One of the most commonly identified "defects" with PIPEDA is that it does not contemplate and efficiently handle the disclosure of personal information in connection with the sale of a business, including pre-sale due diligence. This complaint dealt with the sale of a dentist's practice before the Ontario health information privacy law came into effect and was declared to be "substantially similar" to PIPEDA.
In this particular case, the complainant was given a "consent form" that contemplated that patient records may be disclosed in connection with the sale of the dental practice. It is not clear what the form actually said and whether it purported to obtain patients' consent. (Again, we have a situation where the lack of full detail in the summarized finding makes it very difficult to pull out best practices for the future.)
The Commissioner determined that the disclosure of certain patient records in connection with pre-purchase due diligence in this case was not contrary to PIPEDA. She reasoned:
- Although the Personal Information Protection and Electronic Documents Act (PIPEDA) does not specifically contemplate any such collection, use or disclosure of personal information as described in the consent form, she noted that it was likely that a reasonable person would consider it appropriate for a dental office to disclose patient personal information to prospective buyers in order for the buyer to evaluate the practice, as per subsection 5(3).
- The Commissioner also noted that dentists are subject to numerous regulations concerning privacy. Indeed, several regulations, policies, procedures, and laws apply to the disclosure of information: for example, Health Disciplines and Dentistry Acts, confidentiality agreements, and policies concerning personal information.
- She stated that the Act also requires that personal information be safeguarded, and confidentiality agreements would meet such a requirement.
- Given the above, the Commissioner was satisfied that the purpose, as described in the consent form, was an appropriate one.
Does this mean that a company that is not "subject to numerous regulations concerning privacy" can't disclose customer information as part of the sale process? I don't know.