Manitoba has recently enacted private sector privacy legislation titled The Personal Information Protection and Identity Theft Prevention Act (PIPITPA), and is now the fourth province to pass a private sector law of this scope, following Alberta, Québec, and British Columbia.

While PIPITPA is similar to its federal and provincial counterparts, in particular Alberta's Personal Information Protection Act (PIPA), the Act contains several key differences, including:

  • A breach notification provision that requires organizations to assess the reasonable possibility that personal information would be used "unlawfully";
  • A private right of action against organizations that fail to protect personal information under their custody and/or control;
  • No clear complaint and enforcement mechanism, aside from the private right of action.

PIPITPA has not received royal proclamation and as such is not currently in force. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) will continue to apply to the private sector in Manitoba until: i) PIPITPA receives royal proclamation; and ii) the Act is declared "substantially similar" to PIPEDA by the Governor in Council (should this ever occur). If not declared "substantially similar," both PIPITPA and PIPEDA may apply to Manitoba private actors.

Although PIPITPA is not currently in force, organizations carrying on business in Manitoba should commence a review of their internal and external privacy policies and practices in anticipation of the Act's enforcement.

Notable aspects of the new legislation are as follows:

  • Application and Consent: PIPITPA applies to the collection, use, and disclosure of personal information by private sector organizations, including corporations, unincorporated associations, unions, partnerships and individuals acting in a commercial capacity. The Act does not apply to public bodies or personal information under the control of a public body.
  • Breach Notification: Under PIPITPA, organizations must, as soon as reasonably practicable and in a prescribed manner, notify an individual if personal information in their custody or control is stolen, lost or accessed in an unauthorized manner. Organizations are not required to inform individuals of breaches in circumstances including:

    1. if a law enforcement agency instructs an organization to withhold notification;
    2. if the organization is satisfied that it is not reasonably possible for the personal information to be used unlawfully.
  • Right of Action: PIPITPA creates a right of action against organizations for damages related to the failure to protect personal information in their custody, care or control. In addition, a right of action exists if an organization did not act reasonably in concluding that personal information stolen, lost or accessed in an unauthorized manner would not be used unlawfully.
  • Personal Employee Information: Similar to the provincial privacy legislation in British Columbia and Alberta, PIPITPA contains an exception for the collection of personal employee information without consent. However, the definition of personal employee information pursuant to PIPITPA does not include former employees. In addition, employee consent may be required under PIPITPA for activities unrelated to establishing, managing, or terminating an employment or volunteer work relationship.
  • Penalties: Individuals guilty of an offence under PIPITPA will be subject to summary conviction and fines up to $10,000 for an individual and $100,000 for a person other than an individual. Organizations and individuals will not be found guilty of an offence under the Act if it is established, to the satisfaction of the court, that the organization or individual "acted reasonably in the circumstances that give rise to an offence".

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.