[Back to Table of Contents][Part One][Part Three]

Annual Report to Parliament 2001-2002


Part Two - Report on the Personal Information Protection and Electronic Documents Act

Introduction

A year is not long in the life of a law - not long enough, perhaps, to afford a basis at present for a comprehensive analysis of the application of the Personal Information Protection and Electronic Documents (PIPED) Act. Still, from the 28 investigations we finalized under the PIPED Act in 2001, I was able to draw some fairly solid conclusions on two fronts at least, and I believe it is instructive to share those conclusions at this time. (I will report on the experience with the second year of the PIPED Act in my next Annual Report.)

In particular, there has been considerable progress made in interpreting what is and what is not personal information, and in determining areas in which organizations typically seem to be having problems adapting to the requirements of the Act.

The Definition of Personal Information: Broad but not Infinite

Section 2 of the PIPED Act defines personal information simply as "information about an identifiable individual." That definition is meant to cover a lot of ground, and the first year of the Act served in good measure to clarify what ground it does, and does not, cover.

Several cases have already given rise to disputes over whether the information at issue constituted the complainant's personal information. Notably, some organizations have been quick to claim "ownership" of certain items of information assigned to customers, such as account numbers, identification numbers and credit card numbers. The usual argument is that such information should not be considered personal because it is not collected from customers. Because it is generated internally by the organization itself, it is deemed by corporate convention to be the organization's property.

But the section 2 definition was designed to sidestep such arguments. It doesn't say that personal information has to originate with or be collected from the individual. It doesn't concern itself with who may or may not be said to have proprietary interest in the information. It only says that information is personal if it is "about" an identifiable individual. When it comes right down to it, if an organization has put someone's name on something, it is difficult for the organization to argue that the thing isn't "about" that individual.

The definition is deliberately broad, and in my findings I have tended to interpret it as broadly as possible. Generally speaking, it does not matter who generated the information, or how, or who technically "owns" it, or what the corporate convention may be. If it has been assigned in an individual's name, the chances are that I will accept it as being his or her personal information.

I am inclined to regard information as personal even if there is the smallest potential for it to be about an identifiable individual. A case in point was one in which a broadcaster had attempted - inadvertently, as it turned out - to collect NetBIOS information from the computer of a Web site visitor. Our investigation revealed that, in certain technical circumstances such as the complainant's, NetBIOS information could be used to trace the computer's Internet Protocol address, which in turn could be used to trace Web sites visited by the user or recent passwords to secure accounts. On the basis of the potential for intrusion into the complainant's privacy, I determined that the information at issue was personal information for purposes of the PIPED Act.

But even a deliberately broad definition must have limits. In a much-publicized case, I took the view that section 2 was not so broad as to encompass all information associated with an individual. Specifically, I determined that physicians' prescriptions or prescribing patterns did not constitute personal information about the physicians themselves. An individual prescription, I reasoned, is potentially revealing about a patient, but it is not in any meaningful sense about the prescribing physician as an individual. Rather, it is about the professional process that led to its issuance and should therefore be regarded as a work product - that is, the tangible result of the physician's work activity.

I judged furthermore that extending the definition to include prescriptions and prescribing patterns would not be consistent with the PIPED Act's purpose. Section 3 sets out that purpose in terms of balancing the individual's right of privacy with the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate. I did not think it reasonable to extend the definition to prescriptions, since that would mean extending it also to other work products such as legal opinions or documents written in the course of employment. Nor did I think it reasonable to extend the definition to prescribing patterns, since that would mean extending it also to patterns discoverable in other types of work products and thus would preclude many kinds of legitimate consumer reporting.

Systemic Problems

Privacy code only the beginning

It is the rare organization nowadays that isn't greatly concerned about the privacy rights of individuals - on paper, at least. Most corporate brochures and Web sites proudly proclaim a privacy code, ostensibly in full compliance with corporate obligations under the PIPED Act. What our complaint investigations are showing, however, is that some organizations have been less than thorough about putting their codes into practice.

