The passage of the Digital Privacy Act (“DPA”) enacts long-awaited changes to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The most important changes are summarized below.
1. Report Breaches of PIPEDA
Prior to the changes, upon a party breaching security safeguards surrounding personal information, that party had no obligation to inform anyone whose information may have been comprised nor any obligation to information the Privacy Commissioner.
The changes to PIPEDA require a party whose security safeguards are breached to notify those individuals affected by the breach as well as the Privacy Commissioner, if the breach poses “a real risk of significant harm” to the affected individuals. Two of the factors necessary to assess whether a real risk exists are the sensitivity of the information and whether the information has been, is being, or may be, misused. Government and other organizations will also have to be notified of the breach if they may be able to lessen or eliminate the possible damage from the breach. Parties will have to keep records of all security safeguard breaches. On request of the Commissioner, parties will have to report information about all breaches to the Commissioner. Fines of up to $100,000.00 may be levied against organizations that fail to record or report breaches.
2. Business Transactions
The majority of business purchase and sale transactions most likely did not comply with PIPEDA. Parties who were selling businesses often permitted purchasers to review everything about their business including the personal information of the clients of the vendor that were subject to PIPEDA protection.
As a result of the changes to PIPEDA, if certain conditions are met, a party conducting a business transaction will not require the consent of anyone whose personal information it holds to use and disclose such information in connection with a business transaction.
3. Business Contact Information
Business contact information is not considered “personal information” that is governed by the law if conditions are met. Those conditions include the requirement of an organization to collect, use, or disclose the business contact information solely to communicate with the person about their employment, business, or profession.
The amendments define “business contact information” as any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address.
4. Employee Information
Organizations who tell their employees that they may use, collect, or disclose their personal information are permitted to do so if it is necessary to establish, manage, or terminate an employment relationship between the organization and the employee. It is important to note that PIPEDA and the amendments only apply to the employees of federally-regulated employers.
5. Employee Produced Information
Employee produced personal information can be collected, used, and disclosed by the employer organization without the consent of the employee. The amendments say that an organization may collect, use, and disclose personal information without consent if the information was produced by the individual in the course of their employment, business, or profession, and the collection, use, and disclosure are consistent with the purposes for which the information was produced.
PIPEDA permits the use of personal information provided you obtain the consent of the person whose personal information you propose to use. That notion of “consent” is clarified in the amendments so that valid consent means consent where it is reasonable to expect that the person providing their consent understands the nature, purpose, and consequences of the collection, use, and disclosure of their personal information to which they are consenting.
* * * * *
Ryan K. Smith is a Lawyer and Trade-mark Agent at Feltmate Delibato Heagle LLP. He is a corporate and commercial lawyer with expertise in all manner of intellectual property matters including trade-marks, copyrights, domain names, and confidential information. You can reach Mr. Smith at (905) 287-2215 and firstname.lastname@example.org.