Title: University of Toronto
1University of Toronto
Privacy Lecture Series IPRP / KMDI
Privacy Lecture Series
Threshold Issues in Privacy What is Personal
Information?
Barry Sookman, Partner, McCarthy Tétrault Chair,
Internet and Electronic Commerce Law Group
(Toronto) bsookman_at_mccarthy.ca (416) 601-7949
2What is Personal Information
- Personal information is defined under section
2(1) of PIPEDA as information about an
identifiable individual, but does not include the
name, title or business address or telephone
number of an employee of an organization.
3Deliberately Broad
IPRP
- On a plain reading, this definition (in the
Privacy Act) is undeniably expansive. - the language of this section is deliberately
broad and entirely consistent with the great
pains that have been taken to safeguard
individual identity. Its intent seems to be to
capture any information about a specific person,
subject only to specific exceptions Such an
interpretation accords with the plain language of
the statute, its legislative history and the
privileged, foundational position of privacy
interests in our social and legal culture. - Dagg v. Canada (Minister of Finance) 1997
2 S.C.R. 403
4Scope of Definition
5What is Protected
- name, age, weight, height
- medical records
- income, purchases and spending habits
- race, ethnic origin and colour
- blood type, DNA code, fingerprints
- marital status and religion
- education
- home address and phone number
- See, Your Privacy Rights, Canadas Personal
Information Protection and Electronic Documents
Act
6What is Protected-the Privacy Commissioners View
- Personal information includes any factual or
subjective information, recorded or not, about an
identifiable individual. This includes
information in any form, such as - age, name, ID numbers, income, ethnic origin, or
blood type - opinions, evaluations, comments, social status,
or disciplinary actions - employee files, credit records, loan records,
medical records, existence of a dispute between a
consumer and a merchant, intentions (for example,
to acquire goods or services, or change jobs) - See, Your Privacy Responsibilities, Guide
for Businesses and Organizations to Canada's
Personal Information Protection and Electronic
Documents Act
7No Need for Recording
- Had Parliament chosen not to include unrecorded
information within the legislative framework, it
would have defined personal information, as it
did in the Privacy Act, to be information about
an identifiable individual that is recorded in
any form. - Includes video surveillance of public places.
- See, Centurion Security Services Letter
Finding June 20, 2001
8Aids in Construing Legislation
9Why Protect Personal Information?
- "This notion of privacy of information derives
from the assumption that all information about a
person is in a fundamental way his own, for him
to communicate or retain as he sees fit." R v
Dyment, 1988, 2SCR 417 - privacy is at the heart of liberty in a
modern state it is based on the notion of the
dignity and integrity of the individual. R v
Dyment, 1988 2SCR 417
10Why Protect Personal Information?
- the purpose of the protection accorded to
privacy is to guarantee a sphere of individual
autonomy for all decisions relating to choices
that are of a fundamentally private or inherently
personal nature. Godbout v. Longueuil (City),
1997 3 S.C.R. 844 - anonymity is an essential element of the
right to privacy. Aubry v. Éditions Vice-Versa
Inc, 1998 1 SCR 591
11Why Protect Information Privacy?
- Finally, there is privacy in relation to
information. This too is based on the notion of
the dignity and integrity of the
individual. This notion of privacy derives from
the assumption that all information about a
person is in a fundamental way his own, for him
to communicate or retain for himself as he sees
fit." In modern society, especially, retention
of information about oneself is extremely
important. We may, for one reason or another,
wish or be compelled to reveal such information,
but situations abound where the reasonable
expectations of the individual that the
information shall remain confidential to the
persons to whom, and restricted to the purposes
for which it is divulged, must be protected. - R. v. Dyment, 1988 2 S.C.R. 417
12Legislative History
- As this Court has recently confirmed, evidence
of a statute's history, including excerpts from
Hansard, is admissible as relevant to the
background and purpose of the legislation,
provided, of course, that the court remains
mindful of its limited reliability and weight. - See, Dagg v. Canada (Minister of Finance) 1997
2 S.C.R. 403
13Stated Purposes
- The purpose of this Part is to establish, in an
era in which technology increasingly facilitates
the circulation and exchange of information,
rules that govern the collection, use and
disclosure of personal information in a manner
that recognizes the right of privacy of
individuals with respect to their personal
information and the need of organizations to
collect, use or disclose personal information for
the purposes that a reasonable person would
consider appropriate in the circumstances.
