Canadians have privacy rights associated with their personal information. This applies even when one’s personal information is held by someone else, as with hospital medical records. Patient ownership of personal data was illustrated in the 1992 Supreme Court of Canada (‘SCC’) decision, McInerney v. MacDonald, where the Court confirmed that although the physician has physical possession of the patient’s medical records, the physician still stands in a fiduciary relationship to the patient. Therefore, the owner of the physical record is responsible for controlling access to such personal information, and governments have created regulations that must be followed; for example, Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA, R.S.O. 1990, c. F.31). Although these regulations exist, there is still a great deal of ambiguity in the handling of personal information, including how to properly collect it and keep it secure. This ambiguity is exacerbated by modern technology, where electronic devices play a major role in our communication and data collection. Consequently, there have been several judicial decisions that focus on privacy in the context of technology, such as computers and cell phones. The Office of the Privacy Commissioner of Canada (OPC) has attempted to clarify some of the ambiguity in this space by publishing guidelines for companies to follow when collecting data from Canadians.
The first guideline took effect in July 2018 and draws on subsection 5(3) of the Personal Information Protection and Electronic Documents Act (PIPEDA) to provide rules on how organizations must appropriately handle personal information in the course of commercial activities. Section 5(3) states that “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”. It is important to note that the application of s. 5(3) has led courts to conclude that the release of personal information is justified in certain situations, as in the 2005 Federal Court case of Turner v. Telus Communications Inc. There, the Court of Appeal set out five factors to consider when determining whether an organization’s behaviour complies with s. 5(3):
- The degree of sensitivity of the personal information;
- Whether the organization’s purpose represents a legitimate need;
- Whether the collection, use or disclosure would effectively meet the organization’s need;
- Whether there are less invasive means of achieving the same goals; and
- Whether the loss of privacy is proportional to the benefits.
In an attempt to build on these factors, the OPC’s guideline describes how to interpret s. 5(3) of PIPEDA and lists inappropriate information management practices that organizations should avoid. The principles are summarized below:
- Section 5(3) must balance the privacy rights of individuals against the need for organizations to collect, use or disclose personal information.
- The balancing of the individual’s interest against the organization’s interest should be done from the perspective of a reasonable person.
- Section 5(3) is “an overarching requirement” that sits on top of the organization’s other obligations, ensuring that the purposes for collecting, using and disclosing personal information are appropriate in the circumstances.
- Compliance with other parts of PIPEDA does not automatically mean that an organization has complied with s. 5(3).
The second guideline took effect in January 2019. It addresses the importance of obtaining meaningful consent for the use of one’s personal information and sets out what organizations should do to ensure that they obtain such consent. In the guideline, meaningful consent is described as an essential aspect of Canadian privacy legislation. To maintain this, the guideline emphasizes seven principles that organizations should incorporate in their policies, summarized as follows:
- Emphasize Key Elements
  - The personal information that is being collected;
  - Who can access the information;
  - The purpose of collecting, using or disclosing the personal information; and
  - The risk of harm or other consequences that may arise from the use of the personal information.
- A User-Controlled Review Process
Individuals have different approaches to reviewing policy information. Some prefer to look at a summary of the information, while others prefer an in-depth explanation of the organization’s privacy practices. Furthermore, individuals may differ in how they choose to review the policy. For example, some individuals review the full policy in one sitting, while others choose to review the information in multiple, smaller segments. The guideline recommends that information be presented in a user-controlled fashion, allowing the individual to choose the level of detail described in the privacy information and having the information remain accessible throughout the individual’s engagement with the organization.
- Clear “Yes” or “No” Options
This principle stresses that individuals must be given a clear choice when consenting to the collection, use or disclosure of personal information that is beyond what is necessary to provide the product or service. When the information is essential for providing the product or service, the organization should be ready to explain to the individual why the use of their personal information is required in the situation.
- Creativity in Explaining Privacy Policies
The digital environment has the potential to be much more dynamic than the traditional paper-based model. Organizations are encouraged to do more than transpose their written policies into digital form, by taking advantage of digital communication strategies such as “just-in-time notices”, interactive tools, and customized mobile interfaces.
- The Consumer’s Perspective
Meaningful consent is given when the consenting individual understands the contractual implications of their consent. Therefore, organizations should consider the consumer’s perspective when making privacy communications and improving user accessibility. Furthermore, privacy communications should be accessible across different devices, like digital health technologies, smart phones, and laptops.
- Ongoing and Dynamic Consent
This principle stresses how consent is an ongoing process. Organizations should keep their users informed of changes to privacy practices and obtain consent prior to making any significant changes.
- Demonstrating Compliance
Organizations should implement privacy practices that are always ready for scrutiny. These practices should be compliant with legal consent obligations and the OPC guideline.
In addition to the above principles, the guideline also touches on the appropriate forms of consent that should be used when handling personal information. This will depend on various factors, such as the sensitivity of the information being given and what reasonable expectations should be put on the individual giving the information.
As is evident from the case law and legislation, Canadian privacy law is a dynamic field that continues to evolve with our use of the digital space. The OPC’s guidelines are the latest step in this process, and it will be interesting to see how the field is affected by their enforcement. The guidelines’ suggestions may seem clear-cut; however, it may be difficult for some companies to implement procedures that fulfill these requirements. This may be due to obstacles that are already present in the company’s industry or a reluctance by management to change policies that have worked well for the company in the past. However, one can only speculate on the effects of these new guidelines at this time, for their true impact will be realized only after years of practice under this modified privacy law regime.
Written by Imtiaz Karamat and Neda Foroughian, JD Candidates at Osgoode Hall Law School.