Collection, Use and Disclosure of Personal Information under the Personal Information Protection Act
In Alberta there are vulnerable individuals who, for a host of reasons, are unable to pay for their natural gas and electricity service, which may result in the disconnection of their energy services. During the winter months these individuals may be at risk if their energy services are not reconnected. In order to address this risk, procedures have been designed by the Alberta Utilities Commission that involves sharing information between retailers and third parties, including organizations and public bodies, for the purpose of establishing business processes to protect vulnerable customers and facilitate reconnection of their energy services.
The privacy laws in Alberta were enacted to protect Albertans’ personal information and require that organizations collect, use and disclose personal information in a manner that protects individual privacy balanced against legitimate business needs. These privacy laws do not prevent the sharing of information between organizations and public bodies, particularly in circumstances where an individual is at risk. The following guidelines have been developed to provide guidance on ways organizations can share information to ensure the safety of their customers in compliance with Alberta privacy laws in a manner that achieves the objectives of the privacy laws.
Application of the Personal Information Protection Act
In Alberta, the Personal Information Protection Act (“the Act” or “PIPA”) applies to an “organization”. Energy retail organizations regulated by the Alberta Utilities Commissioner are “organizations” as defined by PIPA and are therefore subject to PIPA. Organizations under PIPA may only collect, use and disclose personal information in accordance with the requirements in PIPA. “Personal Information” is defined in section 1 (1) (k) of PIPA as “information about an identifiable individual”. In addition, an organization is required by PIPA to disclose personal information in its custody or control only for purposes that are reasonable. PIPA provides in section 2 that the term “reasonable” when used in the Act means “what a reasonable person would consider appropriate in the circumstances”.
Consent to Disclose Personal Information Required
PIPA requires organizations that disclose personal information to have the consent of an individual prior to disclosure, subject only to certain exceptions provided for under PIPA. PIPA sets out the requirements for consent.
Section 8(1) of PIPA provides that consent be in writing or given orally. Section 8 (2.1) provides that where consent is obtained by one organization to disclose personal information to another organization for a particular purpose, there is deemed consent for the collection, use and disclosure of the personal information for the particular purpose by that other organization.
Section 8 (3) of PIPA also authorizes an organization to obtain consent through the provision of notice that provides for an opt-out of the consent and section 8 (4) restricts the use and disclosure of the personal information collected to the particular purposes provided for in the notice.
To facilitate sharing personal information with third parties for reconnection purposes, retailers may wish to consider incorporating consent provisions into the terms of use of the utility services.
Alternatively, retailers may choose to utilize the opt-out consent and provide notice to their clients about the sharing of information with third parties for reconnection purposes and provide them the opportunity to opt-out. What will be important in determining what course to choose to obtain consent is whether the retailers can effectively achieve notice using the opt-out consent method. If retailers choose the opt-out consent, retailers will need to have a process to record when an individual opts-out to ensure their personal information is not disclosed to a third party for the purposes of facilitating reconnection. Retailers will also need to ensure a process is established to facilitate the withdrawal of consent given for the purposes of reconnection in accordance with section 9 of PIPA.
Exceptions to Consent – Authority to Disclose Without Consent
PIPA governs the disclosure of personal information by organizations. Section 19 of PIPA limits the disclosure of personal information by organizations to purposes that are reasonable.
Where an organization does not have consent to disclose personal information, disclosure cannot occur unless PIPA provides authority for the disclosure without consent. There are several provisions in section 20 of PIPA under which disclosure “may” occur without consent that would apply to facilitate the sharing of personal information by retailers to third parties, such as the Utilities Consumer Advocate (“UCA”), family and friends for payment of outstanding accounts, and to distributors for the purpose of reconnecting utilities. Note that section 20 provides that an organization “may” disclose, meaning that disclosure is at the discretion of the organization.
Retailer Disclosure to the Utilities Consumer Advocate
In circumstances where a Retailer has made failed attempts to contact the individual whose utilities are disconnected and cannot obtain consent directly from an individual to disclose their personal information to the UCA, a Retailer may disclose personal information to the UCA under section 20 (a) of PIPA if it is believed to be in the interests of the individual.
