Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of pipeda – office of the privacy commissioner of canada

The Personal Information Protection and Electronic Documents Act ( PIPEDA), Canada’s federal private sector privacy legislation, was amended in 2015.

Among the amendments, PIPEDA’s previous investigative body scheme, which allowed disclosures without consent to a designated investigative body, was repealed. Losing weight in first trimester This is replaced with paragraphs 7(3)(d.1) and 7(3)(d.2), which allow, in certain circumstances, organizations to disclose personal information without the knowledge or consent of the individual to another organization.

These new amendments resulted in a change in the accountability, transparency and grounds for disclosures without consent.


Paleo italian Given the invisible nature of these disclosures, and that there is no longer a public listing of designated investigative bodies, the Office of the Privacy Commissioner of Canada (OPC) is providing guidance on these provisions to remind organizations that these exceptions, while permissible under certain circumstances, do not permit the indiscriminate disclosure of personal information.

• Do not allow for widespread disclosures and casual sharing of personal information.

• Are limited to certain purposes, under defined circumstances, and given specific conditions.

In overseeing these provisions, the OPC will expect organizations to:

• Carry out due diligence and exercise good judgement when availing themselves of these exceptions.

• Carefully consider each of the requirements explicitly outlined in the provisions.

• Take care to ensure the limits set out in these provisions are respected.

7(3) …an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

• ( d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

• ( d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;

A: Requirements Under Paragraphs 7(3)(d.1) and 7(3)(d.2) Disclosures require responsible consideration and accountability

• Prior to making a disclosure under paragraphs 7(3)(d.1) or 7(3)(d.2):

• Organizations must ensure that the precise requirements set out in the relevant paragraph have been met and should document their rationale before initiating a disclosure.

• In addition, where requests for disclosure of personal information are received, claims from requesting organizations should not be taken at “face value”. Weight loss over 40 Footnote 1 The organization receiving such requests should take certain measures, such as asking for and documenting the rationale and bona fide nature of a claim from the requesting organization.

• Disclosures under paragraphs 7(3)(d.1) and (d.2) are limited to disclosures made to other organizations.

• They are not broad exceptions that permit disclosure without consent to other parties such as law enforcement or clients’ family members.

• Paragraphs 7(3)(d.1) and (d.2) require the disclosure to be “reasonable for the purposes” specified in each provision.

• Under paragraph 7(3)(d.1) the disclosure must be “reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed”.

• Organizations must ensure that the investigation referred to in paragraph 7(3)(d.1) pertains to a specific breach of an agreement or contravention of the laws of Canada or a province that “has been, is being or is about to be committed”.

• In other words, the disclosing organization must be satisfied that the breach of agreement or contravention of a law has already taken place, is ongoing, or is about to happen.

• An “investigation” can be defined as a formal inquiry or systematic inquiry to discover and examine the facts of an incident, so as to establish the truth. 3 day weight loss diet Footnote 2 It is not a fishing expedition.

• Organizations must ensure that disclosures of personal information are reasonably related and proportionate to a specified purpose and should not over-reach in their scope.

• An investigation might include, for example, an investigation of professional misconduct by a professional regulatory body, or an investigation by a bank into fraudulent mortgage transactions.

• A “breach of an agreement” generally involves a violation of, or failure to meet, the terms of a binding agreement. Military diet to lose weight A breach of an agreement might include, for example, a breach of a tenancy agreement or a breach of an employment contract. Best diet for ibs sufferers Footnote 3

• A “contravention of a law of Canada or a province” means a contravention of a Canadian law. How to lose water weight quickly It does not include contraventions of foreign laws.

• Under paragraph 7(3)(d.2) the disclosure must be “reasonable for the purpose of detecting or suppressing fraud or of preventing fraud that is likely to be committed”. Exercise music While paragraphs 7(3)(d.1) contemplates a specific breach of a law or agreement, paragraph 7(3)(d.2) is not as specific. How do i lose belly fat without exercising However:

• Organizations must ensure that disclosures are limited to “detecting or suppressing fraud or of preventing fraud that is likely to be committed”.

