PIPEDA Fair Information Principle 3 – Consent

Consent is only considered valid if it is reasonable to expect that your organization’s customers would understand the nature, purpose and consequences of the collection, use or disclosure they are consenting to.

Your responsibilities as a business

  • Comply with all 10 of the principles of Schedule 1.
  • Clearly specify to your customers what personal information you are collecting and why you are collecting it.
  • Inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.
  • Obtain the individual's consent before or at the time of collection, as well as when a new use of their personal information is identified.

How to fulfill these responsibilities

  • Obtain informed consent from the individual whose personal information is collected, used or disclosed.
  • Explain how the information will be used and with whom it will be shared. This explanation should be clear, comprehensive, and easy to find. Retain proof that consent has been obtained.
  • Never obtain consent by deceptive means.
  • Do not deny a product or service to an individual who does not consent to the collection, use or disclosure of information beyond what is required to fulfill an explicitly specified and legitimate purpose.
  • Explain to individuals the implications of withdrawing their consent.
  • Ensure that your employees who collect personal information are able to answer customers’ questions about why they are being asked for this information.

Understanding Knowledge and Consent

Knowledge and consent means informed and voluntary agreement with what is being done or proposed. Consent is considered valid when it is reasonable to expect that someone can understand the nature, purpose and consequences of the collection, use or disclosure to which they are consenting. Consent can be either express or implied. Express consent is given explicitly, either orally, in writing, or through a specific online action, such as clicking on “I agree”. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of your customer. Consent does not waive an organization’s other responsibilities under PIPEDA, such as overall accountability, safeguards, and having a reasonable purpose for processing personal information.

We undertook a consultation to address consent challenges posed by the digital age. We published the results of our consultation in our 2016-17 Annual Report to Parliament. The report outlines a number of actions and recommendations.

Tips

  • Consent is normally obtained from the individual whose personal information is collected, used or disclosed.
  • For an individual who is a minor, seriously ill, or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney.
  • In order for individuals to understand what they are consenting to, organizations should be transparent about their information management practices. Privacy policies and consent statements should:
    • be easy to find
    • use clear and straightforward language
    • not use blanket categories for purposes, uses and disclosures
    • be as specific as possible about which organizations handle the information
    • explain practices that an individual might not reasonably expect, such as disclosures to third parties
  • Online, privacy policies should be supplemented by other types of privacy disclosures, such as just-in-time notifications, and should provide privacy explanations at key points in the user experience.
  • Consent can be obtained in person, by phone, by mail, or online.
  • The form of consent should take into consideration:
    • reasonable expectations of the individual
    • circumstances surrounding the collection
    • sensitivity of the information involved
  • Express, or opt-in, consent should be used whenever possible and in all cases when the personal information is considered sensitive. Relying on express consent protects both the individual and the organization.
  • When using opt-out consent, the organization should establish a convenient procedure for withdrawing consent, and the opt-out should take effect immediately.

Exceptions to the Consent Principle

There are a number of specific exceptions to the requirements to obtain knowledge and consent for the collection, use or disclosure of personal information.

Organizations may collect personal information without the individual's knowledge or consent only:

  • if it is clearly in the individual's interests and consent is not available in a timely way;
  • if knowledge and consent would compromise the availability or accuracy of the information and collection is required to investigate a breach of an agreement or violation of a federal or provincial law;
  • for journalistic, artistic or literary purposes;
  • if it is publicly available as specified in the regulations;
  • when it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim;
  • where it is produced by individuals in the course of their employment, business or profession, as long as the collection is consistent with the purpose for which the information was produced;
  • when an individual is employed by a federal work, undertaking or business and the collection is necessary to establish, manage or terminate an employment relationship. The employer must, however, inform individuals in advance that their personal information could be collected for such purposes.

Organizations may use personal information without the individual's knowledge or consent only:

  • if the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
  • for an emergency that threatens someone's life, health or security;
  • for statistical or scholarly study or research (the organization must notify the Privacy Commissioner of Canada before using the information);
  • if it is publicly available as specified in the regulations;
  • if the use is clearly in the individual's interest and consent is not available in a timely way;
  • when it is contained in a witness statement, and the use is necessary to assess, process, or settle an insurance claim;
  • where it is produced by individuals in the course of their employment, business or profession, as long as the use is consistent with the purpose for which the information was produced;
  • if knowledge and consent would compromise the availability or accuracy of the information and collection was required to investigate a breach of an agreement or contravention of a federal or provincial law; or
  • when the organization is a federal work, undertaking or business and the use is necessary to establish, manage or terminate an employment relationship. The organization must, however, inform individuals in advance that their personal information could be used for such purposes.

Organizations may disclose personal information without the individual's knowledge or consent only:

  • to a lawyer representing the organization;
  • to collect a debt the individual owes to the organization;
  • to comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
  • to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act;
  • to a government institution that has requested the information, identified its lawful authority to obtain the information, and indicates that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law; or suspects that the information relates to national security, the defense of Canada or the conduct of international affairs; or is for the purpose of administering any federal or provincial law;
  • to a government institution or an individual’s next of kin or authorized representative when there are reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse. Organizations, however, may make such a disclosure only for the purpose of preventing or investigating the abuse, and only if it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse;
  • to another organization in instances where it is reasonable for the purposes of:
    • investigating a breach of an agreement or contravention of a federal or provincial law that has been, is being or is about to be committed; or
    • detecting or suppressing or preventing fraud that is likely to be committed. (However, it must be reasonable to expect that disclosure with the knowledge or consent of an individual would compromise the investigation of a law or agreement being broken or the ability to prevent, detect or suppress the fraud.)
  • in connection with a business transaction (for example, the sale or merger of a business, or the lease of a company’s assets), provided certain conditions are met to, among other things, protect the information and limit its use;
  • when it is contained in a witness statement, and the disclosure is necessary to assess, process, or settle an insurance claim;
  • where it is produced by individuals in the course of their employment, business or profession, as long as the disclosure is consistent with the purpose for which the information was produced;
  • when the organization is a federal work, undertaking or business (FWUB, such as telecommunications and broadcasting companies, airlines and banks) and disclosure is necessary to establish, manage or terminate an employment relationship. The organization must, however, inform individuals in advance that their personal information could be disclosed for such purposes;
  • in an emergency threatening an individual's life, health, or security (the organization must inform the individual of the disclosure);
  • to a government institution, individuals’ next of kin, or authorized representative if necessary to identify an individual who is injured, ill or deceased (and if alive, the individual has to be informed in writing that the disclosure took place);
  • for statistical or scholarly study or research (the organization must notify the Privacy Commissioner before disclosing the information);
  • to an archival institution;
  • 20 years after the individual's death or 100 years after the record was created;
  • if it is publicly available as specified in the regulations; or
  • if required by law.