Defining Purposes and Obtaining Consent

Rick Shields Professional Corporation

1
Defining Purposes and Obtaining Consent
  • A Presentation to the Riley Information Services
    Inc.
  • Conference
  • Privacy Legislation: Complying with New Demands
  • Ottawa, Ontario
  • February 16, 2004
  • Rick Shields

2
Agenda
  • Defining Purposes and Obtaining Consent under
    PIPEDA
  • What PIPEDA says
  • How regulatory officials have interpreted PIPEDA
  • Q & A

3
What PIPEDA Says: s. 5
  • PIPEDA incorporates CSA Model Code for the
    Protection of Personal Information
  • S. 5(1): Subject to sections 6 to 9 of PIPEDA,
    every organization is obliged to comply with the
    portions of the Model Code set out in Schedule 1.
  • S. 5(2): In Schedule 1, "shall" means "must" and
    "should" indicates non-mandatory best practice

4
What PIPEDA Says: Schedule 1
  • Schedule 1 contains the CSA 10 Principles for the
    Protection of Personal Information
  • Principle 2 deals with the identification of
    purposes for collection
  • Principle 3 deals with consent requirements

5
What PIPEDA Says: Principle 2
  • The purposes for which personal information is
    collected shall be identified by the organization
    at or before the time the information is
    collected.
  • Must document purposes for collection (4.2.1) as
    a means of determining the PI required by the
    organization (4.2.2) and avoiding excessive
    collection

6
What PIPEDA Says: Principle 2
  • Should identify purpose at or before time of
    collection to person who furnishes PI (4.2.3)
  • Purposes can be identified orally or in writing
    (4.2.3)
  • Cannot use PI previously collected for new,
    previously unidentified purpose without
    identifying same prior to use (4.2.4)

7
What PIPEDA Says: Principle 2
  • Consent of data subject required unless new
    purpose required by law (4.2.4)
  • Persons collecting PI should be able to explain
    purpose for collection (4.2.5)

8
Commissioner's Views: Principle 2
  • If purposes are not stated at or before
    collection, organization can't be deemed to limit
    its collection of PI to that which is necessary
    for identified purposes
  • For online collections, consider pop-up boxes to
    explain purpose for each item of PI
  • For telephone collections, ensure operators are
    trained and appropriate scripts provided (PIPED
    Act Case Summary 45)

9
Commissioner's Views: Principle 2
  • Purpose must be stated in a manner reasonably
    conducive to the complainant's understanding of
    how the PI will actually be used or disclosed
    (PIPED Act Case Summary 148)
  • If relying on implied consent for third party
    disclosures, advise data subject of this fact,
    describe purposes for secondary disclosure and
    items of PI that will be disclosed, identify
    third party recipients and provide convenient
    opt-out mechanism, all at point of collection
    (PIPED Act Case Summaries 91 & 167)

10
Commissioner's Views: Principle 2
  • Avoid vague or open-ended statements of purpose;
    details are required (PIPED Act Case Summaries
    42, 91, 97)
  • Do not mislead data subjects about dealings with
    PI (PIPED Act Case Summary 42)

11
Commissioner's Views: Principle 2
  • When documenting purpose(s) for secondary uses of
    PI, do not:
  • Expect individual to find resulting document on
    their own; furnish same to data subject
  • Use fine print in long documents
  • Use complex, jargon-filled text; avoid legalese
  • Fail to provide customers with adequately
    detailed information about the extent and purpose
    of contemplated uses and sharing of their PI
  • Fail to provide an easy opt-out method (PIPED Act
    Case Summary 78)

12
What PIPEDA Says: Principle 3
  • The knowledge and consent of the individual are
    required for the collection, use, or disclosure
    of personal information, except where
    inappropriate.
  • Consent should be obtained before collection in
    most cases (4.3.1)
  • Organizations must make reasonable effort to
    ensure informed consent (4.3.2), linked to
    Principle 2

13
What PIPEDA Says: Principle 3
  • Can't make consent a condition of supplying a
    product or service beyond that required to fulfil
    express, legitimate purposes (4.3.3)
  • Form of consent can vary, depending upon
    sensitivity of PI at issue
  • Some PI (e.g. health or income records) almost
    always sensitive, while the sensitivity of other
    PI will depend on context (4.3.4)

