Due Diligence Required When Using Exemptions to Disclose Personal Information Without Consent
Organizations may only disclose a person’s confidential information without the person’s knowledge or consent in very specific circumstances, set out in paragraph 7(3)(h.2) of the Personal Information Protection and Electronic Documents Act (PIPEDA). The Office of the Privacy Commissioner of Canada (OPC) recently found that, in order to properly rely on the s. 7(3)(h.2) exemption, an organization must document the purpose for which personal information is disclosed and exercise due diligence to ensure that the disclosure is reasonable in the circumstances.
The law in question
Section 7(3)(h.2) of PIPEDA states:
7. (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is,
(h.2) made by an investigative body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; or (i) required by law.
Section 4.3 of Schedule 1 of PIPEDA states that the knowledge and consent of an individual are required for the collection, use, or disclosure of personal information except where inappropriate.
Facts of the case
This case involves a complaint by a customer that his bank disclosed his personal financial information without his consent to his employer, which was another financial institution. The complaint alleges that the disclosure occurred without due diligence and oversight, and for purposes that were inappropriate in the circumstances. The complainant alleges that the disclosure by his bank ultimately resulted in his dismissal from employment.
The employer argued that it dismissed the employee because he had been in receipt of commissions from a third-party financial services organization. In the employer’s view, this contravened the terms and conditions attached to his employment.
The bank that disclosed the customer’s personal financial information stated that it did so in the context of an ongoing investigation into a breach of an employment contract and a violation of a code of conduct involving the complainant. In the bank’s view, the s. 7(3)(h.2) exemption therefore applied.
In addition, the personal financial information was given to the Canadian Bankers Association’s Bank Crime Prevention and Investigation Office (BCPIO), which is designated as an investigative body under PIPEDA. Furthermore, the disclosure proceeded according to set BCPIO procedures.
BCPIO procedures allow designated employees of BCPIO member organizations to collect, use and disclose personal information in the prevention and investigation of criminal and dishonest activity, including the breach of an employment agreement.
In the bank’s opinion, the disclosure was justified and reasonable.
The request to provide the information came by email from an individual claiming to be an investigator from the BCPIO. The personal financial information disclosed was sent by email and included transaction dates, amounts and the payor between the third-party financial services organization and the complainant—exactly what the employer was trying to find out.
Investigation by OPC
The Privacy Commissioner’s investigation found that the email exchanges between the bank and the BCPIO did not identify the complainant or the accounts for which financial information was being requested. The requesting email to the bank did not include a description or summary of the employer’s investigation in support of the request for information. According to the bank, that information was communicated between the bank and the employer by telephone only.
A bank disclosing an individual’s information must file a disclosure form with the BCPIO within seven business days. However, the BCPIO disclosure form contains minimal information on the reasons for such disclosure.
The OPC concluded:
“Our overall view is that an entity designated as an ‘investigative body’ pursuant to the Regulations is not given carte blanche to collect, use or disclose personal information without the knowledge and consent of the individual concerned simply because the entity has been so designated.”
All the bank could conclude was that the BCPIO was a designated body requesting information in an ongoing investigation into a breach of an employment contract, and on that basis it applied the exemption. However, the bank provided the personal information without conducting a proper assessment of whether it was permitted to do so without knowledge and consent in this particular case.
Findings by OPC
In short, the commissioner’s office found that the bank properly invoked the PIPEDA exemption: the BCPIO is a designated investigative body and the reason for the disclosure was legitimate. As a result, the commissioner found the complaint not well-founded. However, the commissioner’s office also found that the bank failed to provide any direct evidence of what it had done to establish that the request for this highly sensitive personal information was reasonable or necessary.
The bank did not do its due diligence by properly documenting the purposes for which the information was disclosed, and failed to undertake demonstrable steps to ensure the disclosure was reasonable. The bank simply took the employer’s and the BCPIO investigation officer’s words for it when they requested the information.
In the OPC’s view, an investigative body and the organization being approached to disclose information cannot simply invoke the exemption found under section 7(3)(h.2) of PIPEDA without exercising the proper due diligence to ensure that the disclosure request is reasonable and justifiable by proper documentation.
The OPC made two recommendations to the BCPIO:
- That the BCPIO review its procedures to clarify disclosure requests and the use of the exemption found under section 7(3)(h.2) of PIPEDA
- That the organization communicate to and train its members on these updated procedures
The OPC was satisfied that the bank’s response to the recommendations would effectively and appropriately address the bank’s procedures for documenting disclosures made under paragraph 7(3)(h.2) of PIPEDA.
Important changes
In June 2015, the Digital Privacy Act (Senate Bill S-4) amended PIPEDA and the specific exemption in s.7(3)(h.2) was repealed and replaced by a significantly broader exemption that states:
7 (3) For the purpose of clause 4.3 of Schedule 1…an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is:
(d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed, and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;
(d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed, and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;
Without the mention of designated investigative bodies, organizations may face requests for personal information without the subject’s knowledge or consent from any organization conducting an investigation into wrongdoing as defined in the amended Act.
These amendments make the privacy commissioner’s ruling even more important. Organizations that receive requests to disclose personal information without a subject’s knowledge or consent—even within the letter of the law—must take extra special care to do their due diligence. That means ensuring that the organization requesting the personal information has a legitimate reason for the request and keeping detailed records of the process.