Effective May 1, 2010, Alberta's Personal Information
Protection Act and its Regulations have been amended by the
Personal Information Protection Amendment Act and the
corresponding Personal Information Protection Act Amendment
Of the many amendments to the Personal Information
Protection Act, we draw your attention to the following:
A new requirement for organizations to provide notice to the
Commissioner of any incident involving the loss of or unauthorized
access to or disclosure of personal information, where a reasonable
person would consider that there exists a real risk of significant
harm to an individual as a result of the loss or unauthorized
access or disclosure; the Commissioner may require the organization
to notify affected individuals. Section 19 of the amended
Regulations specifies the form and details of such notices.
A new requirement that organizations which use a service
provider (including a parent, subsidiary or other affiliate)
outside of Canada to:
include in its policies and practices information
the countries outside Canada in which the collection, use,
disclosure or storage is occurring or may occur; and
the purposes for which the service provider outside Canada has
been authorized to collect, use or disclose personal information
for or on behalf of the organization;
notify individuals at or before the collection or transfer, in
writing or orally:
how individuals may obtain access to written information about
the organization's policies and practices with respect to
service providers outside Canada; and
the name or position name or title of a person who is able to
answer the individual's questions.
A new requirement that organizations, within a reasonable
period of time after an organization no longer reasonably requires
personal information for legal or business purposes, destroy the
records containing the personal information, or revise the records
so that the information remaining can no longer be used to identify
Clarification that provisions related to personal employee
information apply to potential, current and former employees
of an organization and include the management of post-employment or
post-volunteer work relationships.
Clarification of provisions permitting disclosure without
notice or consent in connection with the prevention, detection or
suppression of fraud; including, the specific inclusion of the
investigative offices of the Insurance Bureau of Canada and the
Canada Banker's Association.
A new deemed consent for the collection, use or disclosure of
personal information in connection with an individual's
enrollment in or coverage under an insurance policy, pension,
benefit or similar plan.
A new requirement to retain records related to an investigation
by the Commissioner for a period of one year.
As these amendments include both new obligations (such as
destruction, notice of loss, and notice of the service providers
outside of Canada) and clarifications in certain key areas (such as
the application of the Act to the employment relationship), now may
be an opportune time for the review of your current policies and
practices and to consider what, if any, amendments may now be
required by as a result of these amendments.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).