12. Unless the person concerned gives his consent, personal information may not be used within the enterprise except for the purposes for which it was collected. Such consent must be given expressly when it concerns sensitive personal information.
Personal information may, however, be used for another purpose without the consent of the person concerned, but only
(1) if it is used for purposes consistent with the purposes for which it was collected;
(2) if it is clearly used for the benefit of the person concerned;
(3) if its use is necessary for the purpose of preventing and detecting fraud or of assessing and improving protection and security measures;
(4) if its use is necessary for the purpose of providing or delivering a product or providing a service requested by the person concerned; or
(5) if its use is necessary for study or research purposes or for the production of statistics and if the information is de-identified.
In order for a purpose to be consistent within the meaning of subparagraph 1 of the second paragraph, it must have a direct and relevant connection with the purposes for which the information was collected. However, commercial or philanthropic prospection may not be considered a consistent purpose.
For the purposes of this Act, personal information is
(1) de-identified if it no longer allows the person concerned to be directly identified;
(2) sensitive if, due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context of its use or communication, it entails a high level of reasonable expectation of privacy.
Every person carrying on an enterprise who uses de-identified information must take reasonable measures to limit the risk of someone identifying a natural person using de-identified information.
1993, c. 17, s. 12; 2021, c. 25, s. 1101.