The Manitoba Legislature recently enacted the Privacy Information Protection and Identity Theft Prevention Act ("PIPITPA"), making Manitoba the fourth Canadian province to enact general private sector privacy protection legislation (the others are British Columbia, Alberta and Quebec). PIPITPA will come into force on a date to be set by proclamation.
The Manitoba PIPITPA is worded very similarly to Alberta's Personal Information Protection Act ("PIPA").
A key feature of the Manitoba PIPITPA is the breach notification provision: Under PIPITPA, an organization must notify affected individuals if personal information under the organization's control is lost, accessed or disclosed without authorization.
Alberta PIPA requires notification be given to the Alberta Information and Privacy Commissioner in instances where a reasonable person would consider that a "real risk of significant harm to an individual exists" – this is a higher threshold for notification.
The Manitoba PIPITPA breach notification requirement will not apply if an organization is satisfied that it is not reasonably possible for personal information to be used unlawfully – or if a law enforcement agency is conducting an investigation of the breach and instructs an organization not to disclose.
It will be interesting to see how the Manitoba PIPITPA breach notification requirement is applied in practice.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
