Privacy Rights in Canada

Questions and Answers

What does the BC Freedom of Information and Protection of Privacy Act (FIPPA) allow individuals to do?

• Sue for damages related to privacy breaches
• Request information held by the BC government (correct)
• Collect personal information
• Monitor employee activities

What is the function of the Alberta statute that is of the same title of the BC Freedom of Information and Protection of Privacy Act?

• To address labour disputes specifically
• To oversee privacy legislation for the private sector
• To allow a request for information held by the Alberta government (correct)
• To monitor employee computer usage

What type of organizations does the federal PIPEDA apply to?

• Only organizations in BC and Alberta
• All organizations operating in Canada
• Only federally regulated ones (correct)
• Only provincial government agencies

In BC and Alberta, what is the name of the statute that is the provincial equivalent to the federal PIPEDA?

Personal Information Protection Act (PIPA) (B)

What did the Supreme Court of Canada do to Alberta's PIPA in November 2013?

Struck it down (A)

What was the main concern that led the Supreme Court of Canada to strike down part of Alberta's PIPA?

The Act's impact on union's freedom of expression during labour disputes (B)

What is one requirement a plaintiff must prove to establish liability for the common law privacy tort?

The defendant publicized an aspect of the plaintiff's private life (A)

Which Canadian province utilizes a statutory tort of violation of privacy through its BC Privacy Act that has been in place since 1968?

British Columbia (B)

Who does the FIPPA of BC apply to?

Provincial government ministries (D)

What is one of the stated purposes of the Freedom of Information and Protection of Privacy Act in BC?

To make public bodies more accountable and protect personal privacy (D)

What is one new requirement included in the amendment to FIPPA of BC in February 2023?

Reporting privacy breaches to individuals and the OIPC (C)

What can privacy breaches include, according to the content?

Unauthorized access, theft, loss, collection, or disclosure of personal information (B)

Why is it worthwhile to take a closer look at some features of the federal PIPEDA?

Because its requirements are relevant to provincial employers (B)

When the federal government passed PIPEDA, what did it agree regarding its application in provinces with similar legislation?

PIPEDA's requirements would not apply in those provinces (C)

What is the purpose of PIPEDA according to the content?

To balance privacy rights with organizational needs to collect information (D)

In cases where a province has comparable legislation, like BC and Alberta, to what does PIPEDA applies?

To interprovincial and international transactions involving personal information (B)

According to the content, what is personal information broadly defined to include?

Any factual or subjective information about an identifiable individual (A)

What is one of the items included as personal information that is protected under PIPEDA listed in the content?

Income (D)

Under BC's PIPA, what does personal information include?

Information about an identifiable individual and employee personal information (D)

According to the content, what should the collection, use, protection, and disclosure of personal information adhere to regardless of definition or form?

The ten PIPEDA principles (D)

According to one of the amendments to PIPEDA, what is exempt where it is collected, used and disclosed solely for the purpose of communicating with the individual for purposes related to their employment, business, or profession?

Business contact information (C)

What does Schedule 1 of PIPEDA set out, according to the content?

Ten fair information principles that underlie the collection, use, protection, and disclosure of personal information (C)

What is a consideration organizations must make when applying fair information principles is "reasonableness"?

Whether a reasonable person would consider the information appropriate in the circumstances (B)

What does it mean to be accountable, according to the content with PIPEDA and the fair information principles?

Appointing one person to oversee legislative compliance (C)

When MUST consent be obtained for consent clauses?

At the time or before the personal information is collected (C)

Under what conditions within section 7, may organizations collect personal information without an individual's knowledge?

Collection is in the interests of the individual, and consent cannot be obtained in a timely manner (C)

What should employers ensure about the information if the use or disclosure of out-of-date or incomplete information would harm the individual?

That the information is accurate and current (A)

Regarding the organization when MUST access be denied?

access MUST be denied: a, if the information would reveal personal information about another individual unless there is consent or a life-threatening situation (D)

According to the content, which role has broad powers to investigate complaints and inquire into information practices?

Privacy commissioner (B)

What is the role of the Office of the Privacy Commissioner of Canada (OPC)?

To oversee the operation of PIPEDA (C)

In provinces such as BC and Alberta where the OIPC was created as a seperate entity and independent from government, what is it's role?

To monitor and to enforce the legislation in each province that relates to the collection of information and privacy. (B)

What is an issue that privacy commissioners may be called upon to investigate?

Whether video surveillance is permissible (A)

What must complaints of privacy violations go through in BC and Alberta?

