PIPEDA Case Summary #2009-004

No Consent Required for Using Publicly Available Personal Information Matched with Geographically Specific Demographic Statistics

[Subsections 2(1) and 5(3), paragraph 7(1)(d), sub-paragraphs 7(2)(c.1) and 7(3)(h.1), and Principles 4.3 and 4.8]

The respondent organization supplies lists of consumer data to businesses for direct-marketing purposes.  Firstly, the complainants alleged that the organization created personalized demographic information through data matching (White Pages telephone book information with Statistics Canada data), and that the use and disclosure of this newly created ‘personal information’ required consent.  Moreover, they believed that because the organization used and disclosed detailed demographic information, a reasonable person would expect consent to be obtained before such information about her or him was compiled and sold. 

The Assistant Commissioner, however, determined that the organization’s process of compiling consumer lists did not change the status of the White Pages information from publicly available personal information to personal information subject to consent requirements.  The publicly available personal information included in the consumer lists had merely been sorted according to geo-demographic data.  She was of the view that the lists consisted of information about neighbourhoods, rather than identifiable individuals.  Thus, she found the consent complaint to be not well-founded.

Secondly, the complainants alleged that the respondent failed to meet the criteria of “openness” under the Act.  They were concerned that the organization did not provide details as to how it collected, used and disclosed the personal information that it compiled into consumer lists; that it offered little detail about its information practices and policies; and that it was resistant to answering inquiries about its practices.

The Assistant Commissioner agreed that the company did not provide enough information on its policies and practices regarding its handling of the personal information that it sold.  She commented that, while the personal information was publicly available, it nonetheless was still personal information.  In order to bring the company in line with the openness principle, she recommended changes to its policies and practices.  The company complied, and the Assistant Commissioner concluded that the openness complaint was well-founded and resolved.

The following is an overview of the investigation and the Assistant Commissioner’s deliberations.

Summary of Investigation

CONSENT

The complainants contended that the organization fails to obtain consent for the collection, use and disclosure of personal information it gains through data matching. They were concerned about the company’s matching of publicly available personal information with Statistics Canada (SC) geographically specific demographic statistics.  The complainants maintained that this process personalized the previously non-personal demographic information, and by so doing, creates personal information (information about identified individuals), inaccurate as that personal information may be.  As a result, they believed that this act of creating personalized demographic information through data matching requires consent under the Act for its use and disclosure.   The complainants also believed that the organization’s purpose for creating and selling such information was inappropriate.

According to the organization, it provides lists to customers based on the customers’ selection criteria.  The company uses aggregated data sources that it overlays onto its consumer database.  The organization claimed that, essentially, it sells lists of names, addresses and telephone numbers of people listed in telephone directory White Pages, based on the characteristics of the neighbourhood in which the people live.  The organization begins this process with the White Pages information, and then sorts it using demographic information obtained from SC census data.  Although the organization no longer uses SC’s services, it obtains SC’s data through other vendors.  In discussions with this Office, the organization stressed the limitations of its consumer lists. 

The complaints related to the company’s database of millions of Canadian consumers.  According to the organization, this database consists of listings of name, address and telephone information as it appears in telephone directories.  Customers include small businesses, multinational companies and government agencies that are offered various lists for direct marketing purposes.

As explained to this Office, the organization offers its clients basic “selects.”  In other words, a client can select the criteria on which it wants a consumer list to be based, such as age, income, home ownership, estimated home value, mailing address, telephone number and number of contacts per residence.  The geography selections include postal code, city, province, metro areas, telephone area code, carrier routes, and radius around a residence.  Other popular “selects” include estimated income, adult gender and ethnicity. 

The organization described its business processes as analogous to walking through a specific neighbourhood where certain general characteristics of the community would be apparent to the observer.  The company viewed its service in terms of offering the electronic mechanisms to do what individuals could do manually if time permitted.

According to the organization, it is not a list broker, and it does not maintain files on individuals, only on its own corporate clients.  In other words, it does not maintain lists of consumers with certain characteristics, such as those who own yachts, vacation properties, etc. 

