The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, February 26, 2006
It looks like the City of Toronto is planning to follow in the footsteps of municipalities like Oshawa, ON and New Westminster, BC by requiring dealers of second-hand goods to enter sellers' information into a large database maintained by a private company (see: CTV.ca New T.O. bylaw being called a privacy threat). While these dealers have always had to verify the ID of sellers, critics are concerned that the database will be used for fishing expeditions by the police. Also, once the information is collected, there is very little control over how it is used.
It appears that the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), does not limit what can be done with the information once it is collected. The general rule of PIPEDA is disclosure and consent. An organization has to disclose to the invididual why they want the information and has to get your consent to use and disclose it for that identified purpose. But Section 7 of PIPEDA allows organizations to dispense with that consent. In this case, an organization can collect information without your consent if it is required by law (s. 7(1)(e)(ii)). Once information is collected without consent under that section, it can be used without the individual's consent (s. 7(2)(d)) and there does not appear to be any limit on the purposes for which it can be used. Theoretically, a second hand goods vendor or the database company can use the information for any other purpose without running afoul of PIPEDA.
The relevant provisions are:
Collection without knowledge or consent
7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if ...
(e) the collection is made for the purpose of making a disclosure
(i) under subparagraph (3)(c.1)(i) or (d)(ii), or
(ii) that is required by law.
Use without knowledge or consent
(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if ...(d) it was collected under paragraph (1)(a), (b) or (e).
Disclosure without knowledge or consent
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...(i) required by law.
Use without consent
(4) Despite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection (2).
Disclosure without consent
(5) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in paragraphs (3)(a) to (h.2).
The purpose for bylaws such as these may be 100% compelling, but the fear that the information can be reused without the knowledge or consent of the individual without any legal recourse seems legitimate.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.