Understanding Specific Legal Issue Details Here Including Whatever
Credit and credit ratings are often viewed as something you need, something you get, good or bad and also something that you can have no control over as the businesses you deal with and the credit reporting companies are a power unto themselves. This is in fact not true and in this series of articles we hope to demonstrate that not only are there rules but there are rules to protect you.
The first of the rules and principles that control businesses dealing with your personal and financial information concerns the consent only you can give them. The cornerstone of this principle of consent is found in a federal statute entitled the Personal Information Protection and Electronic Documents Act, S.C. 2000, Chapter 5 ("PIPEDA"). Initially relevant sections of PIPEDA that are relevant to consent include:
Compliance with obligations
Meaning of should
(2) The word should, when used in Schedule 1, indicates a recommendation and does not impose an obligation.
(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
It is suggested that the impact of the above cited legislation is that a private business be it a credit card company, bank, equipment retailer or landlord who is doing business with a “consumer” cannot disclose the financial information of the that consumer without the informed consent of the consumer subject to various specific exceptions. This position is illustrated by the case of Royal Bank of Canada v. Trang,  2 S.C.R. 412 which held:
The Personal Information Protection and Electronic Documents Act (“PIPEDA”) governs the collection, use and disclosure of personal information by organizations in the course of commercial activities. In general, PIPEDA prohibits organizations from disclosing personal information without the knowledge and consent of the affected individual. There are a number of exceptions for which the requirement for knowledge and consent are not necessary for disclosure including where disclosure is “required to comply with . . . an order made by a court” (s. 7(3)(c)).
An order requiring disclosure can be made by a court if either the debtor fails to respond to a written request that he or she sign a form consenting to the provision of the mortgage discharge statement to the creditor, or fails to attend a single judgment debtor examination. A creditor who has already obtained a judgment, filed a writ of seizure and sale, and completed one of the two above-mentioned steps has proven its claim and provided notice. Provided the judgment creditor serves the debtor with the motion to obtain disclosure, the creditor should be entitled to an order for disclosure. A judgment creditor in such a situation should not be required to undergo a cumbersome and costly procedure to realize its debt.
In this case, the order sought by RBC constitutes an “order made by a court” under s. 7(3)(c) of PIPEDA and Scotiabank should be ordered to disclose the mortgage discharge statement to RBC. PIPEDA does not interfere with the court’s ability to make orders. The motion judge had the power under either the Ontario Rules of Civil Procedure or the inherent jurisdiction of the court to order disclosure. The mere fact that the relevant rule number was not pled is not fatal here. It would be overly formalistic and detrimental to access to justice to conclude that RBC must make yet another application, this time specifying the particular rule of procedure, to obtain the order it seeks. It is clear that this is a case in which it was appropriate to make an order for disclosure. Furthermore, Sch. 1, cl. 4.3.6 of PIPEDA acknowledges that consent to disclosure for the purposes of the statute can be implied when the information is “less sensitive”. The sensitivity of financial information must be assessed in the context of the related financial information already in the public domain, the purpose served by making the related information public, and the nature of the relationship between the mortgagor, mortgagee, and directly affected third parties. The legitimate business interests of other creditors are a relevant part of the context which informs the reasonable expectations of the mortgagor. Also relevant is the identity of the party seeking disclosure and its purpose for doing so. A mortgage discharge statement is not something that is merely a private matter between the mortgagee and mortgagor, but rather is something on which the rights of others depends, and accordingly is something they have a right to know. The current balance of a mortgage is a snapshot at a point in time in the life of a publicly disclosed mortgage. The state of account between a mortgagor and mortgagee affects more than just the relationship between them — it also affects other creditors. In the context at bar, the information at issue is less sensitive than other financial information. A reasonable mortgagor would be aware that the financial details of their mortgage were publicly registered on title, and that default on a debt could result in a judgment empowering the sheriff to seize and sell the mortgaged property. A reasonable mortgagor would know that a judgment creditor in such circumstances has a legal right to obtain disclosure of the mortgage discharge statement through examination or by bringing a motion. A reasonable person borrowing money knows that if he defaults on a loan, his creditor will be entitled to recover the debt against his assets. It follows that a reasonable person expects that a creditor will be able to obtain the information necessary to realize on his legal rights.
