What is PIPA-AB?
The Personal Information Protection Act - Alberta (PIPA-AB) is the data protection law that applies in the province of Alberta, Canada, regulating “the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of an individual to have his or her personal information protected and the need of organizations to collect, use or disclose personal information for purposes that are reasonable.”
Just like its counterpart in British Columbia, it works alongside several other legislative acts that govern data protection, namely:
- Freedom of Information and Protection of Privacy Act, RSA 2000 c F-25,
- Health Information Act, RSA 2000 c H-5,
- Traffic Safety Act: Access to Motor Vehicle Information Regulation (Alberta Regulation 140/2003),
- The Privacy Act, RSC 1985 c P-21,
- Personal Information Protection and Electronic Documents Act, SC 2000 c 5 (PIPEDA) in the federal privacy realm.
What is Personal Information and what are other key definitions?
PIPA-AB defines ‘personal information’ as “information about an identifiable individual,” which broadly means any information that can ultimately be used to identify someone, such as an individual’s
- name, address, telephone numbers, e-mail address;
- age, date of birth, birthplace;
- weight, height, gender;
- marital status, race, ethnic origin, citizenship;
- blood type, medical history, DNA code, biometric identifiers;
- educational, employment or criminal history;
- income, financial history, purchases, spending habits;
- unique identification numbers or account numbers.
The law also mentions ‘business contact information,’ in essence a subset of personal information, which can be “an individual’s name, position name or title, business telephone number, business address, business email address, business fax number and other similar business information.”
PIPA-AB also takes into account ‘commercial activity’ defined as “any transaction, act or conduct, or any regular course of conduct, that is of a commercial character and, without restricting the generality of the foregoing, includes the following:
- the selling, bartering or leasing of membership lists or of donor or other fund-raising lists;
- the operation of a private school or an early childhood services program as defined in the Education Act;
- the operation of a private post-secondary institution as defined in the Post-secondary Learning Act.”
Also, just like its counterpart in British Columbia, it offers a definition for ‘business transaction,’ namely “a transaction consisting of the purchase, sale, lease, merger or amalgamation or any other type of acquisition or disposal of, or the taking of a security interest in respect of, an organization or a portion of an organization or any business or activity or business asset of an organization and includes a prospective transaction of such a nature” for those situations where one organization or its assets are sold to another organization.
Who has to comply with the PIPA-AB?
PIPA-AB applies to any private sector organization and, in a limited way, to non-profit organizations to the extent that they are involved in commercial activities, as defined in the previous section.
According to PIPA-AB ‘organization’ includes
- “a corporation,
- an unincorporated association,
- a trade union as defined in the Labour Relations Code,
- a partnership as defined in the Partnership Act, and
- an individual acting in a commercial capacity,
but does not include an individual acting in a personal or domestic capacity.”
If PIPA-AB comes into conflict with another Alberta Act, PIPA-AB prevails unless the other Act is FOIP or expressly provides otherwise.
Who is excluded from PIPA-AB compliance?
