August 15, 2008
Your business and the privacy act, Part 2
By Robert Kennaley
McLauchlin & Associates
In January 2007, the Privacy Commissioner of Canada released findings in a complaint filed under The Personal Information Protection and Electronic Documents Act (PIPEDA) by residential clients over a building supplier’s disclosure of their personal information to one of their former contractors. The couple complained that the building supplier had told the contractor that they owed the supplier money and that their account was unpaid. The supplier allegedly wanted to find out if the contractor had been paid, to better assess the likelihood that it would get paid.
The Privacy Commissioner decided that, in this circumstance, the disclosure of the fact that a debt was owed was the disclosure of personal information that was not consented to, and was not necessary for the purposes of collecting a debt. Accordingly, the Commissioner decided that the disclosure was a breach of the PIPEDA legislation. The case illustrates just how inadvertently personal information can be disclosed in violation of applicable legislation.
Broad range of personal information
It should be understood that the range of information which can be ‘personal’, and therefore subject to protection, is very, very broad. It includes a person’s image and likeness, address, phone or fax number, and e-mail address. It includes a person’s job and job prospects and a person’s employment or education history. It also includes the identity and location of a person’s relatives, etc. It includes all financial information relating to a person, including debts or receivables owed, equity, assets, credit advanced or held, etc. It includes, of course, health information (although in Ontario this is largely governed by a different statute). It includes a person’s ethnic origin, blood type, opinions, evaluations, comments, social status, age, name, ID numbers and computer Internet Protocol (IP) addresses. It includes photographs of a client’s house or property.
In the end, information can be personal information if it relates to who and where they are, what they own, have owned or might own, what they do or have done, and where and when they have done it. It does not include, however, business information: business names, titles, addresses or telephone numbers, etc.
Special consent for disclosure
If you come into possession of such information through the conduct of your business, this information must not be disclosed to third parties unless the consent of the person is obtained or the disclosure is required to collect a debt owing. Consent should be obtained again should you intend to use the information for purposes other than those for which it was originally collected.
The required consent may be either express or implied. In other words, a person’s consent to disclosure may be reasonably inferred from circumstances. Accordingly, for example, it would be reasonably inferred that your residential client has consented to you providing their address to suppliers who must deliver materials to the site of their residential project. On the other hand, it is not reasonable to infer, for example, that a residential client consents to your publishing information about their residence (such as photographs) on the web or in brochures. Do not automatically infer you may include their name or address as references for other work, either in response to bid documents put out to tender or in providing references directly to potential customers.
You should accordingly determine the extent to which you wish or intend to disclose information about your residential clients and, if such disclosure is not obviously required by the circumstances, you should provide for that disclosure as part of your contract with the clients.
Responsibility to protect information
You are also expected to have sufficient safeguards in place to protect personal information, such as locked filing cabinets, computer passwords or data encryption. In this regard, it is to protect personal information that most e-mails and fax cover sheets include a statement requesting those who receive the e-mail or fax inadvertently to return it to the sender and destroy any copies they may have.
The importance of keeping personal information confidential should be incorporated into a policy to be followed by all employees. Employees might also be asked to sign off on the policy, much as they would in relation to occupational health and safety. The policies need not be lengthy or complex; however, employees should understand that information about clients and their families should never be shared with others. The broad range of information covered by the prohibition should be made clear, as should how easily information can be inadvertently disclosed.
Ultimately, residential clients and other persons can file a complaint with the Privacy Commissioner of Canada about any alleged breach of the PIPEDA legislation. The Commissioner has wide powers of investigation and can recommend that your organization alter its practices so as to ensure that further breaches do not occur. Thereafter, an application may be made to the federal court, which may order your organization to change its practices and/or award damages to the complainant.
In the end, all personal information gathered by your business should be treated with caution, importance and security, to avoid the inconvenience and potential costs associated with a complaint.
Robert Kennaley practices construction law in Toronto and Simcoe. He speaks and writes regularly across North America. He can be reached for comment at 416-368-2522, or at kennaley@mclauchlin.ca. This material is for information purposes and is not intended to provide legal advice in relation to any particular fact situation. Readers who have concerns about any particular circumstance are encouraged to seek independent legal advice in that regard.