The Changing Face of Privacy

Written By Stephen D. Burns

Effective May 1, 2010, Alberta's Personal Information Protection Act and its Regulations have been amended by the Personal Information Protection Amendment Act and the corresponding Personal Information Protection Act Amendment Regulation.

Of the many amendments to the Personal Information Protection Act, we draw your attention to the following:

• A new requirement for organizations to provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of personal information, where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure; the Commissioner may require the organization to notify affected individuals. Section 19 of the amended Regulations specifies the form and details of such notices.
• A new requirement that organizations which use a service provider (including a parent, subsidiary or other affiliate) outside of Canada to:
  • include in its policies and practices information regarding:
    • the countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur; and
    • the purposes for which the service provider outside Canada has been authorized to collect, use or disclose personal information for or on behalf of the organization;
     
  • notify individuals at or before the collection or transfer, in writing or orally:
    • how individuals may obtain access to written information about the organization's policies and practices with respect to service providers outside Canada; and
    • the name or position name or title of a person who is able to answer the individual's questions.
     
   
• A new requirement that organizations, within a reasonable period of time after an organization no longer reasonably requires personal information for legal or business purposes, destroy the records containing the personal information, or revise the records so that the information remaining can no longer be used to identify an individual.
• Clarification that provisions related to personal employee information apply to potential, current and former employees of an organization and include the management of post-employment or post-volunteer work relationships.
• Clarification of provisions permitting disclosure without notice or consent in connection with the prevention, detection or suppression of fraud; including, the specific inclusion of the investigative offices of the Insurance Bureau of Canada and the Canada Banker's Association.
• A new deemed consent for the collection, use or disclosure of personal information in connection with an individual's enrolment in or coverage under an insurance policy, pension, benefit or similar plan.
• A new requirement to retain records related to an investigation by the Commissioner for a period of one year.

As these amendments include both new obligations (such as destruction, notice of loss, and notice of the service providers outside of Canada) and clarifications in certain key areas (such as the application of the Act to the employment relationship), now may be an opportune time for the review of your current policies and practices and to consider what, if any, amendments may now be required by as a result of these amendments.