On April 8th, the Senate of Canada introduced Bill S-4, which proposes various amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). The short title of this Bill is the Digital Privacy Act.
PIPEDA applies to all organizations that collect, use or disclose personal information in the course of commercial activities. A commercial activity is defined as, essentially, any transaction, act or conduct that has a “commercial character”, including the selling, bartering or leasing of donor, membership or fundraising lists. To the extent that charities or non-profit organizations engage in the sale of goods or services, or otherwise engage in commercial activities, any personal information collected, used or disclosed in the context of that activity will be subject to PIPEDA. PIPEDA imposes various requirements, including the requirement to obtain informed consent for the collection, use and disclosure of personal information, as well as limitations on the use of personal information and requirements for the safekeeping of such information.
The Digital Privacy Act proposes several amendments to PIPEDA. One of these amendments specifies the elements of valid consent for the collection, use and disclosure of personal information. This amendment provides that the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting. Thus, it is very important that consent be informed.
Permitted Disclosure of Personal Information without Consent
The Digital Privacy Act also sets out certain circumstances in which personal information can be disclosed without the knowledge or consent of an individual. Such personal information may be disclosed by an organization:
(a) to another organization where it is reasonable for the purposes of investigating a breach of an agreement or a contravention of laws, and it is reasonable to expect that if the individual knew about the disclosure, it would compromise the investigation;
(b) to another organization where it is reasonable for the purposes of detecting, suppressing or preventing fraud that is likely to be committed, and it is reasonable to expect that if the individual knew about the disclosure, the ability to detect, suppress or prevent the fraud would be compromised; or
(c) to a government institution, a part of a government institution or the individual’s next of kin or authorized representative, where:
(i) the organization has reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse;
(ii) the disclosure is made solely for the purposes relating to preventing or investigating the abuse; and
(iii) it is reasonable to expect that if the individual knew about the disclosure, the ability to prevent or investigate the abuse would be compromised; and
(d) to a government institution, a part of a government institution or the individual’s next of kin or authorized representative, where it is necessary to identify an individual who is injured, ill or deceased; however, if the individual is alive, the individual must be promptly advised, in writing, of the disclosure by the organization.
The proposed amendments to PIPEDA would also permit the collection, use and disclosure of personal information that is:
(a) contained in a witness statement and necessary to assess, process or settle an insurance claim, or
(b) produced by an individual in the course of his or her employment, business or profession, and the collection, use and disclosure is consistent with the purposes for which the information was produced.
Organizations would also be permitted to collect, use and disclose personal information for purposes related to prospective and completed business transactions. Federal works, undertakings and businesses will also be permitted to collect, use and disclose personal information about an individual, without his or her knowledge or consent, as is necessary to establish, manage or terminate their employment relationship with the individual.
New Obligations in the Event of Security Safeguard Breaches
The Digital Privacy Act creates new obligations for organizations pertaining to breaches of security safeguards. In the event of any breach of security safeguards involving personal information under the control of an organization, the organization must promptly:
(a) report the breach to the Canadian Privacy Commissioner if it is reasonable to believe that the breach creates a real risk of significant harm to an individual;
(b) notify affected individuals if it is reasonable to believe that the breach of security safeguards creates a real risk of significant harm to an individual. The notification must contain sufficient information to allow individuals to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm; and
(c) after notifying an individual, notify any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization, the government institution or part concerned may be able to reduce the risk of harm that could result from it or to mitigate that harm.
In determining whether a breach of security safeguards creates a real risk of significant harm to an individual, a number of factors will be considered, including: (a) the sensitivity of the personal information involved in the breach; (b) the probability that the personal information has been, is being, or will be misused; and (c) any other factors that may be set out in regulations. The Digital Privacy Act also defines the terms “breach of security safeguards” and “significant harm”.
If the Digital Privacy Act becomes law, organizations will also be required to keep and maintain a record of every breach of security safeguards involving personal information under their control, whether or not the breach was reported, and the Canadian Privacy Commissioner will have the right to access or copy those records.
New Powers for Privacy Commissioner
The Digital Privacy Act also gives the Canadian Privacy Commissioner the power, in certain circumstances, to enter into a compliance agreement with an organization to ensure compliance with Part 1 (Protection of Personal Information in the Private Sector) of PIPEDA.
The Commissioner would also be permitted, where the Commissioner considers it to be in the public interest, to make public any information that comes to his or her knowledge in the performance or exercise of any of his or her duties or powers under Part 1. Currently, the Commissioner is only permitted to make public information relating to the personal information management practices of an organization. This broader power will increase the reputational risk associated with a breach of the standards in PIPEDA.
Furthermore, the Commissioner may disclose, or may authorize any person acting on behalf of or under the direction of the Commissioner to disclose, to a government institution any information contained in a breach of security safeguards report received by the Commissioner, if the Commissioner has reasonable grounds to believe that the information could be useful in the investigation of a contravention of laws.
As the Digital Privacy Act makes its way through the Senate and the House of Commons, we will provide further updates on the progress of the legislation and how it will affect charitable and not-for-profit organizations. J. Andrew Sprague can also be followed on Twitter at @canadaprivacy.