Process of the OIPC (C)

What does the term "employee personal information" mean in British Columbia?

Personal information that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual (D)

For what do video surveillance activities in the workplace provide unprecedented potential for employers?

To monitor employees' activities (B)

How can organization increase employee's faith and knowledge that with login screens, they are protected with policies and procedured.

Through refresher training, regular policy review sign-offs, or even policy statement reminders. (D)

What primary factor has amplified privacy concerns necessitating updated legislation?

The enhanced ability to compile and transfer personal information rapidly in the electronic age. (C)

Which statement accurately reflects the legislative approach to privacy of personal information across Canada?

Privacy legislation exists at both the federal and provincial levels, covering both government and private sector information. (A)

What characterizes the approach towards common law privacy torts in BC compared to Alberta?

BC relies on a statutory tort of violation of privacy, while Alberta has recognized a common law privacy tort. (A)

What constitutes a key element a plaintiff must demonstrate to establish liability for a common law privacy tort?

The defendant publicized an aspect of the plaintiff's private life and lacked consent. (C)

Which entities are subject to British Columbia's FIPPA?

Provincial government ministries, Crown corporations, and local governments. (D)

What is a fundamental goal of freedom of information legislation like BC's FIPPA?

To make public bodies more accountable by granting the public access to records. (D)

What critical action are public bodies in BC now mandated to perform following the February 2023 amendment to FIPPA?

Reporting privacy breaches to affected individuals and the OIPC. (A)

Which scenario exemplifies a privacy breach, according to the information provided?

A university employee accidentally discloses student grades in an email to the wrong recipient. (A)

Why is it important to examine the federal PIPEDA even when focusing on provincial private sector legislation such as PIPA?

PIPEDA's requirements are relevant to provincial employers and its principles have been adopted in BC and Alberta. (D)

What was the agreement with the federal government when PIPEDA was passed concerning its application in provinces with similar legislation?

PIPEDA does not apply in provinces that have implemented substantially similar legislation. (D)

According to the information, what is the main objective of PIPEDA?

To balance an individual's right to privacy with an organization's need to collect, use, and disclose personal information. (D)

In situations where a province possesses comparable legislation to PIPEDA, such as BC and Alberta, to what does PIPEDA apply?

Only to federally regulated organizations and interprovincial/international transactions. (A)

According to the provided details, what range of information does 'personal information' broadly encompass?

Any factual or subjective data about an identifiable individual. (A)

Which of the following items qualifies as personal information that is safeguarded under PIPEDA?

An individual's purchasing habits and credit records. (C)

Under BC's PIPA, what does the realm of personal information include?

Information about an identifiable individual, including employee personal information, but not contact or work product information. (C)

What primary consideration should dictate the collection, use, protection, and dissemination of personal information?

Adherence to ethical standards and the ten PIPEDA principles. (A)

What type of information is exempt under PIPEDA's amendments, particularly where it is collected, used, and disclosed?

Information solely for communicating with an individual for employment, business, or professional purposes. (B)

What overarching framework does Schedule 1 of PIPEDA establish?

The ten fair information principles governing collection, use, protection, and disclosure. (D)

What concept is a key part of organizations’ considerations when applying fair information principles?

Reasonableness. (A)

In the context of PIPEDA and fair information principles, what characterizes 'accountability'?

Appointing someone to oversee legislative compliance and employee awareness. (C)

When is it mandatory to obtain consent for consent clauses?

At the time or before the personal information is collected. (A)

Under Section 7, in what circumstances can organizations collect personal information without an individual's knowledge?

If obtaining consent compromises the information's availability related to a breach of contract or law. (D)

If an organization intends to use personal data likely to cause harm if out-of-date, what precaution should be taken?

Making sure the data is accurate and up-to-date. (C)

Under what specified circumstances can access to personal information be denied within an organization?

When the information would reveal personal information about another individual without consent, unless it's a life-threatening situation. (B)

Which entity is typically granted extensive authority to investigate privacy breach complaints and scrutinize information practices?

The Office of the Privacy Commissioner (OPC). (D)

In BC and Alberta, where an OIPC is independent from the government, what is its key function?

To monitor and enforce privacy legislation related to the collection of information. (D)

What situations do privacy commissioners often address when investigating complaints?

Unauthorized collection, use, or disclosure of personal information. (C)

What is the required initial step for complaints of privacy violations in BC and Alberta?

Going through the administrative process of the OIPC. (C)

Within British Columbia, how is the term 'employee personal information' defined?

Personal information collected for establishing, managing, or terminating an employment relationship. (C)

What concern arises for employers due to video surveillance activities in the workplace?

