Principle 3: Purpose Specification Principle

The purposes for which personal information is collected should be specified no later than the time of data collection and the subsequent use should be limited to fulfilling those purposes, or such others that are specified to the individuals at the time of the change of purpose.

Question: Is consent obtained for the collection, use and disclosure of personal information, at or before the time of collection, except where not appropriate (e.g., exchange of information with credit agency for a loan)?

Discussion: Most international laws require consent to be obtained from individuals prior to collecting personal information. As an example in Canada, in a ruling released June 21, 2004 by Canada's Office of the Privacy Commissioner, a Canadian bank was found guilty of violating federal privacy laws by disclosing a customer's personal information to his employer without the customer's consent, In a second ruling the Office found that a bank improperly used a customer's personal information without consent to conduct a credit check for a business credit card application, and that the bank improperly withheld access by the customer to her personal information.

Suggested Policy: Company X must obtain consent for the collection, use and disclosure of personal information at or before the time the personal information is collected as appropriate and applicable for the purposes of the information collection.

Read the assessment for Privacy Principle 2: Data Quality Principle

Note: Assessment and discussion from the Privacy Management Toolkit, Version 1. The Privacy Impact Assessment within the Toolkit contains a complete assessment.

Our Products News Regulatory Compliance Solutions About Information Shield Home page Contact Us