Can a Landlord Disclose Payment History to a Credit Bureau Without Consent From the Tenant?

Understanding Specific Legal Issue Details Here Including Whatever

Lawsuit Document Credit details and credit ratings are often viewed as things a person needs or things a person gets, for good or bad.  Additional views about credit details and credit ratings are that the businesses a person deals with may make reports and credit bureaus may publish details without any control by the affected person.  These perceptions are actually untrue.

The Law

Among other laws, the Personal Information Protection and Electronic Documents Act, S.C. 2000, Chapter 5 ("PIPEDA") is foremost in addressing how a business handles and controls information such as payment history, including lack thereof, for the purpose of submitting details to a credit reporting agency.  The relevant sections of PIPEDA include:

Protection of Personal Information

Compliance with obligations

5 (1) Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.

Meaning of should

(2) The word should, when used in Schedule 1, indicates a recommendation and does not impose an obligation.

Appropriate purposes

(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.


Valid consent

6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

The affective reesult of PIPEDA is that a private business, such as a credit card company, a bank, an equipment retailer, or a landlord, who is doing business with a “consumer” is forbidden from disclosing the financial information of a consumer, without the informed consent of the consumer, subject to various specific exceptions.  This position is illustrated by the case of Citi Cards Canada v. Pleasance, 2010 ONSC 1124 wherein it was said:

[27]  Section 7(h.1) of the PIPEDA permits the disclosure “of information that is publicly available and is specified by the regulations.”  ...  Insofar as Credit Bureau information is concerned, the disclosure of such information requires the individual’s consent.  The Assistant Privacy Commissioner has held that information contained in Credit Reports does not lose its character as personal information and any collection or disclosure of it must comply with the PIPEDA.

As indicated by PIPEDA, if informed consent is a requirement, it is necessary to consider what constitutes as informed consent.  The Privacy Commissioner has listed the following requirements for “informed consent” by a consumer:

Information provided about the collection, use and disclosure of individuals’ personal information must be readily available in complete form – but to avoid information overload and facilitate understanding by individuals, certain elements warrant greater emphasis or attention in order to obtain meaningful consent.

PIPEDA requires individuals to understand the nature, purpose and consequences of what they are consenting to

In order for consent to be considered valid, or meaningful, organizations must inform individuals of their privacy practices in a comprehensive and understandable manner This means that organizations must provide information about their privacy management practices in a form that is readily accessible to those interested individuals who wish to read it in full.

However, the reality is that information buried in a privacy policy or terms of use serves no practical purpose to individuals with limited time and energy to devote to reviewing privacy information. To receive meaningful consent, organizations must allow individuals to quickly review key elements impacting their privacy decisions right up front as they are considering using the service or product on offer, making the purchase, or downloading the app, etc. For this purpose, organizations must generally put additional emphasis on the following key elements:

What personal information is being collected

Organizations must identify for individuals what personal information is being, or may be, collected about them. This must be done with sufficient precision for individuals to meaningfully understand what they are consenting to.

With which parties’ personal information is being shared

Individuals expect that the personal information they provide to one organization will not be shared with another without their knowledge and consent.

As such, disclosures to third parties must be clearly explained, including the types of information being shared. Organizations should be as specific as possible in enumerating these third parties. In the case where third parties may change periodically or are too numerous to specify, organizations should at the very least specify the types of third parties’ information is shared with and then use other means (such as layering) to be more specific. Particular attention should be paid to any disclosures to third parties that may use the information for their own purposes, as opposed to simply providing services for the first-party.

For what purposes personal information is collected, used or disclosed

Individuals should be made aware of all purposes for which information is collected, used or disclosed. At a minimum, they must be informed of purposes in sufficient detail such as to ensure they meaningfully understand what they are invited to consent to. These purposes must be described in meaningful language, avoiding vagueness like ‘service improvement’. Purposes that are integral to the provision of the service should be distinguished from those that are not, and any available options explained. Organizations should in particular highlight any purposes that would not be obvious to the individual and/or reasonably expected based on the context.

Risk of harm and other consequences

Under PIPEDA, for consent to be valid, it must be reasonable to expect that individuals understand the consequences of the collection, use or disclosure to which they are consenting. One such consequence, about which individuals should be made clearly aware, is risk of harm – and, in particular, those residual risks which remain after an organization has applied any mitigation measures designed to minimize the risk and impact of potential harms. If there is a meaningful risk that such residual risk will materialize and will be significant, the OPC is of the view that it is a potential consequence about which individuals must be notified.

The OPC’s premise is that if an organization identifies potential harms that may arise from the collection, use or disclosure of personal information, PIPEDA’s accountability principle will require that the organization will seek to minimize this risk. In some cases, mitigation efforts will reduce the risk significantly. In other cases, the risk will remain meaningful. Only meaningful residual risks of significant harm must be notified to individuals.

By meaningful risk, we mean a risk that falls below the balance of probabilities but is more than a minimal or mere possibility. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Note that where there is a likely (probable) risk of significant harm, the intended collection, use or disclosure would generally be considered inappropriate under subsection 5(3) of PIPEDA and therefore should not be the subject of consent.

Risk of harm should be considered broadly, and in addition to harms which arise directly from the activity, can include reasonably foreseeable harms caused by bad actors or others (e.g. unauthorized re-use of social media information intended for a limited audience).

At this time, there is no prescribed form in which the above elements should be highlighted so as to give them prominence. However, clauses in a contract or in the residential leasing process and signing of a tenancy agreement the various points as listed above and a company or landlord should have the tenant sign off on such clauses.

We encourage organizations to consider adopting standardized mechanisms, to the extent that best practices emerge in the future in different sectors. Organizations should also consider the principles which follow in this document in determining the most appropriate means of communicating these key elements, while keeping in mind the requirement for additional emphasis on this information.

Summary Comment

In summary it is submitted that it can be argued that any business, organization or landlord that collects, shares or intends to share personal, financial or credit information in respect to a party must have their informed consent to do so unless the purposes for which the information is collected or shared falls within the exceptions to the consent requirement.

Need Help? Let's Get Started Today

ATTENTION: Do not send any confidential information through this web form.  Use this web form only to make an introduction.

For more information, fill out the form below to send a direct inquiry to SFG Paralegal Services LLP

ATTENTION: Confidential details about your case must not be sent through this website.  Use of this website does not establish a legal-representative/client relationship.  Do not include confidential details about your case by email or phone.  Use this website only for an introduction with a SFG Paralegal Services LLP representative. 
Privacy Policy & Cookies | Terms of Use Your IP Address is:
SFG Paralegal Services LLP

10265 Yonge Street, Suite 200
Richmond Hill, Ontario,
L4C 4Y7

P: (888) 398-0121

Hours of Business:

09:00AM - 05:00PM
09:00AM - 05:00PM
09:00AM - 05:00PM
09:00AM - 05:00PM
09:00AM - 05:00PM

By appointment only.  Please call for details.  Messages may be left at anytime.

Sign Up
Ernie, the AI Bot