There is an overarching limit on the collection, use and disclosure of personal information—organizations may collect, use and disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. This overarching limit is imposed by section 5(3) of the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Office of the Privacy Commissioner of Canada (OPC) has issued two new guidelines based on years of practical experience with PIPEDA. One of the guidelines clarifies the overarching requirement of reasonableness in section 5(3) and was effective July 1, 2018. Both guidelines are meant to improve the current consent model under PIPEDA.
In Guidance on inappropriate data practices: Interpretation and application of subsection 5(3), the OPC has clarified that, as far as section 5(3) of PIPEDA is concerned, the following are not reasonable purposes; they are “No-Go Zones” and are offside PIPEDA:
- Collection, use or disclosure that is otherwise unlawful, for example, collection that would violate credit reporting laws;
- Profiling or categorization leading to unfair, unethical or discriminatory treatment contrary to human rights law, for example, using data analytics in ways that lead to discrimination;
- Collection, use or disclosure for purposes known or likely to cause significant harm (including bodily harm, humiliation, and financial loss);
- Publishing personal information with the intended purpose of charging individuals for its removal (essentially, blackmail);
- Requiring passwords to social media accounts for current or prospective employee screening; and
- Video or audio surveillance through an individual’s own device. For example, rent-to-own companies installed spyware on laptops to covertly trace missing units; the spyware surreptitiously recorded user information, and this practice was offside PIPEDA.
The guideline recommends that organizations consider the following factors when evaluating whether their purposes for collecting, using and disclosing personal data comply with section 5(3):
- The degree of sensitivity of the personal information;
- Whether the organization’s purpose represents a legitimate need or bona fide business interest;
- Whether the collection, use and disclosure would be effective in meeting the organization’s need;
- Whether there are less invasive means of achieving the same ends at comparable cost and with comparable benefits; and
- Whether the loss of privacy is proportional to the benefits.
A key takeaway for organizations is that it is not enough to comply with other provisions in PIPEDA, for example, obtaining meaningful consent. Organizations must still show that their purposes for collecting, using or disclosing personal information are those that a reasonable person would consider appropriate in the circumstances.
By the same token, compliance with section 5(3) does not relieve organizations of complying with the other requirements of PIPEDA. For example, organizations must also comply with PIPEDA’s requirements to safeguard the personal information within their control.
The second of the two new guidelines will be effective January 1, 2019 and includes 7 guiding principles for obtaining meaningful consent. Read more on the OPC’s website, here: Guidelines for obtaining meaningful consent.