Several amendments were made last week to PIPEDA, the federal private-sector privacy legislation. The amendments had been sitting in draft for a long time. Except for the sections creating a new mandatory breach notification scheme, they are now in force. The breach notification scheme requires regulations before it comes into effect; more on that at the end of this post.
Several of these changes were long overdue, and bring PIPEDA more in line with some of the Provincial Acts that were drafted after PIPEDA.
Here are some of the highlights that are in force now:
- The business contact exception from the definition of personal information has been broadened.
- Provisions have been added to allow the transfer of personal information to an acquiring business for both due diligence and closing purposes. Most practitioners have already been approaching this in a similar way, but vendors, purchasers and their counsel should make sure they comply with the exact requirements.
- A new section says consent is only valid if the individual would understand what they are consenting to. This speaks to the clarity of the explanation, and is particularly important when dealing with children.
- Several new exceptions have been added that permit the collection, use and disclosure of personal information without consent, such as witness statements, communications to the next of kin of ill or deceased persons, and fraud prevention.
- The Commissioner now has a compliance agreement remedy.
The breach notification sections that come into effect at a later date include:
- Mandatory reporting to the Commissioner of a breach where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” That test is somewhat subjective, and will no doubt cause some consternation in practice. Guidance is included on relevant factors to consider and what constitutes “significant harm”.
- The report must contain certain information and be on a form that will be in the regulations yet to be released.
- Affected individuals must be similarly notified.
- Businesses will be required to maintain records of “… every breach of security safeguards involving personal information under its control”, and provide a copy to the Commissioner on request. Note that this is “every” breach without regard to a harm threshold. This could pose a challenging compliance issue for large organizations.
- The whistleblowing provision has been amended to allow a complainant to “request” that their identity be kept confidential.
- The section with the $100,000 fine for interfering with an investigation has been amended to make it an offence to contravene the reporting requirements. That will make the decision of whether a breach passes the reporting threshold a serious matter to ponder.