Similar to PIPA-BC, Alberta’s privacy law excludes certain types of personal information as follows:
- the collection, use or disclosure of personal information for personal or domestic purposes of the individual and for no other purpose;
- the collection, use or disclosure of personal information for artistic or literary purposes and for no other purpose;
- the collection, use or disclosure of personal information, other than personal employee information that is collected, used or disclosed pursuant to sections 15, 18 or 21, if the collection, use or disclosure, as the case may be, is for journalistic purposes and for no other purpose;
- the collection, use or disclosure of an individual’s business contact information if the collection, use or disclosure, as the case may be, is for the purposes of enabling the individual to be contacted in relation to the individual’s business responsibilities and for no other purpose;
- personal information that is in the custody of an organization if the Freedom of Information and Protection of Privacy Act applies to that information;
- health information as defined in the Health Information Act to which that Act applies;
- the collection, use or disclosure of personal information by officers of the Legislature if the collection, use or disclosure, as the case may be, relates to the exercise of that officer’s functions under an enactment;
- personal information about an individual if the individual has been dead for at least 20 years, or that is contained in a record that has been in existence for at least 100 years;
- personal information contained in any record that was archived before PIPA-AB became effective;
- personal information contained in a court file, a record of a judge of the Court of Appeal of Alberta, the Court of Queen’s Bench of Alberta or The Provincial Court of Alberta, a record of an applications judge of the Court of Queen’s Bench of Alberta, a record of a justice of the peace other than a non-presiding justice of the peace under the Justice of the Peace Act, a judicial administration record or a record relating to support services provided to the judges of any of the courts referred to in this clause;
- personal information contained in a record of any type that has been created by or for a Member of the Legislative Assembly, or an elected or appointed member of a public body;
- the collection, use or disclosure of personal information by, or for, a registered constituency association or a registered party as defined in the Election Finances and Contributions Disclosure Act or in respect of an office or a position in a registered constituency association or a registered party;
- the collection, use or disclosure of personal information by, or for, an individual who is a bona fide candidate for public office or for an office or a position in a registered constituency association or a registered party as defined in the Election Finances and Contributions Disclosure Act where the information is being collected, used or disclosed, as the case may be, for the purposes of campaigning for that office or position and for no other purpose;
- personal information contained in a personal note, communication or draft decision created by or for a person who is acting in a judicial, quasi-judicial or adjudicative capacity.
Public bodies that are subject to FOIP are not regulated by the PIPA-AB, since it does not apply to personal information held by public bodies. These include government departments, municipalities, universities, public colleges, and public school boards.
How can I keep my organization PIPA-AB compliant?
In order to be compliant with Alberta’s privacy law, your organization should take the following steps.
You are responsible for personal information that is in your custody or under your control. You must designate one or more individuals who are responsible for ensuring that your organization is and stays compliant with the law. Simply put, you must have a Data Protection Officer (DPO). In addition, make sure to inform individuals of the policies and procedures you have put in place to comply with data protection requirements. Your policy should cover the following:
- what personal information you collect;
- how you obtain consent for collecting, using and disclosing personal information;
- how you use and disclose personal information;
- how you ensure that adequate security measures are in place;
- how you process access requests;
- how you respond to enquiries and complaints.
Make sure that you get consent
Because PIPA-AB is an opt-out jurisdiction, with limited exceptions you must obtain consent at the time that personal information is collected. Keep in mind that, just as with PIPA-BC, consent can be express, implied or given by not opting out, and you should always be able to prove that consent was given; as a best practice, aim for express consent.
An individual’s refusal to give consent cannot be used to limit the services your organization provides to them, and obtaining consent by deception is illegal.
There are some exceptional cases, outlined in section 14 of the law, where information can be collected without consent.
Follow the rules for personal information collection
You may collect personal information only for purposes that are reasonable and may only collect information that is reasonable for carrying out those purposes. The guiding principle for what reasonable means, according to the law, is “what a reasonable person would consider appropriate in the circumstances.”
Follow the rules for personal information usage and disclosure
Your organization “may use personal information only for purposes that are reasonable” and where you use personal information, you may do so “only to the extent that is reasonable for meeting the purposes for which the information is used.”
There are some exceptional cases, outlined in section 17 of the law, where information can be used without consent.
Regarding disclosure of personal information, you may disclose it “only to the extent that is reasonable for meeting the purposes for which the information is disclosed.”
There are some exceptional cases, outlined in section 20 of the law, where information can be disclosed without consent.
Follow the special rules regarding employee personal information
You may collect, use and disclose employee information without consent for reasonable purposes related to recruiting, managing or terminating personnel.
The collection, use and disclosure must be reasonable for the purpose, and the personal information must be limited to the work or volunteer work relationship. Before collecting the information about a current employee, you must advise the employee that you will collect the information and the purposes for the collection. If the information is about a potential employee (a job candidate), notification is not required.
Regarding business transactions, you may collect, use and disclose personal information without consent for “business transaction” purposes. Business transactions relate to a change in ownership of a business as detailed in section 22 of the law.
Follow the rules regarding individuals’ right to access and correct their personal information
Individuals have the right to request from you access to their personal information that you have about them and to request the correction of this personal information.
With limited exceptions, you are required to answer these requests.