The unprecedented potential for employers to monitor details of employee activities. (B)

How can organizations foster increased faith and awareness among employees regarding data protection practices?

By clearly communicating and enforcing data protection policies and procedures associated with login screens. (A)

What constitutes the most accurate description of how Canadian legislation addresses personal information privacy?

A hybrid approach exists, where federal legislation applies unless a province has established similar legislation, leading to regional variations. (B)

What is the legal recourse for individuals in British Columbia who believe their privacy has been violated, contrasting it with the approach in Alberta?

BC provides a statutory tort for privacy violations irrespective of proof of damage, contrasting with Alberta's dependence on common law principles. (D)

What core principle must a plaintiff establish to prove liability for a common law privacy tort, highlighting its significance in privacy litigation?

The publicizing of private information by the defendant would be deemed highly offensive to a reasonable person. (A)

How does the legal framework governing privacy for public bodies in British Columbia influence transparency and accountability?

By empowering the public to request governmental records, promoting openness and governmental accountability. (D)

What implications does the mandatory reporting of privacy breaches by public bodies in BC have for organizational procedures and public trust?

It increases public confidence through transparent acknowledgement and remediation of breaches, promoting responsible data handling. (C)

Regarding the definition of 'personal information,' what challenge do organizations face amidst varying legal interpretations and technological advancements?

The task of ensuring that data anonymization techniques meet legal sufficiency standards, avoiding re-identification risks. (D)

How does the 'reasonableness' standard influence an organization's approach to handling personal information under PIPEDA and similar legislation?

It compels organizations to consider the context and proportionality of their actions in collecting, using, or disclosing personal data. (C)

What is the significance of mandatory consent in the context of personal information handling, and how does it affect organizational practices?

Consent clauses must provide explicit details about data usage, reinforcing individual control and organizational accountability. (D)

Section 7 outlines exceptions to mandatory consent; how do these exceptions balance individual privacy rights with practical necessities, and what are the limits?

They require organizations to document and justify each instance of non-consensual data use to maintain accountability. (C)

What steps should employers take to ensure data accuracy, particularly when outdated data might substantially harm an individual?

Implementing a rigorous schedule for auditing and updating personal information to prevent errors. (D)

Organizations must deny access under some conditions; What scenario exemplifies a permissible denial of access to personal information, aligning privacy rights with other valid interests?

Organizations can deny if the information requested would reveal confidential commercial information. (C)

How do the powers of the Privacy Commissioner extend beyond investigation, and what limits are there?

The Privacy Commissioner typically has the power to compel organizations to implement changes to their information practices. (C)

In the context of investigating privacy complaints, what role does the Office of the Information and Privacy Commissioner (OIPC) play, and how does its function ensure accountability among organizations?

The OIPC monitors and enforces privacy legislation, applying to public and private organizations, but may not have the ability to make binding decisions. (D)

Considering the broad investigative powers of privacy commissioners, what specific issue might they address when investigating organizations?

Whether an organization adheres to fair information principles and complies with legislation. (C)

In BC and Alberta, what administrative action is essential to initiate a privacy violation complaint against a private-sector organization?

Submitting a complaint through the OIPC's processes. (B)

How is 'employee personal information' distinctly defined within British Columbia's legal framework, and what implications does this definition have for employers?

It encompasses personal data directly used for managing the employment relationship but excludes broader individual details. (A)

For employees, in what ways do video surveillance activities in the workplace present ethical and legal challenges, necessitating careful deliberation by employers?

They provide unprecedented potential for employers to monitor employee activities, but risks infringing on privacy rights. (B)

How can organizations cultivate employee trust regarding data protection practices, and what role do login screens play?

By educating employees regarding data protection policies, offering clear recourse channels for privacy concerns. (C)

Why is balancing an individual's right to privacy with an organization's need to collect, use, and disclose personal information a complex and ongoing challenge in modern data protection law?

Because the boundaries of what constitutes reasonable collection and use shift with technological and societal change. (B)

What measures should organizations implement to align their data collection practices with the principle of 'limited collection' under PIPEDA and similar statutes, especially considering potential scope creep?

Organizations must collect only what is explicitly necessary for specific, legitimate purposes; avoid unrelated data. (C)

What steps must an organization that transfers personal information to a third-party processor take to comply with accountability principles under PIPEDA?

The organization must ensure the third party provides a comparable level of protection through contractual means. (B)

What criteria must organizations meet to justify monitoring employees' computer use, and what steps must employers take to ensure practices are lawful and ethical?

