From the Office of the Information and Privacy Commissioner of Alberta:
Recommendations focus on need to update legislation to protect privacy in the midst of vast and fast-moving changes in the handling of information around the world
The Office of the Information and Privacy Commissioner (OIPC) of Alberta has made a series of key recommendations to update and strengthen a law that is critical to the advancement of the province’s interests in the information and digital economy. The OIPC has provided a comprehensive submission to the Alberta legislature’s Standing Committee on Resource Stewardship as part of the committee’s review of the Personal Information Protection Act (PIPA), which is more than two decades old.
PIPA applies primarily to private sector organizations, providing individuals with the right to request access to their own personal information while also setting a framework for private sector organizations to collect, use and disclose personal information.
“This review comes at a crucial time,” said Information and Privacy Commissioner Diane McLeod. “Since PIPA came into force in January 2004, the state of technology and the amount of personal information shared by individuals with organizations has changed monumentally. In the early 2000s, less than seven percent of the world was online. By 2020, this had increased to more than 50 percent. Dramatically expanded use of cell phones, apps, social media and online shopping has created a world in which technology touches everything we do. Vast amounts of personal information are shared by individuals and collected, used and disclosed by private sector organizations, mostly for profit. More recently, the development and use of artificial intelligence, or AI, is ushering in even more changes, including effects on education and children.”
The OIPC submission also describes the impact of generative AI and quantum computing, noting that these technological changes have immense potential benefits for societies, but also great potential for harm.
“PIPA needs to be amended to protect Albertans’ privacy in our evolving information-based society, while also enabling commerce, especially where it relates to the development and deployment of innovative technologies,” said McLeod. “Alberta needs a modernized private sector privacy law that aligns with leading global privacy laws and achieves a proper balance between protecting privacy and enabling the use of technology by businesses in order to prosper.”
Amongst other things, the OIPC’s key recommendations are that PIPA should include:
- recognition of the protection of personal information as a fundamental human right;
- application to political parties and not-for-profit organizations;
- the right of Albertans to access their own personal information;
- the “right to be forgotten”;
- the right to data portability and mobility;
- rules about automated decision-making, including that individuals be granted the right to contest automated decision-making;
- specific protection for children’s personal information;
- specific requirements for privacy management programs and privacy impact assessments, and modifications regarding mandatory breach notification;
- requirements for compliance by service providers and downstream service providers;
- enhanced requirements for organizations to use security safeguards to protect personal information commensurate with its sensitivity;
- requirements for communication in plain language;
- requirements for de-identification and anonymization of personal information;
- provisions for the creation and use of a regulatory sandbox operated by the OIPC; and
- enhanced provisions for enforcement of PIPA.
“Our goals include ensuring that there are no gaps in the protection of personal information in Alberta that may create unacceptable risks to Albertans, ensuring adequate protection of personal information now and into the future, and promoting a foundation of trust on which to effectively grow the digital economy in Alberta,” added McLeod.
The public is invited to read the OIPC submission on PIPA in its entirety. It is available online on the OIPC website.
Through the OIPC, the Information and Privacy Commissioner performs the responsibilities set out in PIPA, the Health Information Act and the Freedom of Information and Protection of Privacy Act. The Commissioner operates independently of government.