Proposed amendments to PIPEDA: Affecting employers and business transactions

October 2011 Employment and Labour Bulletin

introduction

On September 29, 2011, Bill C-12, the Safeguarding Canadians’ Personal Information Act, was introduced by the federal government. If the bill is passed, it will amend the Personal Information Protection and Electronic Documents Act (“PIPEDA”).[1] Bill C-12 is a re-introduction of Bill C-29, which expired due to the dissolution of Parliament in March 2011. The stated purpose of the bill, according to a press release from Industry Canada, is “…to help protect consumers and businesses from the misuse of their personal information…”[2]

PIPEDA’s history

Initially, PIPEDA only affected personal information collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses, such as banks and airlines. In 2004, application of the statute was extended to the collection, use or disclosure of personal information that arose during the course of any commercial activity. PIPEDA also applies to all personal information in all interprovincial and international transactions by all organizations subject to PIPEDA in the course of their commercial activities.

why have new amendments been proposed?

This Bill implements responses to concerns raised by the government’s first Parliamentary review of PIPEDA. The proposed amendments are intended to:

  • Protect and empower consumers;
  • Clarify and streamline rules for business organizations;
  • Improve investigation and enforcement of the privacy law; and
  • Improve the language of legislation and technical drafting corrections.

significant proposed amendments to PIPEDA

Currently, PIPEDA requires the individual’s knowledge and consent for any collection, use or disclosure of personal information, unless a legislated exception applies. The amendments are aimed at clarifying the rules that organizations must abide by, and the significant amendments are as follows:

  • Valid consent is defined for the purpose of collecting, using or disclosing personal information
  • Personal information can be collected, used or disclosed, without the consent or knowledge of the individual for the following prescribed purposes:
      o It is produced in the course of their employment;
      o It is required to manage, establish or terminate employment relationships; or
      o It is related to business transactions
  • Organizations must report material breaches to the Privacy Commissioner and notify affected individuals and organizations

discussion of the proposed amendments

definition of valid consent

Consent is considered valid when it is reasonable to expect that an individual grasps the nature, purpose, and consequences of their consent.

information produced in the course of an individual’s employment

Currently, PIPEDA does not articulate any exception for the collection, use, or disclosure of personal information, without consent, if the information is produced in the course of an individual’s employment. The proposed exception permits an organization to collect, use, or disclose personal information produced during the course of an individual’s employment, business, or profession. This requires, however, that the personal information is used for a purpose consistent with the purpose for which the information was produced.

information for the management, establishment, or termination of an employment relationship

The proposed amendment introduces an exception to the consent requirement if the following two requirements are met:

  • The collection, use or disclosure of the personal information is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; and
  • The individual was informed that the personal information would be or may be collected, used or disclosed for the purposes described above.

exclusions related to business transactions

Bill C-12 also introduces a disclosure exception for personal information in the context of prospective or completed business transactions. The proposed amendments introduce a non-exhaustive definition of a “business transaction”. This exception would permit disclosure of personal information, without consent or knowledge, if:

  • The information is necessary for the parties to determine whether to proceed with the transaction, and the information is necessary to complete the transaction; and
  • The parties have entered into a confidentiality agreement requiring the recipient organization to: (i) use and disclose information solely for purposes related to the transaction, (ii) use security safeguards to protect the information, and (iii) return the information to the disclosing organization, or destroy it, if the transaction does not proceed.

This disclosure exception does not apply if the primary purpose or result of the transaction is the acquisition of personal information.

material breaches of security safeguards must be reported

A significant amendment to PIPEDA is the mandatory reporting provision that requires any “material breach of security safeguards” to be reported to the Information and Privacy Commissioner. An organization must determine whether it is required to report the breach, having regard for the sensitivity of the disclosed personal information, the number of individuals affected by the breach, and whether the cause of the breach indicates a systemic problem.

The amendments further require organizations to notify the affected individual if it is reasonable to believe the breach “creates a real risk of significant harm to the individual.” The legislation defines “significant harm” non-exhaustively, and includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.” It can be seen from this definition that the legislature is attempting to capture offences that have developed as a result of the current marketplace. A real risk of significant harm is determined by considering the sensitivity of the information and the probability that the personal information is being or will be misused.

conclusion

Bill C-12 re-introduces substantive amendments that will clarify a business’s responsibility under PIPEDA, and these changes will impact existing approaches to privacy. As technology is swiftly changing, the ongoing changes to Canada’s legislation will require continued compliance efforts and review of information practices.

by George Waggott and Katherine Ng, student-at-law

[1] Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

[2] Industry Canada, Press Release, “Government of Canada Moves to Enhance Privacy of Individuals during Commercial Transactions” (29 September 2011).

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2011