The company stated that it provides customers with lists of names, addresses and telephone numbers of consumers, in a mailable format.  In some cases, gender is provided.  Also, in some instances, ethnicity is imputed, using name-table models—a process based on genealogical regression analysis in which certain surnames are frequently associated within commonly identifiable ethnic origins. 

In order to clarify the request process, the organization gave this Office a sample of an order for 50 Canadian households.  The selection criteria included the following:

• Address type: single family dwelling unit, one record per address
• Geography options: postal, first three digits of postal code
• Census selection options:
  • Average age, male and female population
  • 30-44
  • 35-49
  • 40-54
  • 45-59
• Average household income: $80,000 and over.

The resulting consumer list contained a column of the organization’s identification numbers with corresponding columns of individuals’ first names or initials, surnames, street addresses, cities, provinces, postal codes, country, telephone area codes and telephone numbers. Telephone numbers are verified at least once annually, according to the company, and it guarantees a 99% accuracy rate.

How the organization develops lists

The organization summarized its data compilation process as follows:

• Names, addresses, telephone numbers and, by implication, the cities/towns and provinces of Canadian consumers are compiled from Canadian White Pages telephone directory listings.
• The organization pointed out that it does not have access to unlisted telephone numbers or to the names of people not listed in a directory (for example, spouses).
• Names are captured as they appear in the directory.  The company stated that it does not attempt to determine, for instance, whether D. Anderson refers to David Anderson or Denise Anderson.
• Using proprietary models, the company attributes gender and ethnic or religious origin (based on first and/or last name).  Names are categorized as female, male or androgynous.  The organization stated that it cannot assign gender to the majority of listings because they are published with a first initial only.
• The directories are scanned into a machine-readable format, and every record is manually keyed to maintain quality of 99 per cent compared to the source.
• Postal codes are assigned using Canada Post certified information.
• The respondent claimed that it enhances the information collected from the directories only by adding postal codes and by imputing gender and ethnicity.  It does not add any identifiable information such as transaction data or magazine lists, nor does it add any privately sourced information to its database.
• Some of the organization’s other proprietary models identify the likelihood of single or multiple family-dwelling units.
• The consumer database is updated on a monthly basis.
• Before any information is made available to a customer, the database is audited, and data is purged against Canadian Marketing Association and internal Do Not Mail/Call files.  Files can also be processed through the National Change of Address Service, licensed through Canada Post.
• In response to requests from its customers, the organization sorts or filters this information based on data from SC’s Census Database.  SC collects information at the household level; however, the information is released or published only as aggregated data based on census dissemination areas¹.
• The organization also makes use of SC’s Postal Code Conversion File.  It correlates and represents postal codes within dissemination-area boundaries, which enables geographic list selections to be made.

The respondent indicated that its procedure for developing its lists involves overlaying two aggregated data sources onto its consumer database.  The first data source is SC’s Census Database, which it obtains from another company for a fee. This database provides a number of consumer demographics based on dissemination areas.  Some of the data elements provided by SC include median age, median household income, propensity of households with children, propensity of home ownership, median home value and dominant period of construction at the dissemination-area level.  The aggregated census information, such as average age or median home value, is used to determine factors such as the probability of children, and marital status.

The second data source is SC’s Postal Code Conversion File.  The file correlates and represents postal codes within dissemination-area boundaries, which make it possible for geographic list selections.  The organization noted that it maps census boundaries within the postal code areas and overlays this information onto the dissemination areas.

Another database, namely, the Generation 5 Mosaic Neighbourhood Cluster System, is licensed by the organization from a Toronto-based company.  Using aggregated information from various sources, including SC, Generation 5 licenses its demographic-segmentation system for neighbourhood-level target-marketing applications. This database provides generally aggregated, descriptive, life-stage/lifestyle categories in geographic clusters across Canada and in four specific market-focused categories.  Similar to the overlay methodology used with SC data, the organization provides lifestyle‑cluster selection criteria to its customers within postal-code-driven geographic areas.

