A significant change to Canada’s private sector privacy law in 2015 involved the dismantling of designated investigative bodies – a listing of entities to whom disclosures of personal information could be made without getting consent. This was replaced with the new paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA, which allow disclosures of personal information, without the individual’s consent, to any other organization in certain contexts. 7(3)(d.1) allows for disclosures that are “reasonable for the purpose of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being, or is about to be committed”. 7(3)(d.2) allows for disclosures that are “reasonable for the purpose of detecting or suppressing fraud or preventing fraud that is likely to be committed”.
Recently, the Office of the Privacy Commissioner of Canada (OPCC) released a guidance document on these provisions to remind organizations that these consent exceptions “do not permit the indiscriminate disclosure of personal information”. The OPCC reminds and warns organizations that the ‘reasonableness’ standard in these provisions must be carefully considered to avoid over-disclosure.
In addition to expanding on when and how to use these consent exemptions responsibly, the OPCC also stressed other considerations, including demonstrating due diligence by documenting the reasons why the organization determined that a particular disclosure was warranted and met all the requirements under 7(3)(d.1) or 7(3)(d.2); and the need to develop transparent policies and procedures (supported by employee training) that set out when the organization requests such disclosures and how it responds to requests for such disclosures without consent.
CLICK HERE to view the OPCC guidance document on these consent exemptions in the context of disclosures of personal information.
For assistance with policies, employee training or responding to specific requests for information about your customers or employees, contact PRIVATECH.0