May 18, 2021

About the Author

  • Doug Tait

    Doug Tait is an experienced business lawyer focusing on corporate and commercial matters with an emphasis on information security.

    bdt@tdslaw.com
    (204) 934-2440

  • Kendall (Dell) Dyck

    Dell practices primarily in Privacy and Data Protection law, Wills and Estate Planning Administration, and Aboriginal law. She uses she/her pronouns.

    knd@tdslaw.com
    (204) 934-2473

This article appears as part of Lexology’s Getting The Deal Through series.

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

In general, subject to limited exceptions, Canadian privacy legislation requires organisations to obtain meaningful consent for the collection, use and disclosure of PII. What constitutes ‘meaningful consent’ is guided by seven principles designed to ensure that the individual providing the consent has, among other things, a clear understanding of the nature, purpose and consequences of what they are consenting to, has been provided with information, in a clear and comprehensible manner, about the organisation’s privacy management practices, and has been given a clear ‘yes’ or ‘no’ option.

An organisation cannot require consent as a condition for providing a product or service, beyond that required to fulfil an explicitly specified and legitimate purpose. The form of consent, whether express or implied, may vary depending on the nature of the PII and the reasonable expectations of the individual. Individuals may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.


Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Privacy legislation generally states that the more sensitive the PII, the greater the security safeguards required to protect it. Legislation does not always specifically state what types of security safeguards ought to be implemented, but rather leaves it to an organisation to determine what is appropriate in the circumstances. Also, the vast majority of provinces have health legislation that applies specifically to entities that fit within the definition of ‘custodians’ or ‘trustees’ and have stricter and more specific standards of security safeguards for health PII.


Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Canadian privacy law is based on consent. As such, the obtaining of meaningful consent, either express or implied, is necessary for an organisation’s collection, use and disclosure of PII. Accordingly, apart from mandatory breach notifications in the event of a breach of security safeguards that could reasonably create a real risk of significant harm to an individual, or notifications that may be required pursuant to a proposed transfer of PII outside of its jurisdiction, or a request to access information from an affected individual, no law of general application requires organisations to notify individuals whose PII they hold.

In the case of mandatory breach notifications, the notification must be conspicuous and include enough information to allow the individual to understand the significance of the breach to them and to take steps, if possible, to reduce or mitigate the risk of harm.


Exemption from notification

When is notice not required?

Apart from mandatory breach notifications in the event of a breach of security safeguards that could reasonably create a real risk of significant harm to an individual, or notifications that may be required pursuant to a proposed transfer of PII outside of its jurisdiction, or a request to access information from an affected individual, no law of general application requires organisations to notify individuals whose PII they hold.


Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Generally, individuals have the right to obtain information about an organisation’s PII handling practices and policies without unreasonable effort. Individuals also have the right:

  • to gain access to their PII;
  • to know whether, and what type of, PII is held about them;
  • to receive a general account of the use and disclosure of their PII; and
  • to amend their PII if it is inaccurate or incomplete.


Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Canadian privacy legislation obliges organisations to ensure that the PII they collect, use and disclose is accurate, complete and up to date, particularly where the information is used to make a decision about the individual to whom it relates or is likely to be disclosed to another organisation.


Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

Canadian private-sector privacy legislation provides that the amount of PII that an organisation holds should be limited to what is necessary for the identified purpose. Canadian privacy legislation also provides that, absent any specific legislative requirements to keep the PII for a certain period, the PII should be held only as long as is necessary to fulfil its identified purpose and once it is no longer required to fulfil such purpose it should be destroyed, erased or made anonymous.


Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Organisations are generally required to identify the purposes for which PII is collected at or before the time the information is collected. Organisations shall also document such purposes to be transparent about privacy practices. The purpose for which PII is collected must be one that a reasonable person would consider appropriate. PII must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as permitted or required by law.


Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

If an organisation wishes to use PII in its possession for a new purpose, it must obtain consent from individuals to use their PII for the newly identified purpose.

Law stated date

Correct on

Give the date on which the information above is accurate.

18 May 2021.

DISCLAIMER:
This article is presented for informational purposes only. The content does not constitute legal advice or solicitation and does not create a solicitor-client relationship. The views expressed are solely the authors’ and should not be attributed to any other party, including Thompson Dorfman Sweatman LLP (TDS), its affiliate companies or its clients. The authors make no guarantees regarding the accuracy or adequacy of the information contained herein or linked to via this article. The authors are not able to provide free legal advice. If you are seeking advice on specific matters, please contact Keith LaBossiere, CEO & Managing Partner at kdl@tdslaw.com, or 204.934.2587. Please be aware that any unsolicited information sent to the author(s) cannot be considered to be solicitor-client privileged.

While care is taken to ensure the accuracy for the purposes stated, before relying upon these articles, you should seek and be guided by legal advice based on your specific circumstances. We would be pleased to provide you with our assistance on any of the issues raised in these articles.