Bill 54 Proposes New Notification Requirements for Privacy Breaches and for Using Foreign Service Providers
Employers operating in the Alberta private sector will have to comply with more stringent privacy legislation once amendments to the province’s Personal Information Protection Act (PIPA) come online.
The upcoming changes flow from the Personal Information Protection Amendment Act, 2009 (Bill 54), which received Royal Assent late last year and will come into force on proclamation. Although we do not know when Bill 54 will become law, once it does, the PIPA’s offences and penalties provisions will have bigger teeth. Bill 54 also clarifies and expands organizations’ obligations under the PIPA relating to:
- transferring personal information to service providers outside Canada;
- collecting, using or disclosing employee information;
- personal information that is lost, or that is accessed or disclosed, without authorization; and
- personal information that is no longer reasonably required.
Transferring Personal Information outside Canada
Bill 54 imposes additional obligations on organizations that use service providers outside Canada to collect, use, disclose or store personal information. Changes are also relevant for those organizations that are controlled by a foreign parent company and transfer personal information to that parent company.
If your organization uses foreign service providers, you will have to:
- Include in your privacy policies and practices information about the countries of those service providers, and the purposes for authorizing them to handle the personal information. This notification must indicate:
  - how to obtain written information about the organization’s privacy policies and practices relating to its service providers outside Canada, and
  - who within the organization can answer questions about the handling of the personal information by the foreign service provider.
- Notify individuals, orally or in writing, before or at the time their personal information is transferred to, or collected by, the foreign service provider.
Collecting, Using or Disclosing Employee Information
Bill 54 expands an employer’s ability to collect, use or disclose employee personal information without an individual’s consent. The definition of "personal employee information" is expanded to include information about a former employee as well as information used for managing a post-employment relationship. This will provide more consistent standards for handling the personal information of employees post-employment. Employers are often concerned about what information is appropriate to disclose during reference checks, and Bill 54 provides some direction about communications that will not require a former employee’s consent.
Personal Information Lost, or Accessed or Disclosed, without Authorization
The PIPA, as amended by Bill 54, will also require organizations to notify the Privacy Commissioner of Alberta if personal information under their control is lost, accessed or disclosed without authorization. This reporting requirement arises when the loss or breach could pose a real risk of significant harm to an individual.
Destruction of Personal Information as a Positive Obligation
Where consent is not an issue, the PIPA currently allows organizations to keep personal information as long as it is reasonable to do so for legal or business purposes.
Once Bill 54 takes effect, organizations will have a positive obligation either to destroy the information or to render it in a form that can no longer be used to identify an individual. Personal information must be destroyed, within a reasonable time, once the organization no longer reasonably requires it.
In an employment setting, this may include deleting reference to particular individuals from investigation reports and records that an employer wishes to keep on file for policy reasons beyond the length of time usually recommended for legal protection.
Penalties and Offences
Bill 54 will remove the "wilful" requirement for committing certain offences under the PIPA (e.g., collecting, using and disclosing personal information without consent). So, an organization could commit an offence under the PIPA by breaching certain PIPA obligations, even if unintentionally. Employers should take careful note of this risk.
The bill also proposes new offences for failing to notify the Privacy Commissioner of a significant security breach and for obstructing the Commissioner in its investigations of privacy breaches.
Tips for Employers
To prepare for the amendments, your organization should:
- Consider whether a foreign entity receives personal information, or personal employee information. If so, review the policies and practices surrounding the transfer of information and update them to incorporate the requisite information and notification requirements.
- Review current policies with respect to collecting, using or disclosing employee personal information after the employee leaves the organization, in light of the new changes.
- Revise record retention and destruction policies and procedures, so that personal information is destroyed or "anonymized" once no longer required.
- Incorporate in its privacy breach protocol a step to notify the Privacy Commissioner of any serious security breach.