Bill S-4, An Act to Amend the Personal Information Protection and Electronic Documents Act and to Make a Consequential Amendment to Another Act, has been wending its way through the Senate and the House of Commons since its introduction in April of 2014. As the name states, this legislation amends the Personal Information Protection and Electronic Documents Act (PIPEDA). The consequential amendment is to the Access to Information Act.
The Bill received second reading on June 2nd and should be passed before Parliament rises for the summer.
The Bill adds definitions to s. 2.
- Business Contact Information – the definition of personal information as “information about an identifiable individual” stays, but the wording excluding the business contact information of employees (name, title, address, telephone number) has been removed. A new definition for business contact information is created, and PIPEDA’s application to personal information does not extend to business contact information (clause 4, which creates new section 4.01);
- Applicants for jobs – the bill expands PIPEDA’s coverage to the personal information of applicants for employment with federal works, undertakings and businesses, in addition to employees, who were already covered;
- Consent – a new section 6.1 clarifies that, for an individual’s consent to the collection, use or disclosure of personal information, it must be “reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”;
- Exceptions to Consent
- Employment – another exception is for personal information produced in the course of an individual’s employment, business or profession when the collection, use or disclosure is “consistent” with the purposes for which the information was produced;
- Insurance – a new exception is added for personal information contained in a witness statement and “whose collection, use or disclosure is necessary to assess, process or settle an insurance claim”;
- Communicating About an Injured, Ill or Deceased Individual – disclosure is allowed when requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual or to identify the individual who was injured, ill or deceased. If the individual is alive, the organization must inform the individual without delay in writing of the disclosure;
- Breaches of Agreements or Laws, Fraud and Financial Abuse – disclosure without consent to another organization is allowed in order to investigate a breach of an agreement or a contravention, or anticipated contravention, of a federal or provincial law if it is reasonable to expect that obtaining the consent from the individual for the disclosure would compromise the investigation. A disclosure provision is also provided for the purposes of detecting or suppressing fraud, and disclosure without consent is permitted to a government institution or to the individual’s next of kin or authorized representative if there are reasonable grounds to believe that the individual has been the victim of “financial abuse,” and where it is reasonable to expect that obtaining the consent from the individual for the disclosure would compromise the ability to prevent or investigate the abuse;
- Business Transactions and Employee Information – organizations will be permitted to share personal information without consent for the purpose of engaging in a due diligence process for a “prospective business transaction” if the information is necessary to determine whether to proceed with the transaction or to complete it. The organization receiving the information must use and disclose it solely for purposes related to the transaction; protect it with appropriate security safeguards; and return the information or destroy it within a reasonable time if the transaction does not proceed. Once the transaction is completed, the organizations that have exchanged personal information may use and disclose it without the knowledge or consent of the individuals involved if the information is needed to carry on the business or activity that was the object of the transaction. It must be used and disclosed solely for the original reasons it was collected. The exchange of personal information without knowledge or consent cannot take place if the primary purpose or result of the business transaction is to buy, sell, acquire, dispose of or lease personal information;
- Collection, Use and Disclosure of Personal Information of Employees of Federal Works, Undertakings and Businesses – these employers will be able to collect, use and disclose employee information without consent if it is needed to “establish, manage or terminate” employment. The employee must be notified why the information is being or may be collected, used or disclosed.
Bill S-4 also contains new provisions regarding breaches of security safeguards and standards, which we will review tomorrow.