Privacy Advisor

CANADA—Government reintroduces PIPEDA amendment bill

November 1, 2011

By John Jager, CIPP, CIPP/C

On September 29, the government of Canada reintroduced a bill that will amend the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The previous attempt to amend PIPEDA—Bill C-29—died when the last Parliamentary session ended. Bill C-12, titled the Safeguarding Canadians’ Personal Information Act, contains many of the same provisions found in Bill C-29.

Breach notification

One of the key amendments will require organizations to report to the Privacy Commissioner of Canada any material breach of security safeguards involving personal information under their control. Factors to be considered in determining whether a breach is material include the sensitivity of the personal information, the number of individuals affected and an assessment by the organization that the cause of the breach, or a pattern of breaches, indicates a systemic problem.

Organizations must also notify affected individuals of the breach (unless otherwise prohibited by law) if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual. Significant harm can include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record or damage to or loss of property. Factors to consider in determining whether there is a real risk of significant harm include the sensitivity of the personal information and the probability that the personal information has been, is being or will be misused.

Notice must be given as soon as feasible after the organization confirms that the breach has occurred and concludes that it is required to give the notification. Organizations that provide notice to individuals subsequent to a breach must also notify other organizations or government institutions that may be able to reduce the risk of the harm that could result or that may be able to help mitigate that harm.

Changes affecting the employment context

The bill amends Section 4 (Application) such that Part 1 of the act does not apply to “business contact information” that an organization collects, uses or discloses solely for the purpose of communicating with the individual in relation to their employment, business or profession. Business contact information is defined as an individual’s name, position name or title, work address, work telephone number, work facsimile number, work electronic mail address and any similar information about the individual.

A new section is added that permits a federal work, undertaking or business to collect, use and disclose personal information without the consent of the individual when necessary to establish, manage or terminate an employment relationship and the individual has been informed that the personal information will be or may be collected, used or disclosed for those purposes.

Consent

A new Section 6.1 provides that the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting. Industry Canada notes that this proposed amendment to PIPEDA's consent regime will provide further protection for children online by requiring organizations to consider the ability of their target audience to comprehend the consequences of sharing their personal information.

Sharing of personal information

The bill amends section 7(3)—which deals with disclosures without the knowledge or consent of the individual—to add disclosures made to other organizations where the disclosure is necessary to investigate a breach of an agreement or a contravention of the laws of Canada or a province, or to prevent, detect or suppress fraud.

The bill also clarifies Section 7(3)(c.1), noting that “lawful authority” for the purposes of that section refers to lawful authority other than a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or rules of court relating to the production of records. It also provides that the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.

To address the sharing of personal information for the purposes of a prospective business transaction, the bill proposes a new Section 7.2(1), which provides that parties to such a transaction may use and disclose personal information without the knowledge or consent of the individual if the organizations have entered into an agreement that requires the organization that receives the personal information to use and disclose that information solely for purposes related to the transaction and to protect that information by security safeguards appropriate to the sensitivity of the information. If the transaction does not proceed, the personal information must be returned to the organization that disclosed it, or destroyed, within a reasonable time. The personal information must be necessary for the purposes of determining whether to proceed with the transaction and, if so, to complete it.

Impact on organizations

As noted above, the amendment that is most likely to impact all businesses subject to PIPEDA is the breach notification requirement. It can be anticipated that this bill will largely pass as introduced; therefore, it is strongly recommended that organizations review their breach response protocols to ensure that such programs are robust enough to meet the new notification requirements.

John Jager, CIPP, CIPP/C, is vice president of research services at Nymity, Inc., which offers Web-based privacy support to help organizations control their privacy risk. He can be reached at john.jager@nymity.com.