14
What PIPEDA Says: Principle 3
  • When obtaining consent, need to take into
    consideration the reasonable expectations of the
    individual (e.g. reasonable to assume magazine
    subscriber can be solicited re. renewal) (4.3.5)
  • Organizations should generally seek express
    consent with respect to sensitive information,
    while implied consent should generally be okay
    for less sensitive PI (4.3.6)

15
What PIPEDA Says: Principle 3
  • Forms of consent can vary (e.g. signing
    application form, check off box, online click
    box, oral) (4.3.7)
  • Individuals can withdraw consent at any time,
    subject to legal or contractual restrictions and
    reasonable notice.
  • If individual opts to withdraw consent,
    organization must advise re. implications of
    withdrawal (4.3.8)

16
What PIPEDA Says: Ss. 7 & 5(3)
  • Ss. 7(1), (2) and (3) of PIPEDA permit
    non-consensual collections, uses and disclosures
    of PI, respectively, in certain specified cases
  • These exemptions, and all other PIPEDA
    provisions, are subject to the overarching
    reasonableness requirement established by s. 5(3)
    of PIPEDA

17
Commissioner's Views: Principle 3
  • Like most other privacy advocates, I have a
    very low opinion of opt-out consent, which I
    consider to be a weak form of consent reflecting
    at best a mere token observance of what is
    perhaps the most fundamental principle of privacy
    protection. Opt-out consent is in effect the
    presumption of consent - the individual is
    presumed to give consent unless he or she takes
    action to negate it. I share the view that such
    presumption tends to put the responsibility on
    the wrong party. I am also of the view that
    inviting people to opt in to a thing, as opposed
    to putting them into the position of having to
    opt out of it or suffer the consequences, is
    simply a matter of basic human decency.

18
Commissioner's Views: Principle 3
  • Accordingly, while acknowledging that the Act
    does provide for the use of opt-out consent in
    some circumstances, I intend, in this and all
    future deliberations on matters of consent, to
    ensure that such circumstances remain limited,
    with due regard both to the sensitivity of the
    information at issue and to the reasonable
    expectations of the individual. In other words,
    in interpreting Principle 4.3.7, I intend always
    to give full force to other relevant provisions
    of the Act, notably 4.3.4, 4.3.5, and 4.3.6 and
    section 5(3).
  • Former Commissioner Radwanski

19
Commissioner's Views: Principle 3
  • Express consent required for tailored marketing
    that is customized according to knowledge of
    individual's purchasing habits and preferences
    (PIPED Act Case Summary 42)
  • Too vague statements of purpose will invalidate
    even express consent (PIPED Act Case Summary 42)

20
Commissioner's Views: Principle 3
  • Four preconditions identified for reliance upon
    opt-out consent:
  • The personal information must be clearly
    non-sensitive in nature and context.
  • The information-sharing situation must be limited
    and well-defined as to the nature of the personal
    information to be used or disclosed and the
    extent of the intended use or disclosure.

21
Commissioner's Views: Principle 3
  • The organization's purposes must be limited and
    well-defined, stated in a reasonably clear and
    understandable manner, and brought to the
    individual's attention at the time the personal
    information is collected.
  • The organization must establish a convenient
    procedure for easily, inexpensively, and
    immediately opting out of, or withdrawing consent
    to, secondary purposes and must notify the
    individual of this procedure at the time the
    personal information is collected (PIPED Act Case
    Summaries 207, 203, 192)

22
Commissioner's Views: Principle 3
  • Consent can sometimes be inferred (e.g.
    employer's entitlement to use PI in the course of
    employee performance evaluations) (PIPED Case
    Summary 153)
  • Former Commissioner's views regarding
    requirements for express consent have been
    rejected by a Court in at least one case
    (L'Ecuyer v. Aéroports de Montréal, F.C.T.D.)

23
Commissioner's Views: Principle 3
  • Whether consent to collection, use or disclosure
    of PI can be made a condition of service will
    depend upon circumstances (Compare PIPED Act Case
    Summary 22 with 94)
  • Restrictions on non-consensual new uses include
    internal use by organization (e.g. for training)
    (PIPED Act Case Summary 180)

24
Conclusion
  • Provide readily accessible, readily understood,
    reasonably detailed description of all purposes,
    whether primary or secondary, and opt-out
    mechanisms, updated as required, and deliver by
    personnel knowledgeable enough to explain
    purposes (where appropriate)
  • Ensure consent is informed and is appropriate to
    sensitivity of the data, subject to specific
    exemptions contained in PIPEDA