The organization pointed out that it provides list-enhancement services to businesses. This service involves comparing customer data to its own data to ensure the information is current and accurate.  For example, it may add telephone numbers to the lists of subscribers provided by a customer who is a magazine publisher.  The company claims that, in such a case, it would not retain or use the names of the customer’s subscribers in order to enhance its own lists.  For instance, it would not determine that D. Anderson at 123 Main Street is David Anderson, nor would it retain any information about an individual’s subscription choices or purchases.  The organization was of the view that doing so would contravene the Act.

The Office learned that the terms and conditions of the organization’s customer agreements specify that purchasers will “abide by the current business practices respecting the privacy of consumers and will not imply to an individual that any specific information is known about that individual.”  Customers must sign a disclaimer or an on-line agreement whereby the customer agrees not to use the information for any illegal purpose.  As well, the disclaimer stipulates that the information is not to be shared or sold.

The organization’s marketing is handled by its US-based parent company.  Prior to receiving these complaints, the organization used US-marketing publicity materials for its Canadian marketing program without explicitly differentiating between US and Canadian selection options.  This caused confusion about the nature of the Canadian database, particularly as the organization’s on-line marketing material gave the impression that the company offered Canadian consumer-list selections such as yacht owners and aircraft owners.  It appeared that the information applied to both the Canadian and US consumer lists.  However, this is not the case—Canadian lists do not contain such information.

The organization advised the Office that the US database is “far richer” than the Canadian database.  The US database contains more information, largely due to the United States having different privacy laws than Canada.  This Office confirmed that American customers purchasing Canadian consumer lists from the organization are provided with the same information as Canadian customers.

The organization’s on-line advertising material now differentiates between the Canadian and US consumer lists.  The demographic selections include average income, average age, likely marital status, and likely home ownership, all of which are inferred through the use of data provided by SC.  The material also clearly specifies that no confidential information about individuals or households has been obtained from SC.

Statistics Canada (SC) Census Data

Statistics Canada’s commitment to maintain the confidentiality of information obtained from the Canadian public is an integral part of the Statistics Act.  This legislationrequires that all personal information be kept confidential and that no one outside SC be permitted access to any individual’s census information.  According to SC, it releases only aggregate non-confidential information to the public and to commercial entities, and provides it in a form that protects the confidentiality of the individual.  The data is screened, and multiple measures are taken to guard against disclosure of census information about individuals.  Such measures are called data- perturbation procedures. 

SC explained that, if all members of an identifiable group share the same or very similar characteristics, inferences could be made about individuals within the group.  This as a form of inferential or probability disclosure, and SC addresses it through the use of statistical techniques such as sampling, rounding, suppression, regrouping or a combination thereof.

In clarifying how it mitigates this type of disclosure, SC gave as an example a scenario in which SC deals with quantitative data, such as income.  If sampling does not provide a sufficient degree of uncertainty as to whom the information applies, other measures are used to prevent the accurate prediction of values for individual members of a population.  For instance, SC reports on median household income.  If a dissemination area is homogenous in terms of household incomes (in other words, all or many of the households have an income very close to the median), SC will not report the household income for that dissemination area.  In some situations, SC rounds particular data to the nearest five.  For example, if a dissemination area has eight people reporting that they are of South Asian origin, SC will show this as ten, and if one person is of Japanese origin, SC will report this as zero. 

SC provides a wide range of products and services, some at no cost and some for a fee. This includes pre-formulated tabulations, custom tabulations, analytical reports, public-use microdata files and analytical services.  SC pointed out that all of its products and services include a notice stating that “No confidential personal or business information has been released without consent.”  Its marketing material informs the public and potential clients that individual respondents cannot be identified by its products.

