Organizations that interact with personal information in Alberta may want to dust off their privacy policies after the recent enactment of key amendments to the province’s Personal Information Protection Act.
The changes, which came into law May 1, include Canada’s first breach-reporting and notification requirements. The law forces organizations to notify Alberta’s privacy commissioner if individuals’ personal information is lost or improperly accessed and a reasonable person would view the incident as presenting “a real risk of significant harm” to an individual. The commissioner may then force the organization to notify those affected by the breach.
“Our experience has been that most businesses already notify people affected by losses and we encourage this,” said Alberta Information and Privacy Commissioner Frank Work. “This is not necessarily a matter of making businesses liable for losses of information; it is about warning people so that they can take precautions. Hopefully it will make businesses more aware of the need for reasonable security measures.”
Another key change is a requirement for organizations using a service provider outside Canada to include details of that relationship in policies and practices. The requirement applies to parents, subsidiaries, and other affiliates.
Specifically, organizations dealing with personal information within Alberta must now include in their policies and practices particulars of countries in which the collection, use, disclosure, or storage is taking place, or may take place in the future. They must also specify why that service provider has been allowed to manage personal information.
Stephen Burns, an information and privacy law practitioner and partner at Bennett Jones LLP’s Calgary office, says while those are the most glaring changes to the legislation, in-house counsel will want to take note of several other tweaks.
“There are significant changes in the act,” he says. “There’s lots of little rewrites here and there. . . . Definitions have been changed, and lots and lots of clarifications are in the legislation, which means you should have a closer look at it when you’re looking at what you do in your agreements.”
Brian Thiessen, who practises privacy law at Blake Cassels & Graydon LLP’s Calgary office, notes the Alberta update is the first comprehensive legislative review with followup amending legislation on Canadian privacy law since the bulk of regulations came online in 2004.
That means organizations that are not regulated by Alberta’s privacy legislation may still want to take note of these amendments.
“It’s a bit of a guide, especially given that Frank Work, the Alberta privacy commissioner, and the others are very closely in touch, and they work together,” says Thiessen. “It’s a bit of a telltale on what other provinces, other jurisdictions, might be thinking and gives a bit of a sign about what the privacy commissioners are concerned about.”
Meanwhile, Osler Hoskin & Harcourt LLP Toronto partner Michael Fekete says the new Alberta laws signal a growing awareness of the risks surrounding data breaches in the private sector. He believes most large institutions have invested adequately in guarding against the threat, but suggests smaller companies may still be vulnerable.
“There’s probably more room for improvement among smaller and mid-sized organizations, because they may not have the same resources to invest in improving their information security and data-handling practices,” says Fekete. “They don’t have the same sophistication on what best practices would be.”
The new Alberta legislation will force companies to tweak internal and external documents, so Burns believes this is an ideal time for in-house counsel to consider an overhaul of their organization’s privacy regime.
“In our view, it’s a great time to just look at your privacy documentation, what individuals you’re interacting with are seeing, what you’re publishing to the world, and ensure that you’re refreshing it for the amendments in Alberta, to the extent to which the amendments apply to you,” says Burns.
More information on the amendments is available at oipc.ab.ca.