On September 28, 2017, the Privacy Commissioner of Canada created a draft guidance document providing clarification on inappropriate data practices, specifically focusing on subsection 5(3) of the Personal Information Protection and Electronic Documents Act (PIPEDA). This provision is entitled, “Appropriate purposes”, and states that, “an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”. Essentially, the document explains how courts interpret the provision and provides solid examples of inappropriate purposes (no-go zones). The Privacy Commissioner of Canada was seeking feedback regarding this document, with a deadline for feedback of December 4, 2017.
Draft guidance document
More specifically, the draft guidance document states that subsection 5(3) of PIPEDA must be read in light of the underlying purpose of the statute: to balance individuals’ right of privacy regarding their personal information and organizations’ right to collect, use and disclose personal information.
When examining the provision, the main goal is to engage in a balancing of interests between individuals and organizations by viewing a situation through the lens of a reasonable person. Moreover, it is important to keep in mind the overarching requirement that organizations must ensure that their purposes for collecting, using and disclosing personal information are limited to only those which a reasonable person would consider appropriate in the circumstances. Courts conduct this analysis in a contextual manner looking at the particular facts of the case. When analyzing the collection, use or disclosure at issue, decision-makers consider the degree of sensitivity of the personal information, whether the purpose represents a legitimate need, whether it would be effective in meeting this need, whether there are less invasive ways of achieving the same goal, and whether the loss of privacy is proportional to the benefits.
What does this mean practically speaking? An organization may be of the view that it has complied because it has demonstrated compliance with other provisions of PIPEDA; for example, an organization may be under the impression that it has received the required consent for collecting, using or disclosing personal information and therefore it has met all requirements. However, it is still necessary for the organization to show that its purpose for collecting, using or disclosing the personal information in the first place is what a reasonable person would consider appropriate in the circumstances. Likewise, compliance with subsection 5(3) of PIPEDA does not automatically mean that an organization has complied with the other provisions in PIPEDA.
Plainly put, there are some purposes that have been established as being considered completely inappropriate by a reasonable person, such that they would never be regarded as acceptable to justify the collection, use or disclosure of personal information. These are the no-go zones: (1) collection, use or disclosure that is otherwise unlawful; (2) profiling or categorization that leads to unfair, unethical or discriminatory treatment; (3) collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual; (4) publishing personal information with the intended purpose of charging individuals for its removal; (5) requiring passwords to social media accounts for the purpose of employee screening; and (6) surveillance by an organization through audio or video functionality of the individual’s own device.
Let us discuss the last two points in further detail.
With respect to requiring passwords to social media accounts for the purpose of employee screening, the Privacy Commissioner of Canada has clearly stated that job applicants and employees who are captured under PIPEDA are protected from this type of employee screening. The reason for this statutory protection is twofold. First, there is a significant risk that employers will use to their advantage the unequal positions of power in the employment relationship and ask for more information than is required in order to assess a person’s merit regarding the particular job in question. Second, job applicants and employees may feel unduly pressured to provide the information for fear of not getting the job for which they are applying or losing their current job. Certainly, requiring passwords in order to access private parts of social media accounts allows for employers to learn a great deal of sensitive information that is completely irrelevant in the employment context, and therefore is considered inappropriate.
Surveillance by an organization through audio or video on a person’s device is considered highly inappropriate. In fact, the Privacy Commissioner stated:
“Nothing can be more privacy-invasive than being tracked through the audio or video functionality of an individual’s device either covertly, that is without their knowledge or consent, or even with so-called consent, when doing so is grossly disproportionate to the business objective sought to be achieved.”
Clearly, spyware applications are considered “vastly disproportionate” to the possible benefits that can be gained. That said, it is permissible to have audio and video functionality of a device constantly turned on, as long as the information is not recorded, used, disclosed or retained except for the specific purpose of providing the service.
As can be seen from the above discussion, assessing situations from the viewpoint of a reasonable person is not always easy to understand or define because of the flexible nature of the concept; however, the Privacy Commissioner has provided some clarification regarding reasonableness and no-go zones in this recent document.
The Privacy Commissioner of Canada was seeking feedback regarding this draft guidance document. The deadline for feedback, though now passed, had been extended to December 4, 2017.
The Privacy Commissioner was curious to learn about answers to these questions: (1) Is the guidance clear?; (2) Is the guidance useful to your organization, in terms of guiding behaviour, or to you as an individual in exercising your rights?; (3) Of the solutions identified in this guidance, have we struck an appropriate balance between individuals’ right to privacy and companies’ legitimate need for personal information? Why or why not?; (4) Are there gaps that have not been identified in the guidance that require further direction from the Privacy Commissioner?; (5) Are there any areas of the proposed guidance that your organization would have serious difficulty implementing? If so, please explain why and whether this can be mitigated; and (6) How long will it take for your organization to implement the guidance recommendations into your policies and practices?
You may wish to review the contents of the annual report prepared by the Privacy Commissioner of Canada, where topics discussed above are referred to, including no-go zones.
Interested individuals can view the document here.