1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

New Guidance on Disclosure Exceptions for Investigations and Fraud

On March 17, 2017, the  Office of the Privacy Commissioner of Canada (OPC) published guidance on two new exceptions in PIPEDA permitting disclosure without consent. The guidance is very helpful to interpreting these new provisions and the OPC’s expectations of organizations. However, as expected, there is an undercurrent to the guidance suggesting that that the OPC would like to restrict organizations from setting up systematic information-sharing programs. This is very unfortunate given that these provisions are directly connected to improving confidence in the digital economy. Systematic sharing of information, particularly for fraud detection, suppression and prevention should be able to be accomplished if PIPEDA is truly technologically neutral. Without these tools, the OPC is incentivizing organizations to use much less transparent methods, such as predictive analytics.

Background

The Digital Privacy Act, 2015, amended Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to lower the threshold for when an organization could share personal information without the knowledge or consent of the individual for the purposes of an investigation into a breach of an agreement or a contravention of the laws of Canada. In addition, the Digital Privacy Act, 2015, added a new exception to PIPEDA to permit the disclosure of personal information without the knowledge or consent of the individual for the purpose of the detection or suppressing fraud or preventing fraud that is likely to be committed.

7(3) […] an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

(d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

(d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;

The OPC did not support these amendments. Even before these amendments were passed and came into force, the OPC was sounding alarms that it would interpret these provisions narrowly.  In particular, the OPC was concerned about two issues:

First, the triggering threshold for a permitted disclosure was changed. Under the previous provisions, organizations had to have reasonable grounds to believe that the information related to a breach of an agreement or contravention of law. Following the amendments, an organization only had to determine that the disclosure was reasonable for the purpose of investigating a breach of an agreement or a contravention of a law or reasonable for the purpose of detecting, suppressing or preventing fraud.

Second, the range of purposes were too broad in the OPC’s view. In particular, the OPC was concerned about the possibility of oversharing under the fraud exception.

OPC Guidance

The OPC’s guidance is an attempt to ensure that organizations interpret these provisions narrowly. Although the OPC does not state expressly state that organizations cannot participate in systematic programs to attempt to detect or prevent fraud or breaches of agreements, it is clear that the OPC would prefer that these exceptions be used in isolated circumstances. This is particularly evident in the OPC’s statement that organizations must be able to establish on a case-by-case basis the reasons why it determined that disclosure was appropriate.

The OPC recommends that organizations prepare policies and procedures and to make those available to individuals. The OPC reminds organizations that individuals have the right to make an access request and obtain an account of the third parties to which information has been disclosed. The OPC would also like to see organizations report publicly on the number and type of disclosures made. It should be noted that there is no legislative basis that would require such reporting.

To satisfy the OPC’s concerns about indiscriminate use of these provisions, organizations should develop polices and procedures to ensure that the preconditions to disclosure are met and should make these policies and procedures available on demand.

Although the OPC seems to suggest that organizations should include disclosure of the use of these exceptions, it does not appear to be legislatively required to advise individuals in a privacy notice that the organization may use a lawful exception to disclose information without consent. Any such disclosure would have to be at a very high level unless the organization was participating in a systematic program to share information. What could an organization meaningfully say in the case of a disclosure under the investigation exception? Nevertheless, there are clear benefits to at least mentioning the possibility of these types of disclosures to prevent later accusations that the organization failed to be transparent.

Recommendations

When developing a policy or procedure for disclosures relating to an investigation into a breach of an agreement or the contravention of a law of Canada, organizations should require that, at a minimum, the following criteria (and the common criteria set out below) are met before disclosure:

  • If the investigation relates to a law, it is a law of Canada. The law should be specified and documented. A breach of a foreign law is not covered by this exception.
  • If the investigation relates to a breach of an agreement, the agreement is documented and in force at the time of the alleged breach.
  • The breach or contravention has already taken place, is ongoing or is about to happen. This suggests that the organization must document must be some credible evidence of a breach of the agreement or a contravention of a law of Canada.
  • The investigation is a bona fide formal or systematic inquiry to determine the facts. It cannot be a fishing expedition or gossip.

The following are the minimum criteria for disclosures relating to detecting or suppressing fraud or of preventing fraud:

  • If the disclosure relates to detecting or suppressing fraud or preventing fraud that is likely to be committed.
  • In the case of preventing fraud, the risk of fraud is probable and not merely possible .
  • The type of fraud that is in issue should be documented.

The following common criteria apply to disclosures under either provision:

  • If the organization has received a request for disclosure under these provisions, the request provides sufficient information to ensure that the rationale for disclosure is documented in the request. Requests should not be taken at face value.
  • The disclosure will be made from one organization to another organization. These provisions do not permit disclosure to law enforcement or family members.
  • The disclosure is reasonably related and proportionate to the investigation of the breach of an agreement or a contravention of law or to the activities of detecting or suppressing fraud or preventing fraud that is likely to be committed. Organizations should document their rationale for why the information is necessary to assist in the investigation or is rationally connected to and effective the detection, suppression or prevention of fraud.
  • Obtaining the consent of the individual would compromise the investigation or the fraud detection, suppression or prevention purposes. The rationale for the organization’s decision should be documented.

For the text of the OPC’s Guidance, see: Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA

,

New Guidance on Disclosure Exceptions for Investigations and Fraud

Dentons to Participate in Whistleblowing and Privacy Webinar

Whistleblowing is back in the news with the recent unveiling of the Ontario Securities Commission’s office of the Whistleblower. Our post about the new program can be found here.

Join DataGuidance and Dentons on August 4, 2016 for an examination of Whistleblowing & Privacy in Canada and select other jurisdictions. Click here to register.

Dentons to Participate in Whistleblowing and Privacy Webinar

OSC Whistleblower Program Launched

 

On July 16, 2016, the Ontario Securities Commission (OSC) announced the launch of its Office of the Whistleblower. This is the first paid whistleblower program by a securities regulator in Canada. Subject to eligibility requirements, whistleblowers could receive an award of between 5% and 15% of the total sanctions imposed and/or voluntary payments made in an administrative proceeding brought as a result of information from a whistleblower. The total of the sanctions and/or voluntary payments must exceed CA$1 million. The maximum award to a whistleblower is CA$5 million.

Certain individuals may be ineligible for an award. For example, a lawyer or auditor may be ineligible if the lawyer or auditor obtained information in connection with providing legal services or an internal audit or external assurance mandate and the disclosure would violate professional obligations. Other examples of ineligible individuals include directors, officers and Chief Compliance Officers of an entity that is the subject of the whistleblower submission.

There is no requirement that whistleblowers report violations through internal compliance programs (although the OSC encourages internal reporting). Although the OSC will endeavour to keep the identity of the whistleblower confidential, including in response to an access to information requires, the OSC has been careful not to guarantee confidentiality and the OSC will require verification of identity prior to payment in order to ensure the whistleblower is not ineligible. The Ontario Securities Act (s. 121.5) prohibits reprisals by an employer against an employee.

For more information, see OSC Policy 15-601 Whistleblower Program.

Dentons is delighted to participate in a Whistleblowing & Privacy Webinar offered by DataGuidance on August 4, 2016. Click here to register.

OSC Whistleblower Program Launched

The Connected Retail Store

In the battle for consumer engagement, brick-and-mortar retailers and shopping centres are investing in new technologies to gather data on their customers and offer new shopping centre experiences. According to the Toronto Star, retailers are finding that millennials have a different approach to luxury than previous generations. No surprise – it is a more social and experiential understanding of luxury. Retailers are not stopping with social listening. Recent articles in the National Post and on the CBC describes technologies, such as those offered by Eyeris, that retailers can use to analyze and track emotions and engagement levels using in-store cameras. Another technology, offered by Stefanka, allows for 3D body scans to assist salespersons to find apparel that will fit the customer’s body.

Dentons, with special guests from Deloitte, will be tackling the legal issues pertinent to a successful Connected Retail Store in a half-day program to be held in Toronto on April 14, 2016. Dentons and Deloitte will address:

  • Omnichannel marketing issues and trends
  • Bringing eyeballs to the screens and feet to the stores
  • Privacy issues in tracking shoppers in stores
  • Negotiating percentage rent when dealing with online sales
  • Supply chain challenges and cross-border fulfillment

Learn more at http://www.dentons.com/en/whats-different-about-dentons/connecting-you-to-talented-lawyers-around-the-globe/events/2016/april/14/the-connected-retail-store

The Connected Retail Store

Update on Canadian Data Breach Regulations

Innovations, Science and Economic Development Canada has issued a consultation paper asking Canadians what should be included in new data breach regulations that will be made under the Personal Information Protection and Electronic Documents Act (PIPEDA). The consultation will close on May 31, 2016. Following this consultation process, the Canadian Government will publish draft regulations for public comment and further consultation. It is unlikely, therefore, that we would see breach reporting come into force in Canada before the last quarter of the year.

Why are regulations required?

Canada’s Parliament enacted the Digital Privacy Act in 2015. The Act included amendments to PIPEDA that will introduce new provisions relating to breaches of security safeguards. These provisions include mandatory breach reporting to the Office of the Privacy Commissioner of Canada (OPC) and to individuals and, in some cases, third parties. The provisions also contain controversial record-keeping requirements. These new data breach provisions will not come into force until the Government passes regulations regarding the form and content of the required notices. The Government may also supplement certain provisions in the legislation by way of regulation.

What are the key data breach obligations?

Once the amendments to PIPEDA come into force, organizations will have four new obligations regarding data breaches:

  • Organizations will need to keep records of breaches of security safeguards;
  • Organizations will be required to report a breach of security safeguards to the OPC if it is reasonable to believe that the breach creates a real risk of significant harm to an individual.
  • Organizations will be required to notify affected individuals about a breach that it is reasonable to believe creates a real risk of significant harm to the individual.
  • Organizations will be obligated to notify third parties if the third party could mitigate the risk of harm to the affected individual.

A “breach of security safeguards” is defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s safeguards that are referred to in Clause 4.7 of Schedule 1 or from a failure to establish those safeguards.” Clause 4.7 of Schedule 1 of PIPEDA is the principle that requires an organization to protect personal information by physical, organizational, and technological measures that are proportional to the sensitivity of the personal information.

What is the consultation about?

The consultation relates to five key issues.

  • Record keeping: The Government wants to know what records organizations should be required to keep and for how long.
  • Risk assessment: The Digital Privacy Act provides that an organization assessing whether there is a “real risk” of significant harm should consider the sensitivity of the personal information involved in the breach, the probability that it will be misused and other factors that could be prescribed by regulation. The Government wants to know whether further factors should be specified and whether the risk of harm should be presumed to be low for data that was encrypted.
  • Reports to the OPC: The Government has asked what should be included in reports to the OPC about a breach of safeguards that poses a real risk of significant harm to the individual. The Government has asked whether reports should be made through an electronic secure tool developed by the OPC.
  • Notices to Individuals: The Government is considering a number of issues relating to individual notices. What should the content of the notices be? How much detail should be required? How should notices be delivered? Do the notices need to be separate from other communications by the organization? When should organizations be able to give notice indirectly, such as through posts on the organization’s website?
  • Notices to Third Parties: The Government is mindful that third-parties such as law enforcement and consumer (credit) reporting agencies have a role to play in the protection of individuals from fraud and identity theft. The Government is asking whether there are circumstances that should be enumerated where reporting to third parties should be required.

What about the Province of Alberta’s regime?

The Government acknowledged that the Alberta regime for mandatory breach reporting has been in place for several years and that lessons could be learned from that province’s approach. However, the Government does not seem to be focused on ensuring that there is a harmonized system. It is possible, therefore, that we could see different types of reports and notices being required under PIPEDA than under Alberta’s law.

,

Update on Canadian Data Breach Regulations