Personal Information Protection Act - PowerPoint PPT Presentation

Provided by: kimkreut

Transcript and Presenter's Notes


1
Personal Information Protection Act
  • Presentation to the
  • Document Management Symposium
  • Jasper, Alberta
  • May 14, 2004

2
Threats to privacy
  • Modern threats to privacy chiefly arise in the
    collection and use of information about us
  • Privacy used to be protected by default, by the
    nature of paper records
  • Electronic records diminish the barriers of time,
    distance and cost that once guarded privacy

3
Private Sector Privacy Legislation
  • Alberta's Personal Information Protection Act
    applies to the handling of personal information
    within the province
  • Federal Personal Information Protection and
    Electronic Documents Act (PIPEDA) applies to
    transactions of a commercial nature, crossing a
    border

4
Provincial privacy acts
  • Alberta PIPA Dec. 4, 2003
  • Regulation passed Dec. 10, 2003
  • Proclamation date was January 1, 2004
  • B.C. PIPA passed in Nov. 2003
  • Quebec Act, 1992, is substantially similar to
    PIPEDA
  • AB and B.C. "substantially similar" designation
    expected in June

5
Personal Information Protection Act
  • The Act balances:
  • The right of an individual to have his or her
    personal information protected, and
  • The need of organizations to collect, use or
    disclose personal information for purposes that
    are reasonable.
  • The Act provides a right of access to one's own
    personal information.

6
PIPA applies to
  • Organizations
  • Corporations including societies,
  • Unincorporated associations,
  • Trade Unions (Labour Relations Code),
  • Partnerships (Partnerships Act), and
  • Individuals acting in a commercial capacity
  • But not an individual acting in a personal or
    domestic capacity

7
Personal Information
  • Includes:
    • Name
    • Birth date
    • Gender
    • Address
    • Education
    • Employment
    • Income
    • Medical History
  • Held by:
    • Banks
    • Insurance Companies
    • Retailers
    • Landlords
    • Employers
    • Fundraisers
    • Credit Bureaus
    • Sports Clubs

8
PIPA does not apply
  • Act does not apply to a public body or any
    personal information that is in the custody or
    control of a public body (section 4(2))
  • Act does not apply to personal information that
    is in the custody of an organization if the
    Freedom of Information and Protection of Privacy
    (FOIP) Act applies to that information (section
    4(3)(e))

9
PIPA does not apply
  • Act does not apply to health information where
    the information is collected, used or disclosed
    by an organization for health care purposes
    (section 4(3)(f))
  • However, health information does not include
    personal employee information

10
PIPA does not apply
  • There are several other exclusions, such as:
  • Business contact information collected to
    contact a representative of an organization
  • Personal information of an individual dead for 20
    years or more or in a record that is 100 years
    old or more
  • Personal or domestic purposes of an individual
  • Artistic, literary or journalistic purposes
  • Court records, MLA records

11
What is reasonable?
  • When "reasonable" is used in the Act, it means
    what a reasonable person would consider
    appropriate in the circumstances

12
Obtain consent
  • Unless Act allows otherwise, organizations need
    consent to collect, use or disclose personal
    information, except where inappropriate.
  • Consent can be express, implied, or opt-out
    depending on circumstances.

13
Grandfathering
  • Personal information collected before January 1,
    2004, is deemed to have been collected with
    consent.
  • It may be used and disclosed by the organization
    for the purpose for which it was collected.
  • The general rules in the Act regarding
    safeguards, access, correction etc. still apply
    to this information.

14
Collection
  • Collect personal information only for reasonable
    purposes.
  • Collect only as much information as is reasonable
    for those purposes.
  • Except where inappropriate, collect personal
    information directly from the individual
    concerned.
  • Inform the individual of how the information will
    be used and disclosed.

15
Use and disclosure
  • Use and disclose personal information only for
    the purposes for which it was collected, unless
    the individual consents or the use or disclosure
    is permitted by the Act.

16
Collection, use or disclosure without consent
  • In limited circumstances, including:
  • when another Act or regulation authorizes it
  • public body is authorized to collect from or
    disclose information to an organization
  • for investigations or legal proceedings
  • to collect a debt or repay monies owed
  • to create a credit report
  • to determine suitability for honour or award

17
Give individuals access
  • On request, provide an individual with
    information about the existence, use and
    disclosure of the individual's personal
    information and provide access to that
    information if reasonable.
  • PIPA permits or requires access to be refused in
    certain circumstances.
  • On request, correct information that is
    inaccurate.

