Alberta's Bill 54, which came into force on May 1, 2010, fine-tunes the Alberta Personal Information Protection Act (“PIPA”), which regulates how private sector organizations collect, use, disclose, protect and provide access to personal information. As a result of the amendments to PIPA prescribed by Bill 54, organizations operating in the Alberta private sector will now have to comply with more stringent privacy requirements. In this article we will briefly discuss the nature of the amendments made to PIPA and how such changes impact the franchise industry.
The provisions of Bill 54 expand the definition of “personal employee information” to include information about a former employee as well as information used for managing a post-employment relationship, providing for more consistent standards of handling personal information of employees. The compliance obligations under PIPA regarding information which is collected, used and disclosed by both franchisors and franchisees are thus broadened to include such information about prior employees (which includes directors, officers, volunteers, and contractors or agents providing services) and post-employment related information.
Other legislative changes made as a consequence of Bill 54 include:
- Organizations now have a positive obligation to destroy or anonymize personal information once the organization no longer requires it for legal or legitimate business purposes.
- The ambit of penalties for noncompliance has been widened as the “wilful” requirement has been removed such that an organization could commit an offence even if it acted unintentionally.
Perhaps the most important amendments made to PIPA are the following new notification provisions.
Transferring Personal Information Outside Canada
Organizations are now required to (1) notify individuals when they will be transferring individuals’ personal information to a service provider outside Canada, and (2) include information regarding this outsourcing practice in the organization’s policies and practices. These changes are particularly relevant for both franchisors and franchisees who are part of a system that is controlled or managed by a foreign parent company and who transfer personal information to that parent company about their respective franchisees, employees, directors, officers and other agents. In addition, any franchisors or franchisees that utilize service providers located outside of Canada will need to remain cognizant of, and compliant with, such new notification provisions. It should be noted that this new notification requirement is in addition to the requirement to notify individuals about the purposes of the collection of their personal information and to provide contact information for someone who can answer any questions.
Personal Information Lost, Accessed or Disclosed without Authorization
The new notification provisions also require organizations to notify the Privacy Commissioner of Alberta if personal information under the organization’s control is lost, accessed or disclosed without authorization in circumstances “where a reasonable person would consider that there exists a real risk of significant harm to an individual”, thus making Alberta the first Canadian jurisdiction to require mandatory security breach notification. Once notified, the Commissioner will review the information provided by the organization and determine whether affected individuals need to also be notified of the security breach in order to allow the individuals to take steps to reduce their risk of harm, or the extent of the harm, if possible.
In response to the amendments, both franchisors and franchisees should take the following steps:
(1) Consider whether any foreign entities - including service providers, parent corporations and other affiliated organizations within the franchise system - receive, store or have access to “personal information” or “personal employee information” that is subject to PIPA. If so, review the policies and practices surrounding the transfer of information and update them to incorporate the requisite information and notification requirements.
(2) Incorporate in their privacy breach protocol a step to notify the Privacy Commissioner of any serious security breach.
(3) Review current policies with respect to collecting, using or disclosing personal employee information after the employee leaves the organization.
(4) Revise record retention and destruction policies and procedures, so that personal information is destroyed or "anonymized" once no longer required.
Proposed Amendments to Federal Privacy Legislation
On May 25th, 2010, the Federal Government of Canada announced proposed amendments to the Personal Information Protection and Electronic Documents Act ("PIPEDA") in Bill C-29 to address public concern about the increasing number of data breaches involving personal information. Bill C-29 is currently at the first reading stage in the House of Commons.
Significant changes proposed by Bill C-29 include a new requirement under PIPEDA for federally regulated organizations to report all material data breaches to the Privacy Commissioner of Canada and to notify individuals where the breach poses a real risk of "significant harm", such as identity theft or fraud, or damage to the individual's reputation. "Significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property. Bill C-29 also addresses how the private sector deals with demands by governmental agencies for customer information; the proposed amendments would make it clear that organizations may collaborate with government institutions (such as law enforcement and security agencies that have requested personal information) in the absence of a warrant, subpoena or order if the institution or agency has lawful authority to request the information. Furthermore, a new provision would prohibit organizations from notifying individuals about the disclosure of personal information to law enforcement and security agencies where the government institution to which the information was disclosed objects to the notification in order to prevent jeopardizing investigations.
Bill C-29 also proposes the addition of new exceptions to the requirement of consent for the collection, use and disclosure of personal information. Examples of when federally regulated organizations would be allowed to collect, use and disclose information without the consent of the individual employee include the following:
- Where it is necessary to establish, manage or terminate an employment relationship, provided that the employee is given notice of the purpose for which their information will be collected, used and disclosed.
- Where the information is produced by individuals in the course of their employment, business or profession (work product) provided the collection, use and disclosure of the information is consistent with the purposes for which the information was produced.
- The disclosure of information by one organization to another organization where the disclosure is necessary to investigate a breach of an agreement, a contravention of the laws of Canada or a province, or the information is disclosed to prevent, detect, or suppress fraud when it is reasonable to expect that the knowledge or consent of the individual to such disclosure would undermine the ability to prevent, detect, or suppress the fraud.
In addition, Bill C-29 proposes to expand the definition of "business contact information" to include an individual's work email address and other business contact information in addition to their name, position name or title, work address, work telephone, and work fax numbers. Business contact information will not be subject to the consent rules contained in PIPEDA provided it is collected, used or disclosed solely for the purpose of communication with the individual in relation to their employment, business or profession.