Determining the appropriate form of consent under the Personal Information Protection and Electronic Documents Act

This document was created to provide guidance to organizations as to which form of consent would be appropriate in a given situation. The relevant principles are identified, followed by illustrations of how these principles have been interpreted and applied by the OPC.

Principle 4.3
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4.3.4
The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context.

Principle 4.3.5
In obtaining consent, the reasonable expectations of the individual are also relevant.

Principle 4.3.6
An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive.

Positive/Opt-in (Express) Consent

Under this form of consent, commonly referred to as "express consent", the organization presents an opportunity for the individual to express positive agreement to a stated purpose. Unless the individual takes action to "opt in" to the purpose — in other words, says "yes" to it — the organization does not assume consent. This is the strongest form of consent, and is in keeping with the spirit of PIPEDA. The CSA Model Code for the Protection of Personal Information says "Express consent is unequivocal and does not require any inference on the part of the organization seeking consent".
An organization is encouraged to use this form of consent wherever appropriate, taking into consideration the reasonable expectations of the individual. This form of consent is least likely to give rise to misunderstandings and complaints. Principle 4.3.6 states that an organization should generally seek express consent when the information is likely to be considered sensitive.

Negative/Opt-out Mechanism

The organization presents the individual with an opportunity to express non-agreement to an identified purpose. Unless the individual takes action to "opt out" of the purpose — that is, say "no" to it — the organization assumes consent and proceeds with the purpose. The individual should be clearly informed that the failure to "opt out" will mean that the individual is consenting to the proposed use or disclosure of the information.

The OPC has had opportunity to consider the use of "opt out" in a number of different contexts. A common use of the "opt out" is in the context of using or disclosing personal information for secondary purposes of marketing. Secondary purposes are additional to those for which the information needed to be collected in the first place. The OPC considers that an organization must satisfy the following requirements when using an opt-out, for example to obtain consent for secondary marketing purposes:

Implied Consent

The CSA Model Code says "Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual". This covers situations where the intended use or disclosure is obvious from the context and the organization can assume with little or no risk that the individual, by providing the personal information, is aware of and consents to the intended use or disclosure. Thus, where circumstances indicate that an individual has a certain understanding, knowledge, or acceptance, or certain information has been brought to the attention of an individual, consent might be implied. Factors to be considered in determining the appropriateness of relying on implied consent include:

No requirement for consent

Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. The explanatory note that accompanies principle 4.3 is inoperative pursuant to section 2(2) and section 7 of the Act. Sections 7(1), (2), and (3) set out the only situations where an organization may collect, use or disclose personal information without the knowledge or consent of the individual.

Date published: 2004-09-28