Bill C-29: Amendments to Federal Private Sector Privacy Legislation
On May 25th, 2010, the Government of Canada introduced Bill C-29, which will alter the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The changes to the federal private sector privacy legislation are the result of a parliamentary review of the legislation that occurred in 2007.
Among the proposed amendments are changes which include:
- mandatory reporting of data breaches;
- provisions allowing for personal information to be disclosed for business transaction purposes, and
- consent exceptions for employee information and work product information.
The Bill provides a clarification of the meaning of “consent”, and adds a security breach disclosure requirement. The Bill requires that a report be made to the Privacy Commissioner in the event of a “material breach of security safeguards involving personal information”. The organization is responsible for determining if the breach is material, and must examine the sensitivity of the information and the number of individuals affected by the breach, and detect whether or not the problem is systemic.
Another proposed requirement is that the breach must be reported to individuals if there is a reasonable belief that the breach could create a “real risk of significant harm” to those persons. It is left to the organization to determine whether or not there is a real risk. This notification must be given “as soon as feasible”. At present, there is no requirement to disclose security breaches, and it is clear that the proposed amendments set a high threshold for disclosure.
With respect to the disclosure of personal information for the purposes of business transactions, the new business transaction exception permits use and disclosure of personal information for the purpose of carrying out business transactions. The amendment is a response to concerns that PIPEDA could create obstacles for businesses wanting to carry out certain transactions. There are, however, limitations on the use of the information.
In terms of business exceptions, the Bill adds a new work product exception, which applies to the collection, use and disclosure of information produced by employees during the course of their employment. Another exception exists for the collection, use and disclosure of information used to “establish, manage or terminate an employment relationship”.
Further business exceptions allow for voluntarily disclosure of personal information to organizations for the purposes of investigating a breach of an agreement that has been, is, or may be committed. The exception also exists as an aid to prevent, detect or suppress fraud.
Bird Richard will monitor this Bill and provide you with updates as it passes through the legislative stages.