On September 13, 2013, Manitoba joined Quebec, British Columbia
and Alberta by enacting provincial private sector privacy
Once it comes into force, Manitoba's Personal
Information Protection and Identity Theft Prevention Act
(PIPITPA) will govern the collection, use and disclosure of
personal information, including that of employees, by organizations
in the private sector.
The Manitoba legislation has been modelled closely after
the Personal Information Protection Act
("PIPA") in Alberta; however, meaningful differences
exist. The most significant differences are summarized
Breach notification – PIPITPA includes a
broad breach notification obligation that requires an organization
to notify an individual if personal information about the
individual in its custody or under its control is stolen, lost or
accessed in an authorized manner, unless it is not reasonably
possible for the personal information to be used unlawfully.
Unlike in Alberta, there is no "real risk of significant
harm" test or a requirement to notify the privacy commissioner
(who then makes a decision on whether notice to individuals needs
to be given).
Private right of actionfor privacy
breaches – PIPITPA creates a broad private right of
action that will enable an individual to claim damages arising from
an organization's failure to protect personal information in
its custody or under its control or provide a required notice of a
data breach. Unlike under PIPA, the private right of action
is not conditional upon a finding by a privacy commissioner (or
ombudsman) that the organization failed to comply with the
legislation. This, together with the broad and ambiguous
legal language that can trigger a claim, is likely to encourage the
commencement of privacy breach class actions in Manitoba.
No complaint process – There remains
uncertainty as to how PIPITPA will be enforced as there is no
formal complaint or review process, nor does PIPITPA provide for
the regulation making authority to implement one. The
legislation does, however, include offences for (among other
things) wilfully collecting, using or disclosing personal
information in contravention of the legislation. As in PIPA,
the offences are subject to fines of up to $100,000.
Security requirements – PIPITPA
authorizes the Lieutenant Governor in Council to prescribe security
arrangements that organizations will need to follow in respect of
personal information in their possession or under their control. As
PIPITPA does not contain the specific requirements regarding
destruction of personal information that PIPA does, it is possible
that such requirements could form part of prescribed security
Information about former employees –
PIPITPA does not include an exception to consent, similar to the
one found in PIPA, for the collection, use or disclosure of
personal information about former employees.
Transfers to service providers outside Canada
– PIPITPA does not include the prescriptive rules found in
PIPA regarding an organization's use of a service provider
outside Canada to collect or process personal information on its
behalf. However, there remains the possibility that such
rules could be prescribed as part of a security arrangement.
Name of person responsible for privacy –
Whereas both PIPA and PIPITPArequire that an organization notify
individuals prior to collection of personal information of the
person designated to answer questions regarding collections on
behalf of the organization,PIPITPA requires that the name
of such person (as opposed to the name or title of such
person under PIPA) be provided. Therefore, organizations subject to
PIPITPA will need to update their privacy policies and notices
every time their designated privacy officer changes.
How It Affects Your Business
Organizations who already have processes in place to comply with
Canada's existing privacy laws will largely find that PIPITPA
does not create new compliance obligations for them. Notable
exceptions are the data breach notification requirements, the
increased likelihood of related class actions, the potential for
regulations to be used to prescribe minimum security requirements
and the requirement to disclose the name of the organization's
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Finally, the guidelines indicate that although BYOD programs can be part of an organization's cost reduction strategy, using EODs to carry out both personal and business functions may introduce privacy and security risks that could impact both personal and corporate information.