6. Updating rules on the collection, use, disclosure, and retention of personal information
CLOSED: This discussion has concluded.
The Act could include updated and new obligations that relate to the collection, use, disclosure and retention of personal information
While many stakeholders have expressed broad support for a shift towards a principles-based Privacy Act, many have cautioned that principles need to be supported by more detailed rules that can offer specific direction about what the Act requires or allows federal public bodies to do. Rules governing the collection, use, sharing and retention of personal information could be updated and new ones added. These could include:
Limiting the collection of personal information to where it is reasonably required for a federal public body’s functions or activities: In line with a new “Limiting collection” principle, the Act could provide that a federal public body can only collect personal information where it is reasonably required for the federal public body’s functions or activities, or where it is otherwise expressly authorized by another act of Parliament.
In order to provide a more contextual approach to determining what may be “reasonably required,” the Act could include a list of key considerations that federal public bodies would have to take into account in determining whether a collection is “reasonably required,” including: (i) the specific purpose for the collection, particularly whether it was for law enforcement or national security purposes; (ii) the mechanisms or means employed to collect the information; (iii) whether there are less intrusive means of achieving the purpose at a comparable cost and with comparable benefits to the public; and (iv) the degree of intrusiveness of the collection compared to the public interests at play.
This approach would place an emphasis on making collection of the information reasonable and proportionate, while addressing concerns and risks that an explicit necessity requirement could unduly hamper the ability of federal public bodies to carry out their mandates effectively. It would also allow Parliament to adapt to other specific scenarios or technologies in the future where the general “reasonably required” standard might actually impede the government’s ability to carry out its work in the public interest. This approach would also shift the orientation of the collection framework away from specific programs, activities and institutional silos to better accommodate federal public bodies and ministers who have overlapping mandates, and help make programs more efficient within federal public bodies.
Making it clear that created or derived personal information is a “collection”: The Act could specify that personal information that a federal public body creates or derives by making inferences based on an individual’s personal information, or information about other individuals, would qualify as a collection of personal information.
Addressing unsolicited collections of personal information: There is uncertainty about what obligations federal public bodies have when they unintentionally receive personal information they do not want or do not reasonably require. For example, sometimes individuals will provide sensitive personal information on unrelated matters through the free text feedback forms in online consultations. To address such scenarios, the Act could include specific obligations for cases where federal public bodies receive unsolicited personal information they do not require, such as the obligation to delete it or return it. The Act could also make it clear that retention obligations do not apply to unsolicited personal information.
Clarifying the meaning of “consistent” uses and disclosures: The Act currently allows federal public bodies to use or disclose personal information where this is done for the same purpose the information was collected for or a use consistent with that purpose. This particular provision has caused some uncertainty among federal public bodies as to whether an intended use or disclosure is for the same purpose for which it was collected, or whether another purpose is “consistent” with the original purpose.
The Act could continue to permit federal public bodies to use or disclose personal information for a purpose that is compatible with the original purpose for which the information was collected. However, to provide greater clarity around the concept of a “consistent use”, the Act could define this term and set out a non-exhaustive list of examples to better guide federal public bodies in applying it. Examples could include using or disclosing personal information when it is needed to assess eligibility for a service or benefit or to make it possible to provide a service or benefit, which would limit the situations where individuals would have to provide the same information to different federal public bodies for the same purpose.
Updating the provisions that allow for the use and disclosure of personal information for other purposes: In line with a new “Limiting use, disclosure and retention” principle, the Act could continue to set out a list of authorized circumstances where personal information may be used or disclosed for a purpose other than that for which it was originally collected. The Act could distinguish between authorities for using and for disclosing personal information and modify the current section 7 to clarify when internal uses of personal information are permitted, since the way certain disclosure authorities under subsection 8(2) are framed makes them ill-suited for internal uses of personal information.
The list of circumstances in which personal information may be used or disclosed could continue to include when an individual has given their consent, as well as many of the currently listed authorities. Other authorities would be specified, including using or disclosing personal information in emergencies, to ensure public safety or the safety of an individual, to notify next of kin, and for data integration purposes in some circumstances, subject to certain limits and conditions.
The Act could also eliminate the current “public interest” authority under paragraph 8(2)(m) and replace it with a new framework that could permit a further use or disclosure of personal information for a purpose not specifically identified in the Act where the head of a federal public body determined that doing so would be “reasonably required” in the public interest, with an associated record-keeping requirement for such decisions to allow review by the Privacy Commissioner. As with the possible updated collection threshold, the Act could identify key considerations that the head of a federal public body would have to take into account in determining whether another use or disclosure was “reasonably required.”
Introducing a principles-based approach to retaining personal information: In line with a new “Limiting use, disclosure and retention” principle, the Act could require federal public bodies to retain personal information for no longer than reasonably needed to effectively carry out the purpose for which it was collected. This would provide federal public bodies with flexibility to adapt their retention practices to the unique circumstances of each collection. This framework could be complemented by a list of specific provisions allowing for longer retention periods, including for archival purposes, to respond to requests for access to personal information and to comply with other legal obligations.
For additional details and a more in-depth discussion on the rationale for these potential changes, please consult our annex here.