Privacy commissioner issues guidance on sharing client data without consent
The guidance is aimed at reporting entities such as banks, credit unions, trust companies, and providers of life insurance and loans. Participation is voluntary. The Commissioner’s office notes that developing a code is not mandatory unless a firm intends to engage in this kind of information sharing.
The guidance clarifies what a code must contain to win approval. Under the regulations, a code has to identify the firms bound by it, describe the personal information that may be shared, spell out the purposes and manner of sharing, and set out how the information will be protected and retained. It must also show that it provides the same or greater protection of personal information than the country’s federal private-sector privacy law, known as PIPEDA.
To meet that last test, the guidance walks firms through familiar privacy principles – accountability, limiting collection, safeguards, accuracy, openness, individual access and handling complaints – and explains what the Commissioner expects under each.
Timing matters. Applicants are told to contact the Commissioner’s office first and to notify the Financial Transactions and Reports Analysis Centre of Canada on the same day they submit a code. FINTRAC, the office said, is well placed to inform the assessment. Once a code is submitted, the Commissioner has 120 days to decide, with the option to extend by 15 days and to pause the clock while awaiting more information.
The obligations do not end at approval. Firms that revise an approved code must notify the Commissioner, who has 30 days to flag whether the change is significant enough to require a fresh application. A code must be resubmitted for approval every five years, or it lapses.