18
Accuracy, security, retention
  • Ensure that personal information is as accurate
    as necessary for the purposes for which it was
    collected.
  • Protect the personal information appropriately.
  • Retain the information only as long as reasonable
    for business and legal reasons.

19
Accountability
  • An organization is responsible for personal
    information in its custody or control
  • Must designate individual(s) to be responsible
    for compliance with the Act
  • Develop policies, practices and procedures and
    make information about them available to public
    on request
  • In meeting responsibilities under the Act,
    organizations must act in a reasonable manner

20
Employee information
  • Allows certain personal employee information to
    be collected/used/disclosed without consent when
    reasonably required for purposes of establishing,
    managing or terminating an employment or
    volunteer work relationship.
  • Does not include personal information unrelated
    to the employment or volunteer relationship.
  • Requires notice to be given to current employees

21
Non-profit organizations
  • Non-profit organizations are defined as:
  • Societies incorporated under the
  • Societies Act
  • Agricultural Societies Act
  • Part 9 of the Companies Act
  • May also be defined in regulation if needed in
    the future.

22
Non-profit organizations
  • PIPA applies to personal information
    collected/used/disclosed in connection with a
    commercial activity carried out by a non-profit
    organization.
  • PIPA does not apply to personal employee
    information unless part of commercial activity.

23
Non-profit organizations
  • Commercial activity means:
  • Any transaction, act or conduct, or any regular
    course of conduct, that is of a commercial
    character, and includes
  • The selling, bartering or leasing of membership
    lists or donor or other fund-raising lists
  • Operation of a private school or early childhood
    services program (School Act)
  • Operation of a private college (Post-secondary
    Learning Act)

24
Professional regulatory organizations
  • Are organizations under the Act
  • Have the option of creating a personal
    information code governing the
    collection/use/disclosure of personal information
    consistent with ss.1-35
  • An individual would still be able to request a
    review or complain to the Commissioner.

25
Sale of Business
  • Special recognition for purchase, sale, lease,
    merger, etc., of a business
  • Act provides for the collection, use and
    disclosure of personal information (including
    employee information) between parties involved
    if
  • the information is necessary to decide whether to
    proceed and complete the transaction, and
  • the parties agree to use the information only
    for that purpose
  • Provision does not apply where primary purpose of
    transaction is sale, etc. of personal information

26
The Information and Privacy Commissioner
  • Same Commissioner as the FOIP Act and Health
    Information Act
  • The Commissioner can
  • refer an individual to another grievance,
    complaint or review process before dealing with
    the complaint
  • authorize mediation to settle a complaint
  • conduct an inquiry
  • issue binding orders
  • authorize an organization to disregard requests

27
Implementing PIPA
  • Put someone in charge
  • Become familiar with the Act
  • Review how your organization handles personal
    information
  • Put your practices to the test
  • Develop privacy policies and practices
  • Train staff
  • Develop an access and complaints handling process
  • Review and revise forms, and create notice
    statements
  • Review and revise contracts
  • Consider employees' personal information

28
Questions - PIPA
  • Access and Privacy Branch
    Alberta Government Services
    3D, Commerce Place,
    10155 102 Street
    Edmonton, AB T5J 4L4
    Web site: www.pipa.gov.ab.ca
    Phone: 780-644-PIPA (7472)
    Toll free: dial 310-0000 first
    E-mail: pspinfo@gov.ab.ca
  • Office of the Information and Privacy
    Commissioner
    500, 640 5th Ave. S. W.
    Calgary, AB T2P 3G4
    Web site: www.oipc.ab.ca/pipa/
    Phone: 1-888-878-4044
    E-mail: generalinfo@oipc.ab.ca

29
Resources
  • PIPA on a Page
  • PIPA, A Summary for Organizations
  • Getting Ready for PIPA
  • A Guide for Businesses and Organizations
  • Frequently Asked Questions
  • Links to web sites

30
Questions - PIPEDA
  • Privacy Commissioner of Canada
    Web site: www.privcom.gc.ca
    Phone: 1-800-282-1376
    E-mail: info@privcom.gc.ca
  • Industry Canada
    Web site: www.strategis.gc.ca, e-commerce pages