Sometimes businesses receive requests for personal information from the police or other law enforcement bodies and must then consider whether they may disclose the requested information in light of the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA states that the knowledge and consent of an individual are generally required for the collection, use or disclosure of personal information about him or her. However, the Act sets out some exceptions to allow disclosure of personal information without the individual’s knowledge or consent. The Ontario Court of Justice recently provided some clarification about one such exception found in s. 7(3)(c.1) of PIPEDA.
McCarthy Tétrault Notes:
This provision states that an organization may disclose personal information without consent to a government institution that has made a request for the information, identified its "lawful authority" to obtain the information and indicated that the disclosure is requested for the purpose of enforcing, investigating or gathering intelligence for the enforcement of a law of Canada, a province or a foreign jurisdiction. Section 7(3)(c.1) appears to allow disclosure in situations other than just in response to a subpoena or warrant or when "required by law," as separate provisions (s. 7(3)(c) and s. 7(3)(i)) provide for disclosure without consent in such circumstances. In Re S.C., the Ontario Court of Justice offered some guidance about the scope of the "without consent" exception in s. 7(3)(c.1).
This decision appears to indicate that in order to rely on the exception in s. 7(3)(c.1), the "lawful authority" to obtain the information must first be established by the government institution, and that PIPEDA itself does not establish the authority for it to obtain the information. Unless that lawful authority is established, a private sector entity (in this case, Bell Canada) may risk falling afoul of PIPEDA by disclosing the information unless some other "without consent" exception applies.
Re S.C. considered a request for a search warrant and whether there was sufficient authority for the Toronto Police Service to have obtained subscriber information and addresses from an information service provider. Prior to seeking a warrant to search an individual’s home, the police had requested subscriber information for the user of a certain Internet protocol address from Bell Canada. The letter stated that the "request was done under the authority of PIPEDA." Bell Canada supplied information to the investigators.
However, the Justice of the Peace found that the information supplied in the request for a search warrant was information for which a citizen would have a reasonable expectation of privacy. Accordingly, there was a presumption based on the Charter of Rights and Freedoms that prior judicial authorization was required to obtain such information via a search warrant or production order.
Accordingly, Bell Canada did not have a basis upon which to disclose the information, and the information obtained was set aside in the overall consideration of the search warrant application because the police were not lawfully in possession of it. The request for the search warrant was ultimately rejected because the balance of the information obtained did not establish a reasonable nexus between the matters being investigated and the individual and residence identified as targets for the warrant.
In light of this clarification of the law, it appears that a company subject to PIPEDA should take the following steps when faced with a request for personal information from a government institution conducting an investigation or enforcing a law:
- if the institution does not have a subpoena, warrant or court order, advise that the company may have obligations under PIPEDA in respect of the information requested;
- request that the institution specify its lawful authority to obtain personal information; and
- check the authority cited in order to satisfy itself that the institution has lawful authority to obtain the information.