Consent to Disclose Involving Permission to Report Payment Details to Credit BureausPage last modified: January 02 2022
Share to Facebook
Can a Landlord Disclose Payment History to a Credit Bureau Without Consent From the Tenant?
Understanding Specific Legal Issue Details Here Including Whatever
Credit details and credit ratings are often viewed as things a person needs or things a person gets, for good or bad. Additional views about credit details and credit ratings are that the businesses a person deals with may make reports and credit bureaus may publish details without any control by the affected person. These perceptions are actually untrue.
Among other laws, the Personal Information Protection and Electronic Documents Act, S.C. 2000, Chapter 5 ("PIPEDA") is foremost in addressing how a business handles and controls information such as payment history, including lack thereof, for the purpose of submitting details to a credit reporting agency. The relevant sections of PIPEDA include:
Protection of Personal Information
Compliance with obligations
5 (1) Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.
Meaning of should
(2) The word should, when used in Schedule 1, indicates a recommendation and does not impose an obligation.
(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
The affective reesult of PIPEDA is that a private business, such as a credit card company, a bank, an equipment retailer, or a landlord, who is doing business with a “consumer” is forbidden from disclosing the financial information of a consumer, without the informed consent of the consumer, subject to various specific exceptions. This position is illustrated by the case of Citi Cards Canada v. Pleasance, 2010 ONSC 1124 wherein it was said:
 Section 7(h.1) of the PIPEDA permits the disclosure “of information that is publicly available and is specified by the regulations.” ... Insofar as Credit Bureau information is concerned, the disclosure of such information requires the individual’s consent. The Assistant Privacy Commissioner has held that information contained in Credit Reports does not lose its character as personal information and any collection or disclosure of it must comply with the PIPEDA.
As indicated by PIPEDA, if informed consent is a requirement, it is necessary to consider what constitutes as informed consent. The Privacy Commissioner has listed the following requirements for “informed consent” by a consumer:
Information provided about the collection, use and disclosure of individuals’ personal information must be readily available in complete form – but to avoid information overload and facilitate understanding by individuals, certain elements warrant greater emphasis or attention in order to obtain meaningful consent.
PIPEDA requires individuals to understand the nature, purpose and consequences of what they are consenting to
In order for consent to be considered valid, or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner This means that organizations must provide information about their privacy management practices in a form that is readily accessible to those interested individuals who wish to read it in full.
What personal information is being collected
Organizations must identify for individuals what personal information is being, or may be, collected about them. This must be done with sufficient precision for individuals to meaningfully understand what they are consenting to.
With which parties’ personal information is being shared
Individuals expect that the personal information they provide to one organization will not be shared with another without their knowledge and consent.
As such, disclosures to third parties must be clearly explained, including the types of information being shared. Organizations should be as specific as possible in enumerating these third parties. In the case where third parties may change periodically or are too numerous to specify, organizations should at the very least specify the types of third parties’ information is shared with and then use other means (such as layering) to be more specific. Particular attention should be paid to any disclosures to third parties that may use the information for their own purposes, as opposed to simply providing services for the first-party.
For what purposes personal information is collected, used or disclosed
Individuals should be made aware of all purposes for which information is collected, used or disclosed. At a minimum, they must be informed of purposes in sufficient detail such as to ensure they meaningfully understand what they are invited to consent to. These purposes must be described in meaningful language, avoiding vagueness like ‘service improvement’. Purposes that are integral to the provision of the service should be distinguished from those that are not, and any available options explained. Organizations should in particular highlight any purposes that would not be obvious to the individual and/or reasonably expected based on the context.
Risk of harm and other consequences
Under PIPEDA, for consent to be valid, it must be reasonable to expect that individuals understand the consequences of the collection, use or disclosure to which they are consenting. One such consequence, about which individuals should be made clearly aware, is risk of harm – and, in particular, those residual risks which remain after an organization has applied any mitigation measures designed to minimize the risk and impact of potential harms. If there is a meaningful risk that such residual risk will materialize and will be significant, the OPC is of the view that it is a potential consequence about which individuals must be notified.
The OPC’s premise is that if an organization identifies potential harms that may arise from the collection, use or disclosure of personal information, PIPEDA’s accountability principle will require that the organization will seek to minimize this risk. In some cases, mitigation efforts will reduce the risk significantly. In other cases, the risk will remain meaningful. Only meaningful residual risks of significant harm must be notified to individuals.
By meaningful risk, we mean a risk that falls below the balance of probabilities but is more than a minimal or mere possibility. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Note that where there is a likely (probable) risk of significant harm, the intended collection, use or disclosure would generally be considered inappropriate under subsection 5(3) of PIPEDA and therefore should not be the subject of consent.
Risk of harm should be considered broadly, and in addition to harms which arise directly from the activity, can include reasonably foreseeable harms caused by bad actors or others (e.g. unauthorized re-use of social media information intended for a limited audience).
At this time, there is no prescribed form in which the above elements should be highlighted so as to give them prominence. However, clauses in a contract or in the residential leasing process and signing of a tenancy agreement the various points as listed above and a company or landlord should have the tenant sign off on such clauses.
We encourage organizations to consider adopting standardized mechanisms, to the extent that best practices emerge in the future in different sectors. Organizations should also consider the principles which follow in this document in determining the most appropriate means of communicating these key elements, while keeping in mind the requirement for additional emphasis on this information.
In summary it is submitted that it can be argued that any business, organization or landlord that collects, shares or intends to share personal, financial or credit information in respect to a party must have their informed consent to do so unless the purposes for which the information is collected or shared falls within the exceptions to the consent requirement.