They must demonstrate a legitimate business need, implement clear policies. (C)

Given variations in privacy legislation across Canada, how should multi-jurisdictional organizations ensure comprehensive compliance?

By tailoring approaches to meet specifications in all relevant jurisdictions, focusing on comprehensive coverage. (C)

What distinguishes British Columbia's approach to addressing privacy violations from those in other Canadian provinces, highlighting specific legal provisions and remedies available?

British Columbia provides a statutory tort, allowing individuals to sue for privacy invasion, even without proof of specific harm. (C)

Reflecting on evolving legal interpretations and the emphasis on “reasonableness”, how can organizations ensure their privacy policies are both compliant and practical?

Ensuring they are reviewed regularly. (A)

How should organizations balance the benefits of video surveillance for security with respect for employee privacy rights?

By adopting less privacy invasive measures whenever reasonably possible. (B)

When must organizations conduct privacy impact assessments (PIA), and what criteria should they consider to ensure it's appropriately comprehensive?

When planning any new project that involves collecting personal information. (C)

How do the BC and Alberta Personal Information Protection Act (PIPA) differ in their definition of 'employee personal information'?

Alberta's PIPA specifies the inclusion of potential, current, and former employees as well as volunteer-work relationships, aspects not explicitly mentioned in the BC legislation. (C)

Given the dual requirements of protecting employee privacy and enabling employers to manage their workplaces effectively, how might the legal standard of ‘reasonableness’ be interpreted in cases concerning covert video surveillance?

Reasonableness involves balancing the employer's need for surveillance against employees’ privacy rights, considering whether the surveillance is the least intrusive means to achieve a legitimate objective. (D)

What common corrective action has the Information and Privacy Commissioner of Alberta ordered organizations who contravene Alberta's PIPA to do?

Cease disclosing personal information about the complainant, and to educate employees about its obligations to them under PIPA. (B)

Which conditions must be met before a trade union can enact the collection, use, or disclosure of personal information without the consent of the individual?

The collection, use, or disclosure is reasonably necessary to persuade the public about a matter of significant public interest relating to a labour relations dispute involving the trade union. (D)

Under what conditions can an arbitrator consider video surveillance to be admissible in a unionized workplace?

The surveillance must be a reasonable exercise of management rights. (C)

What recommendations does the text suggest an organization do to protect itself in a BYOD (bring your own device) environment?

Allow an organization to state in no uncertain terms that its monitoring is allowed, explain the reason for it, and indicate how the information collected might be used. (B)

What is a key aspect of protecting biometric data?

Collection, use, retention, disclosure, and disposal of biometric data is done in a reasonable fashion consistent with privacy legislation. (C)

What did the Federal Court of Appeal confirm about the exceptions to collection, use, and disclosure of information without consent set out exhaustively in section 7 of PIPEDA?

Those exceptions may apply to employee data. (C)

How can an organization ensure they are reasonably protecting personal information?

Implementing lockdown codes on computers, laptops, photocopiers, printers, and all similar devices to prevent sensitive information from being misappropriated (B)

In BC and Alberta, what are the factors employers should take into account when electing whether or not to monitor the personal information of employees by video surveillance, email, keystroke monitoring, or biometric data?

The underlying principles of PIPEDA and their reflections in the BC and Alberta statutes. (A)

What can an organization do to increase the chances of succeeding while trying to police email through policy?

Consistent enforcement, communicating the policy, and communicate such intent to employees early and often. (D)

What has the Supreme Court stated about the degree of privacy an employee can expect?

The degree of privacy an employee can expect is diminished when the employer not only owns the equipment the employee is using, but also has policies that state the employer owns data, including messages, on the computer and can monitor all computer usage. (C)

Why was district of Saanich's collection of personal information not permissible under PIPA?

The commissioner found that the collection of this much information was not necessary for that purpose. The strongest argument was based on section 26(c), which allows collection of "information that relates directly to and is necessary for a program or activity of the public body." (C)

In what circumstances is it most permissible for an employer to collect private information?

An employer is not entitled to monitor personal information unless that information is somehow relevant to the employment relationship (e.g., discovery of the leaking of confidential information). (D)

Which statements accurately reflect the impact of Alberta privacy act amendments on the rights of trade unions during labour disputes?

The amendments struck a balance, allowing unions to collect, use, and disclose personal information under specific conditions related to informing the public about labour disputes, subject to reasonableness standards. (A)

What criteria must be met for an employer to be justified in carrying out covert surveillance of an employee, balancing their rights with the employer's need to manage effectively?

