Parliamentary Committee Report on PIPEDA Review

This morning the Parliamentary Committee released its report on the review of the Personal Information Protection and Electronic Documents Act.

There are 25 recommendations:

Recommendation 1
The Committee recommends that a definition of “business contact information” be added to PIPEDA, and that the
definition and relevant restrictive provision found in the
Alberta Personal Information Protection Act be considered for
this purpose.

Recommendation 2
The Committee recommends that PIPEDA be amended to
include a definition of “work product” that is explicitly
recognized as not constituting personal information for the
purposes of the Act. In formulating this definition, reference
should be added to the definition of “work product
information” in the British Columbia Personal Information
Protection Act, the definition proposed to this Committee by
IMS Canada, and the approach taken to professional
information in Quebec’s An Act Respecting the Protection of
Personal Information in the Private Sector.

Recommendation 3
The Committee recommends that a definition of “destruction”
that would provide guidance to organizations on how to
properly destroy both paper records and electronic media be
added to PIPEDA.

Recommendation 4
The Committee recommends that PIPEDA be amended to
clarify the form and adequacy of consent required by it,
distinguishing between express, implied and deemed/opt-out
consent. Reference should be made in this regard to the
Alberta and British Columbia Personal Information Protection
Acts.

Recommendation 5
The Committee recommends that the Quebec, Alberta and
British Columbia private sector data protection legislation be
considered for the purposes of developing and incorporating
into PIPEDA an amendment to address the unique context
experienced by federally regulated employers and employees.

Recommendation 6
The Committee recommends that PIPEDA be amended to
replace the “investigative bodies” designation process with a
definition of “investigation” similar to that found in the Alberta
and British Columbia Personal Information Protection Acts
thereby allowing for the collection, use and disclosure of
personal information without consent for that purpose.

Recommendation 7
The Committee recommends that PIPEDA be amended to
include a provision permitting organizations to collect, use
and disclose personal information without consent, for the
purposes of a business transaction. This amendment should
be modeled on the Alberta Personal Information Protection Act
in conjunction with enhancements recommended by the
Privacy Commissioner of Canada.

Recommendation 8
The Committee recommends that an amendment to PIPEDA be
considered to address the issue of principal-agent
relationships. Reference to section 12(2) of the British
Columbia Personal Information Protection Act should be made
with respect to such an amendment.

Recommendation 9
The Committee recommends that PIPEDA be amended to
create an exception to the consent requirement for information
legally available to a party to a legal proceeding, in a manner
similar to the provisions of the Alberta and British Columbia
Personal Information Protection Acts.

Recommendation 10
The Committee recommends that the government consult with
the Privacy Commissioner of Canada with respect to
determining whether there is a need for further amendments to
PIPEDA to address the issue of witness statements and the
rights of persons whose personal information is contained
therein.

Recommendation 11
The Committee recommends that PIPEDA be amended to add
other individual, family or public interest exemptions in order
to harmonize its approach with that taken by the Quebec,
Alberta and British Columbia private sector data protection
Acts.

Recommendation 12
The Committee recommends that consideration be given to
clarifying what is meant by “lawful authority” in section
7(3)(c.1) of PIPEDA and that the opening paragraph of section
7(3) be amended to read as follows: “For the purpose of clause
4.3 of Schedule 1, and despite the note that accompanies that
clause, an organization shall disclose personal information
without the knowledge or consent of the individual but only if
the disclosure is […]”

Recommendation 13
The Committee recommends that the term “government
institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA
to specify whether it is intended to encompass municipal,
provincial, territorial, federal and non-Canadian entities.

Recommendation 14
The Committee recommends the removal of section 7(1)(e)
from PIPEDA.

Recommendation 15
The Committee recommends that the government examine the
issue of consent by minors with respect to the collection, use
and disclosure of their personal information in a commercial
context with a view to amendments to PIPEDA in this regard.

Recommendation 16
The Committee recommends that no amendments be made to
PIPEDA with respect to transborder flows of personal
information.

Recommendation 17
The Committee recommends that the government consult with
members of the health care sector, as well as the Privacy
Commissioner of Canada, to determine the extent to which
elements contained in the PIPEDA Awareness Raising Tools
document may be set out in legislative form.

Recommendation 18
The Committee recommends that the Federal Privacy
Commissioner not be granted order-making powers at this
time.

Recommendation 19
The Committee recommends that no amendment be made to
section 20(2) of PIPEDA with respect to the Privacy
Commissioner’s discretionary power to publicly name
organizations in the public interest.

Recommendation 20
The Committee recommends that the Federal Privacy
Commissioner be granted the authority under PIPEDA to share
personal information and cooperate in investigations of
mutual interest with provincial counterparts that do not have
substantially similar private sector legislation, as well as
international data protection authorities.

Recommendation 21
The Committee recommends that any extra-jurisdictional
information sharing, particularly to the United States, be
adequately protected from disclosure to a foreign court or
other government authority for purposes other than those for
which it was shared.

Recommendation 22
The Committee recommends that PIPEDA be amended to
permit the Privacy Commissioner to apply to the Federal Court
for an expedited review of a claim of solicitor-client privilege in
respect of the denial of access to personal information
(section 9(3)(a)) where the Commissioner has sought, and
been denied, production of the information in the course of an
investigation.

Recommendation 23
The Committee recommends that PIPEDA be amended to
include a breach notification provision requiring organizations
to report certain defined breaches of their personal
information holdings to the Privacy Commissioner.

Recommendation 24
The Committee recommends that upon being notified of a
breach of an organization’s personal information holdings, the
Privacy Commissioner shall make a determination as to
whether or not affected individuals and others should be
notified and if so, in what manner.

Recommendation 25
The Committee recommends that in determining the specifics
of an appropriate notification model for PIPEDA, consideration
should be given to questions of timing, manner of notification,
penalties for failure to notify, and the need for a “without
consent” power to notify credit bureaus in order to help
protect consumers from identity theft and fraud.