Information and Privacy Commissioner, Frank Work, sees most of the amendments to the Personal Information Protection Act which have been introduced in the Legislature as positive for Albertans, but is disappointed by the failure to bring all non-profit organizations and agencies under the Act.
The Personal Information Protection Act (PIPA) provides the rules for how private sector organizations are allowed to collect, use, disclose, protect and provide access to your personal information.
The Commissioner says, “In the five years PIPA has been in force, we have found it works well, but fine tuning was needed, and many of the recommendations introduced in Bill 54 will strengthen the law and will effectively promote privacy protection of Albertans”.
Here’s what we like:
- Organizations will be required to notify the Commissioner of a privacy breach that could reasonably result in a real risk of significant harm to an individual. The Commissioner will have exclusive jurisdiction to require an organization to notify individuals of the breach.
Works says, “My office is required to establish a process to expedite determining whether or not an organization will be required to notify affected individuals. Our experience with self- reported breaches is that organizations routinely make the decision now to notify individuals. We don’t expect this to change. The Bill expressly states that organizations can continue to notify on their own initiative and they don’t have to wait to be told to by the Commissioner”.
- Organizations will be required to notify individuals when they will be transferring personal information to a service provider outside of Canada
- The Bill establishes new offence provisions – for example, it will be an offence for an organization to take adverse action against a “whistleblower” employee.
- It will also be an offence for an organization to fail to notify the Commissioner of a privacy breach that could result in a real risk of significant harm to an individual.
- Bill 54 clarifies PIPA’s existing provisions regarding personal employee information and the retention of personal information, and includes some revised consent provisions to better address longstanding business practices.
Here’s what we don’t like:
The Commissioner says, “I am extremely disappointed that a recommendation to bring all not-for-profit organizations fully under the scope of PIPA is no longer going forward. All this does is creates confusion about which non-profits are in and which are out.”
Work adds, “A large segment of society served by not-for-profit organizations is currently without privacy protection. Amending the Act to fully include not-for-profit organizations would protect the personal information of the clients, employees, volunteers and donors of these organizations and would provide effective oversight to ensure individual privacy rights are upheld. It is worth noting that many of these organizations collect highly sensitive personal information that should be subject to legislative protection.”
Work says “Albertans deserve some protection of their personal information within the non-profit sector, and hopefully the government will address this issue and fix the problem at some point in the future”.