The surveillance should be based on 'reasonable' grounds that effectively balance legitimate rights; 'reasonableness' has to effectively line up legal rights – one of those rights may be the right of the union for a set picket line and communicate its cause during a lawful strike – with privacy rights. (A)

What consideration is central to determining whether there has been an actionable privacy breach in Canada?

Organizations must use any information for the designated purpose. (D)

How could an organization provide the best security over personal information?

Medical information or other claims be limited to access from employee's general file. (D)

What is required of an organization if a complainant goes to the privacy commissioner?

Although the privacy commissioner cannot issue a binding order against an organization, the commissioner or the individual may apply to a court for an order for damages or an order requiring the organization to change its practices related to personal information. (D)

What action could cause the privacy commissioner to feel that an organization is acting criminally?

To obstruct the privacy commissioner by “knowingly dispose” of personal information with an intent to evade a request for access to the personal information, and to retaliate against employees for asserting their rights under the legislation. (B)

What does section 57 of the BC PIPA and section 60 of the Alberta PIPA entail?

It allows employees to pursue compensation for damages if the OIPC finds a violation of the Act and the employee has suffered harm due to the violation. (B)

What is a consideration for video surveillance of an employee outside of work?

It is necessary to determine whether that evidence is admissible. (C)

What considerations must an arbitrator make to determine whether evidence is admissible?

Was it reasonable, in all the circumstances, to request surveillance; was the surveillance conducted in a reasonable manner; were there other alternatives open to the employer to obtain the evidence it sought. (D)

How can a company monitor an employee's computer and still comply with ethical and policy standards?

They must use the least amount of data possible (A)

Can an employee have private emails on a work computer and expect no violation of privacy?

A deliberate discovery by an employer or co-worker of private information that occurs while the discoverer is carrying out a reasonable work duty is much less likely to be a violation. (B)

Flashcards

Freedom of Information and Protection of Privacy Act (FIPPA)

Legislation in BC and Alberta allowing individuals to request information held by the government and public bodies.

Personal Information Protection and Electronic Documents Act (PIPEDA)

Federal law covering personal information held by organizations in the private sector.

Personal Information Protection Act (PIPA)

BC and Alberta law covering personal information held by organizations in the private sector.

Fair Information Principles

The ten principles that guide the collection, use, and disclosure of personal information, outlined in Schedule 1 of PIPEDA

Personal Information

Factual or subjective details about an identifiable person.

Employee Personal Information

Information about an individual reasonably required to manage an employment relationship.

Solicitor-Client privilege

Protects client's confidential communications with their lawyer from disclosure.

Privacy Commissioner

An official with the power to hear privacy violation complaints.

Keystroke Monitoring and Screenshot Capture

Monitoring employee actions using keystroke logs and screen captures.

BYOD

Using personal devices for work.

Informed consent

When a company says it's okay to collect and share your data.

Limited collection

The data collected should only be what's needed, nothing more.

Provide safeguards

Companies must guard your info and keep it safe.

Be open

Companies must tell you about their privacy practices.

Invasion of privacy

The tort of invading someone's privacy.

Be accountable

Requires that personal information handling practices be overseen.

Identify the purpose of collection

Organizations must tell people why they're collecting data.

Be accurate

The accuracy and currency of personal data must be ensured.

Give individuals access

Giving individuals access to their personal information.

Provide recourse

Setting up a procedure to handle complaints.

Reasonable expectation of privacy

Having a reasonable expectation of privacy on employer-issued devices.

Digital Privacy Act

Requires reporting loss or unauthorized access to personal information.

Tort of invasion of privacy

A tort involving intentional harm that may affect employers in Ontario and other provinces.

BC Privacy Act statutory tort

Permits a person to sue for invasion of privacy, even if no specific harm is caused.

Reasonableness Test

States that an organization may only collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate.

Limit use, disclosure, and retention

Organizations can't use information for any purpose other than stated, unless a new consent authorizes the disclosure.

Bill S-4

New Digital Privacy Act on June 18, 2015 that amends PIPEDA.

Consumer Privacy Protection Act

New Act (not proclaimed) that would replace part 1 of PIPEDA entitled "Protection of Personal Information in the Private Sector".

Personal Information and Data Protection Tribunal Act

A tribunal that hears appeals of certain decisions by the privacy commissioner of Canada under Consumer Privacy Protection Act.

Artificial Intelligence and Data Act

Act that would regulate international and interprovincial trade and commerce in artificial intelligence.

Personal employee information

The definition of 'personal employee information' from Alberta's PIPA.

