EMERGENCY: Alberta has declared a Public Health Emergency to protect the health care system from COVID-19. Indoor social gatherings are the top source of transmission. All indoor social gatherings have now been banned. This ban will be enforced with $1,000 fines. Learn more
The Personal Information Protection Act (PIPA) primarily relies on an individual’s consent and sets limits around what information organizations may collect and how they can collect it in order to allow individuals to control how their information is collected, used and disclosed.
There are special rules in PIPA for the collection, use and disclosure of employee information.
Under PIPA, organizations can only collect personal information for reasonable purposes and to the extent reasonably needed for that purpose.
Most of the time an organization needs an individual’s consent when they collect their personal information. There are limited and specific exceptions to the requirement for consent.
To review a copy of the legislation, see the Personal Information Protection Act and Regulation.
Collection and consent
Types of consent
Before collecting personal information, an organization must usually:
- get a person’s consent
- collect the information directly from that person
A person can consent to the collection, use or disclosure of personal information for reasonable purposes (which is what a reasonable person would consider appropriate under the circumstances).
Someone may consent verbally or in writing, including via electronic communications.
Someone is ‘deemed to consent’ if he or she, without actually giving consent, voluntarily provides the information to the organization and it is reasonable for that purpose. This is also called ‘implied consent’.
Someone can also consent if they do not ‘opt out’ in a reasonable time when he or she receives clear and understandable notification and is given a reasonable opportunity to decline by the organization.
Even if an organization gets consent, it can only collect, use, or disclose personal information for the purposes provided in the notice and to the extent reasonable for that purpose. An organization may not provide false or misleading information in its notice.
Withdraw or change consent
Individuals have the right to withdraw or change their consent, subject to legal limitations. As soon as an organization is notified of this, the organization must inform the individual of the likely consequences it they are not obvious.
If a person changes his or her consent, the organization must abide by the new terms of consent. If the person withdraws his or her consent the organization must stop collecting, using or disclosing his or her personal information immediately.
Collect with consent and notice
An organization can ask for a person’s consent to collect, use or disclose his or her personal information for reasonable purposes. In most cases, the organization must collect the personal information directly from that person.
Before or while collecting the information, the organization must:
- give notice that it intends to collect personal information and provide the purposes for the collection
- give the name, position or title of the person who is able to answer the individual’s questions
The organization must give the person a reasonable opportunity to decline his or her consent.
Service providers outside of Canada
Subject to PIPA’s regulations, an organization that uses a service provider outside of Canada to collect information must, before or while collecting the information, tell the person:
- how the person may get access to the organization’s policies and practices about the service provider
- the name, position name or title of a person who can answer questions about the collection, use, disclosure or storage of personal information by the service provider
This also applies if the organization transfers previously-collected information to a service provider outside of Canada.
Collect without consent
In some cases an organization may collect personal information about someone without his or her consent.
An organization can only collect personal information without consent if:
- it is clearly in the person’s interests, and
- that person’s consent cannot be obtained in a timely way, or
- that person would not reasonably be expected to withhold consent
- there is a legal authority for the collection
- it is authorized by a statute of Alberta or Canada, a regulation of Alberta or Canada, a bylaw of a local government body, or a legislative instrument of a professional regulatory organization
- it is in accordance with a form provided under a statute or regulation of Alberta
- if it is for a collective agreement
- the collection of information is necessary to comply with a collective agreement that is binding on the organization under section 128 of the Labour Relations Code
- it is for an inspection or audit
- if the audit is either of or by the organization and is authorized by a statute or regulation of Alberta or Canada
- if it is by another organization and it is not practical to collect non-identifying information for the purpose of the audit
- it is reasonable for the purposes of an investigation or legal proceeding
- the information is publicly available, as prescribed in the regulations, such as:
- the information is contained in a telephone directory available to the public and the subscriber can refuse to have the personal information appear in the directory
- the information is business contact information
- the information is contained in a registry
- the information in contained in a public record of a quasi-judicial body and is being collected for a purpose for which the record was created
- the information is in a publication and it is reasonable to assume the individual provided that information to the publication
- when the information may be disclosed by an organization without consent
- if the information may be disclosed by an organization without the consent of the individual under section 20 of PIPA
- it is for an award, honour, benefit, scholarship, or similar prize
- it is necessary to determine a person’s suitability to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary
- it is to create a credit report
- it is collected by a credit reporting agency to create a credit report where the individual consented to the disclosure by the organization that originally collected the information
- it is to collect or pay a debt
- it is necessary to collect a debt owed to the organization
- it is necessary to pay a debt owed by the organization to the person
- it is for archival or research purposes
- the organization collecting the information is an archival institution and the collection of the information is reasonable for archival purposes or research
- the collection of the information meets the requirements respecting archival purposes or research set out in the regulations and it is not reasonable to obtain the consent of the individual the information is about
- it is in accordance with section 22: PIPA’s disclosure respecting acquisition of a business
- an organization may collect, use and disclose personal information on a limited basis with other organizations for the purposes of a business transaction
- it is by a trade union relating to a labour relations dispute
- the collection is for the purpose of informing or persuading the public about a matter of significant interest or importance relating to a labour relations dispute involving the trade union,
- the collection is reasonably necessary for that purpose, and
- it is reasonable to collect without consent considering all relevant circumstances including the nature and sensitivity of the information
Under PIPA, when 2 organizations share personal information about someone without their consent, the organization collecting the information must provide sufficient information to inform the organization disclosing the information about the purpose for the collection. The organization disclosing the information must then determine if sharing the information is in accordance with PIPA.
All persons reviewing Service Alberta’s Personal Information Protection Act site are reminded that it has no legislative sanction, and has been provided for guidance and convenience of reference only. The official Statutes and Regulations should be consulted for all purposes of interpreting and applying the law.