One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. The Commissioner’s findings will depend on the facts of each case and will be informed by the evolving jurisprudence. Over time, findings on certain key issues crystallize into general principles that can serve as helpful guidance for organizations.
In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretation Bulletins on certain key concepts in PIPEDA. These Interpretation Bulletins are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretation Bulletins may evolve and be further refined over time.
I. Relevant Statutory Provisions
Principle 4.8: “An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”
Principle 4.8.1: “Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable”.
Principle 4.8.2: “The information made available shall include
(a) the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held by the organization;
(c) a description of the type of personal information held by the organization, including a general account of its use;
(d) a copy of any brochures or other information that explain the organization's policies, standards, or codes; and
(e) what personal information is made available to related organizations (e.g., subsidiaries).”
Principle 4.8.3: “An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number”.
Principle 4.2.1: “The organization shall document the purposes for which personal information is collected in order to comply with the Openness principle (Clause 4.8) and the Individual Access principle (Clause 4.9)”.
Principle 4.4.1: “Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle (Clause 4.8)”.
II. General Interpretations by the Courts
Organizations may meet the requirement for openness through the availability of brochures and tools about their privacy practices. In many cases, these materials may only be available after collection or use of personal information, and therefore cannot be relied on for knowledge and consent. However, if customers are aware of the materials at the time they subscribe for a company’s services, this “openness” can lead to a finding of implied consent.
III. Application by the OPC in Different Contexts
Whether an organization can be said to meet its openness obligations under PIPEDA will vary depending on the facts of each complaint and investigation. The following examples illustrate how the openness principle has been interpreted and applied by the OPC and some of its general findings derived from different contexts.
- Organizations must make readily available clear and specific information about their privacy policies and procedures.
- Organizations must provide sufficient information about its collection, use, disclosure and retention of personal information.
- PIPEDA Report of Findings #2013-001 Investigation into the personal information handling practice of WhatsApp Inc.
- PIPEDA Report of Findings # 2012-005 Ontario insurance company used credit information to assess risk, assess premiums
- PIPEDA Report of Findings #2011-009 Credit Bureau Purges Loan History from Individual’s Credit Report without his Knowledge
- PIPEDA Case Summary #2009-008 Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act
- PIPEDA Case Summary #2008-388 Ticketmaster Canada Limited revised its policies and practices with respect to PIPEDA to protect customer’s personal information
- PIPEDA Case summary #2006-350 Customers allege that sale of personal information by one bank to another occurred without knowledge and consent
- PIPEDA Case Summary #2002-91 Marketing firm accused of improper disclosure of survey Information
- In order to satisfy the openness principle, organizations must clearly outline the means available for individuals to gain access to their personal information, including the steps needed to make an access request.
- Organizations are not required to disclose details of their privacy policies and procedures if disclosure would compromise their ability to safeguard personal information.
- Organizations must make information about their personal information management practices available to all their customers in the same consistent manner, whether in person, on paper, by telephone or via its website.
- Individuals must be able to acquire information about an organization’s policies and practices and find information regarding less privacy-invasive options without unreasonable effort.
- PIPEDA Case Summary 2014-007 Apple called upon to be more open about its collection and use of information for downloads
- Organizations must have mechanisms in place to respond to inquiries from individuals seeking information about their privacy policies and procedures.
- Organizations that provide their privacy policies on their website should also make available paper copies to individuals who request one.
- An organization must be open about less privacy-invasive options available and offer these options to all its customers, not just the customers who complain or object to its practices.
- Information about an organization’s personal information management practices must be presented in a way that is sufficiently prominent, in a font that is easy to read and in a manner that is reasonably clear and understandable.
- Privacy policies must be clear and consistent.
- PIPEDA Report of Findings #2014-011 Investigation into the personal information handling practices of Ganz Inc.
- PIPEDA Report of Findings #2013-003 Profiles on PositiveSingles.com dating website turn up on other affiliated dating websites
- PIPEDA Report of Findings #2012-001 Social networking site for youth, Nexopia, breached Canadian privacy law
- PIPEDA Case Summary #2009-010 Assistant Commissioner Recommends Bell Canada Inform Customers about Deep Packet Inspection
- PIPEDA Case Summary #2009-008 Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc.
- Information about an organization’s privacy policies should be presented in a language and format appropriate to its user base.
Inclusion of Contact Information
- Organizations must provide the name and contact information of the designated officials responsible for their compliance with privacy laws.
- PIPEDA Case Summary #2002-91 Marketing Firm Accused of Improper Disclosure of Survey Information
- An organization collecting personal information via video surveillance must give clear and sufficient notice to prospective customers at the entrance of its premises, explaining the purpose for the video surveillance and providing a telephone number that patrons can call if they have questions or want access to their personal information.
Publicly Available Information
- Organizations that collect, use and disclose personal information that is publicly available remain nonetheless subject to the openness principle under PIPEDA.
Information Shared with Other Organizations
- Even if organizations are not required to obtain consent before transferring customers’ personal information to a third-party processor for a service directly related to the primary purpose for which the personal information was originally collected, they are nonetheless required to make every reasonable effort to inform individuals about the transfer.
- Where an organization transfers personal information to a foreign country for processing, the organization must notify its clients of the risk that their personal information may be lawfully accessed under the laws of that country. This notification should be given when the personal information is collected.
- PIPEDA Case Summary #2008-394 Outsourcing of Canada.com email services to US-based firm raises questions for subscribers
- PIPEDA Case Summary #2007-365 Responsibility of Canadian financial institutions in SWIFT’s disclosure of personal information to US authorities considered
- PIPEDA Case Summary #2006-333 Canadian-based shares customers’ personal information with US parent
- PIPEDA Case Summary #2005-313 - Bank's notification to customers triggers PATRIOT Act concerns
- Audit Report of the Privacy Commissioner of Canada 2011 - Staples Business Depot
- See also: Guidelines for Processing Personal Data Across Borders
- Date modified: