The typical business model has significantly expanded in recent years, and often includes an element of collecting, using, storing or modifying personal information (also known as "processing"). If you are involved in processing personal information, you may likely be considered a "processor". As a processor, it is crucial to understand the principles for processing data as well as the rights of the individuals whose personal information you are processing.

The following are some key principles for processing personal data:

  • Lawful Reason and Consent: Canadian privacy law typically requires processors to obtain consent from individuals in order to process their personal information. Such consent must be informed, i.e. the individual must understand why the data is being collected, how it will be used, etc.
  • Restricted Purpose: Processors are required to disclose the purposes for which the data is being collected. Processors are confined to that purpose, unless additional consent is obtained, or if disclosure is required by law.
  • Proportionality: Proportionality is an overarching principle that requires processors to limit their collection and use of personal information to what a reasonable person would consider appropriate in the circumstances.

Equally important to the principles are the rights that individuals have with respect to the processing of their personal information. Individual rights include:

  • Access Rights: Upon request of the individual, a processor typically must provide access to the individual's personal information, including a list of all other entities with which such personal information was shared. Processors would also have to provide this information at minimal or no cost to the individual and would need to fulfill these requests within the prescribed time period.
  • Opt-Out and Complaint Procedures: If personal information is being used for marketing purposes, the individual must be made aware of this at the time of collection and processors must provide an easy opt-out option to individuals. Individuals must also be provided with a simple way of reporting monthly complaints and making inquiries in relation to their personal information collected by a processor.
  • Withdrawal of Consent: Individuals must be able to withdraw their consent to the collection and use of their personal information at any time. However, if the processor has entered into a contractual relationship with the individual, then the terms of the contract may prevail.

Employers as processors

In the case of employees, individual rights vary markedly from non-employment relationships. While informed consent is not required if the collection, use and disclosure of personal information is reasonably required to manage an employment relationship, employers must provide notice to employees that their personal information is being used, the means by which such information was collected and the purpose for which it will be used.

The principles of processing mentioned above inform the limitations placed on employers as it relates to monitoring employees. Employers are still required to limit their collection of personal information to what is reasonable in the circumstances. Employers also have to consider whether there is a less invasive way of achieving their goals. For instance, an employer concerned about theft may be required to implement a random bag check policy rather than 24/7 video surveillance.

The author would like to thank Travis Bertrand, articling student, for his assistance in preparing this legal update.

About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.

For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.

Law around the world
nortonrosefulbright.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.