What data access rights does PIPA-AB grant?
PIPA-AB, just like British Columbia’s law, expressly grants individuals two data subject access rights, while several others are addressed only indirectly.
The Right to Be Informed is not specifically mentioned in the law; however, for consent to be obtained legally, individuals have to be informed about what personal information is being collected about them and for what purpose(s).
Individuals have the Right to Access their personal information as well as information about the use or disclosure of their personal information. In addition to this, individuals have the Right to Rectification of “an error or omission in their personal information” that is under your organization’s control.
While there is no Right to Erasure under PIPA-AB, organizations are required to destroy any personal information that is no longer required to fulfill the purposes for which it was collected initially.
Just as with British Columbia, the Alberta privacy law does not provide individuals with the Right to Data Portability or the Right to Not be Subject to Automated Decision-Making. Although the Right to Opt-Out/Object is not expressly defined in the law, individuals can withdraw consent at any time, but they must be informed of the implications of withdrawing consent.
How to address data subject access requests under PIPA-AB?
Part 3 of the law provides the required steps to handle data subject access requests as follows:
- Individuals, referred to in the law as ‘applicants,’ have to submit a request in writing in which they must “include sufficient detail to enable the organization, with a reasonable effort, to identify any record in the custody or under the control of the organization containing the personal information in respect of which the request is made.”
- You must “make every reasonable effort (i) to assist applicants, and (ii) to respond to each applicant as accurately and completely as reasonably possible, and, at the request of an applicant making a request, provide, if it is reasonable to do so, an explanation of any term, code or abbreviation used in any record provided to the applicant or that is referred to.”
- You must make a record of an applicant’s personal information if the information is in electronic format and you can make the requested record using your normal computer equipment and programs, if this would not unreasonably interfere with your operations.
- You must respond to an applicant’s request no later than 45 days after receiving the request.
- You can provide a copy of a record instead of allowing an individual to examine the record if:
  - the records may be damaged, for example, if they are fragile historical documents;
  - other information would be disclosed that is not permitted by the Act, such as personal information of another individual; or
  - allowing inspection would unreasonably interfere with the operations of the organization.
- If the request is refused, you must provide the applicant with the following information:
  - the reasons for the refusal;
  - the name of the person who can answer the applicant’s questions about the refusal on behalf of your organization;
  - that they can ask for a review as stated in section 46 of the law.
- You may extend the time for responding to a request by a further 30 days (or, with the Commissioner’s permission, for a longer period) if the applicant has failed to provide sufficient information for you to identify them, if the personal information requested is so large that gathering it all would interfere with your organization’s operations, or if you need more time to consult with other organizations or public bodies before you can decide whether or not to grant the applicant access to the personal information.
- Charging fees for access is not allowed when the applicant requests access to their employee personal information. However, when the applicant requests access to their personal information, the law allows for charging “a reasonable fee for access to the applicant’s personal information or for information about the use or disclosure of the applicant’s personal information.” If you charge the applicant a fee for services provided while responding to their access request you must give the applicant a written estimate of the costs before providing said services and you may also require them to pay a deposit for all or part of the fee.
Enforcement and penalties
PIPA-AB is also enforced by the Office of the Information and Privacy Commissioner (OIPC), which handles complaints from individuals and organizations.
The Commissioner handles complaints in Alberta in a manner similar to British Columbia. In the initial stages of receiving a complaint, “if the Commissioner is satisfied that there are other grievance, complaint or review procedures available for the purposes of resolving issues for which a review may be requested or a complaint may be initiated under this Part, the Commissioner may require that an individual asking for a review or initiating a complaint under this Part must first exhaust those other procedures with a view to resolving the matter before the Commissioner proceeds to hear or otherwise deal with the review or complaint.” Next, the Commissioner will attempt mediation, then hold an inquiry, issue binding orders, or give an advance ruling on a matter that could be investigated under PIPA-AB.
Offenses under PIPA-AB incur fines of no more than CAD 10,000 for individuals and no more than CAD 100,000 for organizations.
Data Subject Rights - GDPR vs. PIPA-AB
GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
PIPA-AB:
- Right to access
- Right to rectification
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.