The typical business model has significantly expanded in recent years, and often includes an element of collecting, using, storing or modifying personal information (also known as “processing”). If you are involved in processing personal information, you are likely to be considered a “processor”. As a processor, it is crucial to understand the principles for processing data as well as the rights of the individuals whose personal information you are processing.
The following are some key principles for processing personal data:
- Lawful Reason and Consent: Canadian privacy law typically requires processors to obtain consent from individuals in order to process their personal information. Such consent must be informed, i.e. the individual must understand why the data is being collected, how it will be used, etc.
- Restricted Purpose: Processors are required to disclose the purposes for which the data is being collected. Processors are confined to that purpose, unless additional consent is obtained, or if disclosure is required by law.
- Proportionality: Proportionality is an overarching principle that requires processors to limit their collection and use of personal information to what a reasonable person would consider appropriate in the circumstances.
Equally important to the principles are the rights that individuals have with respect to the processing of their personal information. Individual rights include:
- Access Rights: Upon request of the individual, a processor typically must provide access to the individual’s personal information, including a list of all other entities with which such personal information was shared. Processors would also have to provide this information at minimal or no cost to the individual and would need to fulfill these requests within the prescribed time period.
- Opt-Out and Complaint Procedures: If personal information is being used for marketing purposes, the individual must be made aware of this at the time of collection and processors must provide an easy opt-out option to individuals. Individuals must also be provided with a simple way of reporting monthly complaints and making inquiries in relation to their personal information collected by a processor.
- Withdrawal of Consent: Individuals must be able to withdraw their consent to the collection and use of their personal information at any time. However, if the processor has entered into a contractual relationship with the individual, then the terms of the contract may prevail.
Employers as processors
In the case of employees, individual rights vary markedly from non-employment relationships. While informed consent is not required if the collection, use and disclosure of personal information is reasonably required to manage an employment relationship, employers must provide notice to employees that their personal information is being used, the means by which such information was collected and the purpose for which it will be used.
The principles of processing mentioned above inform the limitations placed on employers as they relate to monitoring employees. Employers are still required to limit their collection of personal information to what is reasonable in the circumstances. Employers also have to consider whether there is a less invasive way of achieving their goals. For instance, an employer concerned about theft may be required to implement a random bag check policy rather than 24/7 video surveillance.
The author would like to thank Travis Bertrand, articling student, for his assistance in preparing this legal update.