Copyright 2010, Blake, Cassels & Graydon LLP
Originally published in Blakes Bulletin on Privacy, May 2010
Alberta's Personal Information Protection Amendment Act, 2009 amending the Personal Information Protection Act (PIPA), as well as the Personal Information Protection Act Amendment Regulation amending The Personal Information Protection Act Regulation (the Regs), will come into force on May 1, 2010. The changes reflect most of the recommendations made by the Select Special Personal Information Protection Act Review Committee (Committee).
Two of the amendments are particularly significant:
- requirements for notification of data breach; and
- a requirement that organizations provide information about the use of service providers in foreign jurisdictions.
Data Breach Notification
This amendment will require organizations to report certain data breaches to the Alberta Information and Privacy Commissioner (Commissioner).
Any organization that has personal information under its control must provide notice to the Commissioner without unreasonable delay of any incident involving loss of, unauthorized access to, or disclosure of, personal information. Notice is required where "a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss of or unauthorized access or disclosure". The Commissioner then decides whether individuals should be notified and how they should be notified. If the Commissioner determines that the data breach poses a real risk of significant harm to individuals, the organization may be required to notify those individuals. These changes to PIPA give the Commissioner more control over the notification process in that he controls the amount and type of notifications the public receives, how notifications are made, and the information that is ultimately provided. Organizations do still have the ability to notify individuals as they deem necessary and will still need to consider whether they need to provide any additional notification to avoid liability for failure to warn or to meet other relevant statutory standards.
Access and Privacy, Service Alberta (Access and Privacy) – which co-ordinates the province-wide administration of PIPA and assists private sector organizations that are subject to PIPA – has interpreted "significant harm" to mean "a material harm; it has nontrivial consequences or effects, examples of which may include possible financial loss, identity theft, physical harm, humiliation or damage to one's professional or personal reputation". Further, Access and Privacy has indicated that a "real risk of harm" must be more than merely speculative; it is not simply "hypothetical or theoretical". Access and Privacy has also emphasized that "control" of personal information is not limited to physical possession. For example, if an organization contracts with another business to manage its online sales and the contractor suffers a security breach, the principal organization remains responsible for ensuring that the Commissioner is notified of the breach if the requisite threshold is met. (See Service Alberta, "Notification of a Security Breach", Personal Information Protection Act Information Sheet 11 (April 2010): http://pipa.alberta.ca/resources/pdf/infosheet11.pdf.)
As a result of these requirements, it is important to ensure that all service contracts explicitly require the contractor to immediately inform the organization of any possible or suspected data breach, so that the organization can satisfy its PIPA obligations.
Personal Information Crossing Borders
The next major change to PIPA relates to use of a service provider outside of Canada to collect, use, disclose or store personal information for, or on behalf of, the organization. The definition of a "service provider" is very broad and includes a subsidiary or affiliate of an organization and the trigger is the transfer of information to a service provider across borders, where the organization required consent from the individual to collect the personal information. Organizations that use foreign service providers to collect personal information or that transfer personal information to foreign jurisdictions must, either prior to or at the time of the collection or transfer, notify individuals of their policies and practices with respect to those providers.
Access and Privacy has stated that notification is required only when personal information is collected with the individual's consent. "If the organization is collecting personal information without consent (and is authorized to do so under section 14 PIPA), the organization is not required to notify the individual." "Personal employee information" which is transferred to a service provider in another country will also not trigger the requirement for notification, as the organization was not required to obtain the individual's consent to collect, use and disclose this information in the first place. In addition, Access and Privacy has indicated that notifications, where required, may be given orally or in writing and may be included on the form used to collect personal information or on a regular statement or newsletter or through a recorded message or email. Finally, it is important to note that the requirement, where applicable, is only to notify individuals; organizations are not required to obtain an individual's consent to use a service provider outside Canada. (See Service Alberta, "Service Providers Outside Canada: Notification, Policies and Practices", Personal Information Protection Act Information Sheet 12 (April 2010): http://pipa.alberta.ca/resources/pdf/infosheet12.pdf.)
Under existing legislation, some non-profit organizations are only covered when they engage in a commercial activity, for example, organizations incorporated under the Societies Act or the Agricultural Societies Act, or registered under Part 9 of the Companies Act. Other non-profit organizations are subject to PIPA regardless of the activities in which they engage. However, contrary to the Committee's recommendations, the amendments to PIPA do not contain a provision to include all non-profit organizations in Alberta under PIPA. As such, it is still necessary to carefully analyze whether a non-profit organization will be covered under PIPA.
Other amendments to PIPA include:
- Individuals are deemed to consent to the collection, use, or disclosure of personal information for the purposes of enrolment in or under an insurance policy, pension plan, pension benefit, or similar plan;
- Extension of the limitation period for prosecution of an offence to two years;
- It is no longer necessary to prove that a person acted "wilfully" in order to be convicted of an offence under PIPA;
- Personal information can now be collected, used, or disclosed without consent where it is necessary for compliance with a collective bargaining agreement, audits, or investigations;
- Failure to respond to an access request within 45 days will be deemed to be a refusal of access;
- Organizations may provide the name, position name, or title of an individual who can respond to questions about an organization's information-handling practices;
- The provisions discussing collection, use, or disclosure of personal employee information are now similar to those in the Personal Information Protection Act of British Columbia;
- Organizations must have consent to collect, use or disclose personal information about a former employee, except that an organization may now disclose personal information about a former employee without consent where it was collected as personal employee information and it is reasonably necessary for an employment reference;
- Where information is no longer needed for legal or business purposes, organizations must destroy personal information or render it non-identifiable;
- The Commissioner may now refuse to conduct or discontinue an investigation or review where a complaint is frivolous, vexatious, not made in good faith or where circumstances warrant;
- Legal privilege is not lost where the Commissioner requires disclosure of such information; and
- The Commissioner shall not be compelled to provide evidence in a court with respect to information obtained in performing responsibilities under the Act. The Commissioner may disclose information to the Minister of Justice and the Attorney General relating to the commission of an offence under the laws of Alberta or Canada, where the Commissioner considers there is evidence of an offence.
The revisions to the Alberta PIPA are the most significant amendments so far to Canadian private sector privacy legislation. Organizations with any presence in Alberta should be considering whether they need to amend their policies and practices to align with the Alberta requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.