Federal government reintroduces proposed PIPEDA amendments

December 21, 2011

On September 29, 2011 the federal government introduced Bill C-12, entitled the “Safeguarding Canadians’ Personal Information Act.”  The bill, which is currently in the “first reading” stage, reintroduces the amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) proposed in Bill C-29 relating to what constitutes valid consent and various circumstances in which personal information can be collected without consent.  Bill C-29 expired in March 2011 when Parliament was dissolved.

PIPEDA establishes rules for the management of personal information by organizations involved in commercial activities. Currently, PIPEDA provides that unless a legislative exception applies, an individual’s personal information cannot be collected, used, or disclosed without that individual’s knowledge or consent.  Bill C-12 would clarify business’ obligations under PIPEDA and will undoubtedly affect employers’ approaches to privacy issues.  Below is a brief summary of the major changes proposed by Bill C-12.

Definition of Valid Consent

If passed, Bill C-12 will codify what constitutes “valid consent” in regards to the collection, use, or disclosure of personal information.  Consent will be “valid” when an individual understands the nature, purpose, and consequences of their consent.  In the event that Bill C-12 passes, this codification would provide employers with greater certainty as to the validity of any obtained employee consent.  However, as the definition is quite broad, whether any obtained consent is valid or invalid will still largely turn on the facts of each case.

Permitted Collection, Use, and Disclosure of Personal Information

Notably, Bill C-12 would also expand the number of circumstances where personal information may be collected, used, or disclosed without an individual’s knowledge or consent. 

First, the collection, use, and disclosure of personal information would be permitted in instances where such information is produced in the course of an individual’s employment, business, or profession.  In order for this exception to apply, the personal information must be used for a purpose consistent with the purpose to which the information was produced.  This exception would provide greater flexibility to employers in regards to the collection, use, and disclosure of personal “work product” information. 

Second, the collection, use, and disclosure of personal information by federal works, undertakings, and businesses would be permitted where the information is necessary to establish, manage, or terminate an employment relationship.  This exception could be relied upon only where the collection, use, or disclosure is necessary and the individual has been informed that their personal information would be or may be collected, used, or disclosed for these purposes.  The focus then, for federal sector employers, should shift away from employee consent and instead be directed to considering whether collecting, using, or disclosing employee personal information is necessary.  If such use, collection, or disclosure is necessary, then employers should then ensure that proper notification has been given to the employees at issue. 

Last, collecting, using, and disclosing personal information would be allowed where such information is related to business transactions.  Thankfully, Bill C-12 provides a definition of what constitutes a “business transaction,” though this definition is non-exhaustive.  Transactions involving the purchase, sale, or other acquisition or disposition of an organization or a portion of an organization or its assets, the financing of an organization or portion of an organization, or the leasing or licensing of any of an organization’s assets are but three instances that would qualify as “business transactions” under Bill C-12.  This exception should prove helpful to employers selling their business, especially in the preliminary “due diligence” phase. 

The “business transaction” exception could only be used where the personal information is necessary for the parties to determine whether to proceed with the transaction and also to complete the transaction.   The parties would also be required to enter into a confidentiality agreement requiring the recipient organization to (i) use and disclose information solely for the purposes related to the transaction, (ii) use security safeguards to protect such information, and (iii) to destroy or return the personal information to the disclosing organization if the transaction did not proceed.  This exception would not apply if the primary purpose or result of the transaction was the acquisition of personal information.

Mandatory Reporting of a “Material Breach of Security Safeguards”

Notably, Bill C-12 also proposes mandatory reporting of “material breaches of security safeguards” to the Information and Privacy Commissioner.  Factors to be used in determining whether such a breach is “material” include the sensitivity of the personal information, the number of individuals affected, and last, whether the cause of the breach or a pattern of breaches indicates a systemic problem.

Organizations would also be required to notify affected individuals if it reasonable to believe that the breach creates a “real risk of significant harm” to the individual.  The bill defines “significant harm” as including bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.  In determining whether a particular situation presents a “real risk” of significant harm, organizations will have to consider the sensitivity of the personal information involved in the breach and the probability that the information has been, is being, or will be misused.

Assuming Bill C-12 is passed, these amendments will undeniably have an impact on organizations’ privacy policies.  Employers would be wise to turn their attention to considering how their workplace privacy policies can be revised in the event that Bill C-12 is passed into law.

DISCLAIMER: This publication is intended to convey general information about legal issues and developments as of the indicated date. It does not constitute legal advice and must not be treated or relied on as such. Please read our full disclaimer at www.stikeman.com/legal-notice.

Stay in Touch with Knowledge Hub