Tort of privacy invasion

The unjustified intrusion on someone's private affairs, causing distress.

Workplace Electronic Monitoring

Using advanced observation of employees' activities in an unprecedented fashion

Provide notice

This dictates that employers need to notify the employee in which you intend to disclose and why you intend to disclose it.

Legal investigations

Requires that personal information about an individual must not be obtained without an individuals knowledge and consent, unless the info reasonably can be used in investigating a contravention of law.

The Digital Privacy Act

Federal legislation that was proclaimed on June 18, 2015. and amends PIPEDA for digital privacy.

Use for the designated purpose

This section states that personal information may be used only for the purpose for which consent was obtained.

The Artificial Intelligence and Data Act

An Act which would regulate international and interprovincial trade and commerce in artificial intelligence and prohibit certain conduct in relation to artificial intelligence.

The Consumer Privacy Protection Act

An Act that would replace part 1 of PIPEDA entitled "Protection of Personal Information in the Private Sector".

FIPPA Application

FIPPA applies to provincial government ministries, Crown corporations, local governments, universities and colleges, school boards, municipal police forces, health boards and hospitals, and the self-governing professions

PIPEDA Application

PIPEDA applies to all federally regulated organizations and affects how they collect, use, disclose, and retain personal information concerning their employees, customers, patients, and suppliers

BC and Alberta PIPA

The provincial equivalent of the federal PIPEDA legislation. The purpose of this legislation is summarized in section 3 of the Alberta PIPA and in section 2 of the BC PIPA in virtually identical language

Data protection rules

Enacted the Personal Information and Data Protection Tribunal Act, which establishes an administrative tribunal to hear appeals of certain decisions that are made by the privacy commissioner.

Study Notes

Privacy and Privacy Rights

• There is a need for greater protection for personal information and other privacy rights
• The right to privacy has historically not been a separate right under Canadian common law

Electronic Age Paramount Privacy Concerns

• Privacy concerns are paramount because personal information can be compiled and transferred quickly
• Legislation and legal decisions now safeguard personal information privacy
• Legislation and legal decisions restrict admissibility of evidence gained through electronic means
• Canada's original privacy legislation pertained to personal information held by governments only
• British Columbia (BC) and Alberta passed legislation in the 1990s covering personal information held by the provincial government and other public bodies like hospitals

Freedom of Information and Protection of Privacy Act (FIPPA)

• Enacted by BC in 1992, it allows individuals to request information held by the BC government and other public bodies
• The Alberta legislature passed a parallel statute in 1994 with a similar function
• Every province and territory has privacy legislation for the collection, use, and disclosure of personal information held by government agencies
• The federal government and several provincial governments, including BC and Alberta, passed the first private sector privacy legislation in 2000

Personal Information Protection and Electronic Documents Act (PIPEDA)

• Federal law covers personal information held by organizations in the private sector
• In BC and Alberta, the statute is called the Personal Information Protection Act (PIPA) and is the provincial equivalent of the federal PIPEDA
• Both provincial Acts were enacted in 2004
• PIPEDA balances an individual's right to have personal information kept private with an organization's need to collect, use, and disclose personal information where necessary
• It applies to all organizations—both federally and provincially regulated—in Canada that collect, use, or disclose personal information in commercial activities, unless the province has comparable legislation

Alberta's Personal Information Protection Act (PIPA)

• The Supreme Court of Canada struck down PIPA in November 2013 and gave the province one year to align its law with the Canadian Charter of Rights and Freedoms (Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401)
• In a 9–0 decision,Alberta's privacy law was ruled unconstitutional in a dispute over the right of a union to photograph people crossing a picket line
• Amendments to PIPA came into force on December 17, 2014, addressing collection, use, and disclosure of personal information by unions during lawful labor disputes

Privacy Rules

• Employers and employees should be aware of potential liability for the tort of invasion of privacy beyond FIPPA, PIPA, and PIPEDA
• Ontario courts first recognized a common law privacy tort affecting employers
• Other provinces, including Nova Scotia and Alberta, have followed suit
• The information captured by the common law privacy tort includes private data that employers may collect about their employees, such as financial and health records, and relationship details
• In ES v Shillington, the Court determined a plaintiff must prove four conditions to establish liability for the tort

Shillington Test

• The plaintiff's private life was publicized by the defendant
• The plaintiff did not consent to the publication
• The publicized matter was highly offensive to a reasonable person in the plaintiff's position
• The publication was not of legitimate concern to the public

