Insights Header image
Insights Header image
Insights Header image

Proposed amendments to PIPEDA: Affecting employers and business transactions

October 2011 Employment and Labour Bulletin 4 minute read

introduction

On September 29, 2011, Bill C-12, Safeguarding Canadians’ Personal Information Act was introduced by the federal government. If the bill is passed, it will amend the Personal Information Protection and Electronic Documents Act (“PIPEDA“).[1] Bill C-12 is a re-introduction of Bill C-29, which expired due to the dissolution of Parliament in March 2011. The stated purpose of the bill according to a press release from Industry Canada is “…to help protect consumers and businesses from the misuse of their personal information…”[2]

PIPEDA’s history

Initially, PIPEDA only affected personal information collected, used, or disclosed in the course of commercial activities by federal works, undertakings, and businesses, such as banks and airlines. In 2004, application of the statute was extended to the collection, use or disclosure of personal information that arose during the course of any commercial activity. PIPEDA also applies to all personal information in all interprovincial and international transactions by all organizations subject to PIPEDA in the course of their commercial activities.

why have new amendments been proposed?

This Bill implements responses to concerns raised by the government’s first Parliamentary review of PIPEDA. The proposed amendments are intended to:

  • Protect and empower consumers;
  • Clarify and streamline rules for business organizations;
  • Improve investigation and enforcement of the privacy law; and
  • Improve the language of legislation and technical drafting corrections.

significant proposed amendments to PIPEDA

Currently, PIPEDA requires that any personal information collected, used or disclosed, requires the individuals’ knowledge and consent, unless a legislated exception applies. The amendments are aimed at clarifying the rules that organizations must abide by, and the significant amendments are as follows:

  • Valid consent is defined for the purpose of collecting, using or disclosing personal information
  • Personal information can be collected, used or disclosed, without the consent or knowledge of the individual for the following prescribed purposes:

o It is produced in the course of their employment;
o It is required to manage, establish or terminate employment relationships; or
o It is related to business transactions

  • Organizations must report material breaches to the Privacy Commissioner and notify affected individuals and organizations

discussion of the proposed amendments

definition of valid consent

Consent is considered valid when it is reasonable to expect that an individual grasps the nature, purpose, and consequences of their consent.

information produced in the course of an individual’s employment

Currently, PIPEDA does not articulate any exception for the collection, use, or disclosure of personal information, without consent, if the information is produced in the course of an individual’s employment. The proposed exception permits an organization to collect, use, or disclose personal information produced during the course of an individual’s employment, business, or profession. This requires, however, that the personal information is used for a purpose consistent with the purpose to which the information was produced.

information for the management, establishment, or termination of an employment relationship

The proposed amendment introduces an exception to the consent requirement if the following two requirements are met:

  • The collection, use or disclosure of the personal information is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; and
  • The individual was informed that the personal information would be or may be collected, used or disclosed for the purposes described above.

exclusions related to business transactions

Bill C-12 also introduces a disclosure exception for personal information in the context of prospective or completed business transactions. The proposed amendments introduce a non-exhaustive definition of a “business transaction”. This exception would permit disclosure of personal information, without consent or knowledge, if:

  • The information is necessary for the parties to determine whether to proceed with the transaction, and the information is necessary to complete the transaction; and
  • The parties have entered into a confidentiality agreement requiring the recipient organization to: (i) use and disclose information solely for purposes related to the transaction, (ii) use security safeguards to protect the information, and (iii) return or destroy the information to the disclosing organization, if the transaction does not proceed.

This disclosure exception does not apply if the primary purpose or result of the transaction is the acquisition of personal information.

material breaches of security safeguards must be reported

A significant amendment to PIPEDA is the mandatory reporting provision that requires any “material breach of security safeguards” to be reported to the Information and Privacy Commissioner. An organization must determine whether it is required to report the breach, having regard for the sensitivity of the disclosed personal information, the number of individuals affected by the breach, and whether the cause of the breach indicates a systemic problem.

The amendments further require organizations to notify the affected individual if it is reasonable to believe the breach “creates a real risk of significant harm to the individual.” The legislation defines “significant harm” non-exhaustively, and includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.” It can be seen from this definition that the legislature is attempting to capture offences that have developed as a result of the current marketplace. A real risk of significant harm is determined by considering the sensitivity of the information and the probability that the personal information is being or will be misused.

conclusion

Bill C-12 re-introduces substantive amendments that will clarify a business’ responsibility under PIPEDA, and these changes will impact existing approaches to privacy. As technology is swiftly changing, the ongoing changes to Canada’s legislation will require continued compliance efforts and review of information practices.

by George Waggott and Katherine Ng, student-at-law

1 Personal Information Protection and Electronic Documents Act, SC 2000, c 5.

2 Industry Canada, Press Release, “Government of Canada Moves to Enhance Privacy of Individuals during Commercial Transactions” (29 September 2011)

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2011

Insights (5 Posts)View More

Featured Insight

Unpacking Ontario’s Proposed Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024

Unpacking Ontario's Bill 194: Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024. Key changes & compliance strategies detailed.

Read More
May 17, 2024
Featured Insight

Navigating International Student Worker Restrictions: Post-Expiry Guidelines for Employers

On April 30, 2024, Canada’s temporary waiver allowing international students to exceed 20 hours of work per week expired.

Read More
May 14, 2024
Featured Insight

Understanding the Consumer-Driven Banking Framework: Key Insights from the Budget Implementation Act, 2024, No.1

On April 30, the federal government introduced the Budget Implementation Act, 2024, No. 1, which provides the legislative framework for open banking in Canada.

Read More
May 13, 2024
Featured Insight

Legal Risk Assessments – An Essential Risk Management Tool

The best way to address the legal issues that arise in any business is to focus on their identification and resolution before they become legal problems.

Read More
May 9, 2024
Featured Insight

Jury’s Out: Bench Trials Are In

Ontario courts are leaning towards the elimination of civil jury trials, as evidenced in recent decisions out of the Ontario Superior Court of Justice.

Read More
May 8, 2024