Several amendments to PIPEDA, the federal private sector privacy legislation, are proposed in Bill C-12. The bill is now sitting at first reading stage, and it is not yet clear how long it will be before it is passed.
This post summarizes an IT.Can teleconference on the subject presented today by David Fraser of McInnes Cooper and Lisa Lifshitz of Gowling Lafleur Henderson LLP.
The definition of personal information has been changed slightly. It is now simply defined as “information about an identifiable individual”. Along with that comes a new definition of “business contact information”, which expands the existing “business card” exception (which at present does not cover e-mail addresses). It also adds a requirement that the use or disclosure of business contact information be “in relation to their employment, business or profession”, i.e. the individual’s own employment, business or profession.
A new section 6.1 clarifies “valid consent” in terms of the need for the individual to understand what they are consenting to – including the nature, purpose and consequences. This may lead to some practical challenges in how to communicate that effectively – particularly “consequences”.
It adds mandatory breach notification in certain situations; the provisions governing when and how to notify are very detailed.
Material breaches of “security safeguards” must be reported to the Privacy Commissioner.
Notifications must be made to individuals involved if the breach could lead to a “real risk of significant harm to the individual”.
There is also a third possible notification, to a third-party organization, if that organization could reduce the risk of harm. It is unclear who that might be.
It adds a business transactions exemption, which is long overdue. Most practitioners have proceeded as if these amendments were already there.
It includes a broad definition of “business transaction” (business sale, merger, financing…), and allows personal information to be transferred without consent, provided that certain safeguards are complied with. These rules do not apply if the primary purpose of the transaction is the disposition of the personal information. If that is the case (such as the sale of a customer list), then the basic PIPEDA requirements come into play.
PIPEDA currently has the concept that information can be disclosed to “investigative bodies” designated by regulation. That concept will be removed and replaced with a more flexible arrangement that allows disclosure to another organization if “necessary” to investigate a breach of an agreement or a contravention of law, or to prevent, detect or suppress fraud.