Questions and Answers regarding the application of PIPEDA, Alberta and British Columbia's Personal Information Protection Acts (PIPAs)

Questions & Answers

Introduction
This document is intended to answer questions organizations and individuals may have about how private sector privacy laws work together. Federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), sets national standards for privacy practices in the private sector. Alberta and British Columbia have both passed similar laws, known in each province as the Personal Information Protection Act (PIPA). Their provincial laws have been declared substantially similar to PIPEDA. This does not mean, however, that PIPEDA is not relevant in British Columbia and Alberta, as the questions and answers below will indicate.

This document is for general guidance only and is not advice on any specific matter. Always consider getting qualified advice on the facts of any matter before proceeding.

Overview
The federal Personal Information Protection and Electronic Documents Act (PIPEDA), the Alberta Personal Information Protection Act (PIPA) and the British Columbia Personal Information Protection Act (PIPA) all share the same explicitly stated purpose: To govern the collection, use and disclosure of personal information by private sector organizations in a manner that recognizes both the right of the individual to have his or her personal information protected and the need of organizations to collect, use and disclose personal information for purposes that a reasonable person would consider appropriate.

Quebec has a private sector privacy law that has been deemed substantially similar to PIPEDA. At this point, no similar general private sector laws are before a provincial legislature.

An important principle in all three laws is that an organization may collect, use or disclose personal information only for a purpose that a reasonable person would consider appropriate in the circumstances.

All of these laws apply to "organizations" and incorporate the following principles:

Key Definitions
"Personal information" means information about an identifiable individual which includes any factual or subjective information about that individual, including, for example:

An "organization" is defined a little differently in each law. An organization may or may not be incorporated. It may be an individual acting in a business capacity. It may be a non-profit association. Alberta's PIPA specifically includes professional regulatory organizations, whereas in B.C. they are covered by the B.C. Freedom of Information and Protection of Privacy Act. The following are definitions of "organization" in:

PIPEDA [s.2(1)]: "organization" includes an association, a partnership, a person and a trade union.

PIPA Alberta [s.1(i)]: "organization" includes:

PIPA BC (s.1): "organization" includes a person, an unincorporated association, a trade union, a trust or a not for profit organization, but does not include

"Individual" is not defined. However, it means a natural person. An individual does not have to be a Canadian citizen or a resident of a specific province. An individual does not have to be an adult. In some cases a legal guardian or an authorized representative may act on behalf of an individual.[1] Such representatives will be asked to provide evidence of their authority.

[1] Who can act for others is outlined in Alberta's PIPA in s. 61(1). In B.C. this information is contained in the PIPA Regulation, ss. 2 to 4. In terms of PIPEDA, this information is contained in Principle 4.3.6 of Schedule 1. Examples common to all include: legal guardians for incapable minors, personal representatives in the administration of a deceased person's estate, and an attorney with relevant power of attorney.

"Commercial activity" is defined in PIPEDA. It is also defined in Alberta's PIPA but only as it pertains to certain non-profit organizations. "Commercial activity" is not defined in B.C.'s PIPA because the distinction between commercial and non-profit is not relevant under that law.
Organizations generally thought of as non-profit may have some commercial activities. Commercial activities include, for example, the selling, bartering, or leasing of donor, membership or other fundraising lists. Money does not have to change hands for an activity to be commercial in nature. It is possible that a non-profit organization may, in part of its activities or even a single transaction, engage in a commercial activity.

Under each privacy law, a Commissioner is designated for overseeing the application of the statute and investigating disputes between individuals and organizations. Each Commissioner heads an organization devoted to oversight of that law (and sometimes other laws as well). Because these officials and their offices have different names, we refer to them in this document generically as a "privacy office". "Privacy office" has no meaning in law.

Application of the laws
Organizations in the Northwest Territories, Yukon and Nunavut are considered FWUBs and therefore are covered by PIPEDA.

PIPEDA does not apply to provincially-regulated organizations within the province of Quebec. It will not apply to provincially-regulated organizations in Alberta or British Columbia as the privacy laws in those provinces have received substantially similar status from the Governor in Council. However, FWUBs operating in these provinces continue to be subject to PIPEDA. PIPEDA also applies to inter-provincial and international transactions involving personal information in the course of commercial activities.

If your organization is a FWUB it would have to comply only with PIPEDA. FWUBs include:

If your organization is not a FWUB but engages in commercial activities that involve inter-provincial or international personal information flows, it would have to comply with PIPEDA for these transactions. For example, an import and export business or credit bureau would have to comply with PIPEDA regarding cross-border personal information collection, use or disclosure.

If your organization is not a FWUB and operates wholly within a province without a substantially similar private sector privacy law, it would have to comply with PIPEDA, but only for commercial transactions. Again, B.C., Alberta and Quebec have these laws in place, so PIPEDA applies in the other provinces.

