On September 13, 2013, Manitoba joined Quebec, British Columbia and Alberta by enacting provincial private sector privacy legislation.
Once it comes into force, Manitoba’s Personal Information Protection and Identity Theft Prevention Act (PIPITPA) will govern the collection, use and disclosure of personal information, including that of employees, by organizations in the private sector.
The Manitoba legislation has been modelled closely after the Personal Information Protection Act (“PIPA”) in Alberta; however, meaningful differences exist. The most significant differences are summarized below.
- Breach notification – PIPITPA includes a broad breach notification obligation that requires an organization to notify an individual if personal information about the individual in its custody or under its control is stolen, lost or accessed in an unauthorized manner, unless it is not reasonably possible for the personal information to be used unlawfully. Unlike in Alberta, there is no “real risk of significant harm” test and no requirement to notify the privacy commissioner (who, in Alberta, then decides whether notice to individuals needs to be given).
- Private right of action for privacy breaches – PIPITPA creates a broad private right of action that will enable an individual to claim damages arising from an organization’s failure to protect personal information in its custody or under its control, or to provide a required notice of a data breach. Unlike under PIPA, the private right of action is not conditional upon a finding by a privacy commissioner (or ombudsman) that the organization failed to comply with the legislation. This, together with the broad and ambiguous legal language that can trigger a claim, is likely to encourage the commencement of privacy breach class actions in Manitoba.
- No complaint process – There remains uncertainty as to how PIPITPA will be enforced, as there is no formal complaint or review process, nor does PIPITPA provide regulation-making authority to implement one. The legislation does, however, include offences for (among other things) wilfully collecting, using or disclosing personal information in contravention of the legislation. As in PIPA, the offences are subject to fines of up to $100,000.
- Security requirements – PIPITPA authorizes the Lieutenant Governor in Council to prescribe security arrangements that organizations will need to follow in respect of personal information in their possession or under their control. As PIPITPA does not contain the specific requirements regarding destruction of personal information that PIPA does, it is possible that such requirements could form part of prescribed security arrangements.
- Information about former employees – PIPITPA does not include an exception to consent, similar to the one found in PIPA, for the collection, use or disclosure of personal information about former employees.
- Transfers to service providers outside Canada – PIPITPA does not include the prescriptive rules found in PIPA regarding an organization’s use of a service provider outside Canada to collect or process personal information on its behalf. However, there remains the possibility that such rules could be prescribed as part of a security arrangement.
- Name of person responsible for privacy – Both PIPA and PIPITPA require that, before collecting personal information, an organization notify individuals of the person designated to answer questions about the collection on the organization’s behalf. PIPITPA, however, requires that the name of that person be provided, whereas PIPA permits either the name or the title. Organizations subject to PIPITPA will therefore need to update their privacy policies and notices every time their designated privacy officer changes.
How It Affects Your Business
Organizations that already have processes in place to comply with Canada’s existing privacy laws will largely find that PIPITPA does not create new compliance obligations for them. Notable exceptions are the data breach notification requirements, the increased likelihood of related class actions, the potential for regulations to be used to prescribe minimum security requirements, and the requirement to disclose the name of the organization’s privacy officer.