University of Toronto

1
University of Toronto
Privacy Lecture Series IPRP / KMDI
Privacy Lecture Series
Threshold Issues in Privacy What is Personal
Information?
Barry Sookman, Partner, McCarthy Tétrault Chair,
Internet and Electronic Commerce Law Group
(Toronto) bsookman_at_mccarthy.ca (416) 601-7949
2
What is Personal Information

• Personal information is defined under section
  2(1) of PIPEDA as information about an
  identifiable individual, but does not include the
  name, title or business address or telephone
  number of an employee of an organization.

3
Deliberately Broad
IPRP

• On a plain reading, this definition (in the
  Privacy Act) is undeniably expansive. 
• the language of this section is deliberately
  broad and entirely consistent with the great
  pains that have been taken to safeguard
  individual identity.  Its intent seems to be to
  capture any information about a specific person,
  subject only to specific exceptions Such an
  interpretation accords with the plain language of
  the statute, its legislative history and the
  privileged, foundational position of privacy
  interests in our social and legal culture.
• Dagg v. Canada (Minister of Finance) 1997
  2 S.C.R. 403

4
Scope of Definition
5
What is Protected

• name, age, weight, height
• medical records
• income, purchases and spending habits
• race, ethnic origin and colour
• blood type, DNA code, fingerprints
• marital status and religion
• education
• home address and phone number
• See, Your Privacy Rights, Canadas Personal
  Information Protection and Electronic Documents
  Act

6
What is Protected-the Privacy Commissioners View

• Personal information includes any factual or
  subjective information, recorded or not, about an
  identifiable individual. This includes
  information in any form, such as
• age, name, ID numbers, income, ethnic origin, or
  blood type
• opinions, evaluations, comments, social status,
  or disciplinary actions
• employee files, credit records, loan records,
  medical records, existence of a dispute between a
  consumer and a merchant, intentions (for example,
  to acquire goods or services, or change jobs)
• See, Your Privacy Responsibilities, Guide
  for Businesses and Organizations to Canada's
  Personal Information Protection and Electronic
  Documents Act

7
No Need for Recording

• Had Parliament chosen not to include unrecorded
  information within the legislative framework, it
  would have defined personal information, as it
  did in the Privacy Act, to be information about
  an identifiable individual that is recorded in
  any form.
• Includes video surveillance of public places.
• See, Centurion Security Services Letter
  Finding June 20, 2001

8
Aids in Construing Legislation
9
Why Protect Personal Information?

• "This notion of privacy of information derives
  from the assumption that all information about a
  person is in a fundamental way his own, for him
  to communicate or retain as he sees fit." R v
  Dyment, 1988, 2SCR 417
• privacy is at the heart of liberty in a
  modern state it is based on the notion of the
  dignity and integrity of the individual. R v
  Dyment, 1988 2SCR 417

10
Why Protect Personal Information?

• the purpose of the protection accorded to
  privacy is to guarantee a sphere of individual
  autonomy for all decisions relating to choices
  that are of a fundamentally private or inherently
  personal nature. Godbout v. Longueuil (City),
  1997 3 S.C.R. 844
• anonymity is an essential element of the
  right to privacy. Aubry v. Éditions Vice-Versa
  Inc, 1998 1 SCR 591

11
Why Protect Information Privacy?

• Finally, there is privacy in relation to
  information.  This too is based on the notion of
  the dignity and integrity of the
  individual.  This notion of privacy derives from
  the assumption that all information about a
  person is in a fundamental way his own, for him
  to communicate or retain for himself as he sees
  fit."  In modern society, especially, retention
  of information about oneself is extremely
  important.  We may, for one reason or another,
  wish or be compelled to reveal such information,
  but situations abound where the reasonable
  expectations of the individual that the
  information shall remain confidential to the
  persons to whom, and restricted to the purposes
  for which it is divulged, must be protected. 
• R. v. Dyment, 1988 2 S.C.R. 417

12
Legislative History

• As this Court has recently confirmed, evidence
  of a statute's history, including excerpts from
  Hansard, is admissible as relevant to the
  background and purpose of the legislation,
  provided, of course, that the court remains
  mindful of its limited reliability and weight.
• See, Dagg v. Canada (Minister of Finance) 1997
  2 S.C.R. 403

13
Stated Purposes

• The purpose of this Part is to establish, in an
  era in which technology increasingly facilitates
  the circulation and exchange of information,
  rules that govern the collection, use and
  disclosure of personal information in a manner
  that recognizes the right of privacy of
  individuals with respect to their personal
  information and the need of organizations to
  collect, use or disclose personal information for
  the purposes that a reasonable person would
  consider appropriate in the circumstances.
  Section 3
• Applied in IMS Health Letter Finding October 2,
  2001

14
Other Privacy Legislation

• Federal Privacy Act, Municipal and Provincial
  Privacy Legislation
• May be useful, but there are significant
  differences.
• Information must recorded in any form
• Includes subject matter that may not be included

