Interpretation Bulletin: Openness
One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. The Commissioner’s findings will depend on the facts of each case and will be informed by the evolving jurisprudence. Over time, findings on certain key issues crystallize into general principles that can serve as helpful guidance for organizations.
In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretation Bulletins on certain key concepts in PIPEDA. These Interpretation Bulletins are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretation Bulletins may evolve and be further refined over time.
I. Relevant Statutory Provisions
Principle 4.8: “An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”
Principle 4.8.1: “Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.”
Principle 4.8.2: “The information made available shall include
(a) the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held by the organization;
(c) a description of the type of personal information held by the organization, including a general account of its use;
(d) a copy of any brochures or other information that explain the organization's policies, standards, or codes; and
(e) what personal information is made available to related organizations (e.g., subsidiaries).”
Principle 4.8.3: “An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.”
Principle 4.2.1: “The organization shall document the purposes for which personal information is collected in order to comply with the Openness principle (Clause 4.8) and the Individual Access principle (Clause 4.9).”
Principle 4.4.1: “Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle (Clause 4.8).”
II. General Interpretations by the Courts
Organizations may meet the requirement for openness through the availability of brochures and tools about their privacy practices. In many cases, these materials may only be available after collection or use of personal information, and therefore cannot be relied on for knowledge and consent. However, if customers are aware of the materials at the time they subscribe to a company’s services, this “openness” can lead to a finding of implied consent.
Englander v TELUS Communications Inc (FCA) 2004 FCA 387, [2005] 2 FCR 572
III. Application by the OPC in Different Contexts
Whether an organization can be said to meet its openness obligations under PIPEDA will vary depending on the facts of each complaint and investigation. The following examples illustrate how the OPC has interpreted and applied the openness principle, along with the general findings it has derived in different contexts.
Availability
- Organizations must make readily available clear and specific information about their privacy policies and procedures.
- Organizations must provide sufficient information about their collection, use, disclosure and retention of personal information.
- PIPEDA Report of Findings #2013-001 Investigation into the personal information handling practices of WhatsApp Inc.
- PIPEDA Report of Findings #2012-005 Ontario insurance company used credit information to assess risk, assess premiums
- PIPEDA Report of Findings #2011-009 Credit Bureau Purges Loan History from Individual’s Credit Report without his Knowledge
- PIPEDA Case Summary #2009-008 Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act
- PIPEDA Case Summary #2008-388 Ticketmaster Canada Limited revised its policies and practices with respect to PIPEDA to protect customer’s personal information
- PIPEDA Case Summary #2006-350 Customers allege that sale of personal information by one bank to another occurred without knowledge and consent
- PIPEDA Case Summary #2002-91 Marketing firm accused of improper disclosure of survey Information
- In order to satisfy the openness principle, organizations must clearly outline the means available for individuals to gain access to their personal information, including the steps needed to make an access request.
- Organizations are not required to disclose details of their privacy policies and procedures if disclosure would compromise their ability to safeguard personal information.
- Organizations must make information about their personal information management practices available to all their customers in the same consistent manner, whether in person, on paper, by telephone or via their website.
Accessibility
- Individuals must be able to acquire information about an organization’s policies and practices and find information regarding less privacy-invasive options without unreasonable effort.
- Organizations must have mechanisms in place to respond to inquiries from individuals seeking information about their privacy policies and procedures.
- Organizations that provide their privacy policies on their website should also make available paper copies to individuals who request one.
- When an organization makes its privacy policy available in English and French, both versions must be regularly and equally updated to ensure that existing users continue to be adequately informed of any changes.
- An organization must be open about less privacy-invasive options available and offer these options to all its customers, not just the customers who complain or object to its practices.
Clarity
- Information about an organization’s personal information management practices must be presented in a way that is sufficiently prominent, in a font that is easy to read and in a manner that is reasonably clear and understandable.
- Privacy policies must be clear and consistent.
- The content of privacy policies should be consolidated and not spread across multiple, hard-to-find locations. The organization’s privacy policy should integrate information about the organization’s privacy-related practices, including how these may vary across different services or websites, even if these are explained in whole or in part elsewhere.
- PIPEDA Report of Findings #2014-011 Investigation into the personal information handling practices of Ganz Inc.
- PIPEDA Report of Findings #2013-003 Profiles on PositiveSingles.com dating website turn up on other affiliated dating websites
- PIPEDA Report of Findings #2012-001 Social networking site for youth, Nexopia, breached Canadian privacy law
- PIPEDA Case Summary #2009-010 Assistant Commissioner Recommends Bell Canada Inform Customers about Deep Packet Inspection
- PIPEDA Case Summary #2009-008 Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc.
- Information about an organization’s privacy policies should be presented in a language and format appropriate to its user base.
Inclusion of Contact Information
- Organizations must provide the name and contact information of the designated officials responsible for their compliance with privacy laws.
- PIPEDA Case Summary #2006-357 Inconclusive Evidence of Disclosure Prompts Fitness Club to Clarify Privacy Policy for Clients and Staff
- PIPEDA Case Summary #2005-301 Property management company improves privacy policy
- PIPEDA Case Summary #2002-91 Marketing Firm Accused of Improper Disclosure of Survey Information
- An organization collecting personal information via video surveillance must give clear and sufficient notice to prospective customers at the entrance of its premises, explaining the purpose for the video surveillance and providing a telephone number that patrons can call if they have questions or want access to their personal information.
Publicly Available Information
- Organizations that collect, use and disclose personal information that is publicly available remain nonetheless subject to the openness principle under PIPEDA.
Information Shared with Other Organizations
- Even if organizations are not required to obtain consent before transferring customers’ personal information to a third-party processor for a service directly related to the primary purpose for which the personal information was originally collected, they are nonetheless required to make every reasonable effort to inform individuals about the transfer.
- Where an organization transfers personal information to a foreign country for processing, the organization must notify its clients of the risk that their personal information may be lawfully accessed under the laws of that country. This notification should be given when the personal information is collected.
- PIPEDA Case Summary #2008-394 Outsourcing of Canada.com email services to US-based firm raises questions for subscribers
- PIPEDA Case Summary #2007-365 Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered
- PIPEDA Case Summary #2006-333 Canadian-based company shares customers’ personal information with US parent
- PIPEDA Case Summary #2005-313 Bank's notification to customers triggers PATRIOT Act concerns
- Audit Report of the Privacy Commissioner of Canada 2011 - Staples Business Depot
- See also: Guidelines for Processing Personal Data Across Borders