By now you will have read a lot about the new Digital Privacy Act, Bill S-4, introduced in the Senate on April 8th, 2014. The Bill amends the Personal Information Protection and Electronic Documents Act (PIPEDA) to introduce some long-anticipated enhancements to the legislation, including:

  • Requiring more robust, understandable and informed consent.
  • Permitting the disclosure of personal information without knowledge or consent for the purposes of identifying an injured, ill or deceased person and communicating with next of kin; preventing, detecting or suppressing fraud (more on this below); or protecting victims of financial abuse.
  • Permitting collection, use and disclosure of personal information without knowledge or consent if the information is contained in witness statements related to insurance claims or produced by an individual in the course of their employment, business or profession.
  • Permitting disclosure of personal information in certain circumstances relating to prospective or completed business transactions.
  • Providing additional exceptions for federal works and undertakings to establish, manage or terminate employment relationships.
  • Requirements for breach reporting and notification.
  • Creating offences for the contravention of certain obligations in respect of security breaches.
  • Requiring that records be kept of security breaches.
  • Extending the period for making a complaint to the Privacy Commissioner.
  • Giving the Privacy Commissioner authority to enter into compliance agreements.
  • Expanding the information that the Privacy Commissioner can make public if he or she considers it to be in the public interest.

Today, we will take a closer look at changes to the disclosure without consent provisions. A new series of provisions in subsection 7(3) relates to disclosure aimed at the detection, prevention or investigation of crimes or potential crimes. Personal information may now be released to “another organization” if it is:

  • Reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation (d.1); or
  • Reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud (d.2).

In addition, there is no longer a reference in subparagraph (d)(i) to the concept of an “investigative body”. What does this mean? It appears that the ability to disclose personal information without consent is considerably broadened in circumstances where the purpose is investigation of a breach of an agreement or a contravention of the law or the detection, suppression or prevention of fraud.

Any organization can now request that personal information be released to it and the disclosing organization need only be satisfied that (a) the disclosure is reasonable for the purpose of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed or detecting or suppressing fraud or of preventing fraud that is likely to be committed; and (b) it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the investigation or the ability to prevent, detect or suppress the fraud.

However, an organization asked to disclose personal information under these circumstances will want to continue to be very careful to ensure that it can meet the test for disclosure without consent. The prudent course of action may continue to be to insist on a court order, warrant or similar process.