On April 8th the federal government introduced Bill S-4, the Digital Privacy Act. Bill S-4 received second reading on May 8th and was referred to the Standing Senate Committee on Transportation and Communications for further consideration. If passed, Bill S-4 will amend the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and introduce new requirements for an organization’s collection, use and disclosure of personal information.
Perhaps the most important of the proposed amendments is the regime relating to breaches of security safeguards. Bill S-4 defines such a breach to include the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or the failure of the organization to establish such safeguards.
Bill S-4 will require organizations to keep a record of every breach of security safeguards involving personal information under their control. Where it is reasonable in the circumstances to believe that a breach creates a real risk of significant harm to an individual, the organization will also be required to report the breach to the federal Privacy Commissioner and to notify the affected individuals. The term “significant harm” is defined broadly and includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on credit records, and damage to or loss of property. Whether a breach creates a real risk of significant harm is to be assessed on the basis of the sensitivity of the personal information involved and the probability that the information has been, is being or will be misused. An organization that knowingly fails to keep the prescribed records, to report a breach to the Commissioner or to notify affected individuals could be subject to a fine of up to $100,000.
For employers that fall within federal jurisdiction, Bill S-4 will change the manner in which the personal information of employees is collected, used and disclosed. Most notably, the definition of “personal information” will be amended to remove the exclusion in respect of the name, title, business address or telephone number of an employee. Under the amendments in Bill S-4, that information will be considered personal. The proposed amendments will also expand the application of PIPEDA to include applicants for employment. Bill S-4 will set out an exemption from the requirements of PIPEDA for business contact information of an individual that is collected, used and disclosed solely for the purpose of communicating with the individual in relation to their employment, business or profession.
Bill S-4 will also set out additional circumstances in which organizations may disclose personal information, without the knowledge or consent of the individual. These additional circumstances contemplate investigations involving breaches of agreements, illegality, fraud, and financial abuse.
The Privacy Commissioner will be granted new authority under Bill S-4 to enter into compliance agreements with organizations where the Commissioner believes on reasonable grounds that an organization has committed, is about to commit or is likely to commit a contravention of PIPEDA. The Commissioner may include in a compliance agreement any terms the Commissioner considers necessary and may apply to the court for an order enforcing the agreement.
Organizations should begin a review of their privacy policies and the manner in which personal information is collected, used and disclosed, with a view to ensuring compliance with the proposed legislation.