A Special Committee recently presented to the Legislative Assembly of British Columbia its report arising from the statutory review of B.C.’s Personal Information Protection Act (PIPA). Appointed in 2007, the committee was commissioned to examine the provincial legislation governing the collection, use and disclosure of personal information by private sector organizations. Generally speaking, the recommendations in the committee’s report represent only a minimal tweaking of the existing legislation and reflect a perception that the legislation is working well for both individuals and organizations.

The recommendations include:

  • expressly requiring organizations to notify affected individuals of privacy breaches in particular circumstances (such as regarding unauthorized disclosure or use of sensitive financial or health information);
  • expressly requiring organizations to be responsible for personal information that they transfer to a third party for processing outside Canada;
  • restricting the use of “blanket” consent forms by provincially regulated financial institutions;
  • streamlining PIPA’s complaints processes; and
  • strengthening the powers of the Information and Privacy Commissioner.

McCarthy Tétrault Notes:

For many organizations subject to PIPA, the most significant proposed change may be the addition of an express breach notification requirement. The recommendation is similar, though, to those recently tabled with respect to Canada’s federal Personal Information Protection and Electronic Documents Act and Alberta’s private sector privacy legislation. In addition, many organizations have already started developing and implementing policies and procedures for detecting and responding to privacy breaches and for notifying individuals and regulators when they occur.

Although it may be some time before the committee’s recommendations are implemented as amendments to PIPA, organizations should revisit their current privacy policies to ensure that the appropriate mechanisms are in place. This may include, for example: (i) requiring that service providers notify the organization of any breaches involving personal information provided to the service providers by the organization; and (ii) ensuring that IT staff, risk management professionals, human resources personnel and other relevant individuals are prepared to respond to breaches.