New Year, New Privacy Amendments?
What May be in Store for Alberta’s Public and Private Sectors
December 2020 - 3 min read
This year has been marked by accelerated efforts to amend existing federal and provincial privacy legislation. As anticipated, the Alberta Information and Privacy Commissioner (Commissioner) has proposed a number of amendments to the Freedom of Information and Protection of Privacy Act (FOIPPA) and the Personal Information Protection Act (PIPA). As described by the Commissioner, these recommendations are intended to adapt the legislation to reflect the accelerated digitization in all sectors from the COVID-19 pandemic and enhanced societal expectations relating to access to information and privacy rights.
Recommended Amendments to FOIPPA
The FOIPPA recommended amendments are intended to digitize the freedom of information systems, improve information sharing, modernize privacy protections and accountability mechanisms, strengthen oversight, reduce court burdens, improve processes for time extensions, and ensure regular legislation reviews. The Commissioner proposed eight main amendments to FOIPPA:
- Adopt the Ontario approach for information sharing that allows for the creation of data integration units within and outside of public bodies.
- Require public bodies to complete privacy impact assessments for information sharing initiatives, when developing an information system, or where they plan to disclose personal information without consent.
- Make notification of a privacy breach that creates a real risk of harm to an individual mandatory.
- Require that requested information be provided in commonly used technological formats.
- Allow public bodies to extend the time to respond to access requests for up to 30 days or, in emergency situations, longer.
- State explicitly that the Commissioner, while not waiving privilege, may require records where privilege is claimed when necessary to perform its functions.
- Change the limitation period for prosecution of an offence under FOIPPA to 2 years after the day on which evidence of the alleged offence first came to the attention of the Commissioner.
- Require a special committee to perform a comprehensive review of FOIPPA and regulations under it in 2021 and every 6 years afterwards.
Recommended Amendments to PIPA
The PIPA measures are intended to enhance accountability measures, better enable the use of de-identified personal information for research and innovation, enhance consumer choice by exchanging business competition, strengthen oversight, and build public trust in personal information practices by expanding the scope of the law. The Commissioner proposed five main changes to PIPA:
- Require organizations to have a privacy management program proportionate to its size and its volume/sensitivity of personal information under its custody and control.
- Facilitate the use of de-identified personal information without consent for R&D purposes while making attempts to re-identify individuals using de-identified personal information an offence.
- Require all non-profit organizations and political parties to comply with PIPA.
- Include the right to data portability. In addition, the government should conduct further consultations on the right to erasure and the right to de-indexing.
- Strengthen administrative oversight and offence and penalty provisions.
Many of the Commissioner’s recommendations do not come as a surprise, as they have been raised in her prior recommendations, or follow the trend of modernization seen in Canada and across the world. Some recommendations are also meant to create greater uniformity across privacy legislation in Alberta. Privacy impact assessments (PIAs) have long been a requirement under the Health Information Act (HIA), and mandatory breach reporting is now required under both PIPA and the HIA. While these amendments to FOIPPA are recommendations at this point, it appears that at least some change is coming, and public bodies should visit their PIA and breach reporting processes if they have not already.
Other recommendations may also spark greater attention: the requirement for public bodies to provide the Commissioner with solicitor-client privileged materials to facilitate her functions like access reviews and inquiries (a power that has been denied by the courts under existing legislation), and the implementation of administrative monetary penalties for private organizations for non-compliance with PIPA.
We will need to wait to see what the government’s response to the Commissioner’s submissions will be. However, public bodies and organizations should anticipate the New Year bringing in some developments that will stress the importance of greater organizational privacy oversight and preparedness.
If you have questions about these amendments, please contact a member of the Privacy + Data Management group at Field Law.