In recent years, a number of Canadian privacy laws have been undergoing statutory review. A review of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) commenced in the fall of 2006, a review of the Alberta Personal Information Protection Act (AB PIPA) commenced in 2007 and a review of the British Columbia Personal Information Protection Act (BC PIPA) began in 2008. While all of these reviews have resulted in committee reports to the respective legislatures, only the government of Alberta has tabled a bill to amend its private-sector privacy legislation. On October 27, 2009, the government of Alberta introduced Bill 54—Personal Information Protection Amendment Act, 2009. The bill contains an extensive number of amendments. This dispatch focuses on some key issues that will impact private-sector organizations going forward.
Breach notification:
Bill 54 creates a statutory requirement for notification when personal information (PI) is lost or has been subject to unauthorized access or disclosure. Rather than creating a mandatory requirement for organizations to notify affected parties, Bill 54 requires that organizations having PI under their control must, without unreasonable delay, provide notice to the privacy commissioner of any incident involving the loss of or unauthorized access to or disclosure of the PI, where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure. If an organization suffers a loss of or unauthorized access to or disclosure of PI where the organization would be required to provide notice to the privacy commissioner, the commissioner may require the organization to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure. The notification to affected individuals would have to be in a form and manner as prescribed by the regulations, and within a time period determined by the commissioner. Under the bill, the commissioner must establish an expedited process for determining whether to require an organization to notify individuals in circumstances where the real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure is obvious and immediate.
Access requests:
Bill 54 includes a number of amendments to the sections relating to access and correction, as well as a number of clarifications and the reorganization of some sections. On the matter of fees, Bill 54 proposes that organizations may not charge a fee in respect of a request for personal employee information. Section 33, which requires organizations to make reasonable efforts to ensure that PI is accurate and complete, is amended by adding the words “to the extent that is reasonable for the organization’s purposes in collecting, using, or disclosing the information.”
Employee personal information:
Currently PIPA permits the collection, use, and disclosure of personal information of employees and prospective employees if the information is to be used for a purpose that is reasonable and related to an employment relationship. Bill 54 amends these relevant sections to extend the collection, use, and disclosure of employee personal information to the management of the post-employment relationship.
Privacy notice:
Bill 54 adds a new section which deals with notification requirements respecting service providers outside Canada. Organizations using foreign service providers to collect PI with the consent of an individual must notify the individual of that collection. If the organization transfers PI, directly or indirectly, to a service provider outside Canada, individuals must be so notified. The notifications must be made at or before the collection or transfer, in writing or orally, and must include how individuals can obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada. The notification must also include the name or title of a person who is able to answer, on behalf of the organization, an individual’s questions. A copy of Bill 54 is available at the Alberta government Web site, or at the following URL:
.
