However, whether or not the consent obtained fulfills the form and validity requirements, an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. The substantially similar provincial laws have similar form and validity requirements and limitations on collection, either expressly or by implication.

BUSINESS TRANSACTIONS

PIPEDA provides for an exception for use and disclosure of personal information without the knowledge or consent of the individual for the purpose of a prospective business transaction, which is defined so as to include both share and asset purchases. This exception permits the use and disclosure of personal information between the parties to a prospective transaction without consent of the individuals concerned if

– the information is necessary for the parties to decide whether to proceed with the transaction and, if they decide to do so, the information is necessary to complete the transaction; and

– the parties have entered into an agreement that requires the recipient organization to

> use and disclose the information solely for purposes related to the transaction;

> protect the information with security safeguards appropriate to the sensitivity of the information; and

> return or destroy personal information if the transaction does not proceed.

The exception also imposes requirements once the transaction is completed, including restrictions on use and disclosure, and an obligation to notify persons whose information has been transferred as part of the business transaction. The substantially similar provincial laws each set out a similar exception.

DATA BREACHES

With the exception of British Columbia, all Canadian private sector privacy laws of general application impose statutory obligations on organizations that have experienced a data breach involving personal information. Under PIPEDA, organizations are obliged to report to the Office of the Privacy Commissioner of Canada a loss of, unauthorized access to, or use or disclosure of personal information where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individuals whose personal information is implicated in the breach. “Significant harm” can include bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. Organizations are to consider various factors (such as the sensitivity of the personal information involved and the probability of misuse of the information) in making the determination. Organizations are also required to notify affected individuals, as well as other organizations or government institutions that
104
Doing Business in Canada