A privacy code is pointless without comprehensive and detailed policies and procedures, and these in turn are pointless unless they are known and consistently observed and applied. The privacy violations that give rise to complaints are often attributable to problems or defects in an organization's information-handling processes or system as a whole. Such problems are themselves often caused by failure on an organization's part to grasp, or turn its attention to, the practical implications of the PIPED Act's principles. Sometimes, too, the problems derive from unquestioned adherence to traditional practices that may no longer be acceptable under the Act.

The following are a few of the systemic problems that our investigations have been turning up.

Not designating a privacy officer

Principle 4.1 of Schedule 1 to the PIPED Act states that an organization must designate one or more individuals responsible for the organization's compliance with the principles of the Act. In more than one case, we have found that the organization had not yet designated such an individual or did not identify any person as the responsible privacy officer.

Not knowing how to handle access requests and complaints

Most organizations seem to understand that an individual has a right to gain access to his or her personal information (Principle 4.9) and to challenge an organization's compliance (Principle 4.10). However, when it comes down to receiving an actual access request or complaint from an individual, some organizations are still uncertain how to go about processing it. At this point, it is especially important to have specific policies and procedures in place and to follow them thoroughly and consistently.

Keeping information too long or not long enough

Retention is another principle to which some organizations need to pay greater heed in the form of specific guidelines and procedures. Under Principle 4.5.2, a minimum and a maximum retention period should be established for personal information. Information that has been used to make a decision about an individual must be kept long enough to allow the individual access to the information. Under Principle 4.5.3, information no longer required to fulfil identified purposes should be destroyed, erased or made anonymous.

What we have been finding in some cases is that organizations are either destroying personal information too soon - that is, before the individual has a chance to gain access to it - or habitually keeping it for long periods of time, far past any need to do so. In one case, we learned of an organization that was in the habit of keeping the information it collected from unsuccessful credit card applicants for indefinite periods of time and for no particular reason. We even learned of one organization that never destroyed any of the personal information it collected, just because it didn't know it was allowed to.

Not meeting the time limit

As provided in section 8 of the PIPED Act, I have already determined in a number of cases that organizations have in effect refused individuals' access requests by having exceeded the 30-day time limit for response. In most of these cases, however, the failure to meet the time limit was due more to a lack of efficient procedures for processing the requests than to deliberate refusal on the organization's part.

Not limiting collection to what is necessary

Is it appropriate for an organization, such as an Internet company, to insist on having your Social Insurance Number (SIN)? The short answer is no; there are very few private sector organizations that have a legitimate reason for collecting SINs from customers (financial institutions sometimes need to collect them for revenue reporting purposes, for example).

But in one noteworthy complaint last year, collection of SINs was the central issue. In that case, it had been the company's policy for some time to collect SINs as a means of avoiding confusion over similar names among customers. The company had never really considered whether that purpose was a legitimate one, and front-line staff had come to regard the collection as a requirement. In my finding, I determined that the collection was unnecessary and indiscriminate and that it was clearly wrong of the company to require applicants to provide their SINs as a condition of service.

This was not the only case where an organization collected more information than it really needed to fulfil legitimate purposes. Under the PIPED Act, organizations must take pains to ensure not only that their purposes for collecting personal information are legitimate and reasonable ones, but also that both the amount and type of information collected are necessary to fulfil those purposes. Reviewing longstanding and long-unquestioned collection policies and practices is the best way for an organization to start complying with Principle 4.4, limiting collection.

[Graph: Complaints by Sector]

Not identifying purpose for which information collected

Persons from whom organizations demand information have a right to know why. It is therefore not enough that purposes be legitimate. They must also be identified.

Under Principle 4.2, an organization must identify the purposes for which it collects information. Under Principle 4.2.1, the purposes must be documented. Under Principle 4.2.3, the organization should specify the purposes to the individual at or before the time of collection. And under Principle 4.2.5, it is incumbent on the organization to make sure that employees who do the collecting can explain the purposes to individuals who question the practice.

Several complaints so far have brought to light violations of one or more of these principles. Again, in some cases the cause has been a slowness to understand that standard ways of doing things in the past are not necessarily acceptable now that the PIPED Act is with us.

Not instituting proper safeguards

In one case last year, I found that an organization's reliance on a credit cardholder's telephone number or year of birth was not adequate to prevent unauthorized access to the individual's personal information. In another case, involving loss of documents, I found that an organization had not taken proper measures to protect personal information during a transfer of files to another building. In yet another, I found that a company was not exercising appropriate operational controls in a workplace to keep employees' pay statements confidential.

In these and other cases involving actual or potential breaches of information security, the central issue was the adequacy of the safeguards instituted by certain organizations. Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Depending on the nature of the information, safeguards may take many forms, ranging from physical measures such as locked filing cabinets, to organizational measures such as security clearances, to technological measures such as the use of passwords and encryption.

The obligation to protect personal information once it has been collected is obviously one that some organizations need to start taking more seriously.

Not recognizing that employees have privacy rights too

There is considerable evidence that some organizations that are federal works, undertakings or businesses, upon reading that the PIPED Act applies to the collection, use and disclosure of personal information, have jumped to the conclusion that it refers only to information about their customers. It appears not to have occurred to such organizations that, in the everyday course of business administration, they also handle a great deal of personal information about the individuals who work for them.

As a result, some organizations have been taken off guard by certain well-founded complaints against them under the PIPED Act - complaints filed by their own employees, past or present. In good part, the violations at issue in such complaints originate in an organization's neglect to take its staff into account in developing privacy policies and procedures.

Positive Responses to my Recommendations

Despite the foregoing, I find it encouraging that, once systemic problems have been pointed out to them, organizations by and large have been quick to accept and implement the remedies that I have recommended.

Overall, I am pleased with the progress of the PIPED Act so far, and with the efforts that organizations are making to bring themselves into compliance with it.

Definitions of Findings under the PIPED Act

Not well-founded: This means that there is no evidence to lead the Privacy Commissioner to conclude that the organization violated the Personal Information Protection and Electronic Documents (PIPED) Act.

Well-founded: This means that the investigation revealed that the organization failed to respect a provision of the PIPED Act.

Resolved: This means that the organization has taken corrective action to remedy the situation, or that the complainant is satisfied with the results of the inquiries made by the Office of the Privacy Commissioner of Canada.

Discontinued: This category applies to investigations that are terminated before all the allegations have been fully investigated. A case may be discontinued for any number of reasons, for example, when the complainant is no longer interested in pursuing the matter.

Privacy Practices and Reviews

The Personal Information Protection and Electronic Documents (PIPED) Act allows me to audit the compliance of private organizations if I have "reasonable grounds to believe" that the organizations are contravening a provision of the Act or are not following a recommendation set out in Schedule 1.

The Privacy Practices and Reviews Branch of my Office will conduct compliance reviews and audits under section 18 of the PIPED Act, following accepted standard audit objectives and criteria. As I mentioned in my previous Annual Report to Parliament, I have not yet initiated any such audit because no matter has been brought to my attention that meets the reasonable grounds test.

In the Courts

Under section 14 of the Personal Information Protection and Electronic Documents (PIPED) Act, an individual complainant has a right, following my investigation, to apply to the Federal Court of Canada for a hearing in respect of any matter on which the complaint was made or that is referred to in the Commissioner's report. These matters must be among those in the Schedule clauses and sections of the Act listed in section 14. I may also apply to the Court in respect of any complaint I have initiated. From the time the Act came into force on January 1, 2001, five applications have been filed in the Federal Court.

Section 15 of the PIPED Act allows me to apply to appear in Federal Court. I may, with the consent of the complainant, apply directly to the Court for a hearing in respect of any matter covered by section 14; appear before the Court on behalf of any complainant who has applied under section 14; or, with the leave of the Court, appear as a party to any section 14 hearing.

The following is not an exhaustive list of applications in the courts but a listing of matters of particular interest.

