On September 13, 2013, the Manitoba Personal Information Protection and Identity Theft Prevention Act (the Act)—the first broadly applicable private-sector privacy statute to be enacted in Canada since 2004—received Royal Assent. The statute establishes rules for the collection, use and disclosure of personal information, including employee information, and includes a broader breach notification obligation than similar legislation in other provinces. The Act will apply to "every organization and in respect of all personal information", and organizations will include corporations, unincorporated associations, unions, partnerships and individuals when they act in a commercial capacity. While the Act will impact both private and non-profit sectors, it will not apply to public bodies or to personal information under the control of a public body.
The Act, still awaiting proclamation, is not yet in force. Upon proclamation, Manitoba will join British Columbia, Alberta and Quebec as the provinces with provincial privacy legislation. The Privacy Commissioner of Canada has not yet confirmed that the Act will be considered "substantially similar" to the Personal Information Protection and Electronic Documents Act.
Overview of the Act
In many respects, the Act is similar to privacy legislation in Alberta and British Columbia. The Act broadly defines "personal information" as information about an identifiable individual. Under the Act, an individual’s personal information may only be collected, used and disclosed with the informed consent of that individual.
One of the main differences between the Act and other similar provincial legislation is breach notification. Under the Act, an organization is obligated to notify an individual directly (as opposed to notifying a regulator) if his or her personal information is lost, accessed or disclosed without authorization. Unlike Alberta’s Personal Information Protection Act (which contains a notification requirement that is only triggered if a reasonable person would consider that a real risk of significant harm to an individual exists), the Act does not contain an express harm threshold.
The breach notification requirement will not apply if an organization is satisfied that it is not reasonably possible for personal information to be used unlawfully—or if a law enforcement agency is conducting an investigation of the breach and instructs an organization not to disclose.
Claims and Offences under the Act
Under the Act, a right of action is established for an individual to claim damages against an organization if it fails to protect personal information in its custody or control, or if it fails to provide reasonable notice in the event that the organization was not satisfied that lost, stolen or accessed information would be used lawfully. It is an offence under the Act to dispose of or alter, falsify, conceal or destroy personal information or any record relating to personal information, or to direct another person to do so, with an intent to evade a request for access to the information or the record.
These offences will be subject to a summary conviction and fines of up to $10,000 for an individual and $100,000 for a person other than an individual. The Act contains a due diligence defence. To comply with the Act, organizations operating in Manitoba must now develop policies to address the Act’s requirements, obtain consent to collect, use and disclose personal information, and establish processes to ensure that personal information is only collected, used and disclosed for reasonable purposes.
Manitoba Ombudsman to Enforce the Act
Manitoba does not have a Privacy Commissioner. Consequently, the Manitoba Ombudsman, currently responsible for enforcing Manitoba’s Freedom of Information and Protection of Privacy Act, is tasked with enforcing the Act. However, the Act does not appear to contain a complaint mechanism and Manitoba’s Ombudsman does not have order-making powers.
© 2017 by Torys LLP.