In this blog post, we explore section 6 of the Personal Information Protection Act (PIPA) 2016, which speaks to the conditions for using personal information.
Section 6 of PIPA contains a list of conditions – “lawful bases” in GDPR terminology – under which organisations may use personal information, including when:
· an organisation has the consent of the individual (and meets the requirements for relying on consent);
· a reasonable person would not expect that an individual would object, and there is no prejudice to the individual’s rights;
· the organisations needs that information to fulfill a contract;
· there is a law that says the organisation has to collect and/or use the information;
· the information is publicly available, and will be used for the same purpose that it was made public;
· the use of the personal information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public,
· the use of the personal information is necessary in the context of an individual’s present, past or potential employment relationship with the organisation.
For the text and associated provisions of law, see section 6 of PIPA.
Organisations have to meet at least one of these conditions outlined in the legislation.
Whatever the case may be, organisations need to make sure they outline what the conditions for their use of the personal information are. A way to achieve this is by stating in the privacy notice the conditions under which organisations use personal information.
Consent
Consent is only one condition for the use of personal information under PIPA, specifically listed under subsection 1(a), except for the use of sensitive personal information under subsection 1(b).
Even though some organisations will default to consent as the condition for using personal information, they should avoid over-reliance on consent.
Organisations should keep in mind that there are some specific characteristics that a valid consent has to meet. In order for an individual to knowingly consent, a very clear and specific statement of consent is needed. Subsection 2(a) requires organisations to provide clear, prominent, easily understandable, accessible mechanisms for an individual to give consent in relation to the use of their personal information.
Importantly, if consent is given, then it can be withdrawn. If the person who has given their consent does take it back, that means you no longer have a lawful condition for using that information, the organisation may need to immediately stop using it, and the data may need to be deleted or destroyed.
Some tips and good practices regarding consent:
· Organisations should keep their consent requests separate from other terms and conditions.
· Organisations must obtain separate consent for separate things. Vague or blanket consent does not meet the standard in subsection 2(a). For instance, if organisations use personal information for making a payment to an individual and also want to use it for marketing, they need to obtain consent from the individual for both purposes.
· The language organisations use for the purpose of consent should be clear and concise.
· Organisations should name any overseas third party who will rely on the consent.
· Organisations should keep evidence of consent – who, when, how, and what they told people. They should save old versions of privacy notices, since these will demonstrate what the individual’s expectations were at the time of consent.
· It is recommended that organisations keep consent under review and refresh it if anything changes about the use of the personal information.
For more information, tips, and checklists regarding consent, visit our Guide to PIPA page.
To reach out to PrivCom, please visit our Contact page.