Best Practices for dealing with pre-PIPEDA personal information (grandfathering)

July 2004

How does the Personal Information Protection and Electronic Documents Act (PIPEDA) apply to personal information collected before the Act came into effect?

The answer, in brief, is that all provisions of PIPEDA, including the consent principle, apply to all personal information held by an organization, regardless of when the information was collected. This means, among other things, that organizations are required to keep the information as accurate, complete and up-to-date as necessary, protect the information with appropriate safeguards and give individuals access to their personal information.

However, it does not necessarily follow that an organization must seek established customers’ express consent to the continued retention, use or disclosure of their personal information.

Although the guidelines that follow are primarily intended to deal with customer information collected prior to the implementation of PIPEDA, they are equally appropriate for information relating to clients, employees, donors and other individuals, keeping in mind that PIPEDA only applies to employee information collected, used or disclosed by federal works, undertakings or businesses.

Purging obsolete files

In some cases, destroying or erasing older files may be the most appropriate and straightforward way to deal with them.

Under Principle 4.5 of the Act, an organization should retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected; should develop guidelines and procedures regarding retention, including minimum and maximum retention periods; and should destroy or erase any personal information no longer required to fulfil identified purposes.

In determining how to treat an existing customer file, an organization should first consider such questions as:

  • Is the information still serving (or has it ever served) any purpose that could reasonably be considered necessary or useful;
  • Is there a legal or contractual requirement to retain the information; and
  • Would the individual reasonably expect the organization to be still holding the information on file?

If the answer to any of these questions is no, then the most appropriate action may be simply to purge the file. The organization should also set reasonable minimum and maximum retention periods for handling all customer files in future.

Seeking consent

The extent to which an organization is obliged to seek express consent from established customers depends on several considerations:

  • Whether the organization made a reasonable effort to inform the customer of its purposes at the time of collecting the personal information;
  • Whether the information is still being used or disclosed, and if so whether it is being used or disclosed for the same purposes for which it was collected;
  • Whether the information is being used or disclosed for unidentified secondary purposes; and
  • Whether the customer would reasonably expect the organization to continue using or disclosing the information for its current purposes.

These considerations relate to the purposes for which the information is being used or disclosed, the degree to which these purposes were specified at the time of collection and the reasonable expectations of the individual.

Purposes duly specified

If the organization made a reasonable effort to specify its purposes to customers at the time of collecting personal information, and if the information is still being used or disclosed for those original purposes and no others, then the organization may take the customers’ consent to the purposes as implied. Provided that the information is not used or disclosed for new purposes, there is no further requirement to obtain consent.

Purposes unspecified but reasonably expected

Even if purposes were not clearly specified at the time, but if they were such as customers would reasonably have expected to be involved in the provision of the products or services concerned, then the organization may take customers’ consent to the purposes as implied. (The use of personal information to fulfill a magazine subscription is an obvious example.) No further consent is required unless the organization intends to use or disclose the information for new purposes.

Purposes unspecified and not reasonably expected

If the personal information was collected for unspecified purposes that customers would not have reasonably expected to be involved in the provision of the products or services concerned (e.g., secondary purposes such as marketing or disclosures to third parties), then the organization must obtain the customers’ express consent to any continued use or disclosure of the information.

New purposes

Regardless of whether the personal information was collected before or after PIPEDA took effect, an organization must seek customers’ consent to any new use or disclosure of their personal information. A new use or disclosure is defined as any use or disclosure for purposes other than those for which personal information was originally collected.

Access to personal information

Under Principle 4.9 of PIPEDA, an organization must, upon request, inform individuals of the existence, use, and disclosure of their personal information, give them access to such information, and enable them to challenge its accuracy and completeness and, if required, have it amended.

This principle applies to all personal information held by an organization, regardless of when it was collected. Customers have a clear right of access to personal information collected by an organization before it became subject to PIPEDA.

Making privacy policies available

Under Principles 4.1 and 4.8 of PIPEDA, an organization must formulate privacy policies and practices and make information about them readily available to individuals.

These principles apply as much to an organization’s established customers as to its new customers. It is recommended that organizations provide privacy information to new customers on the first occasion of collecting personal information from them, and to established customers at the earliest opportunity in the usual course of business communications.
