This post was written prior to our January 2017 merger, under our previous firm name, MacPherson Leslie & Tyerman LLP.
On Wednesday, June 17, 2015, the House of Commons passed Bill S-4, An Act to Amend the Personal Information Protection and Electronic Documents Act and to Make a Consequential Amendment to Another Act (commonly referred to as the “Digital Privacy Act”). The bill subsequently received royal assent on Thursday, June 18, 2015, to become law.
Background to the Digital Privacy Act or “Bill S-4”
The Digital Privacy Act makes, as its complete title would suggest, a number of important amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). These amendments are intended to modernize the privacy rights and obligations contained in PIPEDA, and include several notable changes that will affect private organizations across Canada. While some of the key amendments will not come into effect until a later date, private sector organizations should review their privacy policies and practices to ensure that they take these important amendments into account. The following is a summary of the key amendments organizations should consider.
Key Amendments to PIPEDA
While there are a number of amendments to PIPEDA, the following are some of the key items that will impact private organizations:
- Clarification on what it means to have “Valid Consent”: The amendments clarify the requirements for obtaining valid consent from individuals. In particular, an individual’s consent is only valid when it is reasonable to expect that the individual understands the nature, purpose, and consequences of the collection, use, or disclosure of personal information. In order to comply with this requirement, organizations should review how they are obtaining and recording consent, and confirm that such practices are aligned with this new requirement.
- Employee Information and Work Product: The amendments:
  - Extend the application of PIPEDA to the personal information of employees of a federal work, undertaking, or business, to also include applicants for employment with a federal work, undertaking, or business.
  - Permit federal works, undertakings, or businesses to collect, use, and disclose personal information “necessary to establish, manage, or terminate an employment relationship”.
  - Permit the collection, use, and disclosure, without consent, of information “produced by the individual in the course of their employment, business, or profession”, or information which is typically referred to as “work product”.
  - Remove “business contact information” from the application of PIPEDA when it is collected, used, or disclosed for the purpose of communicating with the individual in relation to their employment, business, or profession. Business contact information is defined as an individual’s name, position name or title, work address, work telephone number, work facsimile number, work electronic mail address, and any similar information about the individual.

  In order to comply with these requirements, organizations should consider their privacy policies with respect to employees, and ensure that such policies are aligned with the additional obligations placed on employers by these amendments.
- Business Transactions: Notably, the amendments introduce a new “business transaction” exception to enable use and disclosure of personal information without consent for certain purposes related to anticipated or completed “business transactions”. Business transactions include the sale or transfer of business assets, mergers or amalgamations of organizations, the provision of financing, the creation of security interests, leases or licensing of assets, or other arrangements that will be prescribed by regulation. This is a welcome addition, and will clarify the obligations of parties in a business transaction, particularly with respect to due diligence requirements and where sharing of information is necessary to carry on the relevant business or activity following completion of the transaction. Organizations should keep in mind that the ability to share personal information in this context is subject to a requirement to enter into confidentiality agreements to protect such personal information, including by implementing appropriate safeguards.
- Disclosures Without Consent: The amendments introduce various additional “disclosure without consent” provisions. Such provisions include, among others, the ability to disclose personal information without consent for purposes of: communicating with next of kin of an injured, ill, or deceased individual, identifying injured, ill, or deceased persons, investigating breaches of agreements or laws, detecting, suppressing, or preventing fraud, or detecting or preventing financial abuse. Organizations should review the permitted disclosures in the context of their own activities to ensure that they have a clear understanding of how and when personal information can be disclosed without consent.
- Compliance Agreements: The amendments provide additional enforcement power to the Privacy Commissioner of Canada in the form of compliance agreements. In particular, the amendments (not yet in force) permit the Commissioner to enter into compliance agreements with an organization if the organization has, is about to, or is likely to commit an act or omission that could constitute a contravention of PIPEDA. If an organization does not comply with a compliance agreement, the Commissioner can seek an order from the Federal Court to require the organization to comply with the terms of the compliance agreement. While these provisions and enforcement powers are new, they are largely a formalization of the Office of the Privacy Commissioner’s current practices. However, organizations should take note of the possibility of compliance agreements in the context of breaches of PIPEDA.
- Breach Notifications (not yet in force): One of the most notable concepts that the amendments introduce is the concept of mandatory breach notification obligations for organizations that have experienced a breach of security safeguards involving personal information under their control. In certain circumstances, organizations will be required to provide notice of the breach: (a) to the Office of the Privacy Commissioner of Canada, (b) to an individual whose personal information is involved, and/or (c) to other organizations or government institutions who can assist in reducing harms associated with the breach. The amendments will require organizations to assess breaches on a case-by-case basis to determine whether breach notifications are required. The key question in determining whether notifications are necessary will be to determine whether the breach creates “a real risk of significant harm” to an individual. Harms can include bodily injury, humiliation, financial loss, identity theft, and others. This determination is based on various factors outlined in PIPEDA (including the sensitivity of the personal information involved and the probability that it has been, is being, or will be misused). The amendments also create offences and significant penalties for failures to comply with breach notification obligations. As such, organizations should carefully monitor the status of this obligation and begin preparing to implement the concept of breach notifications into their existing privacy policies and practices to ensure that they are appropriately prepared when these obligations come into effect.
All of the foregoing amendments, except those relating to breach notifications, are already in force. Organizations should review their existing policies and procedures to determine what revisions are necessary to take into account and implement the new obligations imposed by these amendments. In almost all cases, this will require organizations to tweak their existing privacy policies and practices.