On May 24, 2018, the Office of the Privacy Commissioner of Canada released an important guidance document concerning inappropriate data practices. Organizations should note that the Privacy Commissioner will begin applying this guidance on July 1, 2018. The document sets out helpful information for organizations aiming to comply with the requirements set out in the Personal Information Protection and Electronic Documents Act (PIPEDA).
More specifically, the Guidance on inappropriate data practices: Interpretation and application of subsection 5(3) has been created following extensive consultations with stakeholders in order to improve the current consent model under PIPEDA.
The relevant section of PIPEDA, section 5(3), states:
“An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”
This means that organizations may be prohibited from collecting, using and disclosing personal information depending on their purposes. When balancing the interests of individuals and organizations, is important to view the situation through the lens of the reasonable person. To that end, the purposes for collection, use and disclosure of personal information are limited to only those which a reasonable person would consider appropriate in the circumstances.
This is so, even if the organization has complied with other provisions of PIPEDA – it is still necessary for an organization to also be able to show that the purposes for collecting, using or disclosing personal information are ones that a reasonable person would consider appropriate in the circumstances.
When considering what might be appropriate in the circumstances, the Privacy Commissioner states that the analysis must be conducted in a contextual manner to ensure flexibility and variability in accordance with the circumstances. Some relevant factors include whether there was a bona fide business interest or legitimate business need, and whether the loss of privacy was proportional to any benefit gained.
Accordingly, in its guidance document, the Privacy Commissioner has set out some specific purposes for collection, use and disclosure of personal information that would generally be considered inappropriate to a reasonable person, and which may evolve over time. They have been classified as “No-Go Zones”:
- Collection, use or disclosure that is otherwise unlawful: organizations must comply with all applicable regulatory and legislative requirements that govern their business activities so that individuals remain safe and are assured that collection, use or disclosure of their personal information will not be conducted for purposes that contravene the laws of Canada or its provinces
- Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law: it is inappropriate for organizations to use data analytics or any other type of profiling or categorization that results in inferences being made about individuals or groups, with a view to profiling them in ways that could lead to discrimination based on prohibited grounds contrary to human rights laws
- Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual: although individuals choose to sacrifice some privacy in order to enjoy convenience and choice as consumers, it is not appropriate for organizations to require an individual to undergo significant privacy harm such as a known or probable cost for products or services. A “significant harm” is considered to be bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property
- Publishing personal information with the intended purpose of charging individuals for its removal: it is unacceptable to publish sensitive personal information online for the primary purpose of charging individuals to have it removed. Certainly, it is not reasonable for a person to consider “blackmail” an appropriate purpose
- Requiring passwords to social media accounts for the purpose of employee screening: employers may be tempted to request more information from job applicants or current employees than is necessary, such as requesting access to password-protected areas of their social media accounts. However, this has the potential of exposing considerable amounts of highly sensitive personal information that are neither relevant nor necessary for employers’ legitimate business purposes. Therefore, this would generally not be considered appropriate by a reasonable person
- Surveillance by an organization through audio or video functionality of the individual’s own device: this conduct is extremely privacy-invasive, since it occurs without a person’s knowledge or consent – this is grossly disproportionate to the business objective sought to be achieved and is considered inappropriate. However, it may be permissible for the audio or video functionality of a device to regularly or constantly be turned on in order to provide a service if the individual is both fully aware and in control of this fact, and the captured information is not recorded, used, disclosed or retained except for the specific purpose of providing the service
What can employers take from this development?
As can be seen from the above discussion, it is important to view a situation involving the collection, use and disclosure of personal information with the goal of balancing interests between individuals and organizations and considering what is reasonable in the circumstances using a contextual approach.
The Privacy Commissioner has outlined several “No-Go Zones”, and organizations are recommended to avoid collection, use and disclosure of personal information for these inappropriate purposes. It is also important to keep in mind that the list is not exhaustive and can evolve over time. Therefore, organizations are recommended to pay particular attention to any further guidance documents relating to this issue.
Latest posts by Christina Catenacci, BA, LLB, LLM, PhD (see all)
- Security considerations for organizations’ websites - January 4, 2022
- Ontario’s Right to Disconnect—Bill 27 Royal Assent - December 7, 2021
- What is Zero Trust? - November 2, 2021