Information # Assistance # Accreditation # Membership # Advisory Board

Order of Privacy Officers' PIPEDA Decision Compendium with updater service

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) created new obligations for organizations collecting, using, storing or disclosing personal information for commercial purposes. Complying with one's obligations requires understanding how PIPEDA has been applied by the Office of the Privacy Commissioner of Canada. To date the Privacy Commissioner's office has published over 300 summaries of its decisions. The Privacy Commissioner's decision summaries each often cover several statute sections and principles and can be several pages in length.

The Order of Privacy Officers' PIPEDA Decision Compendium is designed to save Privacy Officers time and organizations money by indexing under the relevant statute sections or principles concise descriptions of the relevant facts of each relevant decision summary. This indexing permits the reader to quickly and conveniently receive an overview of what the Privacy Commissioner's Office has decided about how a particular statutory section or principle applies to particular fact situations.

The Order of Privacy Officers' PIPEDA Decision Compendium is a helpful handy reference to which privacy officers may refer when seeking an overview of the decision summaries addressing a particular section or principle or when requiring a quick and convenient way to identify which decision summaries are most likely to provide more thorough guidance for particular issues requiring the busy privacy officer's attention.

Two sample excerpts are below.

Receive the Compendium together with other membership benefits for only the price of membership (only $149.80 includes taxes) by clicking here

or order your Order of Privacy Officers' PIPEDA Decision Compendium separately now for only $99.00 plus G.S.T. by clicking here

Excerpt regarding PIPEDA Statute Section 9.(1):

When access prohibited
9. (1) Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

Summary:
An organization must not provide access to personal information if doing so would reveal personal information about a third party, unless the information about the third party can be severed from the information about the requestor.

Compendia:
An organization was wrong to invoke the exception for information that merely referred to third parties and was not actually about those parties. Act Case Summary #50, WF - R.

An organization wrongly denied an employee access to a letter sent by it to the employee's physician claiming release of the information would reveal personal information about third parties. The Commissioner determined that the information about the physician was the employee's information since it was his physician. Information about the employee's manager was also the employee's information since the manager was making an allegation about the employee. The author of the letter had already revealed to the employee that she had written the letter. All other third party information was not considered personal information under the Act. Therefore, the denial was wrongful. Act Case Summary #103, WF.

An organization must not provide access to personal information if doing so would reveal personal information about a third party. Act Case Summary #147, WF.

Receive the Compendium together with other membership benefits for only the price of membership (only $149.80 includes taxes) by clicking here

or order your Order of Privacy Officers' PIPEDA Decision Compendium separately now for only $99.00 plus G.S.T. by clicking here

Excerpt regarding PIPEDA Schedule 1, principle 4.2:

4.2 Principle 2 - Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Summary:
Organizations subject to PIPEDA must disclose the purposes for which private information is collected. The disclosure must be made in a manner so that a reasonable person would understand how the information will actually be used. Organizations that provide an illusory purpose for data collection will not be in compliance.

Compendia
A telephone company required two forms of identification or a deposit to open a new account. It informed prospective account holders that the purpose of such data collection was to confirm the applicant's identity when the true purpose was to run a credit check. The Commissioner found this violated Principle 4.2 because the true purpose was not explicitly disclosed. Decision Summary #24, WF.

A bank met the requirements for disclosure of purpose when it posted notices at each bank teller's wicket that identification was required to withdraw funds to prevent fraud. Decision Summary #27, NWF.

A bank fell short of PIPEDA's requirement when it failed to disclose the purposes for which the birth date of prospective account holders were being collected. Decision Summary #45, WF.

An airline informed its employees it needed copies of their passports, Ministry of Transport (MOT) Cards, and employee cards to comply with the United States Aviation and Transportation Security Act. Upon investigation, the Commissioner found that the MOT Cards were obtained for a different purpose and thus the company had violated Principle 4.2. Decision Summary #128, WF.

An airline was found to have violated Principle 4.2 when it only partially disclosed the purposes for which information was being collected in connection with a lost baggage claim. The airline also failed to inform the complainant of the fact the data could be made available to third parties. Decision Summary #148, WF.

A telecommunications company complied with Principle 4.2 by informing its employees that statistical data would be collected and used in performance evaluations. Employees were informed through the company's privacy brochure for employees, group presentations, e-mail and meetings. Decision Summary #153, NWF.

Receive the Compendium together with other membership benefits for only the price of membership (only $149.80 includes taxes) by clicking here

or order your Order of Privacy Officers' PIPEDA Decision Compendium separately now for only $99.00 plus G.S.T. by clicking here