Long anticipated amendments to the federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), were made with the passing into law of the Digital Privacy Act in late June.
In the employment context, PIPEDA applies to federally regulated employers (including banks, telecommunication companies, airlines and other interprovincial businesses) and private sector employers operating in the Yukon, Northwest Territories and Nunavut.
Privacy Breach Provisions (not yet in force)
A key amendment to PIPEDA is the addition of mandatory breach notification provisions similar to the mandatory breach notifications in Alberta's Personal Information Protection Act. The mandatory breach notification provisions will come into force via regulations that have not yet been tabled.
The mandatory breach notification provisions require organizations to notify the Office of the Information and Privacy Commissioner of Canada (the "Commissioner") of any breaches of privacy that may cause "a real risk of significant harm to an individual". "Significant harm" is defined to include "bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property".
If there is a real risk of significant harm, organizations must also notify: (i) any individuals affected by the privacy breach; and (ii) other organizations or government institutions if notification to such organizations could reduce the risk of harm caused by the breach.
Organizations can be fined up to $100,000 for knowingly failing to comply with the breach notification provisions.
Organizations will be required to maintain a record of every breach of security safeguards involving personal information under its control. This requirement applies to all breaches not just those with a real risk of "significant harm". There is currently no time limit on the retention period; we hope that this indefinite time period will be limited in the future through regulations.
Additional Important Amendments (in force)
For employers subject to PIPEDA, the amendments contain a much welcome exception to the requirement for consent if the collection, use or disclosure of personal information is necessary to establish, manage or terminate an employment relationship with the individual and the individual is informed of the collection, use and disclosure. This is similar to the provisions that already exist in the provincial privacy legislation in Alberta and BC.
Collection, use or disclosure of personal information without consent is now permissible if the personal information is:
- Contained in a witness statement used in an insurance claim; or
- Produced by the individual in the course of employment, business or professional services and the collection is consistent with the purpose of collecting that information.
Further, disclosure without consent is allowed if it is made:
- To identify an ill, injured or deceased individual or to communicate with the individual's next of kin;
- To investigate a breach of an agreement or a contravention of a federal or provincial law that has been committed or is about to be committed, if disclosure with knowledge or consent of the individual would compromise the investigation;
- To prevent or investigate financial abuse; or
- To detect or prevent fraud, if knowledge or consent of the individual would compromise the investigation.
Where consent is required, PIPEDA now stipulates that consent will only be valid "if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequence of the collection, use or disclosure of the personal information to which they are consenting".
Previously organizations only required the consent of an individual to collect, use or disclose the individual's personal information. The new sliding scale of consent suggests that the form of consent will vary depending on the type of information collected, used or disclosed and the sophistication of the individual who gives the consent.
Business Transaction Exemption
Similar to the privacy statutes in BC and Alberta, PIPEDA now allows parties to a prospective business transaction to use and disclose an individual's personal information without their consent if the information is necessary to determine whether to proceed with a transaction, subject to appropriate safeguards.
The Digital Privacy Act extends the Commissioner's power to allow the Commissioner to enter into a "compliance agreement" with an organization that has committed, is about to commit, or is likely to commit an act or omission in contravention of PIPEDA. This provision should assist organizations in resolving privacy complaints without a formal hearing process.
The Commissioner now has broadened power on the scope of information it can make publically available, including the ability to make public any information that: (i) comes to his or her knowledge in the performance or exercise of any part of his or her duties or powers; and/or (ii) is obtained by the Commissioner in response to a security breach notification.
Impact on Employers
As a result of these amendments, we recommend employers governed by PIPEDA review their privacy policies and procedures to ensure that they comply with the amendments to PIPEDA. We also recommend that organizations take steps to prepare for the mandatory breach notification provisions coming into force including drafting internal policies and procedures with respect to how to respond to privacy breaches and provide employees with the necessary training.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.