In May, the Standing Committee on Access to Information, Privacy and Ethics presented its report in connection with the five-year statutory review of the Personal Information Protection and Electronic Documents Act (the “Act”) to the House of Commons. The dissenting opinions of the Conservative and Bloc Quebecois members of the Committee were also presented with the Committee’s Report. While the Conservative dissenting opinion focuses on one of the Committee’s recommendations, described in this bulletin, the Bloc Quebecois’ dissent expresses disagreement with PIPEDA as a whole on jurisdictional grounds. The Committee did not recommend wholesale changes to the Act; instead, its recommendations focus on fine-tuning and clarifying the basic privacy principles and are modelled, to a large extent, on the “second-generation” private sector privacy laws of British Columbia and Alberta.
The following is an overview of some of the Committee’s key recommendations:
(i) Business Contact Information
The Act applies to “personal information”, which currently excludes only the name, title, business address or telephone number of an employee of an organization. The Committee has recommended excluding the broader category of “business contact information” from the scope of the Act, when this information is collected, used or disclosed for the purpose of contacting an individual in that individual’s capacity as an employee or official of an organization, and for no other purpose. The suggested definition of business contact information includes business phone numbers, addresses, email addresses and fax numbers, and is intended to accommodate additional means of contacting individuals that will be developed in the future.
(ii) Work Product
The Committee has recommended clarifying the distinction between information about an individual, which is personal information, and information generated in the course of a business activity, which is not personal information, by excluding “work product”, from the definition of personal information.
(i) Types of Consent
The Committee has responded to complaints that the Act does not currently provide sufficient guidance as to when different types of consent (express, opt-out or implied) are appropriate, and how they are to be obtained. It has recommended that the Act specify when consent will be implied, when opt-out consent is appropriate and how opt-out consent should be obtained.
(ii) Exceptions to Consent Requirement
The Committee recommended the following four additional exceptions to the general requirement that consent must be obtained in order to collect, use or disclose personal information:
- Employee Personal Information: information that an employer collects solely for the purpose of establishing, managing or terminating the employment relationship. An employer using this exemption should be required to take into account employee dignity and the degree of intrusion onto the employee’s life. This exception will likely allow certain types of employee surveillance.
- Business Transactions: information disclosed, under conditions of confidentiality, in the context of business transactions, for the purpose determining whether to proceed with the transaction and to carry out the transaction. If the transaction does not proceed, the information must be returned or destroyed. As well, disclosure must be limited to the least amount of identifiable information possible. Following a transfer of ownership, the individuals whose information has been disclosed must be notified, and the new owner must observe the original owner’s privacy policies until all the individuals have had an opportunity to choose whether to continue their relationships with the new owner.
- Agency: information collected, used or disclosed by one organization (the agent) of behalf of another (the principal), when the individual has given consent to the principal, the information is disclosed or collected for the same purpose, and the information is used to assist the agent in carrying out work on behalf of the principal.
- Litigation Process: information legally available to a party to a legal proceeding. This exception is intended to address concerns that privacy protection should not interfere with established legal processes.
The Committee also proposed: (i) replacing the existing exceptions for investigative bodies with an exception for information collected, used or disclosed for the purpose of an investigation; (ii) broadening the exception for information required for an emergency that threatens an individual’s life, health or security, to include other individual, family or public interest exemptions; (iii) clarifying the exception for disclosure to government institutions having lawful authority and making such disclosure mandatory; and (iv) deleting the recently added exception for collecting information for the purpose of making a disclosure when there is a suspicion that the information relates to national security, the defence of Canada or international affairs, or that is required by law. The Conservative members of the Committee have dissented from this last recommendation, on the basis that removal of this exception could threaten the safety of Canada’s civil aviation system and that the recommendation is premature and should not have been made in the absence of input from affected stakeholders.
The Committee has also recommended the following:
- Notification of Breach: in the case of a certain privacy breaches (specifics have not been provided), organizations should be required to report the breach to the Privacy Commissioner, who will decide whether the affected individuals and others should be notified, and if so, in what manner.
- Destruction of Information: a definition of destruction should be introduced, to clarify how organizations should destroy how personal information, in paper and electronic form.
- Transborder Data Flows: the Committee was of the view that the principle of accountability, which provides that an organization is accountable for the manner in which information is used by a third party, is sufficient to address any concerns about protecting personal information that is transferred to a third party outside of Canada
When the Committee presented its report to the House of Commons, it requested a comprehensive response from government. However, given the summer recess, a response may not be provided until the fall. Further, it is not certain that the government will endorse all of the Committee’s recommendations, especially given the Conservative Committee members’ dissenting opinion. We will monitor developments in the ongoing reform process and provide additional updates as events unfold.