Section 3 - Applied in IMS Health Letter Finding October 2,
2001
14Other Privacy Legislation
- Federal Privacy Act, Municipal and Provincial
Privacy Legislation - May be useful, but there are significant
differences. - Information must recorded in any form
- Includes subject matter that may not be included
15Ontario Freedom of Information and Protection of
Privacy Act
- means recorded information about an identifiable
individual, including, - (a) information relating to the race, national or
ethnic origin, colour, religion, age, sex, sexual
orientation or marital or family status of the
individual, - (b) information relating to the education or the
medical, psychiatric, psychological, criminal or
employment history of the individual or
information relating to financial transactions in
which the individual has been involved,
16Ontario Freedom of Information and Protection of
Privacy Act (cont)
- (c) any identifying number, symbol or other
particular assigned to the individual, - (d) the address, telephone number, fingerprints
or blood type of the individual, - (e) the personal opinions or views of the
individual except where they relate to another
individual, - (f) correspondence sent to an institution by the
individual that is implicitly or explicitly of a
private or confidential nature, and replies to
that correspondence that would reveal the
contents of the original correspondence,
17Ontario Freedom of Information and Protection of
Privacy Act (cont)
- (g) the views or opinions of another individual
about the individual, and - (h) the individual's name where it appears with
other personal information relating to the
individual or where the disclosure of the name
would reveal other personal information about the
individual.
18EU Directive
- Personal Data means any information relating to
an identified or identifiable natural person
('data subject') an identifiable person is one
who can be identified, directly or indirectly, in
particular by reference to an identification
number or to one or more factors specific to his
physical, physiological, mental, economic,
cultural or social identity.
19Australia Privacy Act
- Personal information means information or an
opinion (including information or an opinion
forming part of a database), whether true or not,
and whether recorded in a material form or not,
about an individual whose identity is apparent,
or can reasonably be ascertained, from the
information or opinion.
20Childrens Online Privacy Protection Rule
- Personal information means individually
identifiable information about an individual
collected online including - (c) An e-mail address or other online contact
information, including but not limited to an
instant messaging user identifier, or a screen
name that reveals an individuals e-mail address - (f) A persistent identifier, such as a customer
number held in a cookie or a processor serial
number, where such identifier is associated with
individually identifiable information or a
combination of a last name or photograph of the
individual with other information such that the
combination permits physical or online contacting
21Predominant Purpose of Collection
- The question whether information is "personal
information" cannot be determined according to
whether its predominant characteristic is
personal or professional. The plain language of
the act is "personal information" is information
about an identifiable individual. - Dagg v. Canada (Minister of Finance) 1997 2
S.C.R. 403
22Reasonable Expectation of Privacy
- Although it is not strictly necessary for my
analysis, I believe that employees of the
respondent would have a reasonable expectation
that the information in the sign-in logs would
not be revealed to the general public. The
reasonable expectation of privacy principle is
a tool used in search and seizure jurisprudence
to determine whether or not a search is
"reasonable" in constitutional terms... The
principle ensures that, at a conceptual level,
the dignity and autonomy interests at the heart
of privacy rights are only compromised when there
is a compelling state interest for doing so. - Dagg v. Canada (Minister of Finance) 1997 2
S.C.R. 403
23Reasonable Expectation of Privacy
- In determining whether an individual has a
reasonable expectation of privacy in a particular
piece of information, it is important to have
regard to the purpose for which the information
was divulged - Dagg v. Canada (Minister of Finance) 1997 2
S.C.R. 403
24Limiting Principles
25Express Limitations
- The Collection, use or disclosure of personal
information by federal government organizations
listed in the Privacy Act - Provincial or territorial governments and their
agents - An employees name, title, business address or
telephone number - An individuals collection, use or disclosure of
personal information strictly for personal
purposes (e.g. personal greeting card list) - The collection, use or disclosure of personal
information solely for journalistic, artistic or
literary purposes.
26Regulations Specifying Publicly Available
Information
- Information in
- telephone directories
- professional and business directories
- public registries
- court records
- books and magazines
- Note limitations associated with particular
exemptions
27Freedom of Speech
- Commercial speech is protected under section 2(b)
of the Canadian Charter of Rights and Freedoms.
The constitutional guarantee protects not only
the right to speak, but also the right not to
speak. - The requirement to disclose certain types of
information e.g., opinions, might compromise
basic constitutional values.