15
Ontario Freedom of Information and Protection of
Privacy Act

• means recorded information about an identifiable
  individual, including,
• (a) information relating to the race, national or
  ethnic origin, colour, religion, age, sex, sexual
  orientation or marital or family status of the
  individual,
• (b) information relating to the education or the
  medical, psychiatric, psychological, criminal or
  employment history of the individual or
  information relating to financial transactions in
  which the individual has been involved,

16
Ontario Freedom of Information and Protection of
Privacy Act (cont)

• (c) any identifying number, symbol or other
  particular assigned to the individual,
• (d) the address, telephone number, fingerprints
  or blood type of the individual,
• (e) the personal opinions or views of the
  individual except where they relate to another
  individual,
• (f) correspondence sent to an institution by the
  individual that is implicitly or explicitly of a
  private or confidential nature, and replies to
  that correspondence that would reveal the
  contents of the original correspondence,

17
Ontario Freedom of Information and Protection of
Privacy Act (cont)

• (g) the views or opinions of another individual
  about the individual, and
• (h) the individual's name where it appears with
  other personal information relating to the
  individual or where the disclosure of the name
  would reveal other personal information about the
  individual.

18
EU Directive

• Personal Data means any information relating to
  an identified or identifiable natural person
  ('data subject') an identifiable person is one
  who can be identified, directly or indirectly, in
  particular by reference to an identification
  number or to one or more factors specific to his
  physical, physiological, mental, economic,
  cultural or social identity.

19
Australia Privacy Act

• Personal information means information or an
  opinion (including information or an opinion
  forming part of a database), whether true or not,
  and whether recorded in a material form or not,
  about an individual whose identity is apparent,
  or can reasonably be ascertained, from the
  information or opinion.

20
Childrens Online Privacy Protection Rule

• Personal information means individually
  identifiable information about an individual
  collected online including
• (c) An e-mail address or other online contact
  information, including but not limited to an
  instant messaging user identifier, or a screen
  name that reveals an individuals e-mail address
• (f) A persistent identifier, such as a customer
  number held in a cookie or a processor serial
  number, where such identifier is associated with
  individually identifiable information or a
  combination of a last name or photograph of the
  individual with other information such that the
  combination permits physical or online contacting

21
Predominant Purpose of Collection

• The question whether information is "personal
  information" cannot be determined according to
  whether its predominant characteristic is
  personal or professional.   The plain language of
  the act is "personal information" is information
  about an identifiable individual.
• Dagg v. Canada (Minister of Finance) 1997 2
  S.C.R. 403

22
Reasonable Expectation of Privacy

• Although it is not strictly necessary for my
  analysis, I believe that employees of the
  respondent would have a reasonable expectation
  that the information in the sign-in logs would
  not be revealed to the general public.  The
  reasonable expectation of privacy principle is
  a tool used in search and seizure jurisprudence
  to determine whether or not a search is
  "reasonable" in constitutional terms...  The
  principle ensures that, at a conceptual level,
  the dignity and autonomy interests at the heart
  of privacy rights are only compromised when there
  is a compelling state interest for doing so.
• Dagg v. Canada (Minister of Finance) 1997 2
  S.C.R. 403

23
Reasonable Expectation of Privacy

• In determining whether an individual has a
  reasonable expectation of privacy in a particular
  piece of information, it is important to have
  regard to the purpose for which the information
  was divulged
• Dagg v. Canada (Minister of Finance) 1997 2
  S.C.R. 403

24
Limiting Principles
25
Express Limitations

• The Collection, use or disclosure of personal
  information by federal government organizations
  listed in the Privacy Act
• Provincial or territorial governments and their
  agents
• An employees name, title, business address or
  telephone number
• An individuals collection, use or disclosure of
  personal information strictly for personal
  purposes (e.g. personal greeting card list)
• The collection, use or disclosure of personal
  information solely for journalistic, artistic or
  literary purposes.

26
Regulations Specifying Publicly Available
Information

• Information in
• telephone directories
• professional and business directories
• public registries
• court records
• books and magazines
• Note limitations associated with particular
  exemptions

27
Freedom of Speech

• Commercial speech is protected under section 2(b)
  of the Canadian Charter of Rights and Freedoms.
  The constitutional guarantee protects not only
  the right to speak, but also the right not to
  speak.
• The requirement to disclose certain types of
  information e.g., opinions, might compromise
  basic constitutional values.

