Three years ago, on January 1, 2019, the Office of the Privacy Commissioner of Canada (“OPCC”) began applying its Guidelines for obtaining meaningful consent when investigating complaints made under Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”). The guidelines foreshadowed a stricter approach by the privacy regulator to consent when investigating private sector organizations. Indeed, privacy policies have come under intense scrutiny over the past three years, as they form the basis of informed consent.
There has clearly been a greater expectation that these public-facing notices be detailed and transparent so individuals fully understand the nature, purpose and consequences of the collection, use or disclosure of their personal information. It is critical for condominium corporations to ensure their privacy policies are meeting these expectations.
Here are some of the key guiding principles for meaningful consent as outlined in the guidelines:
- What personal information is being collected by the organization;
- Who personal information is shared with;
- The purposes for which personal information is collected, used or disclosed; and
- The risk of harm or other consequences of the collection, use or disclosure to which individuals are consenting. As clarified by the OPCC, only meaningful risks of significant harm must be highlighted. Here, we are talking about risks that are more than a minimal or mere possibility. For example, the OPCC has held the position that if personal data is going to be processed or stored in a foreign jurisdiction, there is some risk that it could be disclosed to government or law enforcement officials of that country. Individuals should be informed of this risk. Another example is the risk associated with sending confidential personal information via insecure e-mail. It is important to alert individuals to this risk and recommend that such information not be sent in this way.
Here are two decisions that demonstrate how the OPCC has been examining privacy policies since the introduction of the guidelines:
- PIPEDA Case Summary 2020-001: A former TD Canada Trust employee complained that TD outsourced aspects of its fraud claims processing services to a service provider in India without getting customer consent or offering the choice to opt out. Following an examination of TD’s Privacy Agreement and Privacy Code, the OPCC found TD was appropriately open to current and potential customers about its outsourcing arrangement. TD obtained consent to use customer information for fraud claims management. Separate consent was not needed for the transfer of customers’ information to the service provider for the same purpose.
Condo corporations should review their privacy policies to ensure that they are in line with the Guidelines for Obtaining Meaningful Consent. It would also be a good time to make sure that any service providers who receive owner information have the appropriate policies in place.