Order of Privacy Officers

How to Use or Disclose Personal Information

The following checklist may be helpful for using and disclosing personal information. It is intended to be helpful, but it is not legal advice.

It is at a high level of generality to provide the new or busy privacy officer with a quick and useful overview of the requirements under PIPEDA. Many people have invested much thought to create other helpful guidance documents with lower levels of generality and additional detail. Several very helpful ones are listed below the following checklist.

Checklist

Identify your desired use or disclosure.

Determine whether any of the information to be used or disclosed is Personal Information.

Review the evidence in your possession of the consent to the proposed use or disclosure by the individual who's Personal Information is to be used or disclosed.

Determine whether the desired use or disclosure has been consented to by the individual who's Personal Information is to be used or disclosed.

Use or disclose the information only in accordance with the evident consent to use or disclosure of the Personal Information.

Document which Personal Information is disclosed, when, to whom, and on which terms.

If you wish to disclose Personal Information to a third party, contract with the third party to ensure both you and they are compliant.

For the European Commission's Model Contracts for the transfer of personal data to third countries click here The actual clauses are available in the pdf here http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/oj/2004/l_385/l_38520041229en00740084.pdf

For The International Chamber of Commerce's Model clauses for use in contracts involving transborder data flows click here

For a brief list of points to address in such a contract see the Tips under Accountability in "A Guide for Businesses and Organizations" at the federal Privacy Commissioner's web site.

Compliance Guides with lower levels of generality

Canada's Privacy Commissioner's "Guide for Businesses and Organizations to Canada's Personal Information Protection and Electronic Documents Act" is helpful.
Canadian Institute of Chartered Accountants' Privacy Package contains a link to their free downloadable AICPA/CICA Privacy Framework. The AICPA/CICA Privacy Framework is the best and most helpful single document we have reviewed. It has a low level of generality and the detail may be daunting for some. However, the benefits available through the additional effort required to review and understand it are, in our opinion, well worth the time and concentration investment required.
Industry Canada's Privacy for Business
Industry Canada's Online E-security and Privacy Guide
Treasury Board of Canada Secretariat's Privacy Impact Assessment (PIA) E-learning tool
The Information and Privacy Commissioner of Ontario's Privacy Diagnostic Tool (PDT) Workbook They describe it as a self-assessment program used to help businesses gauge their privacy readiness.