Mathew Englander v. Telus Communications Inc.

This is the first application to be filed in the Federal Court under section 14 of the PIPED Act. Mr. Englander argues that Telus uses and discloses customers' names, addresses and telephone numbers in its white pages directories and otherwise, without customers' knowledge and consent, and inappropriately charges customers for choosing to have their telephone number "non-published." He claims that these actions by Telus contravene subsections 5(1) and (3) of the Act, as well as several clauses of Schedule 1 of the Act.

Status

A hearing date has not been set.

Ronald G. Maheu v. IMS Health Canada and the Privacy Commissioner of Canada

Ronald Maheu applied for a hearing in the Federal Court of Canada, arguing that IMS Health Canada improperly discloses personal information by selling data on physicians' prescribing patterns without their consent.

Status

In his application, Mr. Maheu had asked the Court to review my "decision" in this case. I filed a motion objecting to the manner in which Mr. Maheu had framed his application, arguing that under the PIPED Act it is the responsibility of the organization concerned (here, IMS), and not the Privacy Commissioner, to justify why it should not have to modify its practices to comply with the Act. On February 12, 2002 the Federal Court ordered Mr. Maheu to file an amended Notice of Application removing allegations and requested orders against my Office, and ordered that his application be directed solely against IMS Health Canada. I was also granted leave under section 15(c) of the Act to appear as a party respondent in support of my finding in this proceeding. On May 14, 2002, in response to a motion brought by IMS, the Federal Court ordered Mr. Maheu to post security for costs. Mr. Maheu has successfully appealed this order.

Communications and Public Education

The PIPED Act has given me and my Office a greater responsibility, an expanded role and a strengthened legislative mandate to educate Canadians and organizations about issues surrounding personal privacy.

To meet these new responsibilities and in preparation for the communications activities ahead, my Office's communications capabilities were expanded. Since then, we have been proactively involved in a variety of activities to raise public awareness and understanding of issues that could potentially threaten Canadians' privacy, to inform Canadians of their legislated privacy protections and to remind private sector organizations of their responsibilities under the new legislation.

In view of my mandated responsibilities under section 24 of the Act, I am gratified by the increased awareness of privacy rights and privacy issues that these activities appear to be generating.

Speaking engagements

Conferences and other special events, in Canada and around the world, have provided me with a unique opportunity to meet Canadians and to raise awareness of privacy issues among diverse audiences and settings - professional and industry associations, non-profit and advocacy groups, universities and public events.

From January 1, 2001 to March 31, 2002, I gave a total of 55 speeches; another 35 were delivered by other senior staff of this Office. At these events, I spoke out about issues such as workplace privacy, genetic privacy, the application of the PIPED Act and its implications for businesses, the Government On-Line initiative, my grave concerns regarding video surveillance by public authorities in public places, and the need to balance privacy rights with security objectives following the terrorist attacks in the United States.

At international conferences, I had the opportunity to share my perspective on the Canadian experience with officials and privacy advocates from other countries.

Media relations

The media's appetite for news relating to privacy has continued to increase steadily. Our analysis of news coverage indicates a growing interest in the issues and in awareness of this Office. The number of calls from journalists, which currently averages approximately 100 per month, continues to increase. From January 1, 2001 to March 31, 2002, I granted more than 270 interviews to reporters.

In addition to responding to the demand for more information and comment about personal privacy and Canadians' rights under federal privacy laws, my Office has taken a number of steps to raise awareness of various issues through the media. During this period, we disseminated more than 25 news releases and media advisories, participated in a number of editorial board meetings of daily newspapers across the country, contributed articles and other information to several publications, and provided media relations support for conferences, public meetings and other special events.

Public education materials

In 2001, my Office produced two guides in anticipation of a demand from Canadians and businesses for more information about the PIPED Act. Our Citizens' Guide tells Canadians about their rights under the new law. The Business Guide informs organizations of their responsibilities under the law, so they can learn how to comply with it.

