Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy legislation, was amended in 2015.
Among the amendments, PIPEDA’s previous investigative body scheme, which allowed disclosures without consent to a designated investigative body, was repealed. This is replaced with paragraphs 7(3)(d.1) and 7(3)(d.2), which allow, in certain circumstances, organizations to disclose personal information without the knowledge or consent of the individual to another organization.
These new amendments resulted in a change in the accountability, transparency and grounds for disclosures without consent. Given the invisible nature of these disclosures, and that there is no longer a public listing of designated investigative bodies, the Office of the Privacy Commissioner of Canada (OPC) is providing guidance on these provisions to remind organizations that these exceptions, while permissible under certain circumstances, do not permit the indiscriminate disclosure of personal information.
Paragraphs 7(3)(d.1) and 7(3)(d.2):
- Are not to be applied in an overly broad manner.
- Do not allow for widespread disclosures and casual sharing of personal information.
- Are limited to certain purposes, under defined circumstances, and given specific conditions.
In overseeing these provisions, the OPC will expect organizations to:
- Carry out due diligence and exercise good judgement when availing themselves of these exceptions.
- Carefully consider each of the requirements explicitly outlined in the provisions.
- Take care to ensure the limits set out in these provisions are respected.
Paragraphs 7(3)(d.1) and 7(3)(d.2)
7(3) …an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
- (d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
- (d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;
A: Requirements Under Paragraphs 7(3)(d.1) and 7(3)(d.2)
Disclosures require responsible consideration and accountability
- Prior to making a disclosure under paragraphs 7(3)(d.1) or 7(3)(d.2):
- Organizations must ensure that the precise requirements set out in the relevant paragraph have been met and should document their rationale before initiating a disclosure.
- In addition, where requests for disclosure of personal information are received, claims from requesting organizations should not be taken at “face value”. [Footnote 1] The organization receiving such requests should take certain measures, such as asking for and documenting the rationale and bona fide nature of a claim from the requesting organization.
Disclosures can only be made to “another organization”
- Disclosures under paragraphs 7(3)(d.1) and (d.2) are limited to disclosures made to other organizations.
- They are not broad exceptions that permit disclosure without consent to other parties such as law enforcement or clients’ family members.
Disclosures must be “reasonable for the purposes”
- Paragraphs 7(3)(d.1) and (d.2) require the disclosure to be “reasonable for the purposes” specified in each provision.
- Under paragraph 7(3)(d.1) the disclosure must be “reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed”.
- Organizations must ensure that the investigation referred to in paragraph 7(3)(d.1) pertains to a specific breach of an agreement or contravention of the laws of Canada or a province that “has been, is being or is about to be committed”.
- In other words, the disclosing organization must be satisfied that the breach of agreement or contravention of a law has already taken place, is ongoing, or is about to happen.
- An “investigation” can be defined as a formal or systematic inquiry to discover and examine the facts of an incident, so as to establish the truth. [Footnote 2] It is not a fishing expedition.
- Organizations must ensure that disclosures of personal information are reasonably related and proportionate to a specified purpose and should not over-reach in their scope.
- An investigation might include, for example, an investigation of professional misconduct by a professional regulatory body, or an investigation by a bank into fraudulent mortgage transactions.
- A “breach of an agreement” generally involves a violation of, or failure to meet, the terms of a binding agreement. A breach of an agreement might include, for example, a breach of a tenancy agreement or a breach of an employment contract. [Footnote 3]
- A “contravention of a law of Canada or a province” means a contravention of a Canadian law. It does not include contraventions of foreign laws.
- Under paragraph 7(3)(d.2) the disclosure must be “reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed”. While paragraph 7(3)(d.1) contemplates a specific breach of a law or agreement, paragraph 7(3)(d.2) is not as specific. However:
- Organizations must ensure that disclosures are limited to “detecting or suppressing fraud or of preventing fraud that is likely to be committed”.
- Preventing fraud that is likely to be committed means that the risk of fraud must be probable and not merely possible.
- Here too, organizations must ensure that disclosures of personal information for the purposes of detecting or suppressing fraud or of preventing fraud are reasonably related and proportionate to a specified purpose and should not over-reach in their scope.
It must be reasonable to expect that disclosure with the knowledge or consent of the individual concerned would compromise the activity in question
- To help mitigate the risk of over-disclosure, organizations relying on paragraphs 7(3)(d.1) or 7(3)(d.2) must also evaluate whether it would be reasonable to expect that informing the individual concerned of the disclosure, or seeking the individual’s consent to the disclosure, would compromise the activity in question.
- Before disclosing personal information under paragraph 7(3)(d.1), an organization must turn its mind to and have formed a reasonable expectation that disclosure with the knowledge or consent of the individual would compromise the investigation.
- Before disclosing personal information under paragraph 7(3)(d.2), an organization must turn its mind to and have formed a reasonable expectation that disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud.
B: Other Relevant Considerations
Demonstrate due diligence
- An organization should document, and be able to demonstrate, on a case-by-case basis, the reasons why it determined that each disclosure met all of the requirements under paragraphs 7(3)(d.1) or 7(3)(d.2).
- For example, organizations should be able to demonstrate, if/when called upon to do so, how each disclosure is reasonable for the stated purposes and why it is reasonable to expect that the disclosure with the knowledge or consent of the individual concerned would compromise the investigation or ability to detect, suppress or prevent the fraud.
Ensure accountability and openness
- An organization should develop policies and procedures setting out how it requests and/or responds to these disclosures.
- Organizations should be open about their policies and practices and make them available to individuals.
- Further, any related policies and procedures should be accompanied by up-to-date training for employees on an ongoing basis.
Identify procedures for handling access requests from individuals
- Individuals generally have the right to access their personal information, including obtaining an account of the third parties to whom their personal information has been disclosed. Organizations must provide access to personal information on request, unless an exception under PIPEDA applies.
Consider all other PIPEDA requirements
- Even though information-sharing may occur in specified circumstances without consent, an organization is still required to fulfill its other PIPEDA obligations, including but not limited to, limiting the disclosure of personal information, safeguarding it, and ensuring that any disclosure of personal information is only for purposes that a reasonable person would consider are appropriate in the circumstances.
C: Consider Other Ways to Improve Transparency and Consumer Trust
- Organizations could further consider reporting publicly on the number and types of disclosures made on an annual or semi-annual basis, using aggregate and anonymized data.
- Organizations could also consider making available a summary of their frameworks and information sharing practices under paragraphs 7(3)(d.1) and 7(3)(d.2).
- These additional steps may help organizations build greater trust with individuals by demonstrating accountability for disclosures, and making more visible what would otherwise be invisible to Canadians.