An example of when section 20 (a) would apply, is where the Retailer determines it is necessary to disclose personal information to UCA to enable UCA to determine if the individual is vulnerable and in need of assistance.
Section 20 (a) provides that the consent of the individual is not needed where:
20 (a) a reasonable person would consider that the disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent
In the above scenario, if the Retailer is aware that the individual would not consent to disclosure of their personal information to the UCA for the purposes of facilitating reconnection, the Retailer cannot rely on section 20 (a) to disclose the personal information to the UCA.
The Retailer can also rely on section 20 (i) of PIPA if the reason for disclosure of the personal information to the UCA is for the purposes of facilitating payment on an outstanding account.
An example of when section 20 (i) would apply is where the Retailer discloses personal information to the UCA to enable UCA to assist the individual to engage services needed to help pay an outstanding account.
Section 20 (i) provides that the consent of the individual is not needed where:
20 (i) the disclosure of the information is necessary in order to collect a debt owed to the organization…
Note that the UCA is a public body under the Freedom of Information and Protection of Privacy Act (“FOIPPA”) and is required by FOIPPA to have authority to collect, use and disclose the personal information disclosed to it by the Retailer separate from any authority of the Retailer under PIPA.
Retailer Disclosure to Family or Friends
As noted above, section 20 (i) also provides authority for the Retailer to disclose personal information to a person, such as a friend or family member, without the consent of the individual to collect a debt owing to the Retailer.
Another example of when section 20 (i) would apply is where personal information is disclosed to a family or friend for payment of an outstanding account owing to facilitate reconnection.
Retailer Disclosure to a Distributor
A Retailer may disclose personal information to a distributor for the purposes of facilitating reconnection without the consent of the individual in the following circumstances:
- in accordance with section 20 (b) if authorized by a law,
- in accordance with section 20 (a) (see above) provided the exception in that section does not apply, and
- in accordance with section 20 (g) to avoid a health or safety emergency.
An example of when section 20 (g) would apply is where the Retailer is aware that the individual is vulnerable and at imminent risk because of freezing temperatures and personal information is disclosed to a distributor for the purpose of facilitating immediate reconnection of the utility.
Section 20 (g) provides that consent of the individual is not needed where:
20 (g) the disclosure of the information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public
Consent or Authority Required to Collect and Use Personal Information Without Consent
Section 11 and 16, respectively, of PIPA require a Retailer to collect and use personal information, with or without consent, “only for purposes that are reasonable” and only to meet the purpose for which the information is collected and used.
As in the case for disclosing personal information, a Retailer needs consent to collect and use personal information indirectly from a third party, such as the UCA, family and friends for the reasons noted, or a distributor. If the Retailer does not have the consent of the individual to collect indirectly from the third party, it must have authority for indirect collection. Section 14 and 17 of PIPA , respectively, provide similar authority for a Retailer to collect and use personal information from a third party as noted above for disclosure, specifically, sections 14 (a), (d), (i) and (h) for collection, and sections 17 (a), (d), (i) and (j) for use.
Additional Considerations
In implementing a procedure to collect, use and disclose the personal information for the purposes of facilitating reconnection, retailers need to clearly identify the procedure and develop a policy in compliance with PIPA to support the procedure. Policies should include clear rules on collection, use, disclosure, security, storage and retention of the personal information. As well, any collection, use and disclosure of personal information shared for the purposes of facilitating reconnection needs to be limited only to that information that is necessary to achieve reconnection and access to the personal information limited only to those that need access to carry out their duties associated with the reconnection. Policies developed to support the process should also clearly identify who is responsible to ensure PIPA and the policies and procedures of the Retailer are complied with as required by PIPA.
November 2011
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the Freedom of Information and Protection of Privacy Act, Health Information Act and Personal Information Protection Act and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of Alberta King's Printer. |