In addition, SC stated that it licenses statistical information to secondary distributors, through its Value-Added Distribution Licence Agreement and its Third Party Value-Added Distribution Licence Agreement.  As only non-confidential information can be released to the public, the agency includes in its licensing agreements the requirement that all secondary distributors must inform their data users that “no confidential personal or business information has been obtained from Statistics Canada.”  The licensee also agrees not to merge or link the computer file(s) with any other databases, for commercial sales, in such a fashion that it gives the appearance of the licensee receiving, or having access to, information about any identifiable individual, family, household, organization or business held by SC.

Compliance with the conditions of the licensing agreements is monitored by SC.  Under the agreements, the licensee cannot claim that any proprietary methodology it may have used was supported or endorsed by SC or that its data analysis was approved by SC.  The agency noted that it strictly enforces its requirements, and failure to comply can result in legal sanctions. 

A Value-Added Distributor purchases SC products for use in developing new products for sale.  Such development could involve combining SC data with data from other sources.  The concept of “value-added” means the development and delivery of value-added products.  For example, a company that increases the level of functionality associated with any original SC file embeds the SC data in the value-added product, and uses that data each time the product is delivered to the ultimate client, and/or transfers or communicates not more than 50% of the original SC data set in a non-modified form.  Value-Added Distribution Licence Agreements authorize the design and distribution of new and derived products to users. 

Clause 11.1 of the Value-Added Distribution Agreement states, in part, that:

The Licensee agrees, as a condition of being granted this Licence, to disclose in writing to Statistics Canada, prior to execution of this agreement, a statement of facts regarding the ownership of the firm, the nature of its business and the intended use of the Computer file(s) listed in Schedule “A”.

The Third Party and Value-Added Distribution Agreement contains a similar clause.

The Canadian Marketing Association (CMA)

The CMA indicated that its mission is to create an environment that fosters the responsible growth of information-based marketing in Canada.  Its goals are to establish and promote standards of practice for marketing and to promote codes of business conduct, and it takes an active role in ensuring compliance with such standards. 

The respondent organization, as a member of the CMA, ascribes to the standards of business conduct fostered by the Association.  It also must abide by the seven principles of personal privacy adopted by the CMA, which are laid out in the Association’s Code of Ethics and Standards of Practice.

The CMA stressed that the respondent does not merge information from two sources of publicly available information, but rather uses the geo-demographic information from SC as a filter applied against public lists of names, telephone numbers and addresses from telephone directories of different geographic areas.  It is CMA’s position that the result is an average for a given region for variables such as income, age and ethnicity, and that this average increases the probability that contact will be limited to those consumers who will likely have an interest in the product or service being offered.

In reference to personal information that either is exempt from the consent requirement or that is provided with consent, the CMA noted that the filtering of such information through non-personal data sources is a standard, widespread practice in the marketing industry.  It claims that this is an efficient and effective way of limiting the information being sent to consumers.

The CMA supported the respondent’s business process and noted that:

The process is used to sort publicly available contact information according to general demographic characteristics which may apply to those people who live in those areas. The information is not person-specific, and it is not necessarily accurate at the individual level. In effect, where high-level demographic indicators are used to sort and assemble consent-based lists, there is no person-specific information added to personal files.

OPENNESS

The complainants claimed that the organization provided very little information on its web site or in other publications about its policies and practices regarding the management of personal information.  Other than a company privacy policy regarding the collection and use of customer and web-site visitor information, they believed that the organization does not specify how it collects, uses and discloses the personal information that it compiles into consumer lists.   Furthermore, the complainants asserted that the organization is obligated to explain what it does internally with consumer data.

Upon request, the organization provided the complainants with a one-page document, which is not available on its web site, entitled “Canadian Privacy Legislation.”  The document notes that the Act exempts from its consent provisions, people’s names, addresses and telephone numbers that are published in a telephone directory.  The document also provides contact information for the company’s Privacy Officer.  When the complainants contacted the company, it provided additional information about its collection, use and sale of consumer information.

This Office reviewed the respondent’s privacy policy on its web site.  The policy described how the company protects user information, including sensitive information such as a credit card numbers that are collected through its web site.  The company allows web-site visitors to opt out of further promotional contacts and to update or correct personal information previously submitted.  The web site also provides users with an e-mail address through which they can obtain more information about its privacy policy.

Findings

Issued January 9, 2009

Application: Subsection 2(1) defines personal information as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.  Subsection 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.  Paragraph 7(1)(d) indicates that, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect  personal information without the knowledge or consent of the individual only if the information is publicly available and is specified by the Regulations.  Sub-paragraph 7(2)(c.2) notes that for the purpose of clause 4.3 of Schedule 1 and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if it is publicly available and is specified by the Regulations.  Sub-paragraph 7(3)(h.1) adds that for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is of information that is publicly available and is specified by the Regulations.  The Regulations Specifying Publicly Available Information under the Act set out distinct classes of such information, including, under regulation 1(a), personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory.  Principle 4.3 stipulates that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.  Principle 4.8 requires an organization to make readily available to individuals specific information about its policies and practices relating to the management of personal information.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

CONSENT

• This complaint essentially revolved around the question of whether adding aggregated geo-demographic information to publicly available names, addresses and telephone numbers—information that does not require consent for use or disclosure—results in personal information that does require consent.  In other words, did the White Pages information lose its consent-free status as a result of the attribution and sorting performed by the organization?  And, did the fact that a person lives in a neighbourhood with certain characteristics constitute personal information about the individual?  The information at issue was the consumer lists produced by the company’s filtering process, using customer-requested criteria.
• The complainants believed that, by “matching” publicly available personal information with geographically specific demographic statistics, the organization was able to produce information that could be linked to identifiable individuals.  Nonetheless, they conceded that this process may result in inaccurate personal information. 
• White Pages information is publicly available personal information.  The Assistant Commissioner underscored the fact that no consent is necessary to collect, use or disclose it in the scenarios contemplated under paragraph 7(1)(d), and sub-paragraphs 7(2)(c.1) and 7(3)(h.1).  The company does not enhance the White Pages data with any individual-specific information, for instance, from magazine subscription lists or public registries.  Rather, the company takes aggregate information licensed from SC, which is not personal information under the Act, to sort this publicly available personal information.
• The Assistant Commissioner noted that the organization uses a filtering or sorting process to compile consumer information.  Although it no longer acquires census data directly from SC, it obtains the same data from other vendors.   She found the concept of attribute disclosure to be useful in examining the privacy ramifications of the organization’s processes.  This type of disclosure occurs when something new is discovered about an individual. 
• The organization’s process, as the Assistant Commissioner viewed it, is to combine census data with other data sets and with proprietary models to create a database about Canadians.  A key component of the database is the White Pages, which provides the names, addresses and telephone numbers of individuals in the mailing lists that are sold.
• The database has two types of information: (a) information about individuals, which is associated with records from the White Pages, and (b) information about dissemination areas or postal codes, which is obtained from the census and other data sets.  When one of the company’s clients chooses a set of selects on (b), a subset of the dissemination areas is returned based on the criteria of the selects, and, out of the individuals who live in those areas (as determined by their addresses in the White Pages), a subset is returned based on the criteria of the selects on (a).  For example, if a client selects “income in the range of $50,000 to $70,000 for males,” then the income condition is applied to the dissemination areas and returns those areas with average incomes within that range.  Then the gender condition is applied to the individuals in the selected postal codes.
• To determine whether it was easy to get information about individuals from their names and addresses, this Office performed Internet searches as well as searches on public registries.  To find out whether the information in the selects correctly characterized the individuals in the mailing lists, a series of simulations to understand the accuracy of the selects under worst-case scenarios was performed.
• The results suggested that, with minimal Internet-search skill, it was quite easy to gather some basic information about individuals if their names and addresses were known.  For example, it was easy to access gender and religious origin by using name-gender databases and by looking up names in religion-specific name web sites.  However, there were limitations to what could be ascertained.
• The Assistant Commissioner was aware that only about 25 per cent of White Pages names have a first name that may allow for gender identification, and the organization maintained that it did not use other sources of information to match names to first initials.  For those listings with first names, not all are gender‑specific—for instance, Leslie, Kris, Pat.
• With respect to religion, the level of accuracy may vary widely.  Sheamus O’Leary is highly likely to be a Catholic.  However, some married women take their husband’s surname, which can confuse the issue of religious origin.  The Catholic-sounding Patricia O’Toole may actually have a maiden name of Wong.  Although many individuals with Arabic names are Muslim, some are not.  They could be Lebanese Christians or Egyptian Copts or Syrian Alawis, for instance.
