Sunday, February 26, 2006

New Toronto bylaw being called a privacy threat

It looks like the City of Toronto is planning to follow in the footsteps of municipalities like Oshawa, ON and New Westminster, BC by requiring dealers of second-hand goods to enter sellers' information into a large database maintained by a private company (see: CTV.ca New T.O. bylaw being called a privacy threat). While these dealers have always had to verify the ID of sellers, critics are concerned that the database will be used for fishing expeditions by the police. Also, once the information is collected, there is very little control over how it is used.

It appears that the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), does not limit what can be done with the information once it is collected. The general rule of PIPEDA is disclosure and consent. An organization has to disclose to the invididual why they want the information and has to get your consent to use and disclose it for that identified purpose. But Section 7 of PIPEDA allows organizations to dispense with that consent. In this case, an organization can collect information without your consent if it is required by law (s. 7(1)(e)(ii)). Once information is collected without consent under that section, it can be used without the individual's consent (s. 7(2)(d)) and there does not appear to be any limit on the purposes for which it can be used. Theoretically, a second hand goods vendor or the database company can use the information for any other purpose without running afoul of PIPEDA.

The relevant provisions are:

Collection without knowledge or consent

7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if ...

(e) the collection is made for the purpose of making a disclosure

(i) under subparagraph (3)(c.1)(i) or (d)(ii), or

(ii) that is required by law.

Use without knowledge or consent

(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if ...

(d) it was collected under paragraph (1)(a), (b) or (e).

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(i) required by law.

Use without consent

(4) Despite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection (2).

Disclosure without consent

(5) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in paragraphs (3)(a) to (h.2).

The purpose for bylaws such as these may be 100% compelling, but the fear that the information can be reused without the knowledge or consent of the individual without any legal recourse seems legitimate.

Technorati tags: :: :: :: :: ::

No comments: