The Government of Canada re-introduced amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), on September 29, 2011, providing the Government response to the first (2006) statutory review of the federal privacy legislation. Bill C-12, the Safeguarding Canadians' Personal Information Act (the “Bill”), implements the Response to the Report of the Standing Committee on Access to Information, Privacy and Ethics. A preliminary overview of Bill C-12 is set out below.
Highlights of Bill C-12
1. Data breach notification
If passed, the Bill will add a new breach notification requirement to PIPEDA.
i. Definition
“Breach of security safeguards” is defined in subsection 2(1) as “the loss of, unauthorized access to, or unauthorized disclosure of, personal information resulting from a breach of an organization’s security safeguards that are referred to in clauses 4.7 to 4.7.5 of Schedule 1 or from a failure to establish those safeguards.”
ii. Report to Commissioner
The Bill provides in section 10.1 that an organization shall report to the Commissioner “any material breach of security safeguards involving personal information under its control.” The factors relevant to determining materiality include:
- the sensitivity of the personal information;
- the number of individuals whose personal information was involved; and
- an assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem.
The report must be made “as soon as feasible after the organization determines that a material breach of its security safeguards has occurred.” The nature and content of the report will be prescribed in the Regulations.
iii. Notification to individual
The Bill provides in section 10.2 that an organization shall notify an affected individual “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” This is the same test found in Alberta’s PIPA for notification both to the Commissioner and to the individual. Note that under the Bill this threshold is distinct from the materiality test in section 10.1 for reporting to the Commissioner: the two assessments are made separately, so a breach may have to be reported to the Commissioner whether or not any individual must be notified.
“Significant harm” is defined to include “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” The factors relevant to determining whether harm is significant include:
- the sensitivity of the personal information involved in the breach; and
- the probability that the personal information has been, is being or will be misused.
Notification must be given “as soon as feasible after the organization confirms that the breach has occurred and concludes that it is required.” The form, manner and content of the notification will be prescribed in the Regulations; at a minimum, however, the notice must contain “sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of the harm that could result from it or to mitigate the harm.”
iv. Notification to organizations
The Bill provides in section 10.3 that an organization that notifies an individual under section 10.2 shall also notify “another organization, a government institution or a part of a government institution of the breach if that organization, government institution or part may be able to reduce the risk of harm that could result from it or mitigate that harm.” This section also provides for Regulations that may set out additional considerations.
Subsection 10.3(3) provides that an organization that notifies another organization, a government institution or a part of a government institution of a breach may do so without the knowledge or consent of the individual.
It should be noted that the Bill provides for no administrative monetary penalties should an organization fail to report a breach to the Commissioner or fail to notify an individual or another organization of it.
2. Business contact information
A new section 4.01 excludes “business contact information” from the application of Part 1 of PIPEDA, where this information is collected, used or disclosed by an organization solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession. “Business contact information” is defined in the Bill to include “an individual’s name, position name or title, work address, work telephone number, work facsimile number, work electronic mail address and any similar information about the individual.”
3. Law enforcement
A key focus of the Bill relates to law enforcement and national security interests, with amendments that clarify that organizations may disclose personal information to government institutions that have requested it under lawful authority, even in the absence of a warrant, subpoena or order.
A new paragraph 7(3.1)(a) clarifies what is meant by “lawful authority,” stating that, for the purposes of paragraph 7(3)(c.1), lawful authority means “lawful authority other than:
- a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or
- rules of court relating to the production of records.”
A new paragraph 7(3.1)(b) states, further, that an organization that discloses personal information is “not required to verify the validity of the lawful authority” identified by the government institution. Paragraph 7(3)(c.1) remains permissive: an organization may, but is not obliged to, disclose in response to such a request, and paragraph 7(3.1)(b) only relieves it of the burden of verifying the lawful authority the institution asserts.
In introducing the new section 7.5, the Government’s Backgrounder states, “to avoid jeopardizing investigations, new provisions … prohibit organizations from notifying an individual about the disclosure of their personal information to law enforcement ... where the government institution to whom the information was disclosed objects.” An organization that intends, “on its own initiative,” to inform an individual about the disclosure of their personal information to law enforcement, or to give the individual access to that information, must first notify the government institution of its intention and must not take the action before the earlier of (a) 30 days after giving that notice and (b) being told by the government institution that it does not object.
Subsection 7.5(3) makes clear that a government institution may object only if “it is of the opinion that the action could reasonably be expected to be injurious to
- national security, the defence of Canada or the conduct of international affairs;
- the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or
- the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.”
