The federal government has re-introduced legislation to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). Bill C-12, Safeguarding Canadians’ Personal Information Act, which was introduced on September 29, 2011, had been previously introduced in Parliament in 2010, but failed to be passed into law because of the intervening federal election.
The legislation includes some significant changes:
- – An exemption in having to obtain consent from employees’ to the release of their personal information in the context of business transactions,
- – A new requirement to notify the Privacy Commissioner and affected individuals of any material breaches in security of personal information, and
- – An exclusion of “business contact information” from the obligations in PIPEDA in certain circumstances.
Exemption in Business Transactions
The bill provides an exemption for use and disclosure of employees’ personal information when it is disclosed in the context of a business transaction. In order for this exemption to apply, several criteria must be met. First, the information must be necessary for the parties to determine whether or not to proceed with and/or complete the transaction. Second, the business parties must have entered into a confidentiality agreement that requires that the information be used solely for the purposes related to the transaction, that the information be destroyed if the transaction is not concluded, and appropriate security measures are taken to protect the personal information.
The bill also provides that the Privacy Commissioner must be notified of any material breaches in security, and further requires that individuals be notified, including employees, if it is reasonable to believe that such breach creates a “real risk of significant harm to the individual”. The bill provides some factors to be considered in determining whether or not a breach is serious enough to be considered a “material” breach. These include the number of individuals affected, the sensitivity of the information, and whether the breach is indicative of a systematic problem.
Business Contact Information
The bill clarifies that business contact information is to be excluded from the obligations of PIPEDA if it is collected, used or disclosed solely for the purpose of communications relating to the individuals employment, business, or profession.
The bill has not yet passed first reading but is expected to become law sometime in the New Year.