28
Must be Information

• Information means Knowledge acquired in any
  manner facts data.
• Canada (Privacy Commissioner) v Canada (Labour
  Relations Board) 1996 3 F.C. 609

29
Must be Intended to Inform

• it is doubtful that anything expressed by a
  decision maker in the course of consultations or
  deliberations can be regarded as personal
  information about an individual. This is because
  nothing that is recorded by a decision maker in
  the course of deliberations is intended to
  inform.
• Canada (Privacy Commissioner) v Canada (Labour
  Relations Board) 1996 3 F.C. 609

30
Opinions

• Opinion 1. a belief not based on absolute
  certainty or positive knowledge but on what seems
  true, valid, or probable to one's own mind
  judgment 2. an evaluation, impression or
  estimation, etc. 3. the formal judgment of an
  expert.
• Canada (Privacy Commissioner) v Canada
  (Labour Relations Board) 1996 3 F.C. 609

31
Opinions

• Not included in definition of personal
  information, although expressly included in
  Federal Privacy Act.
• Political opinions v an individuals opinion
  about another person
• Internal credit scores and underwriting
  information?

32
Must be Capable of Collection

• Must personal information be capable of
  collection?
• Does it include all information that is created
  by an entity?
• Does created information belong to an
  individual?
• Must the information created be capable of being
  accurate, corrected and up to date to be
  personal information?

33
Intention/Capability to Use

• The scheme of the Privacy Act supports the
  proposition that it is aimed at information that
  is intended to be used as such or that is at
  least capable of being used as such. Recorded
  consultations and deliberations are neither...
• Accounts of consultations and deliberations do
  not lend themselves to notations and corrections.
  They do not purport to be and cannot reasonably
  be viewed by anyone as "accurate" "up-to-date" or
  "complete" as to what they may reveal.
• Canada (Privacy Commissioner) v Canada
  (Labour Relations Board) 1996 3 F.C. 609

34
Must identify Individual - anonymous data

• While I do not rule out the possibility that
  information about small groups may, in some
  cases, constitute personal information, the mere
  fact that one can divide the groups assets by
  the number of its members does not support such a
  finding.
• Montana Band of Indians v. Canada (Minister of
  Indian and Northern Affairs) 1989 1 F.C. 143

35
Must identify Individual - anonymous data

• The terms personal data and data subject
  serve to underscore that the Guidelines are
  concerned with physical persons. The precise
  dividing line between personal data in the sense
  of information relating to identified or
  identifiable individuals and anonymous data may
  be difficult to draw and must be left to the
  regulation of each Member country. In principle,
  personal data convey information which by direct
  (e.g. a civil registration number) or indirect
  linkages (e.g. an address) may be connected to a
  particular physical person.
• OECD Guidelines on the Protection of Privacy and
  Transborder Flows of Personal Data

36
Employee Related Information

• Does Act apply to employee related information of
  non-federal undertakings?
• Does Act apply to prevent collection of
  information about activities and behavior of
  employees of other firms?

37
Employee Related Information

• 4. (1) This Part applies to every organization in
  respect of personal information that
• (a) the organization collects, uses or discloses
  in the course of commercial activities or
• (b) is about an employee of the organization and
  that the organization collects, uses or discloses
  in connection with the operation of a federal
  work, undertaking or business.

38
Employee Related Information

• Considering the specific case of employee data
  exported from the EU to Canada, the Working Party
  notes that this will fall under the Act as from
  1st January 2001, if the data is about an
  employee of a Canadian federally related work or
  if the exchange of information is carried out for
  a commercial purpose. In all other cases, the Act
  will apply as of 1st January 2004.
• European Commission, Opinion 2/2001 on the
  adequacy of the Canadian Personal Information and
  Electronic Documents Act Adopted on 26th January
  2001

39
Information Must Relate to an Individual

• The word individual means a natural person, so
  it follows that it does not include legal persons
  such as corporations, partnerships or
  associations. There may be circumstances where
  information relating to an entity such as a sole
  proprietorship is so closely linked to an
  individual person, that the information can be
  said to be about that individual but for the most
  part personal information must be about an
  identifiable individual and not merely associated
  with the individual, by name for example. In my
  view, therefore, the meaning of personal
  information, while broad, is not so broad as to
  encompass all information associated with an
  individual. IMS Health Letter Finding October 2,
  2001

40
Information Must Relate to an Individual

• In what cases will the activities or behavior of
  an individual within an organization be
  considered personal information about the
  individual rather than the activities or behavior
  of the organization?
• Implications for CRM projects.

41
Work Products

• If the prescribing patterns of a physician for
  instance, a tendency to prescribe one medication
  rather than another for a given ailment were
  deemed to be information "about" the physician,
  then the same determination would logically have
  to be made about identifiable patterns with
  regard to the work products arising from a broad
  variety of other activities...
• I do not believe that such results would be
  consistent with the stated purpose of the Act.
  Rather, it is my view that the balance is
  properly struck by establishing whether the
  information is indeed about the individual, or
  rather about the tangible result of his or her
  work activity, namely the work product.
• IMS Health Letter Finding October 2, 2001

42
University of Toronto
Privacy Lecture Series IPRP / KMDI
Privacy Lecture Series
Threshold Issues in Privacy What is Personal
Information?
Barry Sookman, Partner, McCarthy Tétrault Chair,
Internet and Electronic Commerce Law Group
(Toronto) bsookman_at_mccarthy.ca (416) 601-7949