Firstly, what province do you operate in? Secondly, look at the definition of "organization" in the statutes you think might apply. Thirdly, look at the "application" section of the statute.

Not all Alberta organizations are covered by PIPA in the same way. When Alberta organizations subject to PIPA engage in trans-border personal information flows for commercial reasons, they must follow PIPEDA for those specific transactions.

Yes. However, when British Columbia organizations subject to PIPA engage in commercial trans-border personal information flows, they also have to follow PIPEDA for those specific transactions.

Interprovincial and international trans-border data flows
Trans-border personal information flows in a commercial context are covered by PIPEDA due to the federal government's constitutional power over inter-provincial and international trade and commerce. Examples of trans-border personal information flows include:

If your organization collects, uses or discloses personal information such that it flows outside provincial/territorial borders in commercial activities, PIPEDA will apply to that practice.

PIPEDA may not apply to all of your organization's operations if:

If there is no commercial activity then PIPEDA does not apply.

Application of more than one privacy law
It may be possible that more than one privacy law applies to records created by an organization. This could be the case if you were on contract to another organization that had to follow a different privacy law than your organization ordinarily would, and your organization was obliged contractually to follow the other organization's rules.

Example: Your organization (in B.C.) provides counseling services to employees of a railway or airline under an employee assistance program. You may be obliged by contract to follow PIPEDA rules regarding the personal information of the company's employees because the company is a FWUB, even though you follow B.C.'s PIPA for the rest of your own operations.

It could also be the case if you are involved in cross-border personal information flows and you operate in a province with a private sector privacy law other than PIPEDA. One part of a transaction (e.g. collection) may be subject to a provincial privacy law while another part of the transaction (disclosure) may be subject to PIPEDA.

Organizations faced with this kind of scenario may look at the differences between the laws. Is one more stringent or specific in a particular provision? If you follow the more stringent requirement all the time, you will very likely comply with both laws. The federal privacy commissioner and the commissioners in B.C. and Alberta are working together to ensure a harmonized approach to private sector privacy compliance.

Alberta's and British Columbia's PIPAs have "grandfathering clauses" that deem information collected before January 1, 2004 to have been collected with consent. PIPEDA, however, may require that organizations obtain consent to use and disclose information collected before PIPEDA came into force. If your organization has to comply with both pieces of legislation, you could ensure that you communicate with your customers to confirm their continued consent for the collection, use and disclosure of that information. You would be going further than required by PIPA, but would not be contravening it.

Example: A customer in Alberta makes a retail purchase at a local branch of a national chain and charges it to her charge account with that retailer. At the point of sale, the retailer asks for the customer's telephone number. During the transaction, a brief electronic communication with the retailer's credit department database in a PIPEDA province takes place, to ensure that the purchase is within the customer's credit limit. The customer objects to the retailer collecting and recording her phone number on the receipt.

In answering this question, the substance of the transaction and the subject of the complaint would be considered. From the customer's perspective, the transaction takes place in the province. The customer is likely not even aware of the trans-border data flow that took place electronically. If the substance of the complaint is about the collection and use of the telephone number then PIPA applies to both the collection and the use. The fact that a trans-border data flow took place is incidental to the complaint.

Contracting
If the contract you have with the awards program administrator specifies that you have control over the customer information, then this practice is subject to the B.C. PIPA. This is true even though the contractor has temporary physical custody of the records; you continue to have informational control. The contracted organization is subject to your privacy rules for the purpose of this account. The awards program administrator is subject to PIPEDA for its own operations and maybe those of other clients.

If the contracted activity is one normally conducted in-house (e.g. administration of a customer awards program) and the contract makes it very clear that the information is in the control of your organization, then a trans-border data flow may be considered incidental. B.C.'s PIPA would apply to the collection, use and disclosure of personal information.

Complaints
Yes. However, Commissioners' offices will coordinate their activities to reduce duplication of effort on the part of the complainant and organization. They are working to develop a harmonized approach to dealing with privacy complaints in the private sector.

No. The important factors in determining where to complain are described in the question below.

The important factors are:

Example: An Alberta company has disclosed personal information to a separate organization in Saskatchewan. If an individual wishes to complain about the disclosure of the personal information from the Alberta company, he or she could direct the complaint to the Alberta Privacy Commissioner. If the individual is complaining about the collection in Saskatchewan of their personal information, he/she may wish to direct the complaint to the Privacy Commissioner of Canada. Lastly, if the complaint concerns the use of the personal information in Saskatchewan, it too would be directed to the Privacy Commissioner of Canada.

This situation might occur when one organization discloses personal information to another organization. In order to determine the privacy office to which you should direct your complaint, the following factors may be considered:

The office that originally looked into your case will return to you all the information you provided to it. Or, with consent, the original privacy office will forward these materials to the appropriate privacy office on your behalf. The privacy office will also do what it can to assist you in making this transition between offices as seamless as possible, subject to the legal authority they have and their legislated confidentiality provisions.

Date published: 2004-11-05