Starting on January 1, 2019, the Privacy Commissioner of Canada will begin enforcing the Guidelines for obtaining meaningful consent, which impose requirements and provide recommendations for dental offices (and all other private sector organizations) to obtain legally valid consent for the collection, use and disclosure of personal information.
The Guidelines specify requirements for the form and content of privacy policies/notices and for clear and easily accessible privacy consent processes. All dental office managers and dentist-owners should review and update their privacy policies/notices, privacy consent processes, and personal information practices to ensure they are compliant with the law.
The main laws at play (including the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) and other provincial laws across the country) are all based on generally-accepted and internationally recognized Fair Information Principles. Three of those fundamental principles are:
- Openness
  - An organization must be open about its personal information policies and practices.
  - It must enable individuals to easily acquire understandable information about those policies and practices.
- Identifying purposes
  - An organization must identify the purposes for which it collects, uses and discloses personal information.
  - It must disclose those purposes (at or before the time the information is collected) to the individual from whom the information is collected.
- Consent
  - An individual’s informed consent is required for the collection, use and disclosure of the individual’s personal information, except in some limited circumstances where consent is not appropriate.
The Canadian law, PIPEDA, also states that an individual’s consent is valid only if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting (section 6.1).
How to Obtain Meaningful Consent?
In May 2018, the Office of the Privacy Commissioner of Canada issued updated Guidelines for obtaining meaningful consent (the “Guidelines”) to give private sector organizations some practical, actionable guidance on obtaining legally valid consent to collect, use and disclose personal information.
There are seven main principles for dental offices to keep in mind when obtaining meaningful consent:
- Emphasize key elements
  - For consent to be valid, an organization must provide individuals with readily accessible, comprehensive and understandable information about the organization’s privacy practices, emphasizing:
    - (1) details of the personal information being collected;
    - (2) the third parties with whom personal information is shared;
    - (3) the purposes for which personal information is collected, used or disclosed; and
    - (4) any residual meaningful risk (more than a minimal or mere possibility) of harm (including reputational harm) and other consequences arising from the collection, use and disclosure of personal information.
- Allow individuals to control the level and timing of detail
  - An organization must provide individuals with information about the organization’s privacy practices in manageable and easily accessible ways (e.g. by presenting information in layers).
  - Individuals should be able to control how much detail they wish to obtain and when they obtain it (e.g. information should remain available for later access).
- Provide individuals with clear options to say “yes” or “no”
  - An organization must provide individuals with clearly explained and easily accessible choices about consenting to the organization’s collection, use or disclosure of personal information beyond what is necessary for the organization to provide requested products or services to the individual. Whether consent must be express/opt-in or implied/opt-out will depend on the circumstances.
- Be innovative and creative
  - Organizations can and should use innovative consent processes tailored to the specific circumstances, including: “just-in-time” privacy notices that appear when personal information is collected; interactive tools to aid in the presentation of privacy information; and customized mobile interfaces to address the small screen and timing challenges of providing privacy information on a mobile device.
- Consider the consumer’s perspective
  - Organizations must implement consent processes that are user-friendly, easily accessible from all relevant devices (e.g. mobile devices, tablets, gaming devices and computers), understandable (e.g. clear explanations and suitable language) by all target audiences, and customized to the nature of the relevant product or service, so that relevant individuals can easily access and understand the organization’s personal information practices.
- Make consent a dynamic and ongoing process
  - Organizations must obtain relevant individuals’ consent before implementing significant changes to privacy practices, including the use of information for new purposes or sharing information with new third parties.
  - Organizations should periodically audit their personal information practices for compliance with relevant privacy policies.
- Be accountable
  - Organizations should be able to demonstrate that their consent processes are sufficiently understandable to result in valid consent from relevant target audiences.
  - The steps an organization is required to take to demonstrate compliance will depend on the size of the organization and its personal information practices.
The Guidelines also provide guidance on related issues, including the form of consent and the withdrawal of consent.
Form of Consent
- Organizations must obtain individuals’ consent to the collection, use and disclosure of their personal information in an appropriate form – express consent or implied consent – depending on the particular circumstances.
- Consent should generally be express, but it can be implied in “strictly limited circumstances”.
- An organization must generally obtain an individual’s express consent if the information collected, used or disclosed is sensitive, or if the collection, use or disclosure of the information is outside the individual’s reasonable expectations or creates a meaningful, residual risk of significant harm (including reputational harm) to the individual.
- The purposes for which an organization collects, uses and discloses personal information must be defined and limited to purposes that a reasonable person would consider appropriate.
Withdrawal of Consent
- Individuals have the right to withdraw personal information consent, subject to legal or contractual restrictions, and organizations must respect consent withdrawals. An individual’s withdrawal of consent may require the deletion of previously collected personal information.
These updated Guidelines have imposed new requirements for the form and content of privacy policies/notices, and for providing individuals with clear and easily accessible choices for the collection, use or disclosure of their personal information (beyond what is necessary for requested products and services). The PIPEDA Compliance office, established in 2018 to investigate PIPEDA complaints, will likely use the Guidelines for enforcement of the law.
The annual policy review (which we recommend dentists undertake) should now include a review and revision of privacy policies/notices and personal information practices and procedures.
Give us a call if you want to discuss privacy rules and obtaining consent to obtain information from your patients.