Provincial Privacy Legislation

While the Privacy Commissioner of Canada is mandated to oversee compliance with the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), a number of provinces have had their own private sector privacy legislation declared substantially similar to the federal statutes. A number of provinces have Privacy Commissioners' Offices and Ombudsmen who work in conjunction with the federal Privacy Commissioner of Canada. They are responsible for protecting the personal information rights of Canadians under specific provincial legislation. Thus, provincial Commissioners must negotiate concurrent or overlapping jurisdiction with the federal Privacy Commissioner.

Alberta PIPA: About

The Personal Information Protection Act (PIPA) of Alberta was enacted January 1, 2004 and declared substantially similar to the PIPEDA on October 12, 2004. This legislation aims to protect personal information in the private sector. The Government of Alberta recognized that private sector privacy legislation had come to the forefront as a result of numerous technological advances that allowed organizations to store and manipulate large amounts of personal information. As legislation was already in place to regulate privacy in the public sector, it became increasingly important to ensure that the private sector abides by similar guidelines.

In the process of creating the PIPA, 100 organizations and business associations were consulted. The following needs were established as a result of the consultations:

  • industry and government to work together
  • harmonize legislation across jurisdictions
  • regulate management of employee information
  • minimize cost of implementation
  • government to provide resource materials

Public opinion polls were also conducted during 2002, showing strong support for such legislation.

Alberta PIPA: Purposes

The purpose of the PIPA is to regulate the collection, use and disclosure of personal information by organizations in a way that recognizes the individual’s rights and meets the organization’s reasonable needs.

The PIPA applies to any personal information that is not under the control of a public body. For instance, the PIPA does not apply to collection, use or disclosure of personal information that is:

  • for personal or domestic purposes only
  • for artistic, journalistic or literary purposes
  • health information
  • information contained in a court file or in a record of a judge, master in chambers or justice of the peace
  • information about an individual who has been dead for at least 20 years

The PIPA of Alberta does not apply to all organizations in the same way. Non-profit organizations in Alberta are only subject to the PIPA for their commercial activities. The PIPA also specifies provisions for an approved privacy code to apply to specific professional regulatory organizations. These privacy codes replace certain sections of the PIPA. Transborder flows of personal information would fall under the jurisdiction of the PIPEDA.

Alberta PIPA: Requirements & Redress

To ensure compliance with the PIPA, organizations must have at least one individual who is responsible for that compliance. The organization must also develop and implement reasonable policies and practices to help meet its responsibilities under the Act.

Other key requirements of the PIPA include:

  • Organizations may only collect personal information to an extent that is reasonable for the purposes for which it is being collected.
  • Organizations may use or disclose personal information only for the purposes for which it was originally collected, unless they obtain consent from the individual.
  • Organizations must ensure the information is complete and accurate.
  • Organizations must make reasonable security arrangements to protect the information.
  • Organizations must allow the individual access to the personal information, and make corrections, for a reasonable fee.

If an individual believes that their personal data has been collected, used or disclosed in a manner that contradicts the PIPA, this individual can make a formal complaint to Alberta’s Information and Privacy Commissioner, who has general oversight of the PIPA. The Commissioner has the authority to conduct investigations, hold inquiries and issue binding orders. The Commissioner also oversees compliance with other provincial privacy legislation – the Freedom of Information and Protection of Privacy Act and the Health Information Act.

Under the PIPA, there are three processes of redress.

  1. The individual can file a complaint against the organization with the Office of the Information and Privacy Commissioner. The Office staff would then investigate and attempt to mediate the situation. If a solution cannot be found through mediation, then the Commissioner may decide to hold an inquiry. Out of this, the Commissioner will issue an Order, determining if the organization is at fault. It is most common for complaints to be dealt with in this manner.
  2. Under the PIPA, fines may be assessed by the provincial courts. Fines would only be imposed if the organization or individual is found guilty of an offense under the PIPA. Such offenses would include deliberate actions to violate the PIPA, for example, hacking into a database to access clients’ credit card numbers.
  3. An individual may choose to sue an organization or another individual for damages for loss or injury. This would take place after the Commissioner has made an Order against the organization in question. An individual can only sue for damages if the organization or individual being sued has been convicted of an offense under the PIPA.

