It was a long road, but Parliament finally passed Canada’s Digital Privacy Act, SC 2015, c 32 (Bill S-4). The act received Royal Assent on June 18, with some amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) going into force immediately. These are the first major amendments to PIPEDA since it was enacted 15 years ago. Although the new federal mandatory breach reporting to the Office of the Privacy Commissioner of Canada (OPC) and the new individual breach notification provisions will not come into force until the supporting regulations have been drafted, there are still a number of amendments that are important for organizations to consider now.
Here’s a quick cheat-sheet of the amendments that are currently in force and their significance. In a future post, we’ll examine the breach reporting and individual notification provisions.
Amendment | What It Does | What You Need To Know | Compliance Considerations |
--- | --- | --- | --- |
Compliance Agreements (ss. 17.1 and 17.2) | The OPC is now empowered to enter into compliance agreements with organizations. The OPC is able to enforce the compliance agreement in federal court. | The OPC can use this tool if the OPC believes on reasonable grounds that an organization has committed, is about to commit or is likely to commit an act or omission that could constitute (i) a contravention of PIPEDA or (ii) a failure to follow a recommended practice set out in PIPEDA. | There is no protection from individual actions as a result of entering into a compliance agreement with the OPC. However, a compliance agreement may be useful if an organization needs additional time to make changes that are requested by the OPC. Currently, the OPC must close an investigation within 1 year and must proceed to court within 45 days; otherwise, the OPC will lose jurisdiction. The compliance agreement will allow the OPC to avoid this jurisdictional problem. |
Valid Consent (s. 6.1) | Consent of an individual is only valid if it is reasonable to expect that an individual would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. | The OPC’s view is that this isn’t really a change. However, one might ask whether this provision places an increased burden on an organization to ensure that individuals understand the risks of consenting to collection, use and disclosure of personal information. | Organizations should examine whether privacy disclosures provide clear information that would be necessary for an ordinary consumer to understand the nature, purpose and consequences of the proposed use of personal information. |
Business Contact Information (s. 2(1)) | A new definition of “business contact information” has been added and the definition of “personal information” has been revised to refer simply to “information about an identifiable individual”. | Work contact information, including an email address (which had been omitted previously), may be collected, used and disclosed without the knowledge or consent of the individual provided the purpose for the collection, use or disclosure is communicating or facilitating communication with the individual in relation to their employment, business or profession. | Don’t forget that a business email address and other business contact information are still personal information if this information is used for purposes other than to contact or facilitate contact with the individual in respect of their employment, business or profession. For example, a business email could be a user ID, or a business phone number could be used to contact the individual at work for non-work reasons. |
Business Transactions (ss. 2(1) and 7.2) | PIPEDA now contains provisions to assist in the transfer of personal information in connection with business transactions. It applies to a broad range of transactions (e.g. asset sales, mergers, loans, securitization of assets, and leases or licences of assets) provided that the transfer of the personal information is not the primary purpose of the transaction. | PIPEDA did not have provisions that allowed organizations to share information as part of the due diligence phase of a business transaction or upon the consummation of the transaction. This provision allows for sharing subject to conditions. The information must only be used and disclosed for purposes related to the transaction. The information must be safeguarded. If the transaction is not completed, the information must be returned or destroyed. If it is completed, the individual must be notified, the use must be limited to the originally identified purposes (unless additional consent is obtained) and any withdrawal of consent must be honoured. The sharing must be necessary to determine whether to complete the transaction and, if completed, to carry on the business. | Organizations must consider carefully what information is really necessary to be shared and ultimately transferred. Create internal governance structures to ensure the Privacy Pro is engaged early to ensure that the necessary agreements are in place to share information under this provision. |
Employee Information / Employee Work Product (ss. 7(1)(b.2), 7(2)(b.2), 7(3)(e.2), 7.3) | There are two important changes to PIPEDA. First, notice, but not consent, is required for the collection, use and disclosure of personal information that is necessary to establish, manage or terminate an employment relationship. Second, the knowledge or consent of an individual is not necessary to collect, use or disclose information that is produced by the individual in the course of their employment, business or profession, provided the collection, use or disclosure is consistent with the purposes for which the information was produced. | These provisions apply to federal works, undertakings and businesses (e.g. banks, interprovincial railways, airlines, trucking companies, offshore drilling platforms, telecommunications companies, etc.). | Organizations that are subject to these provisions must still consider whether the employee information is “necessary” for the establishment, management or termination of the employment relationship. These organizations will also have to consider whether a proposed collection, use or disclosure of work product information is “consistent with the purposes for which the information was produced.” An employer and an employee may not agree on the scope of that qualification. |
Next of Kin / Identifying a Deceased, Ill, or Injured Individual (ss. 7(3)(c.1)(iv) and 7(3)(d.4)) | Personal information may be shared with a government institution that requests the information for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual. Personal information may also be shared with government institutions, next of kin or authorized representatives for the purpose of identifying an individual who is deceased, ill or injured. However, the individual (if he or she is alive) must be advised of the disclosure after it has been made. | In the case of government requests, it is still necessary to establish the lawful authority of the institution. In the case of identifying an individual, it may be necessary to notify the individual (in writing and without delay) of the disclosure. | Organizations should establish policies and procedures to ensure that the requirements of these provisions are satisfied before employees use them to make disclosures. |
Financial Abuse (s. 7(3)(d.3)) | An organization that has reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse can make a disclosure (without the knowledge or consent of the individual) to a government institution or the individual’s next of kin or authorized representative for the purpose of preventing or investigating the abuse. It must be reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse. | This provision allows for sharing of information with a government institution (such as law enforcement or a public guardian), next of kin or an authorized representative if the organization has reasonable grounds to believe that financial abuse has occurred or is at risk of occurring. | Organizations will need to develop criteria regarding when this provision can be used. A decision to disclose under this provision should be documented with the reasons why the organization had reasonable grounds and why the disclosure was necessary to investigate or prevent the abuse. Organizations should be mindful of the risk of defamation when making a disclosure to next of kin or authorized representatives. |
Fraud Detection and Prevention (s. 7(3)(d.2)) | The knowledge or consent of an individual is not required in order to share personal information for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed. It must be reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud. | This provision allows for organizations and industry groups to directly share information to combat fraud. | Organizations should develop policies and procedures before sharing information under these provisions. Organizations should consider entering into information sharing agreements specifying the conditions under which information will be shared. |
Investigations in Breaches of Contracts or Laws (s. 7(3)(d.1)) | Organizations may share information without the knowledge or consent of an individual to investigate past, occurring or potential breaches of an agreement or contraventions of the laws of Canada or a province. It must be reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation. | Previously, organizations could share information with law enforcement and other government institutions for law enforcement purposes. Now, they can also share information with other organizations. | An organization that intends to share information should consider whether it should impose conditions regarding how that information may be used and further disclosed. |
Witness Statements in Insurance Claims (ss. 7(1)(b.1), 7(2)(b.1), 7(3)(e.1)) | The knowledge or consent of an individual is not necessary to collect, use or disclose information contained in a witness statement that is necessary to assess, process or settle an insurance claim. | This provision facilitates sharing of witness statements following an accident or other insured event. | This provision is primarily of interest to the insurance industry. |