On March 21, 2018, Private Members’ Bill 14, Personal Information Protection Act, 2018 received first reading in the Ontario legislature. Subsequently, Bill 14 received second reading and was ordered to the Standing Committee on Justice Policy on March 22, 2018.
What does Bill 14 say?
Bill 14 would apply to every “organization”, which is defined as including persons, unincorporated associations and other organizations but does not include certain individuals, public bodies (some of which include the government, a municipality, or a municipal board of Ontario) and Ontario courts. The Act would not apply to personal information that is already subject to certain information protection statutes, including the Freedom of Information and Protection of Privacy Act. It would also not apply in some other circumstances such as the collection, use or disclosure of personal information for personal, domestic, journalistic, artistic or literary purposes.
The main goal of the statute would be to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. The aim would also be to protect the privacy of individuals’ personal information held by private enterprises when it is in the interest of the safety and security of individuals, infrastructure, the public, Ontario, or Canada.
Bill 14 would define “personal information” as information about an identifiable individual and would include employee personal information; however, it would not include contact information or work product information.
“Employee personal information” would mean personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual (this means that it would not include personal information that is unrelated to an individual’s employment). Under Bill 14, “employment” would include working under an unpaid volunteer work relationship.
Organizations would have several requirements with which to comply, including: constantly considering what a reasonable person would consider appropriate in the circumstances; remaining responsible for personal information under their control; developing policies and practices that are necessary for the organization to meet its obligations; developing processes to respond to complaints; making information available on request regarding policies and practices and complaint processes; as well as designating one or more individuals to ensure compliance and making available those individuals’ contact information to the public.
Of utmost importance, organizations would not be allowed to collect, use or disclose personal information about an individual unless that individual consents, the legislation authorizes it, or the legislation deems it to be acceptable. With respect to consent, it would not be considered to be validly given if an organization attempts to obtain the consent by providing false or misleading information respecting the collection, use or disclosure of the information or using deceptive or misleading practices. Further, individuals would be allowed to withdraw consent, in which case the organization must stop collecting, using or disclosing the personal information (unless it is otherwise permitted under the statute).
Before collecting the information, organizations would be required to first disclose verbally or in writing the purposes for the collection of the information, and on request by the individual, the position name or title and the contact information for an officer or employee of the organization who is able to answer questions about the collection. Additionally, if the collection about an individual is from another organization without the consent of the individual, an organization would have to provide the other organization with sufficient information regarding the purpose of the collection to allow that other organization to determine whether the disclosure would be in accordance with the statute. However, it is important to note that this notification requirement would not apply in situations involving implicit or deemed consent.
Bill 14 contains several provisions that involve the collection (sections 11–13), use (sections 14–16) and disclosure (sections 17–19) of personal information without consent of the individual. The sections for collection, use and disclosure are similar in structure; let us examine collection in this discussion. Generally speaking, organizations would only be allowed to collect personal information for purposes that a reasonable person would consider appropriate in the circumstances and that fulfill the purposes that the organization discloses when providing proper notification or that are otherwise permitted under the statute.
More specifically, under Bill 14, organizations would be allowed to collect personal information about an individual without consent or from a source other than the individual, if:
- the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way
- the collection is necessary for the medical treatment of the individual and the individual is unable to give consent
- it is reasonable to expect that the collection with the consent of the individual would compromise the availability or the accuracy of the personal information and the collection is reasonable for an investigation or a proceeding
- the personal information is collected by observation at a performance, a sports meet or a similar event at which the individual voluntarily appears and that is open to the public
- the personal information is available to the public from a prescribed source
- the collection is necessary to determine the individual’s suitability to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary, or to be selected for an athletic or artistic purpose
- the organization is a credit reporting agency that collects the personal information to create a credit report and the individual consents at the time the original collection takes place to the disclosure for this purpose
- the collection is required or authorized by law
- the information was disclosed to the organization under sections 18 to 22 (provisions dealing with disclosure without consent)
- the personal information is necessary to facilitate the collection of a debt owed to the organization or the payment of a debt owed by the organization
- the personal information is collected for the purposes of the organization providing legal services to a third party and the collection is necessary for the purposes of providing those services, or
- the personal information is collected for the purposes of the organization providing services to a third party if: the third party is an individual acting in a personal or domestic capacity; the third party is providing the information to the organization; and the information is necessary for the purposes of providing those services
Furthermore, organizations would be able to collect personal information from or on behalf of another organization without consent of the individual to whom the information relates, if: the individual previously consented to the collection of the personal information by the other organization; and the personal information is disclosed to or collected by the organization solely for the purposes for which the information was previously collected and to assist that organization to carry out work on behalf of the other organization.
There are some noteworthy provisions relating specifically to employment that involve the collection of employee personal information. That is, organizations would be able to collect employee personal information without the consent of the individual in some situations. Specifically, organizations would not be able to collect employee personal information without the consent of the individual unless:
- one of the situations listed in the bullets above applies, or
- the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual
In the second situation involving establishing, managing or terminating the employment relationship, organizations would have to notify individuals that they would be collecting employee personal information about the individual, and provide the purposes for the collection before collecting the employee personal information without the consent of the individual.
Organizations would also be responsible for: ensuring that individuals can access their personal information and request correction if applicable; making a reasonable effort to ensure that the personal information collected is accurate and complete; protecting personal information in their custody or control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal; retaining information for at least one year so the individual has a reasonable chance to obtain access to it; and destroying documents that contain personal information as soon as the purpose for which that personal information was collected is no longer being served by retention of the personal information and retention is no longer necessary for legal or business purposes.
If passed, Bill 14 would come into force three months after the date it receives Royal Assent.
What does this mean for employers?
Time will tell whether Bill 14 progresses in the legislature. If Bill 14 passes, it will become effective three months after Royal Assent, and employers who fall under the scope of the statute will be expected to remain in compliance with these provisions. It is anticipated that, given Bill 14’s likeness to the Personal Information Protection and Electronic Documents Act (PIPEDA), there is a possibility that Ontario may join Alberta, British Columbia, and Quebec in being declared substantially similar to PIPEDA.
If and when this declaration is made, the Governor in Council exempts by order substantially similar provincial legislation from the application of PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province.
Although organizations that are subject to provincial legislation deemed substantially similar are exempt from PIPEDA with respect to the collection, use or disclosure of personal information occurring within that province, PIPEDA continues to apply to the collection, use or disclosure of personal information in connection with the operations of a federal work, undertaking or business in the respective province, as well as to the collection, use or disclosure of personal information outside the province.
For more information, refer to “Provincial legislation deemed substantially similar to PIPEDA” by the Privacy Commissioner of Canada.