May 31, 2018
Sabrina Kellenberger, Senior Manager, Regulatory Policy, Canadian Credit Union Association
The Office of the Privacy Commissioner of Canada (OPC) has now released the final versions of its Guidance on Inappropriate Data Practices, which comes into effect on July 1, 2018, and its Guidelines on Obtaining Meaningful Consent, which will take effect on January 1, 2019. Both documents are a result of the OPC’s work to improve the current consent model under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Guidance on Inappropriate Data Practices
The Guidance on Inappropriate Data Practices describes the OPC’s guiding principles for interpreting subsection 5(3) of PIPEDA, which stipulates that even with consent, “an organization may collect, use and disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”
In this regard, the OPC has identified the following “no-go zones” where it would be considered “inappropriate” by a reasonable person to collect, use, or disclose personal information:
- The collection, use or disclosure that is otherwise unlawful;
- Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law;
- Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual;
- Publishing personal information with the intended purpose of charging individuals for its removal;
- Requiring passwords to social media accounts for the purpose of employee screening; and
- Surveillance by an organization through audio or video functionality of the individual’s own device.
The OPC intends to periodically revisit and update this list.
Guidelines on Obtaining Meaningful Consent
The Guidelines on Obtaining Meaningful Consent are somewhat more complex and are being jointly issued by the Privacy Commissioners of Canada, Alberta and British Columbia, although organizations remain responsible for understanding and meeting the specific obligations imposed by the legislation under which they function.
Seven “principles” to follow when obtaining consent are offered:
- Emphasize key elements.
- Allow individuals to control the level of detail they get and when.
- Provide individuals with clear options to say “yes” or “no”.
- Be innovative and creative.
- Consider the consumer’s perspective.
- Make consent a dynamic and ongoing process.
- Be accountable: stand ready to demonstrate compliance.
In addition, to assist organizations with compliance, a quick-reference checklist is presented that separates the measures into “must-dos” (the obligations stemming from legal requirements) and “should dos” (those that arise from best practices).
To learn more, please visit CCUA’s Regulatory Compliance webpage on Privacy.