Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner's legal obligations or if the individual has provided consent?

In general, subject to limited exceptions, Canadian privacy legislation requires organisations to obtain meaningful consent for the collection, use and disclosure of personally identifiable information (PII). What constitutes 'meaningful consent' is guided by seven principles designed to ensure that the individual providing the consent, among other things, has a clear understanding of the nature, purpose and consequences of what they are consenting to; has been given information, in a clear and comprehensible manner, about the organisation's privacy management practices; and has been offered a clear 'yes' or 'no' option.

An organisation cannot require consent as a condition of providing a product or service beyond what is necessary to fulfil an explicitly specified and legitimate purpose. The form of consent, whether express or implied, may vary depending on the sensitivity of the PII and the reasonable expectations of the individual. Individuals may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Privacy legislation generally states that the more sensitive the PII, the greater the security safeguards required to protect it. Legislation does not always specifically state what types of security safeguards ought to be implemented, but rather leaves it to an organisation to determine what is appropriate in the circumstances. In addition, the vast majority of provinces have health legislation that applies specifically to entities that fit within the definition of 'custodians' or 'trustees' and have stricter and more specific standards of security safeguards for health PII.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Canadian privacy law is based on consent. As such, obtaining meaningful consent, either express or implied, is necessary for an organisation's collection, use and disclosure of PII. Accordingly, there is no law of general application that requires organisations to notify individuals whose PII they hold, apart from three cases: mandatory breach notification in the event of a breach of security safeguards that could reasonably be expected to create a real risk of significant harm to an individual; notification that may be required for a proposed transfer of PII outside the organisation's jurisdiction; and a response to an access request from the affected individual.

In the case of mandatory breach notifications, the notification must be conspicuous and include enough information to allow the individual to understand the significance of the breach to them and to take steps, if possible, to reduce or mitigate the risk of harm.

Exemption from notification

When is notice not required?

Because there is no law of general application requiring organisations to notify individuals whose PII they hold, notice is required only in the three cases noted above: a breach of security safeguards that could reasonably be expected to create a real risk of significant harm to an individual; a proposed transfer of PII outside the organisation's jurisdiction, where applicable; and an access request from the affected individual.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Generally, individuals have the right to obtain information about an organisation's PII handling practices and policies without unreasonable effort. Individuals also have the right:

  • to gain access to their PII;
  • to be told whether the organisation holds PII about them and, if so, what type;
  • to receive a general account of the use and disclosure of their PII; and
  • to have their PII amended if it is inaccurate or incomplete.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Canadian privacy legislation obliges organisations to ensure that the PII they collect, use and disclose is accurate, complete and up to date, particularly where the information is used to make a decision about the individual to whom it relates or is likely to be disclosed to another organisation.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

Canadian private sector privacy legislation provides that the amount of PII that an organisation holds should be limited to what is necessary for the identified purpose. Canadian privacy legislation also provides that, absent any specific legislative requirements to keep the PII for a certain period of time, the PII should be held only as long as is necessary to fulfil its identified purpose and once it is no longer required to fulfil such purpose it should be destroyed, erased or made anonymous.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the 'finality principle' been adopted?

Organisations are generally required to identify the purposes for which PII is collected at or before the time the information is collected. Organisations must also document those purposes in order to be transparent about their privacy practices. PII must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as permitted or required by law.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

If an organisation wishes to use PII in its possession for a new purpose, it must identify that purpose and obtain fresh consent from the individuals concerned before using their PII for it, unless the new use is otherwise permitted or required by law.

Originally Published by TDS Law, February 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.