The Digital Privacy Act and PIPEDA
Summary of key changes to the Personal Information Protection and Electronic Documents Act
The Digital Privacy Act (formerly known as Bill S-4), received Royal Assent in June 2015, resulting in a number of significant amendments to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Many amendments came into force upon Royal Assent, while those relating to “breaches of security safeguards” (which generally include incidents commonly referred to as data breaches) will come into force following associated regulations being developed and put into place by the federal government.
- New language in PIPEDA regarding consent specifies what constitutes valid consent.
- Consent is considered valid only if it is reasonable to expect that individuals to whom an organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure, to which they are consenting.
- A new provision allows the Privacy Commissioner to enter into compliance agreements aimed at ensuring organizations comply with PIPEDA where the Commissioner believes on reasonable grounds that an organization has committed, is about to commit or is likely to commit an act or omission that could constitute a contravention of PIPEDA or a failure to follow a recommendation in Schedule I to the Act.
- Under a compliance agreement, an organization agrees to take certain actions to bring itself into compliance with PIPEDA. Entering into a compliance agreement would preclude the Privacy Commissioner from commencing or continuing a court application under PIPEDA in respect of any matter covered by the agreement.
- However, if an organization ultimately fails to live up to commitments in an agreement, the OPC could, after notifying the organization, either apply to the court for an order requiring the organization to comply with the terms of the agreement, or commence or reinstate court proceedings under PIPEDA as appropriate.
Public Interest Disclosures
- PIPEDA’s confidentiality provisions continue to apply, but the scope of what can be disclosed in the public interest has been broadened. The Commissioner may now make public any information that comes to his knowledge in the performance or exercise of his duties or powers under the Act if he deems that doing so is in the public interest. Previously, this discretion applied only to information “relating to the personal information management practices of an organization.”
Scope of Application
Business contact information
- Amendments specify PIPEDA does not apply in respect of business contact information–including email addresses–which an organization collects, uses or discloses solely for the purpose of communicating with a person in relation to their employment, business or profession.
Expanding definition of Federal Workplace, Undertaking or Business (FWUB)
- The definition of a FWUB has been redefined to include “an authorized foreign bank.”
- PIPEDA now applies to the personal information of applicants for employment with FWUBs as opposed to only employees of such institutions.
Exceptions to Consent
There are also a number of new situations in which personal information can be collected, used or disclosed without consent.
Investigations / Fraud detection and prevention
- Organizations may now disclose personal information without consent to another organization in certain circumstances. Firstly, the disclosure must be reasonable for the purposes of:
- investigating a breach of an agreement or contravention of a law that has been, is being or is about to be committed; or
- detecting or suppressing fraud or of preventing fraud that is likely to be committed.
- As an additional requirement, in such cases, it must be reasonable to expect that disclosure with the knowledge or consent of an individual would compromise the investigation or the ability to prevent, detect or suppress the fraud.
- PIPEDA’s previous investigative body scheme, which allowed disclosures without consent to a designated investigative body, has been repealed.
- New provisions allow use and disclosure of personal information without consent in connection with business transactions, provided certain conditions are met. Business transactions are defined in the Act and include, for example, the sale of a business, a merger or the lease of a company’s assets.
- Organizations that are parties to a prospective business transaction can only use and disclose the personal information if it is necessary to decide whether to proceed with or complete the transaction. In addition, the organization receiving personal information must enter into an agreement to use or disclose the information for the sole purpose of the transaction, to protect it, and to return or destroy the information if the transaction does not proceed.
- If the transaction is completed, the parties have to enter into an agreement to limit the use or disclosure of the information to the purposes for which it was collected, to protect it, and give effect to any withdrawals of consent. In addition, the information must be necessary for carrying on the activity that was the object of the transaction and individuals must be notified their personal information has been transferred to a new owner.
- These provisions do not apply to a business transaction which primarily involves the sale or lease of personal information.
Witness statements in insurance claims
- Amendments allow the collection, use and disclosure of personal information in witness statements without consent where “necessary to assess, process, or settle an insurance claim.”
Identifying injured, ill, deceased; communicating with next of kin
- Disclosures without consent to a government institution, individual’s next of kin, or authorized representative are permitted if necessary to identify an individual who is injured, ill or deceased. If alive, the individual has to be informed in writing that the disclosure took place.
- An organization also has the discretion to disclose personal information without consent to a government institution that has requested the information, identified its lawful authority to obtain the information, and indicated that the disclosure is requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased person.
- Organizations such as banks now have the authority to disclose personal information without consent to a government institution or an individual’s next of kin or authorized representative when they have reasonable grounds to believe the individual “has been, is or may be the victim of financial abuse.”
- Organizations may make the disclosure only for the purpose of preventing or investigating the abuse, and only if it is reasonable to expect that the disclosure with the knowledge or consent of an individual would compromise the ability to prevent or investigate the abuse.
Employment relationships in federally-regulated workplaces
- Within a federal work, undertaking or business (FWUB, such as telecommunications and broadcasting companies, airlines and banks), consent is not required for the collection, use or disclosure of personal information where necessary to establish, manage or terminate an employment relationship. The organization must, however, inform individuals in advance that their personal information could be collected, used or disclosed for such purposes.
Personal information produced in the course of employment, business or profession
- Organizations may collect, use or disclose personal information produced by an individual in the course of an individual’s employment, business or profession without the individual’s consent - as long as such collection, use or disclosure is consistent with the purpose for which the information was produced.
Time limit for court applications
- The time limit for court applications under PIPEDA has been changed from 45 days to one year (or a longer period that the Court may allow).
Breach reporting, notification and recordkeeping
IMPORTANT NOTE: While all other new provisions came into force upon the Act gaining Royal Assent, those dealing with breach reporting, notification and recordkeeping will be brought into force only after related regulations outlining specific requirements are developed and in place. Those seeking information about the regulation-making process should direct inquiries to Industry Canada.
- Once in force, a major change is a new requirement for organizations to report to our Office and notify affected individuals and relevant third parties (in certain circumstances) about “breaches of security safeguards” that pose a “real risk of significant harm” to affected individuals. “Breach of security safeguards” is defined in PIPEDA and generally includes what is commonly known as a data breach.
- The concept of “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft among others. Factors that organizations will need to consider when assessing the presence of a real risk of significant harm include the sensitivity of the information involved and probability that the information was or will be misused (or any other prescribed factor).
- Notification to affected individuals and reporting to the OPC will be required as soon as feasible after an organization determines that the breach has occurred. An organization will also be required to notify any other organization or government institution if it believes the other body may be able to reduce the risk of or mitigate the harm. For example, a retailer could notify a credit card issuing bank or law enforcement agency. The consent of individuals would not be required for such disclosures.
- Organizations will also be required to keep a record of all breaches involving personal information and provide a copy to the OPC upon request. Organizations that knowingly fail to report to the OPC or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches could face fines of up to $100,000.
- More specific requirements relating to breaches will be set out in associated regulations to be developed by the federal government.
- Until the provisions come into force, breach reporting will remain voluntary. We continue to urge organizations to report breaches to our Office by visiting our privacy breaches reporting web page and to notify affected customers where appropriate in accordance with our breach notification guidelines.
- Date modified: