By Brenda Barnhill – June 4, 2018
The Personal Information Protection and Electronic Documents Act
The overarching federal law that addresses data privacy in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA), enacted on April 13, 2000. The Act strives “to support and promote electronic commerce by protecting personal information that is collected, used or disclosed” and, in certain circumstances, provides for the use of electronic means to communicate or record information or transactions.
The PIPEDA governs “the collection, use and disclosure of personal information by private sector organizations in a manner that recognizes both the right of the individual to have his or her personal information protected and the need of organizations to collect, use and disclose personal information for purposes that a reasonable person would consider appropriate.” As the court opined in Citi Cards Canada Inc. v. Pleasance, PIPEDA is “consumer protection legislation for the digital economy.” However, it should not be interpreted to “unduly prioritize privacy interests over the legitimate business concerns” given that the overall intent of PIPEDA is “to promote both privacy and legitimate business concerns.”
The consent requirement under PIPEDA was amended by the Digital Privacy Act in June 2015, which added the following language: “the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.”
How to obtain a consumer’s consent
Examples of ways in which individuals can give consent are: on application forms, using check boxes, over the telephone and at the time of use. All of these actions imply that the consent is given at the time personal information is collected and before it is used.
PIPEDA provides in Principle 4.3.7 that consumers can give consent in many ways. For example:
a. an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;
b. a check box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;
c. consent may be given orally when information is collected over the telephone; or consent may be given at the time that individuals use a product or service.
The form of the consent sought by an organization, and the way in which an organization seeks consent, may vary, depending on the circumstances and the type of information. In obtaining consent, the reasonable expectations of the individual are relevant. Implied consent would generally be appropriate when the information is less sensitive.
When is consent valid?
Under PIPEDA, consent is only considered valid if it is reasonable to expect that an organization’s customers would understand the nature, purpose and consequences of the collection, use or disclosure they are consenting to.
Knowledge and consent means informed and voluntary agreement.
Consent can be either express or implied. Express consent is given explicitly, either orally, in writing, or through a specific online action, such as clicking on “I agree”. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent.
Implied consent arises where consent may reasonably be inferred from the action or inaction of a customer. Consent does not waive an organization’s other responsibilities under PIPEDA, such as overall accountability, safeguards, and having a reasonable purpose for processing personal information.
Collecting information without consent
The PIPEDA provides that organizations may collect personal information without a consumer’s knowledge or consent only:
- if it is clearly in the individual’s interests and consent is not available in a timely way;
- if knowledge and consent would compromise the availability or accuracy of the information and collection is required to investigate a breach of an agreement or violation of a federal or provincial law;
- for journalistic, artistic or literary purposes;
- if it is publicly available as specified in the regulations;
- when it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim;
- where it is produced by individuals in the course of their employment, business or profession, as long as the collection is consistent with the purpose for which the information was produced;
- when an individual is employed by a federal work, undertaking or business and the collection is necessary to establish, manage or terminate an employment relationship. The employer must, however, inform individuals in advance that their personal information could be collected for such purposes.
Using information without consent
Organizations may use personal information without the individual’s knowledge or consent only:
- if the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
- for an emergency that threatens someone’s life, health or security;
- for statistical or scholarly study or research (the organization must notify the Privacy Commissioner of Canada before using the information);
- if it is publicly available as specified in the regulations;
- if the use is clearly in the individual’s interest and consent is not available in a timely way;
- when it is contained in a witness statement, and the use is necessary to assess, process, or settle an insurance claim;
- where it is produced by individuals in the course of their employment, business or profession, as long as the use is consistent with the purpose for which the information was produced;
- if knowledge and consent would compromise the availability or accuracy of the information and collection was required to investigate a breach of an agreement or contravention of a federal or provincial law; or
- when the organization is a federal work, undertaking or business and the use is necessary to establish, manage or terminate an employment relationship. The organization must, however, inform individuals in advance that their personal information could be used for such purposes.
Disclosing information without consent
Organizations may disclose personal information without the individual’s knowledge or consent only:
- to a lawyer representing the organization;
- to collect a debt the individual owes to the organization;
- to comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
- to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act;
- to a government institution that has requested the information, identified its lawful authority to obtain the information, and indicated that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law;
- to a government institution that suspects that the information relates to national security, the defense of Canada or the conduct of international affairs; or is for the purpose of administering any federal or provincial law;
- to a government institution or an individual’s next of kin or authorized representative when there are reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse (organizations may make such a disclosure only for the purpose of preventing or investigating the abuse, and only if it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse);
- to another organization in instances where it is reasonable for the purposes of:
  - investigating a breach of an agreement or contravention of a federal or provincial law that has been, is being or is about to be committed; or
  - detecting, suppressing or preventing fraud that is likely to be committed;
- in connection with a business transaction (for example, the sale or merger of a business, or the lease of a company’s assets), provided certain conditions are met to, among other things, protect the information and limit its use;
- when it is contained in a witness statement, and the disclosure is necessary to assess, process, or settle an insurance claim;
- where it is produced by individuals in the course of their employment, business or profession, as long as the disclosure is consistent with the purpose for which the information was produced;
- when the organization is a federal work, undertaking or business (such as telecommunications and broadcasting companies, airlines and banks) and disclosure is necessary to establish, manage or terminate an employment relationship. The organization must, however, inform individuals in advance that their personal information could be disclosed for such purposes;
- in an emergency threatening an individual’s life, health, or security (the organization must inform the individual of the disclosure);
- to a government institution, an individual’s next of kin, or an authorized representative if necessary to identify an individual who is injured, ill or deceased (if the individual is alive, he or she has to be informed in writing that the disclosure took place);
- for statistical or scholarly study or research (the organization must notify the Privacy Commissioner before disclosing the information);
- to an archival institution;
- 20 years after the individual’s death or 100 years after the record was created;
- if it is publicly available as specified in the regulations; or
- if required by law.
Beyond clearly specifying what personal information is being collected, PIPEDA calls for informing the individual in a meaningful way of the purposes for the collection, use or disclosure of that personal data.
Even though several circumstances allow personal information to be collected, used or disclosed without consent, the preferred practice is to obtain the individual’s consent before or at the time of collection, and again whenever a new use of the personal information is identified.
Final tips for fulfilling the consent requirement under PIPEDA
- Obtain informed consent from the individual whose personal information is collected, used or disclosed;
- Explain how the information will be used and with whom it will be shared. This explanation should be clear, comprehensive, and easy to find if presented in written form. Retain proof that consent has been obtained.
- Never obtain consent by deceptive means;
- Do not deny a product or service to an individual who does not consent to the collection, use or disclosure of information beyond what is required to fulfill an explicitly specified and legitimate purpose; and
- Explain to individuals the implications of withdrawing their consent.