BC Privacy Act

• BC courts do not recognize a common law privacy tort because of the BC Privacy Act, which has been in place since 1968 and creates a statutory tort of violation of privacy
• Section 1 permits suing for invasion of privacy, even without specific harm ("actionable without proof of damage")
• Employers can be vicariously liable for employee privacy invasions

Freedom of Information and Protection of Privacy Act (British Columbia and Alberta)

• British Columbia's FIPPA applies to government ministries, Crown corporations, local governments, universities, colleges, school boards, municipal police forces, health boards, hospitals, and self-governing professions
• Alberta’s FIPPA applies to public bodies listed in section 1(p) of the Act
• BC section 2 states the legislation aims to increase public body accountability and protect personal privacy by granting public access to records
• The philosophy in both provinces is that free access to government records ensures fair, transparent, and credible government
• FIPPA limits the type and amount of information that provincial government and other public bodies can collect from individuals
• The legislation puts very definite limits on what information about individual citizens can be obtained, stored, or passed on to third parties and how it can be used
• FIPPA provides citizens with numerous opportunities to gain access to their information held by agencies and government bodies
• The Atwell report is an example of FIPPA’s application to workplace privacy, in the case of a public body as employer

FIPPA Amendments (BC, February 2023)

• Public bodies must report privacy breaches to individuals and the Office of the Information and Privacy Commissioner (OIPC)
• Privacy breaches include unauthorized access, theft, loss, collection, use, or disclosure of personal information
• Public bodies must develop privacy management programs
• Such programs should include a privacy officer, privacy impact assessments, complaint response processes, privacy awareness education, policy availability, service provider obligations, and program monitoring/updating
• PIPA, the provincial private sector legislation, is more relevant to employment disputes involving privacy than FIPPA in most cases

PIPEDA Principles

• The principles adopted in the PIPA of BC and Alberta
• PIPEDA directly affects how these organizations collect, use, disclose, and retain personal information concerning employees, customers, patients, and suppliers,
• Federal law of PIPEDA does not directly affect personal employee information held by provincially regulated employers because the federal government doesn't have jurisdiction over the employment relationship in those workplaces
• On the other hand, the federal government can directly apply PIPEDA to all personal information collected, used, or disclosed by provincially regulated organizations in the course of commercial activity

PIPEDA Application

• The federal government agreed it wouldn't apply its requirements in provinces with substantially similar legislation when PIPEDA was passed
• BC and Alberta have implemented substantially similar legislation (their respective PIPAs) giving PIPEDA narrower application in those jurisdictions
• The PIPAs of BC and Alberta are "comparable" pieces of legislation, so PIPEDA's principles in handling personal employee information apply
• Employers in these provinces must be aware of those principles

Key PIPEDA Features

• Balance an individual's privacy right with an organization's need to collect, use, and disclose information when necessary
• Apply to federally and provincially regulated organizations in Canada that collect, use, or disclose personal information for commercial activities, unless provincial law applies
• For interprovincial and international transactions, apply to ones involving personal information that occur in the course of commercial activities
• Not directly apply federal legislation to personal employee information in provincially regulated workplaces
• Broadly define "personal information" to include any factual or subjective information about an identifiable individual
• Requires consent from individuals before personal information is collected, used, or disclosed, and can only be used for the purpose the consent was obtained (unless further content is obtained)
• Organisations take precautions to safeguard personal information in their possession.
• There are exceptions to individuals rights to gain access to their information but challenge an employer's treatment of it or its accuracy
• An individual may make a complaint to the Office of the Privacy Commissioner of Canada regarding how information is handled. The individual or the Commissioner may apply to the Federal Court for an order requiring the organization to change its practices or award damages

"personal information" (PIPEDA Section 2)

• Any factual or subjective information about an identifiable individual, whether recorded or not

• Age, home address, identification numbers (including social insurance number), and residential telephone and email addresses

• Sex, religion, ethnicity, social status, and marital status

• Employee files (formal and informal), performance appraisals, disciplinary actions, and evaluations

• Photographs, opinions, and income

• Relevant dates, such as birth date

• Credit records, loan records, purchasing and spending habits

• Blood type, genetic information, and medical records

• According to the Office of the Privacy Commissioner:

• Also include pay and benefit records, video and audiotapes, websites visited, emails, and keystrokes

• Collected in many forms including on paper, electronically, in a recording, or on a fax machine

BC, Alberta and Personal Information

• In section 1 of BC's PIPA, "personal information" is defined as Information about an identifiable individual and includes employee personal information, but exclude contact/work product information
• Section 1(k) of Alberta's PIPA means information about an identifiable individual, though no exceptions exist for work products or contact information business information does arise with specific exception under section 4(3)(d)
• Collection, use, protection, and disclosure should adhere to the ten PIPEDA principles regardless of definition or form of personal information

