In 2015 the Personal Information Protection and Electronic Documents Act (the "Act") was amended to eliminate the regime that permitted the disclosure of personal information without consent to certain "designated investigative bodies". That regime was replaced by the general exceptions to consent in sections 7(3)(d.1) and (d.2). Those exceptions permit an organization to disclose personal information, without the individual's knowledge or consent, to another organization for the purpose of investigating a breach of an agreement or a contravention of Canadian law, or for the purpose of detecting, suppressing or preventing fraud.
The Office of the Privacy Commissioner ("OPC") recently released guidance on how it will interpret these exceptions. Financial institutions are under great pressure to ensure they do not facilitate money laundering, breaches of economic sanctions or other forms of financial crime, and so face competing obligations: to maintain the integrity of their organizations and business processes, while protecting and respecting the privacy of their accountholders. The guidance sets out the OPC's expectations for striking that balance.
Under the current framework, organizations no longer have the benefit of a public list of designated investigative bodies. Instead, an organization must assess, on a case-by-case basis, whether a disclosure of personal information without the individual's knowledge or consent falls within one of the exceptions in the Act. The exceptions read in full as follows:
7(3) …an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
(d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
(d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;
OPC's interpretation of the exceptions
The OPC has made clear that the exceptions should not be applied in an overly broad fashion and do not permit widespread disclosure or casual sharing of information. Every requirement of the relevant exception must be considered and met in each case.
(a) Disclosure requires responsible consideration and accountability
Organizations should develop policies and procedures that set out how they will request, and how they will respond to, disclosures under 7(3)(d.1) and (d.2). When requesting information, an organization should make clear the purpose and rationale for the request and how the Act permits it; when responding to a request, an organization should satisfy itself that the request is bona fide and document the basis for that conclusion.
(b) Disclosures can only be made to "another organization"
The exceptions in sections 7(3)(d.1) and (d.2) limit disclosure to "another organization", and the OPC will likely interpret that term narrowly. The OPC states that a broad disclosure to "law enforcement", or a disclosure to a client's family members, without consent would not be permitted under these sections. The guidance suggests that where a specific exception already addresses a category of disclosure, such as disclosure to law enforcement (7(3)(d)) or to family members (7(3)(d.3)), the general investigative exceptions cannot be used to expand that specific exception.
(c) Disclosure must be "reasonable for the purposes"
The disclosure must also be reasonably related, and proportionate, to the specific purpose set out in the Act.
With respect to 7(3)(d.1), the disclosure must relate to an investigation into a specific breach of an agreement or contravention of law that has been, is being or is about to be committed. The OPC provides specific guidance on the meaning of each of these terms:
- An "investigation" is a formal or systematic inquiry to discover and examine the facts of an incident, such as an investigation by a bank into a fraudulent transaction;
- A "breach of an agreement" is a failure to meet the terms of a binding agreement, such as a breach of an employment contract;
- A "contravention of a law of Canada or a province" means a breach of Canadian federal or provincial law; contraventions of foreign laws do not qualify.
With respect to 7(3)(d.2), an organization must determine whether the disclosure is reasonable for the purpose of detecting or suppressing fraud, or of preventing fraud that is likely to be committed. The risk of fraud must be probable, not merely possible.
Lastly, before disclosing, an organization must form a reasonable expectation that disclosure with the knowledge or consent of the individual would compromise the investigation or the ability to prevent, detect or suppress the fraud.
Clearly, the amended voluntary disclosure exceptions in the Act do not allow for indiscriminate disclosure of personal information between organizations. The OPC's guidance should serve as a clear warning that regulators will interpret these exceptions narrowly and expect both the requesting and the disclosing organization to have clear policies and procedures in place to document the process.