Title: Getting Ready for PIPA
1 Getting Ready for PIPA
- A Workshop for Organizations on the Personal Information Protection Act
- Alberta Government Services (Information Management, Access and Privacy Division) and Office of the Information and Privacy Commissioner of Alberta
- With the assistance of Alberta Chambers of Commerce
- March 2004
2 What we will cover today
- What is the Personal Information Protection Act (PIPA)?
- Who/what does PIPA apply to?
- Overview of PIPA's requirements
- What to do to comply
- Resources for organizations
- Questions
3 What is Privacy?
- "the right to be let alone - the most comprehensive of rights and the right most valued by civilized men."
- U.S. Supreme Court Justice Louis Brandeis in Olmstead v. U.S., 1928
4 Threats to privacy
- Modern threats to privacy chiefly arise in the collection and use of information about us
- Privacy used to be protected by default by the nature of paper records
- Electronic records diminish the barriers of time, distance and cost that once guarded privacy
5 Personal Information
- Includes
  - Name
  - Birth date
  - Gender
  - Address
  - Education
  - Employment
  - Income
  - Medical history
  - S.I.N.
- Held by
  - Credit unions
  - Insurance companies
  - Retailers
  - Landlords
  - Employers
  - Fundraisers
  - Credit bureaus
  - Sports clubs
6 What is PIPA?
- The Personal Information Protection Act balances
  - the right of an individual to have his or her personal information protected, and
  - the need of organizations to collect, use or disclose personal information for purposes that are reasonable
- Provides common-sense rules for collection, use and disclosure of personal information by private-sector (non-government) organizations
- The Act also provides a right of access to one's own personal information
7 PIPA/PIPEDA
- Both focus on protecting personal information in the private sector
- Substantially similar, but not necessarily the same
- Federal and Provincial Commissioners are working to harmonize practices and protocols
8 PIPA applies to
- Organizations, including
  - Corporations
  - Unincorporated associations
  - Trade unions (Labour Relations Code)
  - Partnerships (Partnership Act)
  - Individuals acting in a commercial capacity
9 PIPA does not apply to
- Personal information for personal or domestic purposes
- Personal information for journalistic, artistic, literary purposes
- A public body or personal information protected under the FOIP Act
- Personal information in a record that is at least 100 years old, or about an individual dead for at least 20 years
- Health information (as defined in HIA) collected, used or disclosed for health care purposes, but not personal employee information
10 Special provisions for
- Specified non-profit organizations carrying out commercial activities
- Professional regulatory organizations
11 Personal Information
- Defined as information about an identifiable individual
- PIPA has broad coverage
  - Applies to personal information regardless of whether it is used for commercial purposes (except for specified non-profits)
  - Includes personal employee information
12 Business Contact Information
- Information you would find on a business card or company letterhead
- Includes name, position or title, business telephone number, address, e-mail and fax number
- PIPA does not apply to business contact information when it is collected, used or disclosed for the sole purpose of contacting an individual in his or her capacity as an employee or official
13 PIPA requires reasonableness
- When "reasonable" is used in the Act, it means
  - What a reasonable person would consider appropriate in the circumstances
14 Be accountable
- An organization is responsible for personal information in its custody or control
- Must designate individual(s) to be responsible for compliance with the Act
- Develop policies, practices and procedures and make information about them available to the public on request
- In meeting responsibilities under the Act, organizations must act in a reasonable manner
15 Obtain consent
- Unless the Act allows otherwise, organizations need consent
  - to collect, use or disclose personal information
  - to collect personal information from anyone other than the individual
- Consent can be express, implied, or opt-out, depending on circumstances
- Consent is invalid if obtained by deception or misleading means
16 Withdraw or vary consent
- An individual may withdraw or vary consent, subject to legal obligations
- Individual must give reasonable notice to the organization
- Organization must advise the individual of the likely consequences, unless obvious
17 Grandfathering
- Personal information collected before January 1, 2004 is deemed to have been collected with consent
- It may be used and disclosed by the organization for the purpose for which it was collected
- The general rules in the Act regarding safeguards, access, correction, etc. still apply to this information
18 How to collect personal information
- Identify purposes for collection
  - Is the purpose reasonable?
- Notify the individual of purposes and get consent
- Except where inappropriate, collect personal information directly from the individual concerned
- Limit the type and amount of personal information collected
  - Is the information reasonable to fulfill the purpose?
19 Collection from another organization with consent
- An individual can consent to an organization collecting his or her personal information from another organization
- The collecting organization must demonstrate that it has obtained consent
- The disclosing organization must be satisfied that the consent complies with the Act
20 Collection without consent
- The Act permits personal information to be collected without consent in limited circumstances, including
  - when clearly in the interests of the individual
  - when another Act or regulation authorizes it
  - for investigations or legal proceedings
  - to collect a debt or repay monies owed
  - to create a credit report
  - to determine suitability for an honour or award
  - for archival or research purposes
21 Collection without consent
- Information is publicly available
  - name, address, telephone number in a public telephone directory, if the subscriber can refuse to be included
  - name, title, address, telephone number in a professional or business directory available to the public, where collection, use or disclosure relates directly to the purpose for which the information appears in the directory
  - personal information in a government registry or registry operated under a statute
    - to which the public has access
    - where collection, use or disclosure relates directly to the purpose for which the information appears in the registry
22 Collection without consent
- Information is publicly available
  - personal information in a record of an administrative tribunal, if
    - available to the public
    - collection, use, or disclosure relates directly to the purpose for which the information appears in the record
  - personal information in a publication, including a magazine, book or newspaper, in printed or electronic form, if
    - available to the public
    - reasonable to assume that the individual provided the information
23 Investigations
- Organizations do not need consent if the collection, use or disclosure of personal information is reasonable for an investigation or legal proceeding
- "Investigation" means an investigation related to
  - a breach of agreement
  - a contravention of an enactment
  - circumstances or conduct that may result in a remedy or relief being available in law
- if the breach, contravention, circumstances or conduct has or may have occurred or is likely to occur, and
- it is reasonable to conduct an investigation
24 Use of personal information
- Use personal information only with consent, unless otherwise permitted by the Act
- Use personal information only for purposes that are reasonable
- Use only the personal information reasonably needed to fulfill the purposes
25 Use without consent
- The Act permits the use of personal information without consent for purposes including those listed under collection without consent, plus
  - to respond to an emergency threatening the life, health or security of an individual or the public
26 Disclosure of personal information
- Disclose personal information only with consent, unless otherwise permitted by the Act
- Disclose personal information only for purposes that are reasonable
- Disclose only the personal information reasonably needed to fulfill the purposes
27 Disclosure without consent
- The Act permits disclosure of personal information without consent for purposes including those listed under collection and use without consent, plus
  - in accordance with a treaty
  - to comply with a subpoena or court order
  - to a public body or law enforcement agency to assist in an investigation
  - to contact next of kin of an injured or deceased person
  - to a surviving spouse or relative of a deceased individual, if reasonable
  - to protect against fraud or market manipulation, to any agency empowered by legislation
28 Personal employee information
- Personal employee information means
  - personal information of
    - employees or prospective employees
  - reasonably required for the purposes of establishing, managing or terminating the employment or volunteer work relationship
29 Personal employee information
- Employee includes an individual employed by the organization who performs a service for an organization, including as an
  - apprentice
  - volunteer
  - participant
  - student
  - individual under a contract or agency relationship
30 Treatment of personal employee information
- PIPA recognizes the true nature of employment - not consent-based
- The Act allows personal employee information to be collected/used/disclosed without consent when
  - reasonably required for establishing, managing or terminating an employment or volunteer work relationship
- Does not include personal information unrelated to the employment or volunteer relationship
- Must give notice in the case of current employees - transparency
- Subject to review by the Commissioner
31 Sale of Business
- Special recognition for purchase, sale, lease, merger, etc., of a business
- The Act provides for the collection, use and disclosure of personal information (including employee information) between the parties involved if
  - the information is necessary to decide whether to proceed and complete the transaction, and
  - the parties agree to use the information only for that purpose
- Provision does not apply where the primary purpose of the transaction is the sale, etc. of personal information
32 Providing access
- Individuals can request access to
  - own personal information contained in a record
  - information about the purposes for which personal information has been and is being used, and
  - information about to whom the information is disclosed and under what circumstances
- Organization has a duty to assist
- Organization must respond within 45 calendar days
33 Providing access
- Organization may designate an office to receive requests
- Organization may charge a reasonable fee
- Any right under the Act may be exercised by another person on an individual's behalf (s. 61)
34 Refusing access
- Access must be refused if disclosure would
  - threaten the life or security of another individual
  - reveal personal information about another individual
  - reveal the identity of an individual who has provided in confidence an opinion about another individual (may disclose with consent)
- An organization must provide access to the remaining information if able to sever
- Access may be refused if, for example
  - information is protected by legal privilege
  - disclosure would reveal confidential commercial information (sever)
  - information was collected for an investigation or legal proceeding
  - disclosure might result in that type of information no longer being provided
35 Making corrections
- Individuals can ask that their personal information be corrected
- If it is wrong - correct it promptly
  - Notify those to whom the information has been disclosed
- If you cannot agree that it is wrong, annotate that the information is disputed
- You cannot correct expert opinions
- No fees for correction
36 Safeguarding / Ensuring Accuracy
- Organization must
  - Protect personal information in its custody or control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction
  - Make reasonable efforts to ensure that any personal information collected, used or disclosed by or on behalf of an organization is accurate and complete
37 Records management implications
- Privacy compliance requires sound records management practices
- Need to locate records quickly in order to process requests within the time limit
- In deciding how long to keep a record, an organization should be guided by legal and business purposes
38 Oversight by Commissioner
- PIPA is enforced by the Information and Privacy Commissioner of Alberta
  - same Commissioner as for the FOIP Act and the Health Information Act
  - independent Officer of the Legislature
- The Commissioner can
  - investigate complaints
  - initiate own investigations
  - issue Orders
  - authorize an organization to disregard access requests from individuals
  - extend the time limit to respond to an access request
  - provide non-binding advice and advance rulings
39 Complaints
- Once an individual has brought a case to the OIPC, the Commissioner can
  - refer an individual to another grievance, complaint or review process before handling the case
  - attempt mediation
  - conduct an inquiry
  - issue binding orders
  - publish those orders (including the name of the organization)
40 Whistleblower protection
- An organization cannot take adverse employment action against an employee who, acting in good faith and on reasonable belief, informs the Commissioner of a possible breach of the Act
41 What to do to comply
- Put someone in charge of privacy
- Become familiar with the Act
- Review how your organization handles personal information
- Put your practices to the test
- Develop privacy policies and practices
42 What to do to comply
- Develop an access and complaints handling process
- Review and revise forms, and create notice statements
- Review and revise contracts
- Consider employees' personal information
- Train staff
43 What you might have to change
- Forms
  - Add collection, use and disclosure notification
  - Use the appropriate form of consent
  - Is all the personal information you ask for directly connected to its use, and is it reasonable?
- Systems
  - Add database fields to indicate the uses/disclosures individuals consented to
  - Rethink access controls
- Records management practices
  - New security
  - New retention schedule
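The following is an added illustration, not material from the workshop or from Alberta Government Services: a small consent registry in Python showing what the "database fields" and "access controls" on this slide can look like in practice, and how they support the access, correction and consent-withdrawal obligations described on slides 16, 17, 32 and 35. The record layout, purpose names, dates, sample people and the `ConsentRegistry` class are all constructed for this example; nothing in it is prescribed by the Act.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed example: a minimal consent registry. Purpose names, dates
# and sample values are assumptions for illustration, not from the Act.

PIPA_IN_FORCE = date(2004, 1, 1)   # earlier records are deemed consented (slide 17)
ACCESS_RESPONSE_DAYS = 45          # calendar days to answer an access request (slide 32)


@dataclass
class PersonalRecord:
    subject_id: str
    data: dict                     # the personal information itself
    collected_on: date
    purposes: set                  # consented purposes (or the original purpose if grandfathered)
    consent_withdrawn: bool = False
    disputed_fields: set = field(default_factory=set)
    disclosures: list = field(default_factory=list)   # (date, recipient, purpose) log


class ConsentRegistry:
    def __init__(self):
        self.records = {}

    def collect(self, subject_id, data, collected_on, purposes, consent_given=False):
        """Store a record; consent is mandatory for anything collected from 2004-01-01 on."""
        if collected_on >= PIPA_IN_FORCE and not consent_given:
            raise PermissionError(f"{subject_id}: consent required for collection on {collected_on}")
        rec = PersonalRecord(subject_id, dict(data), collected_on, set(purposes))
        self.records[subject_id] = rec
        return rec

    def may_use(self, subject_id, purpose):
        """Purpose-limitation check: only consented purposes, and only while consent stands."""
        rec = self.records[subject_id]
        return not rec.consent_withdrawn and purpose in rec.purposes

    def disclose(self, subject_id, recipient, purpose, on):
        """Release data only for a consented purpose, and log who received it so the
        individual can later be told (slide 32) and notified of corrections (slide 35)."""
        if not self.may_use(subject_id, purpose):
            raise PermissionError(f"{subject_id}: no consent for purpose {purpose!r}")
        rec = self.records[subject_id]
        rec.disclosures.append((on, recipient, purpose))
        return dict(rec.data)

    def withdraw_consent(self, subject_id):
        """Slide 16: the data already held stays, but further use and disclosure stop."""
        self.records[subject_id].consent_withdrawn = True

    @staticmethod
    def access_deadline(received_on):
        """Last calendar day on which the organization must respond to an access request."""
        return received_on + timedelta(days=ACCESS_RESPONSE_DAYS)

    def access_report(self, subject_id):
        """What the individual may ask for: the record, its purposes, and past disclosures."""
        rec = self.records[subject_id]
        return {
            "data": dict(rec.data),
            "purposes": sorted(rec.purposes),
            "disclosed_to": [(str(d), r, p) for d, r, p in rec.disclosures],
            "disputed": sorted(rec.disputed_fields),
        }

    def correct(self, subject_id, field_name, new_value, organization_agrees):
        """Slide 35: if the organization agrees the value is wrong, fix it and return the
        recipients to notify; otherwise annotate the field as disputed and notify no one."""
        rec = self.records[subject_id]
        if organization_agrees:
            rec.data[field_name] = new_value
            return sorted({recipient for _, recipient, _ in rec.disclosures})
        rec.disputed_fields.add(field_name)
        return []


def demo():
    """Walk through collection, disclosure, withdrawal and correction on constructed data."""
    reg = ConsentRegistry()
    # A pre-2004 record is grandfathered for its original purpose only.
    reg.collect("cust-1", {"name": "A. Example", "address": "1 Sample St"},
                date(2003, 6, 1), {"billing"})
    # A record collected after the Act came into force carries its consented purposes.
    reg.collect("cust-2", {"name": "B. Example", "email": "b@example.invalid"},
                date(2004, 3, 15), {"billing", "marketing"}, consent_given=True)
    reg.disclose("cust-2", "print-vendor", "marketing", date(2004, 4, 1))
    grandfathered_marketing = reg.may_use("cust-1", "marketing")   # never consented
    reg.withdraw_consent("cust-2")
    withdrawn_marketing = reg.may_use("cust-2", "marketing")       # consent withdrawn
    notify = reg.correct("cust-2", "email", "b2@example.invalid", organization_agrees=True)
    reg.correct("cust-1", "address", "2 Sample St", organization_agrees=False)
    return {
        "grandfathered_marketing": grandfathered_marketing,
        "withdrawn_marketing": withdrawn_marketing,
        "notify_on_correction": notify,
        "deadline": reg.access_deadline(date(2004, 5, 1)),
        "cust1_report": reg.access_report("cust-1"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the consent fields sit on the record itself, so every use or disclosure passes through one `may_use` check instead of being decided ad hoc by each system, and the disclosure log is what makes both the access report and the correction notifications possible without a manual search.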
44 What happens if organizations don't comply with PIPA?
- Commissioner may make an Order if a complaint or request for review is made
  - Orders will name the organization and will be public
  - Damaging to the reputation of the organization
- Commit an offence if you don't comply with an order, wilfully contravene PIPA or obstruct the Commissioner
- If convicted of an offence, fines are
  - up to $10,000 for individuals
  - up to $100,000 for businesses
- An individual can pursue damages in court for loss or injury suffered as a result of a breach of privacy
45 Non-profit organizations
- Non-profit organizations are defined as organizations incorporated under the
  - Societies Act
  - Agricultural Societies Act
  - Part 9 of the Companies Act
- PIPA only applies to these non-profit organizations' collection, use or disclosure of personal information in connection with a commercial activity
- All other not-for-profit organizations must comply with PIPA for all their activities
46 Commercial activity of non-profit organizations
- "Commercial activity" means any transaction, act or conduct, or any regular course of conduct, that is of a commercial character, and includes
  - the selling, bartering or leasing of membership lists or donor or other fund-raising lists
  - operation of a private school or early childhood services program (School Act)
  - operation of a private college (Post-secondary Learning Act)
- PIPA does not apply to personal employee information of non-profit organizations unless part of a commercial activity
47 Professional regulatory organizations
- Are considered organizations under PIPA
- Have the option of creating a personal information code to govern the collection, use and disclosure of personal information
- An individual would still be able to complain to the Commissioner
- Details are in the Regulation
48 PIPA Resources for Organizations
- PIPA websites (including links)
  - OIPC - http://www.oipc.ab.ca/pipa/
  - Access and Privacy Branch - http://www.psp.gov.ab.ca/
- Access and Privacy Branch Information Line: (780) 644-PIPA (7472)
- OIPC: (403) 297-2728
- Consultants list
- Jointly developed by Access and Privacy Branch and OIPC
- Workshops in key centres throughout the Province
- Guides and other publications
49 PIPA Publications for Organizations
- PIPA on a Page
- Summary for Organizations - 4-page summary of organizations' key obligations
- Getting Ready for PIPA - outlines steps organizations should consider to prepare for PIPA
- Guide for Organizations and Business on PIPA - detailed guide to help organizations understand the Act and their obligations
- Information Sheet on Non-profit Organizations
- Guidelines for Developing a Personal Information Code for Professional Regulatory Organizations