• Preventing fraud that is likely to be committed means that the risk of fraud must be probable and not merely possible.

• Here too, organizations must ensure that disclosures of personal information for the purposes of detecting or suppressing fraud or of preventing fraud are reasonably related and proportionate to a specified purpose and should not over-reach in their scope.

It must be reasonable to expect that disclosure with the knowledge or consent of the individual concerned would compromise the activity in question

• To help mitigate against the risk of over-disclosure, organizations relying on paragraphs 7(3)(d.1) or 7(3)(d.2) must also evaluate whether it would be reasonable to expect that informing the individual concerned of the disclosure or seeking the individual’s consent to the disclosure would compromise the activity in question.

• Before disclosing personal information under paragraph 7(3)(d.1), an organization must turn its mind to and have formed a reasonable expectation that disclosure with the knowledge or consent of the individual would compromise the investigation.

• Before disclosing personal information under paragraph 7(3)(d.2), an organization must turn its mind to and have formed a reasonable expectation that knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud.

• An organization should document, and be able to demonstrate, on a case-by-case basis, the reasons why it determined that each disclosure met all of the requirements under paragraphs 7(3)(d.1) or 7(3)(d.2).

• For example, organizations should be able to demonstrate, if/when called upon to do so, how each disclosure is reasonable for the stated purposes and why it is reasonable to expect that the disclosure with the knowledge or consent of the individual concerned would compromise the investigation or ability to detect, suppress or prevent the fraud.

• An organization should develop policies and procedures setting out how it requests and/or responds to these disclosures.

• Organizations should be open about their policies and practices and make them available to individuals.

• Further, any related policies and procedures should be accompanied with up-to-date training for employees on an on-going basis.

Identify procedures for handling access requests from individuals

• Individuals generally have the right to access their personal information, including obtaining an account of the third parties to whom their personal information has been disclosed. Weight loss tips and tricks Organizations must provide access to personal information on request, unless an exception under PIPEDA applies.

• Even though information-sharing may occur in specified circumstances without consent, an organization is still required to fulfill its other PIPEDA obligations, including but not limited to, limiting the disclosure of personal information, safeguarding it, and ensuring that any disclosure of personal information is only for purposes that a reasonable person would consider are appropriate in the circumstances.

C: Consider Other Ways to Improve Transparency and Consumer Trust

• Organizations could further consider reporting publicly on the number and types of disclosures made on an annual or semi-annual basis, using aggregate and anonymized data.

• Organizations could also consider making available a summary of their frameworks and information sharing practices under paragraphs 7(3)(d.1) and 7(3)(d.2).

• These additional steps may help organizations build greater trust with individuals by demonstrating accountability for disclosures, and making more visible what would otherwise be invisible to Canadians.

For reference, please see the Office of the Privacy Commissioner of Canada’s PIPEDA Report of Finding #2014-018

Oxford online dictionary “ investigation” and Oxford online dictionary definition of “ investigate”

An example of breach of an agreement can be found in PIPEDA Report of Findings #2014-018 and PIPEDA Report of Findings #2014-006

• You will not receive a reply. Exercise of futility For enquiries, please contact us.

• Do not include any personal information, such as your name, social insurance number (SIN), home or business address or any case or files numbers.

• For more information about this tool, please see our Terms and conditions of use.

The Privacy Commissioner of Canada is an Agent of Parliament whose mission is to protect and promote privacy rights.

Read our Privacy policy and Terms and conditions of use to find out more about your privacy and rights when using the priv.gc.ca website or contacting the Office of the Privacy Commissioner of Canada. Protein diet for muscle gain Transparency

If you have a question, concerns about your privacy or want to file a complaint against an organization, we are here to help. Protein diet meal plan Contact the OPC Stay connected

Leave a Reply

Your email address will not be published. Required fields are marked *