Recent Amendments to PIPEDA

Digital Privacy Act (Bill S-4, June 18, 2015)

• Organizations must report security breaches involving loss or unauthorized access to personal information that carries a risk of significant harm and keep records of the breach
• The definition of "personal information" has been changed to eliminate the exception regarding the name, title, business address, or telephone number of an employee
• PIPEDA now covers job applicants as well as employees
• Business contact information is exempt where it is collected, used, and disclosed solely for the purpose of communicating with the individual for purposes related to their employment, business, or profession
• Circumstances allowing personal information disclosure without individual knowledge or consent have broadened to illegality, fraud, and financial abuse, and can disclose to third-party organizations
• The privacy commissioner can enter compliance agreements that include terms necessary for statutory compliance

Amendments to PIPEDA: Digital Charter Implementation Act, 2022 (Bill C-27, June 16, 2022)

• Includes enacting the Consumer Privacy Protection Act (replaces part 1 of PIPEDA entitled "Protection of Personal Information in the Private Sector")
• enacting the Personal Information and Data Protection Tribunal Act (establishes an administrative tribunal to hear appeals and imposes penalties)
• Includes enacting the Artificial Intelligence and Data Act, which would regulate international and interprovincial trade and commerce in artificial intelligence and prohibit certain conduct

Ten Fair Information Principle Breakdown

Be Accountable

• Orgs that collect personal information must appoint an individual to oversee legislative compliance, give the appointee authority to intervene when a privacy issue arises, and ensure employees know their name and title
• The appointee is responsible for analyzing information handling practices such as what and how information is being collected, used, secured, accessed, disclosed, and disposed of
• Develop and implement policies and procedures to protect personal information
• Front-line staff must be trained about the procedures and respond to inquiries
• When transferring information to a third party, ensure the level of comparable protection is maintained

Purpose Identification

• An organization must let an individual know why personal information is being collected
• Include forms that explain why the information is needed and how it will be used as well as a list with explanation of all those who the data will be disclosed to
• Only use this information for the designated purpose

Informed Consent

• The individual to whom the personal information relates must consent to its collection, with limited exceptions
• Consent must be voluntary and the individual must be aware of what is being collected and for what reason
• Clauses should be easy to find and understand
• Typically, the more sensitive informaton the more formal the consent
• To continue using or disclosing information collected before the legislation, the organization must go back to the individual and obtain consent

Consent Exceptions

• The information collection would be for the best interest of the individual and consent cannot be attained in a timely manner
• The individual is unable to give consent through compromise and accuracy of information
• Information is contained and related to witness statement to settle an insurance claim
• Collection is for artistic, literary or journalistic purposes and is publicly available

Limited Collection

• Organizations must only collect the necessary data with the intention to accomplish its stated purposes
• For example, when processing a credit check, an organization should not consider collecting information pertaining to an individual's religious affiliation
• For example, the Privacy Commissioner in Alberta ordered Mark's Work Warehouse (MWW) to not process personal credit information for job applicants

Limited Use, Disclosure, and Retention

• Organizations can only utilize the information collected for the expressed intention that it was authorized to disclose to third parties
• Disclosure of certain information can not occur unless it authorizes a new consent
• After an information is no longer needed, it must be disposed of

Exceptions to the Organization May Not Use Personal Information

• Contravation or breach of law
• Information is used in an emergency
• The information is used for statistics or scholarly purposes in which the Commissioner notified by Canada
• The information is published
• When an individuals consent, the availability or accuracy of obtaining the information that is disclosed will cause a breach of an agreement

Exceptions to Disclosures

• To a lawyer with representing for the organization
• To conduct the debt that is owed to the organization by that individual
• Meet a subpoena or a court order.

Accuracy

• If the use or disclosure of incomplete or out-of-date information of any employees being harmed and the employer will verify and correct errors in information
• Employers must give opportunity for corrective actions of individuals information

Providing Safeguards

• An organization that is being responsible must protect the data from loss, theft unauthorized access.
• Sensitive information should receive top level protection

Openness

• Transparency of practices and policies from the business

Individual Access

• Organization must supply detail of the retained data from request of its employees

Federal Privacy Commissioner and BC and Alberta information

• Role is to enforce/oversee laws
• created in both BC and Alberta from the government

FIPPA and PIPA

• FIPPA Applies to bodies of public
• Monitor and information collection