In passing the Personal Information Protection and Identity Theft Prevention Act (Act), Manitoba became the fourth Canadian province to pass private-sector privacy legislation, joining British Columbia, Alberta and Quebec (other provinces continue to be governed by PIPEDA, Canada’s federal private-sector privacy legislation). The Act is not yet in force, but when it is, it will establish rules for the collection, use and disclosure of personal information – broadly defined as information about an identifiable individual, including employee information. It will apply to most for-profit and non-profit organizations in Manitoba, but will not apply to public organizations. Like many other private-sector privacy laws, the Act generally provides that organizations must obtain an individual’s consent before collecting, using or disclosing personal information. However, consent will not be required in all cases. For example, an employer will not require consent for the reasonable collection, use or disclosure of personal employee information. Also, parties to a business transaction will not require consent if they have agreed in writing to restrict use and disclosure of personal information to the purposes of the business transaction. Unlike other private-sector privacy laws, the Act contains a broad breach-notification obligation. If an individual’s personal information is lost, accessed or disclosed without authorization and it is reasonably possible for the information to be used unlawfully, the organization must directly report the breach to the individual. By comparison, Alberta’s Personal Information Protection Act requires the organization to notify the regulator of a breach if there is a real risk of significant harm to an individual as a result of the breach. An individual may claim damages under the Act against an organization if, in the event of a breach, it failed to protect the individual’s personal information or failed to properly notify the individual of the breach. Also, an organization will be subject to a fine of up to $100,000 if it intentionally destroyed, altered, or concealed personal information in order to evade a request for access to the information. Interestingly, the Act does not yet include an enforcement mechanism allowing individuals to file a complaint with the Ombudsman (the regulator), but this omission is expected to be resolved before the Act is proclaimed in force. The Act is a significant development in Canadian privacy law and will have an impact on the practices of most organizations in Manitoba relating to personal information and security of that information. For a link to the Act in its current form, see: http://tinyurl.com/ncu37fu Summary by: Darren Hall
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.