On March 17, 2017, the Office of the Privacy Commissioner of Canada (OPC) published guidance on two new exceptions in PIPEDA permitting disclosure without consent. The guidance is very helpful in interpreting these new provisions and the OPC’s expectations of organizations. However, as expected, there is an undercurrent to the guidance suggesting that the OPC would like to restrict organizations from setting up systematic information-sharing programs. This is very unfortunate given that these provisions are directly connected to improving confidence in the digital economy. Systematic sharing of information, particularly for fraud detection, suppression and prevention, should be possible if PIPEDA is truly technologically neutral. Without these tools, the OPC is incentivizing organizations to use much less transparent methods, such as predictive analytics.
The Digital Privacy Act, 2015, amended Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to lower the threshold for when an organization could share personal information without the knowledge or consent of the individual for the purposes of an investigation into a breach of an agreement or a contravention of the laws of Canada. In addition, the Digital Privacy Act, 2015, added a new exception to PIPEDA to permit the disclosure of personal information without the knowledge or consent of the individual for the purpose of detecting or suppressing fraud or preventing fraud that is likely to be committed.
7(3) […] an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
(d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
(d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;
The OPC did not support these amendments. Even before these amendments were passed and came into force, the OPC was sounding alarms that it would interpret these provisions narrowly. In particular, the OPC was concerned about two issues:
First, the triggering threshold for a permitted disclosure was changed. Under the previous provisions, organizations had to have reasonable grounds to believe that the information related to a breach of an agreement or contravention of law. Following the amendments, an organization only had to determine that the disclosure was reasonable for the purpose of investigating a breach of an agreement or a contravention of a law or reasonable for the purpose of detecting, suppressing or preventing fraud.
Second, the range of purposes was too broad in the OPC’s view. In particular, the OPC was concerned about the possibility of oversharing under the fraud exception.
The OPC’s guidance is an attempt to ensure that organizations interpret these provisions narrowly. Although the OPC does not expressly state that organizations cannot participate in systematic programs to attempt to detect or prevent fraud or breaches of agreements, it is clear that the OPC would prefer that these exceptions be used in isolated circumstances. This is particularly evident in the OPC’s statement that organizations must be able to establish on a case-by-case basis the reasons why they determined that disclosure was appropriate.
The OPC recommends that organizations prepare policies and procedures and make those available to individuals. The OPC reminds organizations that individuals have the right to make an access request and obtain an account of the third parties to which information has been disclosed. The OPC would also like to see organizations report publicly on the number and type of disclosures made. It should be noted that there is no legislative basis that would require such reporting.
To satisfy the OPC’s concerns about indiscriminate use of these provisions, organizations should develop policies and procedures to ensure that the preconditions to disclosure are met and should make these policies and procedures available on demand.
Although the OPC seems to suggest that organizations should include disclosure of the use of these exceptions, it does not appear to be legislatively required to advise individuals in a privacy notice that the organization may use a lawful exception to disclose information without consent. Any such disclosure would have to be at a very high level unless the organization was participating in a systematic program to share information. What could an organization meaningfully say in the case of a disclosure under the investigation exception? Nevertheless, there are clear benefits to at least mentioning the possibility of these types of disclosures to prevent later accusations that the organization failed to be transparent.
When developing a policy or procedure for disclosures relating to an investigation into a breach of an agreement or the contravention of a law of Canada, organizations should require that, at a minimum, the following criteria (and the common criteria set out below) are met before disclosure:
- If the investigation relates to a law, it is a law of Canada. The law should be specified and documented. A breach of a foreign law is not covered by this exception.
- If the investigation relates to a breach of an agreement, the agreement is documented and in force at the time of the alleged breach.
- The breach or contravention has already taken place, is ongoing or is about to happen. This suggests that the organization must document some credible evidence of a breach of the agreement or a contravention of a law of Canada.
- The investigation is a bona fide formal or systematic inquiry to determine the facts. It cannot be a fishing expedition or gossip.
The following are the minimum criteria for disclosures relating to detecting or suppressing fraud or of preventing fraud:
- The disclosure relates to detecting or suppressing fraud or preventing fraud that is likely to be committed.
- In the case of preventing fraud, the risk of fraud is probable and not merely possible.
- The type of fraud that is in issue should be documented.
The following common criteria apply to disclosures under either provision:
- If the organization has received a request for disclosure under these provisions, the request provides sufficient information to ensure that the rationale for disclosure is documented in the request. Requests should not be taken at face value.
- The disclosure will be made from one organization to another organization. These provisions do not permit disclosure to law enforcement or family members.
- The disclosure is reasonably related and proportionate to the investigation of the breach of an agreement or a contravention of law or to the activities of detecting or suppressing fraud or preventing fraud that is likely to be committed. Organizations should document their rationale for why the information is necessary to assist in the investigation or is rationally connected to and effective in the detection, suppression or prevention of fraud.
- Obtaining the consent of the individual would compromise the investigation or the fraud detection, suppression or prevention purposes. The rationale for the organization’s decision should be documented.
For the text of the OPC’s Guidance, see: Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA