On March 17, 2017, the Office of the Privacy Commissioner of Canada (“OPC”) published a Guidance on two provisions of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) that deal with the disclosure of personal information by private-sector organizations (“organizations”) without prior knowledge or consent of the individual to whom the information pertains (the “Guidance”).
In particular, the Guidance reminds organizations, including charities and not-for-profits, that while paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA provide exceptions to the knowledge and consent principles enumerated in PIPEDA, these exceptions do not permit the indiscriminate disclosure of personal information. In particular, the above noted paragraphs of PIPEDA allow organizations, in certain limited circumstances, to disclose personal information to “another organization” (not another individual or family member), without prior knowledge or consent. For example, where fraud is being investigated, disclosure is permitted when it is reasonable to expect the disclosure with knowledge or consent of the individual would compromise the investigation. However, the Guidance warns that these exceptions are not to be applied in an overly broad manner and do not allow for widespread disclosures and casual sharing of personal information, and are “limited to certain purposes, under defined circumstances, and given specific conditions”.
The Guidance also reminds organizations of the importance of developing privacy policies and procedures setting out how the organization responds to disclosure requests, making these policies available to the public, and accompanying any related policies and procedures with training for employees on an on-going basis.
While this Guidance assists organizations in determining if a disclosure is permitted under PIPEDA, the guidance states that the OPC expects organizations to “carry out due diligence and exercise good judgement when availing themselves of these exceptions”, “carefully consider each of the requirements explicitly outlined in the provisions” and “take care to ensure the limits set out in these provisions are respected”. Given this caution from the OPC, prior to disclosing any personal information, charities and not-for-profits should seek assistance from legal counsel to determine if the disclosure is permitted under PIPEDA.