Articles & Media

Personal Information Protection Act Amendments


In November 2009, Royal Assent was given to Bill 54. This Bill will come into force upon Proclamation and will make some significant changes to the Personal Information Protection Act.

Some of the changes simply codify interpretations the Privacy Commissioner has already given to certain sections of the legislation. For example, the definition of personal employee information is clarified to include personal information about former employees when it is reasonably required to manage a post-employment relationship. Similarly, there are new provisions which confirm that organizations can collect, use, and disclose personal information without consent if the collection, use, or disclosure is necessary to comply with the terms of a collective agreement. However, there are also some substantive changes of which organizations need to be aware.

Any organization which uses a service provider located outside of Canada to collect, use, disclose, or store personal information will now be required to include information about that service provider in its privacy policy. In addition, in situations where individual consent is required for the collection of personal information, any organization using a service provider located outside Canada for the collection or processing of that information must provide notification that a foreign service provider will be used. In addition, individuals must be advised how to obtain access to information about the privacy policies and practices of the foreign service provider.

All organizations must be aware of new provisions which require organizations to provide notice to the Privacy Commissioner of any incident involving the loss of, or unauthorized access to or disclosure of, personal information when a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure. Previously, notification of such breaches of security was voluntary. Under the amended provisions of the legislation, however, it will be an offence, with fines of up to $100,000.00, if an organization fails to provide notification as required. It is also important to note that as part of the Privacy Commissioner's powers in dealing with a breach of security, the Commissioner will be able to order an organization to provide notice of the unauthorized access, loss, or disclosure to the affected individuals.

Also important are the amendments which provide for proactive destruction of records when they are no longer required by an organization for legal or business purposes. Previously, although the legislation provided that organizations could only retain personal information for as long as it was reasonably required, there was no positive requirement to actually take steps to destroy the personal information.

These amendments will come into force upon Proclamation. We will notify you when this occurs.

Labour & Employment - This update is a general overview of the subject matter and cannot be regarded as legal advice. Please contact Teresa Haykowsky in Edmonton, Tom Ross in Calgary, Glenn Tait in Yellowknife, or any member of our Labour & Employment Practice Group for advice on this or any other labour & employment law topic.

  Search Articles & Media

 Register to receive Articles & Media via email


Real Time Web Analytics