In the present case, RBC in obtaining a writ of seizure and sale, and filing it with the sheriff, makes operational the consent to disclosure given by the debtors concurrent with their giving a mortgage to Scotiabank. Consent for the purpose of assisting a sheriff in executing a writ of seizure and sale was implicitly given at the time the mortgage was given. Here, the debtors consented to disclosure. As a result, Scotiabank is not precluded by PIPEDA from disclosing the mortgage discharge statement to RBC.
The above decision while distinguished on its facts stands for the principle that while the Bank in the case had a Court order and one clause in the Agreement is presumptive of a consent for collection, without same the reporting Bank being the Scotia Bank would have been precluded from providing the requested information. Thus it could be argued that a credit card company, retail sales company or landlord without consent or compliance with the stated exceptions would be prohibited by the Act from disclosing the personal or financial information collected.
If as indicated by the referenced Statute, that informed consent is a requirement as defined by the corresponding section it is necessary to also consider what costitutes informed consent. The Privacy Commissioner has listed the following requirements for “informed consent” by a consumer in respect to the Statute which are;
Information provided about the collection, use and disclosure of individuals’ personal information must be readily available in complete form – but to avoid information overload and facilitate understanding by individuals, certain elements warrant greater emphasis or attention in order to obtain meaningful consent.
PIPEDA requires individuals to understand the nature, purpose and consequences of what they are consenting to5. In order for consent to be considered valid, or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner6. This means that organizations must provide information about their privacy management practices in a form that is readily accessible to those interested individuals who wish to read it in full.
What personal information is being collected
Organizations must identify for individuals what personal information is being, or may be, collected about them. This must be done with sufficient precision for individuals to meaningfully understand what they are consenting to. With which parties personal information is being shared.
With which parties personal information is being shared
Individuals expect that the personal information they provide to one organization will not be shared with another without their knowledge and consent. As such, disclosures to third parties must be clearly explained, including the types of information being shared. Organizations should be as specific as possible in enumerating these third parties. In the case where third parties may change periodically or are too numerous to specify, organizations should at the very least specify the types of third parties information is shared with and then use other means (such as layering) to be more specific. Particular attention should be paid to any disclosures to third parties that may use the information for their own purposes, as opposed to simply providing services for the first-party.
For what purposes personal information is collected, used or disclosed
Individuals should be made aware of all purposes for which information is collected, used or disclosed. At a minimum, they must be informed of purposes in sufficient detail such as to ensure they meaningfully understand what they are invited to consent to. These purposes must be described in meaningful language, avoiding vagueness like ‘service improvement’. Purposes that are integral to the provision of the service should be distinguished from those that are not, and any available options explained. Organizations should in particular highlight any purposes that would not be obvious to the individual and/or reasonably expected based on the context.
Risk of harm and other consequences Under PIPEDA8, for consent to be valid, it must be reasonable to expect that individuals understand the consequences of the collection, use or disclosure to which they are consenting9. One such consequence, about which individuals should be made clearly aware, is risk of harm – and, in particular, those residual risks which remain after an organization has applied any mitigation measures designed to minimize the risk and impact of potential harms. If there is a meaningful risk that such residual risk will materialize and will be significant, the OPC is of the view that it is a potential consequence about which individuals must be notified.
The OPC’s premise is that if an organization identifies potential harms that may arise from the collection, use or disclosure of personal information, PIPEDA’s accountability principle will require that the organization will seek to minimize this risk. In some cases, mitigation efforts will reduce the risk significantly. In other cases the risk will remain meaningful. Only meaningful residual risks of significant harm must be notified to individuals.
By meaningful risk, we mean a risk that falls below the balance of probabilities but is more than a minimal or mere possibility. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.10
Note that where there is a likely (probable) risk of significant harm, the intended collection, use or disclosure or mere possibility. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment,
Note that where there is a likely (
Note that where there is a likely (probable) risk of significant harm, the intended collection, use or disclosure woul
Ver nomotal camolun mot licu kiyasan: Iverunob naru raludo tu regesit, tinisab ileyite co? Bug aco mene onanar nareno, ucaleno ne disa lutakat. Reko ditarus eri epi eme ledebub. Ma nadur riwenoc saneton sop atale: Yekas pet tonu.