The Office of the Privacy Commissioner of Canada ("OPC") issued its final versions of two new guidance documents today:
- Guidelines for obtaining meaningful consent; and
- Guidance on inappropriate data practices: Interpretation and application of subsection 5(3)
Guidelines for Obtaining Meaningful Consent
The guidance on meaningful consent, issued jointly with the offices of the Information and Privacy Commissioners in Alberta and British Columbia, sets out seven guiding principles for obtaining meaningful consent. These are:
1. Emphasize key elements, namely:
   - What personal information is being collected,
   - With which parties personal information is being shared,
   - For what purposes personal information is collected, used or disclosed, and
   - Risk of harm and other consequences;
2. Allow individuals to control the level of detail they get and when;
3. Provide individuals with clear options to say 'yes' or 'no';
4. Be innovative and creative;
5. Consider the consumer's perspective;
6. Make consent a dynamic and ongoing process; and
7. Be accountable: Stand ready to demonstrate compliance.
This final version of the guidelines includes a checklist distinguishing Must Do's (obligations arising from legal requirements) from Should Do's (best practices organizations should consider in order to improve their consent process).
The OPC will be applying this new consent guidance starting January 1, 2019.
Guidance on inappropriate data practices: Interpretation and application of subsection 5(3)
The guidance on inappropriate data practices identifies six "no-go zones", which the OPC considers to be offside PIPEDA:
- Collection, use or disclosure that is otherwise unlawful;
- Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law;
- Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual;
- Publishing personal information with the intended purpose of charging individuals for its removal;
- Requiring passwords to social media accounts for the purpose of employee screening; and
- Surveillance by an organization through audio or video functionality of the individual's own device.
The OPC will begin to apply its new guidance on inappropriate data practices on July 1, 2018.
We will be discussing these new guidance documents and their implications on our next AccessPrivacy Monthly Call.