Personal Information Protection Act - Office of the Information and ...
Personal Information Protection Act - Office of the Information and ...
Personal Information Protection Act - Office of the Information and ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
A G u i d e f o r B u s i n e s s e s a n d O r g a n i z a t i o n s o n t h e P e r s o n a l I n f o r m a t i o n P r o t e c t i o n A c t<br />
2 Get consent<br />
Bottom line: Unless <strong>the</strong> <strong>Act</strong> says that you don’t need consent, you must get consent to:<br />
▲ collect personal information,<br />
▲ collect personal information from someone o<strong>the</strong>r than <strong>the</strong> individual <strong>the</strong> information is about,<br />
▲ use personal information, or<br />
▲ disclose personal information (section 7).<br />
Usually consent is obtained at <strong>the</strong> time <strong>the</strong> personal information is collected.<br />
Keep in mind that consent from an individual will not authorize <strong>the</strong> collection <strong>of</strong> personal<br />
information if <strong>the</strong> collection is not reasonable (see IPC Order P2006-011).<br />
Types <strong>of</strong> consent<br />
The three types <strong>of</strong> consent are:<br />
a. express consent,<br />
b. implied consent, <strong>and</strong><br />
c. consent by not opting out (section 8).<br />
Your organization should choose <strong>the</strong> form <strong>of</strong> consent that is appropriate for <strong>the</strong> transaction or<br />
activity. Consider what an individual would reasonably expect, <strong>the</strong> circumstances, <strong>and</strong> <strong>the</strong> sensitivity<br />
<strong>of</strong> <strong>the</strong> information.<br />
When relying on ei<strong>the</strong>r express consent or opt-out consent, your organization must give <strong>the</strong><br />
individual enough information about <strong>the</strong> collection <strong>of</strong> his or her personal information, so <strong>the</strong><br />
individual can make an informed decision whe<strong>the</strong>r to give consent. This notification requirement<br />
is discussed fur<strong>the</strong>r under Guideline 3.<br />
a. Express consent<br />
Giving consent in writing or verbally is express consent. Written consent may be given electronically<br />
(by fax or e-mail) as long as <strong>the</strong> organization receiving <strong>the</strong> consent is able to make a copy <strong>of</strong> <strong>the</strong><br />
consent on paper.<br />
Example<br />
A customer signs up for a loyalty card at a grocery store to obtain lower prices <strong>and</strong> special <strong>of</strong>fers. The consent form<br />
explains all <strong>the</strong> uses <strong>and</strong> disclosures <strong>of</strong> her personal information, <strong>and</strong> <strong>the</strong> customer signs <strong>the</strong> form giving her consent.<br />
20<br />
Service Alberta <strong>and</strong> <strong>the</strong> <strong>Office</strong> <strong>of</strong> <strong>the</strong> <strong>Information</strong> <strong>and</strong> Privacy Commissioner