500 lawyers in six full-service offices
located in the country's key business centres. We focus on
providing outstanding service and value to our clients, and we
strive to excel as a workplace of choice for our people. Regardless
of where you choose to do business in Canada, our strong team of
professionals possess knowledge and expertise on regional, national
and cross-border matters. FMC's well-earned reputation for
consistently delivering the highest quality legal services and
counsel to our clients is complemented by an ongoing commitment to
diversity and inclusion to broaden our insight and perspective on
our clients' needs. Visit:
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
A credit union (the "Employer") dismissed a helpdesk analyst (the "Analyst") with cause after discovering the Analyst had, without permission or authorization, remotely accessed another employee’s confidential document stored on the Employer’s network.
With security breaches being on the rise, the requirement to have organizations notify the relevant privacy commissioners and affected individuals upon a security breach taking place is becoming increasingly important.
The Office of the Privacy Commissioner of Canada has announced that the Federal Trade Commission, the UK Information Commissioner’s Office, the OPC and the Office of the Information and Privacy Commissioner for British Columbia and 15 other enforcement authorities worldwide are participating in an "Internet Privacy Sweep".