28Must be Information
- Information means Knowledge acquired in any
manner facts data. - Canada (Privacy Commissioner) v Canada (Labour
Relations Board) 1996 3 F.C. 609
29Must be Intended to Inform
- it is doubtful that anything expressed by a
decision maker in the course of consultations or
deliberations can be regarded as personal
information about an individual. This is because
nothing that is recorded by a decision maker in
the course of deliberations is intended to
inform. - Canada (Privacy Commissioner) v Canada (Labour
Relations Board) 1996 3 F.C. 609
30Opinions
- Opinion 1. a belief not based on absolute
certainty or positive knowledge but on what seems
true, valid, or probable to one's own mind
judgment 2. an evaluation, impression or
estimation, etc. 3. the formal judgment of an
expert. - Canada (Privacy Commissioner) v Canada
(Labour Relations Board) 1996 3 F.C. 609
31Opinions
- Not included in definition of personal
information, although expressly included in
Federal Privacy Act. - Political opinions v an individuals opinion
about another person - Internal credit scores and underwriting
information?
32Must be Capable of Collection
- Must personal information be capable of
collection? - Does it include all information that is created
by an entity? - Does created information belong to an
individual? - Must the information created be capable of being
accurate, corrected and up to date to be
personal information?
33Intention/Capability to Use
- The scheme of the Privacy Act supports the
proposition that it is aimed at information that
is intended to be used as such or that is at
least capable of being used as such. Recorded
consultations and deliberations are neither... - Accounts of consultations and deliberations do
not lend themselves to notations and corrections.
They do not purport to be and cannot reasonably
be viewed by anyone as "accurate" "up-to-date" or
"complete" as to what they may reveal. - Canada (Privacy Commissioner) v Canada
(Labour Relations Board) 1996 3 F.C. 609
34Must identify Individual - anonymous data
- While I do not rule out the possibility that
information about small groups may, in some
cases, constitute personal information, the mere
fact that one can divide the groups assets by
the number of its members does not support such a
finding. - Montana Band of Indians v. Canada (Minister of
Indian and Northern Affairs) 1989 1 F.C. 143
35Must identify Individual - anonymous data
- The terms personal data and data subject
serve to underscore that the Guidelines are
concerned with physical persons. The precise
dividing line between personal data in the sense
of information relating to identified or
identifiable individuals and anonymous data may
be difficult to draw and must be left to the
regulation of each Member country. In principle,
personal data convey information which by direct
(e.g. a civil registration number) or indirect
linkages (e.g. an address) may be connected to a
particular physical person. - OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data
36Employee Related Information
- Does Act apply to employee related information of
non-federal undertakings? - Does Act apply to prevent collection of
information about activities and behavior of
employees of other firms?
37Employee Related Information
- 4. (1) This Part applies to every organization in
respect of personal information that - (a) the organization collects, uses or discloses
in the course of commercial activities or - (b) is about an employee of the organization and
that the organization collects, uses or discloses
in connection with the operation of a federal
work, undertaking or business.
38Employee Related Information
- Considering the specific case of employee data
exported from the EU to Canada, the Working Party
notes that this will fall under the Act as from
1st January 2001, if the data is about an
employee of a Canadian federally related work or
if the exchange of information is carried out for
a commercial purpose. In all other cases, the Act
will apply as of 1st January 2004. - European Commission, Opinion 2/2001 on the
adequacy of the Canadian Personal Information and
Electronic Documents Act Adopted on 26th January
2001
39Information Must Relate to an Individual
- The word individual means a natural person, so
it follows that it does not include legal persons
such as corporations, partnerships or
associations. There may be circumstances where
information relating to an entity such as a sole
proprietorship is so closely linked to an
individual person, that the information can be
said to be about that individual but for the most
part personal information must be about an
identifiable individual and not merely associated
with the individual, by name for example. In my
view, therefore, the meaning of personal
information, while broad, is not so broad as to
encompass all information associated with an
individual. IMS Health Letter Finding October 2,
2001
40Information Must Relate to an Individual
- In what cases will the activities or behavior of
an individual within an organization be
considered personal information about the
individual rather than the activities or behavior
of the organization? - Implications for CRM projects.
41Work Products
- If the prescribing patterns of a physician for
instance, a tendency to prescribe one medication
rather than another for a given ailment were
deemed to be information "about" the physician,
then the same determination would logically have
to be made about identifiable patterns with
regard to the work products arising from a broad
variety of other activities... - I do not believe that such results would be
consistent with the stated purpose of the Act.
Rather, it is my view that the balance is
properly struck by establishing whether the
information is indeed about the individual, or
rather about the tangible result of his or her
work activity, namely the work product. - IMS Health Letter Finding October 2, 2001
42University of Toronto
Privacy Lecture Series IPRP / KMDI
Privacy Lecture Series
Threshold Issues in Privacy What is Personal
Information?
Barry Sookman, Partner, McCarthy Tétrault Chair,
Internet and Electronic Commerce Law Group
(Toronto) bsookman_at_mccarthy.ca (416) 601-7949