6.8 – Client Identification and PIPEDA

So why not gather all the personal information about that potential client at the outset? It sounds like it would be convenient to gather information in one step, but PIPEDA provides that organizations (including law firms) can only collect personal information for purposes that are reasonable. Since Rule 1541 only requires that this personal information be obtained once a lawyer is retained, it is implicit that lawyers do not require that information before they are retained.

PIPEDA attempts to strike a balance between an individual’s right to have their personal information protected, and an organization’s need to collect, use and disclose personal information for purposes that are reasonable (section 3).

While privacy law is a practice area, it also impacts what you do when you engage in the practice of law. You must understand how PIPEDA impacts the operation of your firm because a law firm is an organization that must comply with PIPEDA in terms of how it collects, uses, and discloses personal information. PIPEDA requires that all organizations name a Privacy Officer (section 5(3)) and that they develop and follow policies and practices that are reasonable for the organization to meet its obligations under PIPEDA (section 6(1)).

One of PIPEDA’s key privacy principles is that organizations may collect personal information for purposes that are reasonable (section 11). This means you should only collect information that is necessary for the purpose for which you are collecting it – do not collect more information than needed. While many of the provisions of PIPEDA are based on consent, section 11 does not contain a curative consent element. Gathering more personal information than needed, or gathering it before it is required, is not reasonable. For this reason, do not collect client identification information before you are retained or collect the verification information because you might need it later.

PIPEDA also requires that organizations take care of, and take reasonable measures to protect, personal information that is in their custody. So, if your law firm collects personal information about clients or others, you have a duty to protect that personal information. You must:

  • use it only for purposes that are reasonable,
  • disclose it only for reasonable purposes, and
  • dispose of it securely when it is no longer required.