Getting Ready for PIPA - PowerPoint PPT Presentation


Provided by: albertagov


Transcript and Presenter's Notes

Title: Getting Ready for PIPA

Getting Ready for PIPA
  • A Workshop for Organizations
  • on the Personal Information Protection Act
  • Alberta Government Services (Information
    Management, Access and Privacy Division)
  • and
  • Office of the Information and Privacy
    Commissioner of Alberta
  • With the assistance of Alberta Chambers of
  • March 2004

What we will cover today
  • What is the Personal Information Protection Act
  • Who/what does PIPA apply to?
  • Overview of PIPA's requirements
  • What to do to comply
  • Resources for organizations
  • Questions

What is Privacy?
  • "…the right to be let alone - the most
    comprehensive of rights and the right most valued
    by civilized men."
  • U.S. Supreme Court Justice Louis Brandeis in
    Olmstead v. U.S., 1928

Threats to privacy
  • Modern threats to privacy chiefly arise in the
    collection and use of information about us
  • Privacy used to be protected by default - the
    nature of paper records
  • Electronic records diminish the barriers of time,
    distance and cost that once guarded privacy

Personal Information
  • Includes
  • Name
  • Birth date
  • Gender
  • Address
  • Education
  • Employment
  • Income
  • Medical history
  • S.I.N.
  • Held by
  • Credit unions
  • Insurance companies
  • Retailers
  • Landlords
  • Employers
  • Fundraisers
  • Credit bureaus
  • Sports clubs

What is PIPA?
  • The Personal Information Protection Act
  • the right of an individual to have his or her
    personal information protected, and
  • the need of organizations to collect, use or
    disclose personal information for purposes that
    are reasonable
  • Provides common sense rules for collection,
    use and disclosure of personal information by
    private-sector (non-government) organizations
  • The Act also provides a right of access to one's
    own personal information

  • Both focus on protecting personal information in
    the private sector
  • Substantially similar, but not necessarily the
  • Federal and Provincial Commissioners are working
    to harmonize practices and protocols

PIPA applies to…
  • Organizations, including
  • Corporations
  • Unincorporated associations
  • Trade unions (Labour Relations Code)
  • Partnerships (Partnership Act)
  • Individuals acting in a commercial capacity

PIPA does not apply to…
  • Personal information for personal or domestic
  • Personal information for journalistic, artistic,
    literary purposes
  • A public body or personal information protected
    under FOIP Act
  • In a record that is at least 100 years old, or
    about an individual dead for at least 20 years
  • Health information (as defined in HIA) collected,
    used or disclosed for health care purposes, but
    not personal employee information

Special provisions for…
  • Specified non-profit organizations carrying out
    commercial activities
  • Professional regulatory organizations

Personal Information
  • Defined as information about an identifiable
  • PIPA has broad coverage
  • Applies to personal information regardless of
    whether it is used for commercial purposes
    (except for specified non-profits)
  • Includes personal employee information

Business Contact Information
  • Information you would find on a business card or
    company letterhead
  • Includes name, position or title, business
    telephone number, address, e-mail and fax number
  • PIPA does not apply to business contact
    information when it is collected, used or
    disclosed for sole purpose of contacting
    individual in capacity as an employee or official

PIPA requires reasonableness
  • When "reasonable" is used in the Act, it means
  • What a reasonable person would consider
    appropriate in the circumstances

Be accountable
  • An organization is responsible for personal
    information in its custody or control
  • Must designate individual(s) to be responsible
    for compliance with the Act
  • Develop policies, practices and procedures and
    make information about them available to public
    on request
  • In meeting responsibilities under the Act,
    organizations must act in a reasonable manner

Obtain consent
  • Unless Act allows otherwise, organizations need
  • to collect, use or disclose personal information
  • to collect personal information from anyone other
    than the individual
  • Consent can be express, implied, or opt-out,
    depending on circumstances
  • Consent invalid if obtained by deception or
    misleading means

Withdraw or vary consent
  • An individual may withdraw or vary consent,
    subject to legal obligations
  • Individual must give reasonable notice to
  • Organization must advise individual of likely
    consequences, unless obvious

  • Personal information collected before January 1,
    2004 is deemed to have been collected with
  • It may be used and disclosed by the organization
    for the purpose for which it was collected
  • The general rules in the Act regarding
    safeguards, access, correction, etc. still apply
    to this information

How to collect personal information
  • Identify purposes for collection
  • Is purpose reasonable?
  • Notify individual of purposes and get consent
  • Except where inappropriate, collect personal
    information directly from the individual
  • Limit type and amount of personal information
  • Is information reasonable to fulfill purpose?

