On May 2, 2007, the Standing Committee on Access to Information, Privacy and Ethics (the Committee) presented to the House of Commons its report arising from the statutory review of the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
The recommendations of the Committee reflect extensive consultations with various stakeholders and, for the most part, represent a "fine-tuning" of PIPEDA rather than wholesale amendments. As noted by the Committee, much of the fine-tuning is premised on the need for greater harmonization between PIPEDA and the laws of the provinces of Québec, Alberta and British Columbia, all of which have substantially similar private sector data protection laws. It was argued, in various stakeholders’ submissions to the Committee, that British Columbia and Alberta’s "‘second generation’ privacy laws provide a more practical and updated reflection of privacy protection today."
The following are some highlights from the recommendations:
- amend PIPEDA to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner
- include a provision permitting organizations to collect, use and disclose personal information, without consent, for the purposes of a business transaction
- include a definition of "work product" that is explicitly recognized as not constituting personal information
- clarify the form and adequacy of consent required by PIPEDA, distinguishing between express, implied and deemed/opt-out consent
- incorporate into PIPEDA amendments to address the collection, use and disclosure of personal information in the employment context
- no amendments should be made to PIPEDA with respect to trans-border flows of personal information
- the Federal Privacy Commissioner should not be granted order-making powers at this time
- no amendment should be made with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest
Many of the changes recommended by the Committee will be welcomed by organizations that are subject to PIPEDA’s privacy protection requirements.
First, many of the proposed changes would address compliance obligations that have proven unwieldy for organizations subject to PIPEDA. One example is PIPEDA's failure to permit the collection, use and disclosure of personal information about employees, without consent, as is required to manage the employment relationship. The absence of such an exemption from PIPEDA's consent requirements has proven a challenge for federally regulated employers.
Second, many of the amendments would have the practical effect of harmonizing PIPEDA with current provincial privacy legislation (such as British Columbia’s or Alberta’s Personal Information Protection Act, or Québec’s An Act Respecting the Protection of Personal Information in the Private Sector). For example, the introduction of an exemption for "work product information" and a further definition of PIPEDA’s exemption for business contact information would enhance the ability of organizations operating in multiple provinces to implement consistent privacy practices and processes throughout Canada.
Many organizations will also welcome the Committee’s recommendation that no amendments be made to PIPEDA with respect to trans-border flows of personal information. Consistent with the recommendations of the Privacy Commissioner of Canada, the Committee noted that "[PIPEDA] already contains sufficient accountability and allows for the necessary flexibility for businesses to ensure that personal information is privacy protected when it crosses our borders," and encouraged the Commissioner to continue to provide guidance to organizations regarding the implementation of appropriate safeguards.
Another hot topic considered by the Committee was whether PIPEDA should be amended to expressly require organizations to report breaches of privacy, i.e. circumstances in which personal information under the control of the organization has been subject to unauthorized access or use. Despite the potential drain that such a mechanism could place on the resources of the Commissioner’s office, and despite the Commissioner's lack of power to make binding orders, the Committee recommended a requirement that organizations report certain defined breaches to the Privacy Commissioner. The Commissioner would in turn determine whether affected individuals and others should be notified and, if so, in what manner. This approach differs from that taken in other jurisdictions, including many US states, which require direct notification of the affected individuals in the event of certain breaches.
Although it will be some time before the Committee’s recommendations translate into amendments to PIPEDA, organizations should at the very least be revisiting their internal privacy processes to ensure that an internal escalation mechanism for privacy breaches has been implemented. This includes requiring service providers to give notice of breaches relating to personal information that the organization has provided to them, and ensuring that IT staff, risk management professionals, human resources personnel and other relevant individuals are prepared to respond to breaches.