Where a government institution objects under the new subsection 7.5(3) to the organization informing the individual or giving access, the organization must notify the Commissioner, “in writing and without delay,” of the objection. None of this information may be disclosed to the individual.
4. Investigative bodies and fraud prevention
The Bill streamlines the current process for designating investigative bodies, which the Government’s Backgrounder describes as “burdensome for small and medium-size organizations” and which is generally recognized as cumbersome for applicants who need the designation to conduct investigations under the Act. The government has, however, chosen not to follow the approach of the Alberta and B.C. Personal Information Protection Acts (PIPAs) by introducing a definition of “investigation.”
With respect to fraud prevention, the new paragraph 7(3)(d.1) provides that organizations may disclose personal information to another organization to “prevent, detect or suppress fraud when it is reasonable to expect that the disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud.” Further, under paragraph 7(3)(d.2), organizations may, on their own initiative, disclose personal information to a government institution or the individual’s next of kin or authorized representative where there are “reasonable grounds to believe the individual has been, is or may be the victim of financial abuse” and the disclosure is made solely to prevent or investigate the abuse.
5. Individual, family and public interest exceptions
The Bill adds consent exceptions in paragraphs 7(3)(c.1)(iv) and 7(3)(d.3) that permit the disclosure of personal information to help locate missing persons and to identify individuals who are injured, ill or deceased.
6. Business transactions
Consistent with the approach taken in the Alberta and B.C. PIPAs, the Bill allows organizations to use and disclose personal information without the knowledge or consent of the individual where the organization has entered into a “business transaction,” defined in subsection 2(1) as including:
- the purchase, sale or other acquisition or disposition of an organization or a portion of an organization, or any of its assets;
- the merger or amalgamation of two or more organizations;
- the making of a loan or provision of other financing to an organization or a portion of an organization;
- the creating of a charge on, or the taking of a security interest in or a security on, any assets or securities of an organization;
- the lease or licensing of any of an organization’s assets; and
- the arrangement between two or more organizations to conduct a business activity other than the processing of personal information referred to in clause 4.1.3 of Schedule 1.
The Bill sets parameters for the use and disclosure of personal information without consent in the context of a business transaction. Specifically, among other things, the new section 7.2 stipulates that the personal information must be (i) used and disclosed solely for purposes related to the transaction; (ii) protected by appropriate security safeguards; and (iii) returned or destroyed if the transaction does not proceed.
Obligations continue to apply once the transaction is completed. Under the new paragraph 7.2(2)(a)(iii), the organizations must give effect to any withdrawal of consent by an individual and, under the new paragraph 7.2(2)(c), one of the parties to the transaction must notify “the individual, within a reasonable time after the transaction has been completed, that the transaction has been completed and that their personal information has been disclosed.”
In spite of the above, the new subsection 7.2(4) makes clear that these provisions do not apply to business transactions where “the primary purpose or result of the transaction is the purchase, sale or other acquisition or disposition, or lease, of personal information.”
7. Employer/employee relationship
The Bill responds to calls from various stakeholders, including the Privacy Commissioner of Canada, to better address consent in the context of employer/employee relationships.
As noted above, a new section 4.01 is added to exclude business contact information from application of Part 1 of the Act, where this information is collected, used or disclosed by an organization “solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.”
In addition, a new section 7.3 makes clear that a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual if “the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship,” and the organization “has informed the individual that the personal information will be or may be collected, used and disclosed for those purposes.”
The new section 7.2 (see Business transactions, above) further clarifies that an organization may use and disclose employee personal information for purposes other than those for which it was collected in the context of a business transaction.
The Bill also amends paragraph 4(1)(b) so that personal information about an employee now includes information about an applicant for employment with the organization.
8. Work product
While the amendments do not include a definition of “work product” or otherwise exempt work product information from application of the Act, new paragraphs 7(1)(b.2), 7(2)(b.2) and 7(3)(e.2) have been added to clarify that an organization may collect, use and disclose personal information, respectively, without the knowledge or consent of the individual if the information was produced by the individual in the course of their employment, business or profession and the collection, use or disclosure is consistent with the purposes for which the information was produced.
9. Valid consent
A new section 6.1 is added to define when consent is valid, as follows:
6.1 For the purposes of clauses 4.3 to 4.3.8 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting.
Industry Canada has stated that the enhancements to the consent provisions of the Act are designed to “further protect the personal information of minors.”