• The variables that are not readily available publicly are income, marital status and whether the individual has children.  Income was focused on as it is the most sensitive variable of these three.  The simulation results suggest that under worst-case assumptions, the accuracy of the income attribute provided by the organization can be quite high.  Two important factors came into play: the variation in the distribution of the data in the geographic area (e.g., if everyone earns an income within a $10,000 range, then the average income will be a good characterization of everyone’s income), and whether the selects covered the centre of the distribution.  The Assistant Commissioner acknowledged that the analysis was limited because the Office did not have access to the raw census data and therefore relied on other public information and simulations.  However, she deemed the simulated scenarios seemed to be plausible for her purposes.
• Because it is relatively easy to gather basic information—gender, ethnicity, religious origin, dwelling type—about individuals who are listed in the White Pages, the Assistant Commissioner concluded that it was difficult to make the case for attribute disclosure.  Some of the aggregate information could also be easily obtained from other public sources, albeit for a fee.  The key pieces of information that are not easy to obtain through public sources are income, marital status and whether the individual has children.
• Under the worst-case scenario, the accuracy of the selects can be quite high, despite the perturbations performed by SC.  Accuracy is not static:  it is largely a function of the amount of variation and of the selects.  If the variation is narrow, then aggregate data will more accurately characterize the population.  If the selects are centred around the mean of the original population distribution, accuracy will also be increased.  However, the more numerous the variables included in the selects, the lower the accuracy will be. 
• In the context of this organization’s data sorting, It is not possible to determine how prevalent the worst-case scenario is, nor how often such a scenario would occur.  However, the Assistant Commissioner believed that it would be reasonable to conclude that the probability of occurrence is greater than zero.
• Nevertheless, the Assistant Commissioner was of the view that the information assembled by the organization and sold to its customers in the form of consumer lists is unlikely to be highly accurate with respect to each individual on the list.  However, it may be generally accurate at the group level, which is sufficient for marketing purposes.  Following are some of the factors that she determined would limit the accuracy of the lists:
  • Names and addresses in telephone directories are not 100% accurate for many reasons.  Some people move to new addresses with different telephone numbers after the directory has been published, and some people die.  Also, not all adults living in a particular household are listed in the directory.
  • SC data represents a snapshot in time, that is, census day once every five years.  Data tends to become less accurate the further removed it becomes from census day.
  • Of all census respondents, 80% of households receive the short questionnaire that contains seven questions on basic topics such as the respondent’s relationship to others in the household, age, sex, marital status and mother tongue.  Only 20% receive the long questionnaire that contains the same seven basic questions plus 52 additional questions on topics such as education, ethnicity, mobility, income and employment.
  • There is a wide disparity between the data of the White Pages and that of SC.  SC collects data from every household and, in theory, from every individual in a dissemination area or neighbourhood.  A respondent list of people in the same dissemination area or neighbourhood would be much smaller as it would exclude people with unlisted telephone numbers, as well as those whose names are not listed in the White Pages, namely, some spouses, children or elderly parents living with their adult children.  Conversely, a respondent list would contain the names of people with listed telephone numbers who had moved into a different dissemination area or neighbourhood since the last census.  The two sets of data can, therefore, be very dissimilar.
  • With respect to income, a dissemination area with an average income of $60,000 could be the result of a large number of residents with incomes around $60,000.  On the other hand, it could be the result of residents having a wide range of incomes from $10,000 to $250,000 that average out to $60,000.  There is nothing in the SC data to indicate which scenario is more likely.  Moreover, it is important to keep in mind that the organization has no way of knowing if the attribute is accurate for any given individual in the neighbourhood. 
• The Assistant Commissioner came to the conclusion that, in practice, the company offers a lot of publicly available information in bulk form.  At its simplest, however, it sells the names, addresses and telephone numbers of people who live in neighbourhoods with certain characteristics.  Any individual person in that area may or may not have some or all of these characteristics.  For example, a consumer list may consist of names, addresses and telephone numbers of people who live in Ottawa neighbourhoods where more than 75% of households own their own homes and the average value of the homes is in excess of $400,000.  Some people on the list might be home owners living in a house worth over $400,000.  Others might be renters occupying a basement apartment, or children with their own telephone numbers, or people renting houses worth less than $400,000.  Others should not even be on the list.
• Nothing changes the fact that the information included in the consumer list is publicly available; it merely has been sorted according to geo-demographic data.  The Assistant Commissioner did not regard the fact that a person lives in a neighbourhood with certain characteristics to be personal information about the individual, as specified in subsection 2(1).  From her perspective, it is information about the neighbourhood, not about the individual. 
• Therefore, the Assistant Commissioner determined that, in compiling its consumer lists, the organization does not change the status of the White Pages information from publicly available personal information to personal information subject to consent requirements.  Consequently, in her view, this publicly available personal information that is exempt from consent when collected remains exempt from such consent when sold by the organization as part of its consumer lists.  Thus, the organization was not in breach of Principle 4.3.
• The complainants contended that a reasonable person would consider the company’s purpose for “creating” and selling its information to be inappropriate; in other words, they did not believe that the company should be making a profit from this enterprise.  While the Assistant Commissioner agreed that the organization does sell personal information, she believed that the company does not create personal information.  Rather, it uses personal information that is publicly available.
• The Assistant Commissioner added that, in making telephone directory information publicly available, Parliament recognized that it could and would be used for commercial marketing purposes.  The Assistant Commissioner was satisfied that the use of such publicly available information by the organization did not violate the reasonable person test as described in subsection 5(3).