British Columbia PIPA: About

British Columbia has had its own provincial privacy legislation – the Freedom of Information and Protection of Privacy Act (FOIPPA) – since 1993. The FOIPPA regulates collection, use and disclosure of personal information by public bodies. Concern was raised that the province also required a separate legislative framework that applied to the protection of personal information for the private sector.

In response to the federal government’s enactment of the PIPEDA, the province of British Columbia decided to introduce its own Personal Information Protection Act (PIPA), which regulates the collection, use and disclosure of personal information by private organizations. The PIPA of British Columbia was declared substantially similar to the PIPEDA on October 12, 2004.

British Columbia PIPA: Redress

Should there be a dispute as to the application of the PIPA, an individual may decide to file a complaint with the Information and Privacy Commissioner of British Columbia. The Commissioner is responsible for monitoring how the PIPA is being administered to ensure it achieves its purposes. The mandate of the Commissioner includes the following authorities:

  • complaints against organizations
  • reviews of decisions made by organizations
  • inquiries relating to complaints and reviews
  • extensions of the period of time for responding to requests for access to or correction of personal data
  • authorization to disregard requests for access or correction of personal information

The Commissioner’s central objective is to achieve direct communication between the individual and the organization in question. This method of resolution will be the initial and priority method in the case of complaints under the PIPA.

Similarities & Differences

The PIPAs of Alberta and British Columbia share many similarities and key requirements. Both pieces of legislation apply to provincially-regulated private sector organizations. Both also cover employee information that is held by provincially-regulated organizations.

Unlike the PIPA of Alberta, the PIPA of British Columbia applies in the same way to all organizations that are subject to it. However, in the case of transborder personal information flows, these would fall under the jurisdiction of the PIPEDA.

Managing Interprovincial Transborder Data Flows

Interprovincial transborder data flows occur when personal information is transmitted from one province to another. Some examples may include:

  • Selling a mailing list from one province to another
  • Sending customer data to a loyalty program in another province
  • Processing client accounts at a branch located in another province

The federal PIPEDA applies to organizations conducting commercial activities internationally. The PIPEDA will not apply to an organization if the organization:

  • Operates in a province with private sector privacy legislation (e.g. Alberta, British Columbia).
  • Has other operations which are not commercial in nature.
  • Is not a federal work, undertaking or business and the information is the personal data of employees.

In certain cases, the collection, use or disclosure of personal information may be subject to both provincial privacy legislation and the PIPEDA. For instance, one part of a transaction (e.g. the collection of information) falls under the Alberta PIPA, while another part of the transaction (e.g. the use) is subject to the PIPEDA. The organization would have to compare the provincial and federal legislation. Usually one will be more stringent than the other. The rule of thumb is to comply with the more stringent requirement, as doing so would likely ensure compliance with both federal and provincial legislation.

In the event that a complaint falls under the jurisdiction of more than one Privacy Commissioner’s Office, the Offices are responsible for coordinating efforts to ensure that there is a productive, harmonized approach to conflict resolution. The federal Office has a Memorandum of Understanding with the Offices in Alberta and British Columbia to ensure cooperation and collaboration, and to prevent duplication of efforts.

Summary

This article discusses two substantially similar pieces of provincial legislation that protect private sector privacy rights: the PIPA of Alberta and the PIPA of British Columbia. The article describes the purposes, regulations and means of redress for each piece of legislation. It also explores situations which may be regulated by a number of laws, such as transborder data flows.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

  • Personal Information Protection Act of Alberta (III.A.b.)
  • Personal Information Protection Act of British Columbia (III.A.c.)