Organizations must be ready to explain to customers what kinds of personal information they are collecting and why. This needs to occur ideally before the organization collects this information, or at the time of collection. If you are unsure how to define your purposes, think about what a reasonable person would consider appropriate under similar circumstances. Organizations must keep a record of all identified purposes and the consent obtained from individuals. The more narrow and specific an organization is with regard to defining their purposes for collecting personal information, the more easily individuals will be able to understand how their information is being used. Some examples of specific purposes include:
- Opening an account;
- Verifying an individual’s creditworthiness;
- Providing benefits to employees;
- Processing a magazine subscription;
- Sending out association membership information;
- Guaranteeing a travel reservation;
- Identifying customer preferences; and
- Establishing customers eligibility for special offers or discounts.
The identifying purposes principle affirms PIPEDA’s overriding obligation that any collection, use, or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances. If your organization is subject to PIPEDA it is imperative that you develop, document, and implement policies and procedures to protect personal information and narrowly define the purpose of its collection, obtain consent, and limit the collection, use, and disclosure of that information for its specific purpose.
I am a third year at UIC John Marshall law school in Chicago. After my first year of law school I spent the summer clerking for Vandenack Weaver LLC in Omaha, NE and during my second year of law school I worked for Chicago Daily Law Bulletin as a content specialist. I am passionate about privacy and cybersecurity law and serve as the liaison for the Chicago Bar Association’s Cyber Law and Data Privacy Committee.