bill c-29 pipeda reform oba nov 30 2010

Upload: mark-hayes

Post on 09-Apr-2018


TRANSCRIPT

  • 8/8/2019 Bill C-29 Pipeda Reform Oba Nov 30 2010

    1/22

    Proposed Changes to PIPEDA

    What You Should Know

    OBA Information Technology and E-Commerce

    November 30, 2010

    Mark Hayes, Hayes eLaw LLP


    Legislative History

    PIPEDA introduced 2001

    May 2007: Reviewed by Standing Committee on Access to Information, Privacy and Ethics

    25 recommendations

    May 2010: Bill C-29 introduced

    2nd reading October 2010

    Not yet in committee


    Legislative History

    Government says 4 categories of changes:

    protect and empower consumers

    clarify and streamline rules for business

    support effective law enforcement and security investigations

    address technical issues


    My Classification

    Consent

    Consent exceptions

    Business contact information and business transactions

    Employment information

    Computer information collection

    Breach notification

    Commissioner investigations


    Consent

    Valid consent (new s. 6.1)

    individual must understand nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting

    Precise effect of new provision unclear

    Likely that more detailed disclosures will be required about proposed uses of personal information


    New Consent Exceptions

    Disclosure:

    To communicate with next-of-kin (s. 7(3)(c.1)(iv))

    For purpose of policing services (not otherwise exempted) (s. 7(3)(c.1)(v))

    To another organization and disclosure is necessary

    to investigate breach of agreement or contravention of the Canadian law that has been, is being or is about to be committed, or

    to prevent, detect or suppress fraud when reasonable to expect that notifying individual would undermine prevention, detection or suppression of fraud (s. 7(3)(d.1))


    New Consent Exceptions

    Disclosure:

    To government or next of kin to prevent, detect or suppress fraud or financial abuse (s. 7(3)(d.2))

    To government or next of kin where necessary to identify injured, ill or deceased individuals (s. 7(3)(d.3))

    If individual alive, must give notice in writing of disclosure

    This last requirement seems odd

    PI contained in witness statement related to insurance claim (s. 7(3)(e.1))

    PI produced in course of employment or to establish, manage or terminate an employment relationship (s. 7(3)(e.2))


    Lawful Authority

    Some clarification in s. 7(3.1)

    Not required to:

    Obtain subpoena, warrant or court order before disclosing personal information required as part of a formal government investigation

    Verify the validity of lawful authority before disclosing information

    Debate about what lawful authority police have will likely continue


    Business Contact Information (BCI)

    Currently, BCI narrowly defined but completely excluded from definition of PI

    Information excluded limited to specially listed categories (name, title, business address or telephone number)

    May not include business e-mail


    Business Contact Information (BCI)

    New s. 4.01 would:

    Provide a non-exhaustive definition of BCI

    name, position name or title, work address, work telephone number, work facsimile number, work electronic mail address

    Plus any similar information

    Require that collection, use or disclosure of BCI must be solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession


    Business Contact Information (BCI)

    Unclear how far definition of BCI will extend

    Probably has to be information that could be used to contact individual

    Effect of qualifying as BCI is to exempt all collection, use and disclosure from PIPEDA

    What happens if use goes beyond restrictions?

    Is information no longer BCI forever?

    Must read this change in conjunction with FISA (C-28) discussed by Fraser


    Business Transactions

    New s. 7.11 gives broad exception to allow use and disclosure of PI without consent

    Prospective or completed business transactions

    Include mergers and acquisitions, financings, leases, licenses and securitizations

    Not applicable if primary purpose of transaction is purchase, sale or lease of personal information

    Must have agreement requiring PI disclosure

    PI must be necessary to considering or completing transaction


    Business Transactions

    PI use in transactions potentially much simpler

    Purchaser may use and disclose PI if:

    Parties enter into agreement to:

    Use after closing same as before transaction

    Apply appropriate security safeguards

    Give effect to any withdrawal of consent

    PI necessary to carry on business

    One party notifies individuals post-closing about transaction and disclosure of PI


    Employment Information

    New s. 7.2: Organization may collect, use and disclose PI without consent if:

    Collection, use or disclosure necessary to establish, manage or terminate employment relationship

    Employer has informed the individual that PI will be or may be collected, used or disclosed for those purposes

    Welcome addition to remedy glaring omission in original PIPEDA

    New s. 7.3: Employer may use and disclose PI that qualifies under s. 7.2 for purposes other than those for which PI was collected


    Computer Information Collection

    New s. 7.1: Consent exemptions for collection and use do not apply to:

    Collection of electronic addresses by means of a specialized computer search program

    PI collected by accessing a computer system in contravention of federal law

    Probably referring to Sections 342.1 and 326 of Criminal Code

    Note that this overrides journalism exception in s. 7(1)(d); has been little objection thus far


    Breach Notification

    New s. 10.1: Organization must report any material breach of security safeguards to PCC

    Materiality depends on:

    Sensitivity of PI

    Number of individuals whose PI was involved

    If cause of breach indicates systemic problem


    Breach Notification

    New s. 10.2: Must also notify individual if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual

    Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property

    Factors for significant harm are sensitivity of PI and probability that the personal information has been, is being or will be misused


    Breach Notification

    Both 10.1 and 10.2 require notification to be given in accordance with regulations and to be done as soon as feasible

    This timing requirement may be too stringent

    New s. 10.3 permits further notification to another organization or government body if they can reduce the potential harm

    Again subject to unspecified regulations


    Commissioner Investigations

    Several minor tweaks

    PCC given more discretion in s. 12.1 to decide whether to investigate a complaint and what to do in the course of an investigation

    S. 22 adjusted to make clear the extent of defamation exemption for PCC relating to investigations and reports


    In Conclusion.

    In general, proposed changes are relatively uncontroversial and welcome fixes

    Employment and business transaction changes make PIPEDA more business friendly and dovetail with Alberta and BC PIPAs

    Breach notification seems to have struck the right compromise; questions remain about how PCC will handle notification volume


    Thank you!

    If you would like a copy of these slides, please leave me a card or email me at

    [email protected]