
Inside Internal Controls

News and discussion on implementing risk management


Overarching limit on the collection, use and disclosure of personal information

There is an overarching limit on the collection, use and disclosure of personal information—organizations may collect, use and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. This overarching limit is imposed by section 5(3) of the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Office of the Privacy Commissioner of Canada (OPC) has issued two new guidelines based on years of practical experience with PIPEDA. One of the guidelines clarifies the overarching requirement of reasonableness in section 5(3) and was effective July 1, 2018. Both guidelines are meant to improve the current consent model under PIPEDA.

In Guidance on inappropriate data practices: Interpretation and application of subsection 5(3), the OPC has clarified that as far as section 5(3) of PIPEDA is concerned, the following are not reasonable purposes, are “No-Go Zones” and are offside PIPEDA:

  1. Collection, use or disclosure that is otherwise unlawful, for example, collection that would violate credit reporting laws;
  2. Profiling or categorization leading to unfair, unethical or discriminatory treatment contrary to human rights law, for example, using data analytics in ways that lead to discrimination;
  3. Collection, use or disclosure for purposes known or likely to cause significant harm (including bodily harm, humiliation, and financial loss);
  4. Publishing personal information with the intended purpose of charging individuals for its removal (essentially, blackmail);
  5. Requiring passwords to social media accounts for current or prospective employee screening; and
  6. Video or audio surveillance through an individual’s own device. For example, rent-to-own companies’ installation of spyware to covertly trace missing laptops surreptitiously recorded user information, and was offside PIPEDA.

The guideline recommends that organizations consider the following factors when evaluating whether their purposes for collecting, using and disclosing personal data comply with section 5(3):

  1. The degree of sensitivity of the personal information;
  2. Whether the organization’s purpose represents a legitimate need or bona fide business interest;
  3. Whether the collection, use and disclosure would be effective in meeting the organization’s need;
  4. Whether there are less invasive means of achieving the same ends at comparable cost and with comparable benefits; and
  5. Whether the loss of privacy is proportional to the benefits.

A key takeaway for organizations is that it is not enough to comply with other provisions in PIPEDA, for example, obtaining meaningful consent. Organizations must still show that their purposes for collecting, using or disclosing personal information are those that a reasonable person would consider appropriate in the circumstances.

By the same token, compliance with section 5(3) does not relieve organizations of complying with the other requirements of PIPEDA. For example, organizations must also comply with PIPEDA’s requirements to safeguard the personal information within their control.

The second of the two new guidelines will be effective January 1, 2019 and includes 7 guiding principles for obtaining meaningful consent. Read more on the OPC’s website, here: Guidelines for obtaining meaningful consent.

Apolone Gentles, JD, CPA,CGA, FCCA, Bsc (Hons)

Apolone Gentles is a CPA,CGA and Ontario lawyer and editor with over 20 years of business experience. Apolone is leveraging 20 years of business and accounting experience to build a commercial litigation practice with an emphasis on construction law. She has held senior leadership roles in non-profit organizations, leading finance, human resources, information technology and facilities teams. She has also held senior roles in audit and assurance services at a “Big Four” audit firm. Apolone has also lectured in Auditing, Economics and Business at post-secondary schools. Read more here