The Office receives requests for these guides on a daily basis and the demand is increasing. Not only are these materials sent to individuals upon request, they are also distributed at conferences and accessed in electronic format by visitors to our Web site. During this period, more than 24,000 of the guides were distributed.

In addition to the Citizens' Guide and the Business Guide, this Office has produced and distributed other educational and promotional materials, including bookmarks, posters, fact sheets, annual reports and copies of both federal privacy laws.

Plans are currently underway to identify other suitable locations where the guides and the other information could be offered to Canadians.

Advertising

Advertising is another important tool my Office has used to raise public awareness and understanding of privacy issues.

In 2001, we placed advertisements in daily and community newspapers. The ads provided information on the new legislation and its application to federally regulated businesses.

In 2002, we initiated another national advertising campaign. Radio spots were produced in English and French, and were aired on the top stations in every market across the country. These radio ads emphasized Canadians' rights under the new law and my Office's role in helping to protect those rights.

Both advertising campaigns reached millions of Canadians and resulted in nearly doubling the number of inquiries to this Office.

Public inquiries

The Communications and Policy Branch also responds to thousands of inquiries from the general public who contact my Office for advice and assistance on all sorts of privacy-related matters.

Web site

In the spirit of openness and transparency, every effort is made to ensure that new and useful information is posted on my Office's Web site on an ongoing basis and in a timely manner. New elements such as speeches, news releases, fact sheets, selected reports and case summaries are always being added to keep the site current and interesting.

Over the past year, because organizations wanted a better understanding of how the PIPED Act was being applied, a new section entitled "Commissioner's Findings" was added to the site. Here, summaries of my findings are posted in an effort to provide guidance to businesses and the legal community.

In 2001, the Web site was redesigned, and the number of visits to the Web site has increased steadily, with a surge that resulted in almost double the visitors after October 2001. Over the period, the site averaged approximately 16,000 visits per month.

Communications Activities
January 1, 2001 to March 31, 2002

Activity                                                   Number
---------------------------------------------------------  ------
Speeches delivered by Privacy Commissioner                     55
Speeches delivered by senior staff                             35
News releases                                                  25
Media interviews                                              270
Distribution of materials                                  34,036
    Business Guides                                        14,170
    Citizens' Guides                                       10,666
    Other (Annual Reports, bookmarks, fact sheets, Acts, etc.)  9,200
Average number of visits to Web site per month             16,079

Inquiries by type under Privacy Act
April 1, 2001 to March 31, 2002

Subject                                            Number
-------------------------------------------------  ------
Adoption/genealogy                                     35
Access to personal information *                      504
Census                                                297
Collection, use and disclosure *                      224
Consent issues *                                       25
Corrections *                                          18
Criminal records, pardons                             203
E-311 Travel Declaration Form **                       26
Firearms                                               76
Law enforcement *                                      60
Medical records **                                     98
No jurisdiction (federal)                             983
Office of the Privacy Commissioner of Canada *        111
Personal health information *                          49
Privacy Act, interpretation and process             6,988
Publication requests                                  189
Redirect - external                                 3,240
Social Insurance Numbers                              410
Video surveillance *                                   50
Workplace surveillance *                               13
Calls from Members of Parliament                       31
Other                                                 642
Total                                              14,272

* These categories were compiled from January to March 2002 only.
** These categories were compiled from April to December 2001 only.


Inquiries by type under the PIPED Act
January 1, 2001 to December 31, 2001

Subject                                            Number
-------------------------------------------------  ------
Criminal records                                       31
Drug testing                                            3
Encryption                                              7
Financial institutions                              1,609
Identity theft                                         38
Information request                                 2,744
Interception/monitoring                               154
PIPED Act, interpretation and process               2,151
Jurisdiction                                        2,103
Marketing                                             462
Medical records                                       144
Publication requests                                  679
Social Insurance Number                             1,902
Telecommunications                                    827
Transportation                                        152
Calls from Members of Parliament                        7
Other                                                 388
Total                                              13,401
