Alberta's Bill 54, which came into force on May 1, 2010,
fine-tunes the Alberta Personal Information Protection Act
("PIPA"), which regulates how private sector
organizations collect, use, disclose, protect and provide access to

Organizations operating in the Alberta private sector will now
have to comply with more stringent privacy requirements. The
amendments prescribed by Bill 54 clarify and expand
organizations' obligations under PIPA relating to
collecting, using or disclosing employee information. Specifically,
the definition of "personal employee information" is
expanded to include information about a former employee as well as
information used for managing a post-employment relationship,
providing for more consistent standards of handling personal
information of employees.

Further, organizations now have a positive obligation to destroy
or anonymize personal information once the organization no longer
requires it for legal or legitimate business purposes. And lastly,
the new amendments also increase the ambit of penalties for
noncompliance. The "wilful" requirement has been removed
such that an organization could commit an offence even if it acted

But perhaps the most important amendments to PIPA are
the new notification provisions requiring organizations to notify
individuals before transferring personal information to a foreign
service provider, and to notify the Privacy Commissioner of Alberta
if personal information is lost, accessed or disclosed without
authorization. We will discuss these new requirements in greater

Transferring Personal Information Outside Canada

The amendments impose additional obligations on organizations
that use service providers outside of Canada to collect, use,
disclose or store personal information. Organizations are now
required to (1) notify individuals when they will be transferring
individuals' personal information to a service provider outside
Canada, and (2) include information regarding this outsourcing
practice in the organization's policies and practices. These
changes are particularly relevant for those organizations that are
controlled by a foreign parent company and transfer personal
information to that parent company.

It should be noted that this new notification requirement is in
addition to the requirement to notify individuals about the
purposes of the collection of their personal information and to
provide contact information for someone who can answer any

Personal Information Lost, Accessed or Disclosed without

Alberta is the first Canadian jurisdiction to require mandatory
security breach notification in the private sector. PIPA,
as amended by Bill 54, requires organizations to notify the Privacy
Commissioner of Alberta if personal information under the
organization's control is lost, accessed or disclosed without
authorization. This reporting obligation arises "where a
reasonable person would consider that there exists a real risk of
significant harm to an individual". Failure to notify the
Commissioner of a breach that may pose a real risk of significant
harm to individuals is an offence.

Once the Commissioner is notified, the Commissioner will review
the information provided by the organization and determine whether
affected individuals need to also be notified of the security
breach. If so, the Commissioner can direct an organization to
notify individuals in the form and manner prescribed by the
Regulations. The fundamental purpose of notifying individuals of a
security breach is to allow the individuals to take steps to reduce
their risk of harm, or the extent of the harm, if possible. Thus,
an organization must report a security breach to the Commissioner
without unreasonable delay, as the longer the delay between the
breach and notification, the less useful the notification will

Tips for Organizations

In response to the amendments, your organization should:
(1) Consider whether a foreign entity receives, stores, or has
access to personal information or personal employee information
that is subject to PIPA. If so, review the policies and practices
surrounding the transfer of information and update them to
incorporate the requisite information and notification
(2) Incorporate in its privacy breach protocol a step to notify
the Privacy Commissioner of any serious security breach.
In addition, your organization should also:
(3) Review current policies with respect to collecting, using or
disclosing personal employee information after the employee leaves
(4) Revise record retention and destruction policies and
procedures, so that personal information is destroyed or
"anonymized" once no longer required.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.