Changes to Alberta’s Private Sector Privacy Legislation now in Force
Now that amendments to Alberta’s Personal Information Protection Act (PIPA) have come into force, organizations operating in the province’s private sector should review their privacy policies and practices to ensure they comply with the new requirements.
Significant changes to PIPA include:
- An obligation, if the organization uses foreign service providers to collect, use, disclose or store personal information, to include in the organization’s policies and practices information:
  - identifying the countries in which the collection, use, disclosure or storage is occurring, or may occur; and
  - explaining the purposes for which the service provider is authorized to handle the personal information.
- A requirement to notify individuals about the transfer of personal information to any foreign service providers. This notification must indicate:
  - how to obtain written information about the organization’s policies and practices relating to its service providers outside Canada; and
  - the name of a contact person within the organization who can answer questions about the handling of the personal information by the foreign service provider.
- An obligation to notify the Alberta Privacy Commissioner if personal information under an organization’s control is lost, accessed or disclosed without authorization, when the loss or breach could pose a real risk of significant harm to an individual. In such circumstances, the Privacy Commissioner may require the organization to notify affected individuals directly.
- An expansion of the definition of "personal employee information" to include information about potential, current and former employees, partners, officers and directors.
- A consent exemption for collecting, using or disclosing information for the purpose of establishing, managing or terminating an employment or volunteer-work relationship, or for managing the post-relationship.
- An obligation to destroy or anonymize personal information within a reasonable time, once no longer reasonably required for business or legal purposes.
- The removal of the wilful requirement for committing certain offences (e.g., collecting, using and disclosing personal information without consent). As a result, an organization could commit an offence under PIPA by breaching certain PIPA obligations, even if unintentionally.
- The addition of a number of new offences, including failing to notify the Privacy Commissioner of a reportable privacy breach, obstructing the Commissioner in an investigation or inquiry, and taking reprisal action against an employee for reporting a PIPA violation to the Commissioner.
- An extension of the time limit for prosecuting an offence under PIPA from six months to two years after the commission of the alleged offence.
McCarthy Tétrault Notes
With these changes, Alberta has now become the first jurisdiction in Canada with a mandatory breach notification requirement in its privacy legislation, outside the health sector. (Ontario has a mandatory notification obligation for breaches involving personal health information, as do Newfoundland and Labrador and New Brunswick, but their legislation is not yet in force.) [1] The federal government is also looking to include breach notification requirements in the federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). For a comparison of the breach notification provisions under PIPA and those proposed for PIPEDA, read our article on Bill C-29.
The amendments to PIPA give the legislation considerably more "bite," so organizations are advised to carefully review their current policies and practices relating to personal information and ensure they are in compliance with the new rules. For a more detailed review of an organization’s new obligations under PIPA and helpful tips on how to comply with the amendments, see our previous article on this topic.
[1] The New Brunswick legislation came into force on September 1, 2010.