Collection from another organization with consent
  • An individual can consent to an organization
    collecting his or her personal information from
    another organization
  • The collecting organization must demonstrate that
    it has obtained consent
  • The disclosing organization must be satisfied
    that the consent complies with the Act

Collection without consent
  • The Act permits personal information to be
    collected without consent in limited
    circumstances, including
  • when clearly in the interests of the individual
  • when another Act or regulation authorizes it
  • for investigations or legal proceedings
  • to collect a debt or repay monies owed
  • to create a credit report
  • to determine suitability for honour or award
  • for archival or research purposes

Collection without consent
  • Information is publicly available
  • name, address, telephone number in public
    telephone directory, if subscriber can refuse to
    be included
  • name, title, address, telephone number in
    professional or business directory available to
    public where collection, use or disclosure
    relates directly to purpose for which information
    appears in the directory
  • personal information in government registry or
    registry operated under a statute
  • to which public has access
  • collection, use or disclosure relates directly to
    purpose for which information appears in the

Collection without consent
  • Information is publicly available
  • personal information in record of administrative
    tribunal, if
  • available to public
  • collection, use, or disclosure relates directly
    to purpose for which information appears in the
  • personal information in publication, including
    magazine, book or newspaper, in printed or
    electronic form, if
  • available to public
  • reasonable to assume that individual provided the

  • Organizations do not need consent if the
    collection, use or disclosure of personal
    information is reasonable for an investigation or
    legal proceeding
  • Investigation means an investigation related
  • a breach of agreement
  • a contravention of an enactment
  • circumstances or conduct that may result in a
    remedy or relief being available in law
  • if the breach, contravention, circumstances or
    conduct has or may have occurred or is likely to
    occur, and
  • it is reasonable to conduct an investigation

Use of personal information
  • Use personal information only with consent,
    unless otherwise permitted by the Act
  • Use personal information only for purposes that
    are reasonable
  • Use only the personal information reasonably
    needed to fulfill the purposes

Use without consent
  • The Act permits the use of personal information
    without consent for purposes including those
    listed under collection without consent, plus
  • to respond to an emergency threatening the life,
    health or security of individual or public

Disclosure of personal information
  • Disclose personal information only with consent,
    unless otherwise permitted by the Act
  • Disclose personal information only for purposes
    that are reasonable
  • Disclose only the personal information reasonably
    needed to fulfill the purposes

Disclosure without consent
  • The Act permits disclosure of personal
    information without consent for purposes
    including those listed under collection and use
    without consent, plus
  • in accordance with a treaty
  • to comply with a subpoena or court order
  • to a public body or law enforcement agency to
    assist in an investigation
  • to contact next of kin of injured or deceased
  • to a surviving spouse or relative of a deceased
    individual, if reasonable
  • to protect against fraud or market manipulation,
    to any agency empowered by legislation

Personal employee information
  • Personal employee information means
  • personal information of
  • employees or prospective employees
  • reasonably required for the purposes of
    establishing, managing or terminating the
    employment or volunteer work relationship

Personal employee information
  • Employee includes an individual employed by the
    organization who performs a service for an
    organization, including as an
  • apprentice
  • volunteer
  • participant
  • student
  • an individual under a contract or agency

Treatment of personal employee information
  • PIPA recognizes true nature of employment not
  • Act allows personal employee information to be
    collected/used/disclosed without consent when
  • reasonably required for establishing, managing or
    terminating an employment or volunteer work
  • Does not include personal information unrelated
    to the employment or volunteer relationship
  • Must give notice in case of current employees -
  • Subject to review by Commissioner

Sale of Business
  • Special recognition for purchase, sale, lease,
    merger, etc., of a business
  • Act provides for the collection, use and
    disclosure of personal information (including
    employee information) between parties involved
  • the information is necessary to decide whether to
    proceed and complete the transaction, and
  • the parties agree to use the information only
    for that purpose
  • Provision does not apply where primary purpose of
    transaction is sale, etc. of personal information

Providing access
  • Individuals can request access to
  • own personal information contained in a record
  • information about the purposes for which personal
    information has been and is being used, and
  • Information about to whom the information is
    disclosed and under what circumstances
  • Organization has a duty to assist
  • Organization must respond within 45 calendar days

Providing access
  • Organization may designate office to receive
  • Organization may charge a reasonable fee
  • Any right under the Act may be exercised by
    another person on an individual's behalf (s. 61)

Refusing access
  • Access must be refused if disclosure would
  • threaten the life or security of another
  • reveal personal information about another
  • reveal the identity of an individual who has
    provided in confidence an opinion about another
    individual (may disclose with consent)
  • An organization must provide access to remaining
    information if able to sever
  • Access may be refused if, for example
  • information is protected by legal privilege
  • disclosure would reveal confidential commercial
    information (sever)
  • information was collected for an investigation or
    legal proceeding
  • disclosure might result in that type of
    information no longer being provided

