Alberta's Bill 54, which came into force on May 1, 2010, fine-tunes the Alberta Personal Information Protection Act (“PIPA”), which regulates how private sector organizations collect, use, disclose, protect and provide access to personal information.
Organizations operating in the Alberta private sector will now have to comply with more stringent privacy requirements. The amendments prescribed by Bill 54 clarify and expand organizations’ obligations under PIPA relating to collecting, using or disclosing employee information. Specifically, the definition of “personal employee information” is expanded to include information about a former employee as well as information used for managing a post-employment relationship, providing for more consistent standards of handling personal information of employees.
Further, organizations now have a positive obligation to destroy or anonymize personal information once the organization no longer requires it for legal or legitimate business purposes. Lastly, the amendments also broaden the ambit of penalties for non-compliance: the “wilful” requirement has been removed, so that an organization can commit an offence even if it acted unintentionally.
But perhaps the most important amendments to PIPA are the new notification provisions requiring organizations to notify individuals before transferring personal information to a foreign service provider, and to notify the Privacy Commissioner of Alberta if personal information is lost, accessed or disclosed without authorization. We will discuss these new requirements in greater detail below.
Transferring Personal Information Outside Canada
The amendments impose additional obligations on organizations that use service providers outside of Canada to collect, use, disclose or store personal information. Organizations are now required to (1) notify individuals when they will be transferring individuals’ personal information to a service provider outside Canada, and (2) include information regarding this outsourcing practice in the organization’s policies and practices. These changes are particularly relevant for those organizations that are controlled by a foreign parent company and transfer personal information to that parent company.
It should be noted that this new notification requirement is in addition to the requirement to notify individuals about the purposes of the collection of their personal information and to provide contact information for someone who can answer any questions.
Personal Information Lost, Accessed or Disclosed without Authorization
Alberta is the first Canadian jurisdiction to require mandatory security breach notification in the private sector. PIPA, as amended by Bill 54, requires organizations to notify the Privacy Commissioner of Alberta if personal information under the organization’s control is lost, accessed or disclosed without authorization. This reporting obligation arises “where a reasonable person would consider that there exists a real risk of significant harm to an individual”. Failure to notify the Commissioner of a breach that may pose a real risk of significant harm to individuals is an offence.
Once the Commissioner is notified, the Commissioner will review the information provided by the organization and determine whether affected individuals need to also be notified of the security breach. If so, the Commissioner can direct an organization to notify individuals in the form and manner prescribed by the Regulations. The fundamental purpose of notifying individuals of a security breach is to allow the individuals to take steps to reduce their risk of harm, or the extent of the harm, if possible. Thus, an organization must report a security breach to the Commissioner without unreasonable delay, as the longer the delay between the breach and notification, the less useful the notification will be.
Tips for Organizations
In response to the amendments, your organization should:
- Consider whether a foreign entity receives, stores, or has access to personal information or personal employee information that is subject to PIPA. If so, review the policies and practices surrounding the transfer of information and update them to meet the new information and notification requirements.
- Incorporate in its privacy breach protocol a step to notify the Privacy Commissioner of any serious security breach.
In addition, your organization should also:
- Review current policies with respect to collecting, using or disclosing personal employee information after the employee leaves the organization.
- Revise record retention and destruction policies and procedures, so that personal information is destroyed or "anonymized" once no longer required.