Proposed Changes to PIPEDA – What You Should Know
OBA Information Technology and E-Commerce
November 30, 2010
Mark Hayes, Hayes eLaw LLP
Legislative History
• PIPEDA introduced 2001
• May 2007: Reviewed by Standing Committee on Access to Information, Privacy and Ethics
– 25 recommendations
• May 2010: Bill C-29 introduced
• 2nd reading October 2010
• Not yet in committee
• Government says 4 categories of changes:
– protect and empower consumers
– clarify and streamline rules for business
– support effective law enforcement and security investigations
– address technical issues
My Classification
• Consent
• Consent exceptions
• Business contact information and business transactions
• Employment information
• Computer information collection
• Breach notification
• Commissioner investigations
Consent
• “Valid” consent (new s. 6.1)
– individual must understand “nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting”
• Precise effect of new provision unclear
• Likely that more detailed disclosures will be required about proposed uses of personal information
New Consent Exceptions
• Collection:
– PI contained in witness statement related to insurance claim (s. 7(1)(b.1))
– PI produced in course of employment or to establish, manage or terminate an employment relationship (s. 7(1)(b.2))
• Use:
– PI contained in witness statement related to insurance claim (s. 7(2)(b.1))
– PI produced in course of employment or to establish, manage or terminate an employment relationship (s. 7(2)(b.2))
• Disclosure:
– To communicate with next-of-kin (s. 7(3)(c.1)(iv))
– For purpose of policing services (not otherwise exempted) (s. 7(3)(c.1)(v))
– To another organization where disclosure is necessary
• to investigate breach of agreement or contravention of Canadian law that has been, is being or is about to be committed, or
• to prevent, detect or suppress fraud when reasonable to expect that notifying individual would undermine prevention, detection or suppression of fraud (s. 7(3)(d.1))
– To government or next of kin to prevent, detect or suppress fraud or financial abuse (s. 7(3)(d.2))
– To government or next of kin where necessary to identify injured, ill or deceased individuals (s. 7(3)(d.3))
• If individual alive, must give notice in writing of disclosure
• This last requirement seems odd
– PI contained in witness statement related to insurance claim (s. 7(3)(e.1))
– PI produced in course of employment or to establish, manage or terminate an employment relationship (s. 7(3)(e.2))
Lawful Authority
• Some clarification in s. 7(3.1)
• Not required to:
– Obtain subpoena, warrant or court order before disclosing personal information required as part of a formal government investigation
– Verify the validity of lawful authority before disclosing information
• Debate about what lawful authority police have will likely continue
Business Contact Information (BCI)
• Currently, BCI narrowly defined but completely excluded from definition of PI
– Information excluded limited to specially listed categories (name, title, business address or telephone number)
– May not include business e-mail
• New s. 4.01 would:
– Provide a non-exhaustive definition of BCI
• “name, position name or title, work address, work telephone number, work facsimile number, work electronic mail address”
• Plus “any similar information”
– Require that collection, use or disclosure of BCI must be “solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession”
• Unclear how far definition of BCI will extend
– Probably has to be information that could be used to contact individual
• Effect of qualifying as BCI is to exempt all collection, use and disclosure from PIPEDA
– What happens if use goes beyond restrictions?
– Is information no longer BCI forever?
• Must read this change in conjunction with FISA (C-28) discussed by Fraser
Business Transactions
• New s. 7.11 gives broad exception to allow use and disclosure of PI without consent
• Prospective or completed business transactions
– Include mergers and acquisitions, financings, leases, licenses and securitizations
– Not applicable if primary purpose of transaction is purchase, sale or lease of personal information
• Must have agreement requiring PI disclosure
• PI must be necessary to considering or completing transaction
• PI use in transactions potentially much simpler
• Purchaser may use and disclose PI if:
– Parties enter into agreement to:
• Use after closing same as before transaction
• Apply appropriate security safeguards
• Give effect to any withdrawal of consent
– PI necessary to carry on business
– One party notifies individuals post-closing about transaction and disclosure of PI
Employment Information
• New s. 7.2: Organization may collect, use and disclose PI without consent if:
– Collection, use or disclosure necessary to establish, manage or terminate employment relationship
– Employer has informed the individual that PI will be or may be collected, used or disclosed for those purposes
• Welcome addition to remedy glaring omission in original PIPEDA
• New s. 7.3: Employer may use and disclose PI that qualifies under s. 7.2 for purposes other than those for which PI was collected
Computer Information Collection
• New s. 7.1: Consent exemptions for collection and use do not apply to:
– Collection of “electronic addresses” by means of a specialized computer search program
– PI collected by accessing a computer system in contravention of federal law
• Probably referring to Sections 342.1 and 326 of Criminal Code
– Note that this overrides journalism exception in s. 7(1)(d); there has been little objection thus far
Breach Notification
• New s. 10.1: Organization must report any material breach of security safeguards to PCC
• Materiality depends on:
– Sensitivity of PI
– Number of individuals whose PI was involved
– If cause of breach indicates systemic problem
• New s. 10.2: Must also notify individual if “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”
– “‘Significant harm’ includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”
• Factors for significant harm are sensitivity of PI and probability that the personal information has been, is being or will be misused
• Both 10.1 and 10.2 require notification to be given in accordance with regulations and to be done “as soon as feasible”
– This timing requirement may be too stringent
• New s. 10.3 permits further notification to another organization or government body if they can reduce the potential harm
– Again subject to unspecified regulations
Commissioner Investigations
• Several minor tweaks
• PCC given more discretion in s. 12.1 to decide whether to investigate a complaint and what to do in the course of an investigation
• S. 22 adjusted to make clear the extent of defamation exemption for PCC relating to investigations and reports
In Conclusion…
• In general, proposed changes are relatively uncontroversial and welcome “fixes”
• Employment and business transaction changes make PIPEDA more business friendly and dovetail with Alberta and BC PIPAs
• Breach notification seems to have struck the right compromise, but questions remain about how PCC will handle notification volume
Thank you!
If you would like a copy of these slides, please leave me a card or email me at mark@hayeselaw.com