Making corrections
  • Individuals can ask that their personal
    information be corrected
  • If it is wrong - correct it promptly
  • Notify those to whom the information has been
  • If you cannot agree that it is wrong, annotate
    that the information is disputed
  • You cannot correct expert opinions
  • No fees for correction

Safeguarding and Ensuring Accuracy
  • Organization must
  • Protect personal information in its custody or
    control by making reasonable security
    arrangements against such risks as unauthorized
    access, collection, use, disclosure, copying,
    modification, disposal or destruction
  • Make reasonable efforts to ensure that any
    personal information collected, used or disclosed
    by or on behalf of an organization is accurate
    and complete

Records management implications
  • Privacy compliance requires sound records
    management practices
  • Need to locate records quickly in order to
    process requests within time limit
  • In deciding how long to keep a record, an
    organization should be guided by legal and
    business purposes

Oversight by Commissioner
  • PIPA enforced by the Information and Privacy
    Commissioner of Alberta
  • same Commissioner for the FOIP Act and the Health
    Information Act
  • independent Officer of the Legislature
  • The Commissioner can
  • investigate complaints
  • initiate own investigations
  • issue Orders
  • authorize an organization to disregard access
    requests from individuals
  • extend time limit to respond to access request
  • provide non-binding advice and advance rulings

  • Once an individual has brought a case to the
    OIPC, the Commissioner can
  • refer an individual to another grievance,
    complaint or review process before handling the
  • attempt mediation
  • conduct an inquiry
  • issue binding orders
  • publish those orders (including the name of the

Whistleblower protection
  • An organization cannot take adverse employment
    action against an employee who, acting in good
    faith and on reasonable belief, informs the
    Commissioner of a possible breach of the Act

What to do to comply
  • Put someone in charge of privacy
  • Become familiar with the Act
  • Review how your organization handles personal
  • Put your practices to the test
  • Develop privacy policies and practices

What to do to comply
  • Develop an access and complaints handling process
  • Review and revise forms, and create notice
  • Review and revise contracts
  • Consider employees' personal information
  • Train staff

What you might have to change
  • Forms
  • Add collection, use and disclosure notification
  • Use appropriate form of consent
  • Is all the personal information you ask for
    directly connected to its use and reasonable?
  • Systems
  • Add database fields to indicate the
    uses/disclosures individuals consented to
  • Rethink access controls
  • Records management practices
  • New security
  • New retention schedule

What happens if organizations don't comply with
  • Commissioner may make an Order if
  • complaint or request for review is made
  • Orders will name the organization will be
  • Damaging to reputation of organization
  • Commit an offence if don't comply with order,
    wilfully contravene PIPA or obstruct Commissioner
  • If convicted of an offence, fines are
  • up to $10,000 for individuals
  • up to $100,000 for businesses
  • An individual can pursue damages in court for
    loss or injury suffered as a result of breach of

Non-profit organizations
  • Non-profit organizations are defined as
    organizations incorporated under the
  • Societies Act
  • Agricultural Societies Act
  • Part 9 of the Companies Act
  • PIPA only applies to non-profit organizations'
    collection, use or disclosure of personal
    information in connection with a commercial
  • All other not-for-profit organizations must
    comply with PIPA for all their activities

Commercial activity of non-profit organizations
  • Commercial activity means any transaction, act
    or conduct, or any regular course of conduct,
    that is of a commercial character, and includes
  • the selling, bartering or leasing of membership
    lists or donor or other fund-raising lists
  • operation of a private school or early childhood
    services program (School Act)
  • operation of a private college (Post-secondary
    Learning Act)
  • PIPA does not apply to personal employee
    information of non-profit organizations unless
    part of a commercial activity

Professional regulatory organizations
  • Are considered organizations under PIPA
  • Have the option of creating a personal
    information code to govern the collection, use
    and disclosure of personal information
  • An individual would still be able to complain to
    the Commissioner
  • Details are in the Regulation

PIPA Resources for Organizations
  • PIPA Websites (including links)
  • OIPC - http//
  • Access and Privacy Branch - http//
  • Access and Privacy Branch Information Line (780)
    644-PIPA (7472)
  • OIPC (403) 297-2728
  • Consultants List
  • Jointly developed by Access and Privacy Branch
  • Workshops in key centres throughout Province
  • Guides and other publications

PIPA Publications for Organizations
  • PIPA on a Page
  • Summary for Organizations: 4-page summary of
    organizations' key obligations
  • Getting Ready for PIPA: outlines steps
    organizations should consider to prepare for PIPA
  • Guide for Organizations and Business on PIPA:
    detailed guide to help organizations understand
    the Act and their obligations
  • Information Sheet on Non-profit Organizations
  • Guidelines for Developing a Personal Information
    Code for Professional Regulatory Organizations