OPENNESS

• The organization provided information on its web site regarding the management of customer personal information.  This information was also available to callers and e-mail users upon request.
• However, the web site did not provide information on the company’s policies and practices regarding its handling of the personal information that it sells.  While White Pages information is publicly available, it remains, nevertheless, personal information that must be accounted for under the openness principle.  The Assistant Commissioner therefore determined that the organization did not meet its obligations under Principle 4.8.  

Recommended actions and response by the organization

• In the Assistant Commissioner’s preliminary report, she made the following recommendations relating to the organization’s lack of openness with respect to  its handling of publicly available personal information:
  • That the company revise its web site to add information on its privacy policies and practices related to its management of the personal information that it collects through the White Pages or other publicly available sources; and
  • That the company develop material that informs clients and other interested individuals about its privacy policies and practices regarding the management of personal information collected through the White Pages or other publicly available sources.
• In response, the organization revised its privacy policy so as to include the following explanation of its handling of publicly available information:

  Database Information
  We collect personal information, such as name, phone number and address, from publicly available sources or as otherwise permitted by law.  In addition, we may use statistical models to search the databases.  The models may contain information, such as: average age, average income, median home value, modelled ethnicity, etc.  We do not have any personally identifiable information beyond name, address and phone number.  Our database products are integrated into information products, database marketing services, data processing services and sales and marketing solutions.

• The organization has posted the revised privacy on its web site.  The company has also informed our Office that, in the interest of accuracy, it intends to respond to future requests for further information on a case-by-case basis.
• The Assistant Commissioner considered this to be an adequate response to her recommendations.

The Assistant Commissioner concluded that the consent complaint was not well-founded and that the openness complaint was well-founded and resolved.