Interpretations

Personal Information

As an Ombudsperson, the Commissioner’s primary role is to investigate and try to resolve privacy complaints against organizations. Her findings on a given issue may differ depending on the facts of each case and the position of the parties. Over time, findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from the Commissioner’s findings to date, the OPC has begun issuing Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended only as a guide. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined over time.

The Meaning of “Personal Information”

I. Relevant Statutory Provisions

Section 2(1) of the Personal Information Protection and Electronic Documents Act (2000, c. 5) (PIPEDA) states that “personal information” means “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.”

Section 4(1) provides that PIPEDA applies to every organization in respect of personal information that the organization “collects, uses or discloses in the course of commercial activities” or “is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.”

II. General Interpretations by the Courts

1. Drawing from jurisprudence in the federal public sector, the definition of personal information must be given a broad and expansive interpretation (Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R., dissenting, 403 at para 68; Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157; Canada (Information Commissioner) v. Canada (Commissioner of the Royal Canadian Mounted Police), [2003] 1 S.C.R. 66, 2003 SCC 8, at para 23).
2. Personal information is information “about” an identifiable individual. “About” means that the information is not just the subject of something but also relates to or concerns the subject (Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157).
3. Information will be about an “identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information (Gordon v. Canada (Health), 2008 FC 258 (CanLII).¹ Information need not be recorded for it to constitute personal information. It is sufficient that the information be about an identifiable individual even if the information is not in a recorded form, such as oral conversations, biological samples and real time video surveillance. While the absence of a recording may go to the issue of collection, it does not change the fact that the information is personal information (Morgan v. Alta Flights Inc. (2006) FCA 121, affirming (2005) FC 421).
4. The same information can be personal to more than one individual, where, for example, it contains the views of one individual about another individual, or where the same information reveals something about two identifiable individuals (Wyndowe v. Rousseau, 2008 FCA 39 (CanLII)).
5. Information will still be personal information even if it is publicly available within the meaning of the regulations,² and is exempt from applicable consent requirements (Englander v. TELUS Communications Inc., 2004 FCA 387 (CanLII)).
6. Subjective information about an individual may still be personal information even if it is not necessarily accurate (Lawson v. Accusearch Inc. 2007 FC 125).

III. Applications in Different Contexts

Business and Professional Context

• The name, title, business address and telephone number of an employee of an organization are not protected by PIPEDA, since they are expressly excluded from the definition of personal information contained in the Act. However, an individual’s business email address is personal information under PIPEDA.³
• An individual’s cell phone records from their work cell phone may be the personal information of the individual.⁴
• Information about a company is generally not personal information. However, an individual’s personal information may be so inextricably linked to information about his or her company (e.g. an owner/operator of a small business) that information about that company can constitute personal information about the individual.⁵ Each situation must be assessed on a case-by-case basis.
• PIPEDA does not exclude work product information from the definition of personal information. Information produced for work related purposes, may be personal information. Contextual factors, such as how the information was produced, for what purposes, how it will be used, and industry practices must inform the analysis. In an early finding, the Privacy Commissioner found that physicians’ prescribing patterns constituted their work product information and not their personal information.⁶ Since this finding, the Commissioner’s broad and contextual approach has evolved to conclude that sales statistics of telemarketers⁷ and the number of houses sold by real estate brokers⁸ do constitute personal information, where, among other things, such information could lead to inferences about an individual’s job performance.
• Other personal information in the Business and Professional context include: an individual’s Notice of Assessment (NOA) and Social Insurance Number (SIN);⁹ email addresses¹⁰ and messages; consumer purchases,¹¹ services,¹² and transactions;¹³ customer membership and account information in the context of frequent flyer or consumer loyalty programs;¹⁴ and, customer complaint information.¹⁵

Employment Context

• PIPEDA only applies to personal information of employees of federal works, undertakings or businesses.¹⁶
• An individual’s views or opinions about an employee (e.g. performance appraisals,¹⁷ internal investigation files,¹⁸ medical diagnoses or assessments,¹⁹ or complaints against an employee)²⁰ may constitute the personal information of that employee.
• Other examples of personal information of employees of federal works, undertakings or businesses include: employee number²¹; employee voices;²² swipe cards and video footage or live-feed;²³ salary, benefits and performance ratings;²⁴ and, employee personnel files.²⁵

Health Context

• Keeping background notes about an individual separate from that individual’s medical assessment report does not change the status of the personal information contained in those notes.²⁶
• Background notes taken by a physician in support of an independent medical examination (IME) report to an insurer may contain the personal information of the patient, as well as the personal information of the physician.²⁷
• Personal information that has been de-identified does not qualify as anonymous information if there is a serious possibility of linking the de-identified data back to an identifiable individual.²⁸
• Other examples of personal information in the health context include: information concerning the physical or mental health of an individual, such as: medical diagnoses,²⁹ general medical information,³⁰ clinical notes³¹ and independent medical assessments for insurance-related purposes; ³² as well as entire medical records and/or patient charts in the context of a closing or sale of a health professional’s practice.³³

Financial Context

• Examples of financial information which may constitute personal information of an individual include: bank account numbers, summaries or balances;³⁴ transaction histories;³⁵ debt-related information;³⁶ mortgage applications/renewals, tax returns and net worth;³⁷ credit reports³⁸ and credit scores.³⁹
• The contents of and details about an individual’s safety deposit box is that individual’s personal information.⁴⁰
• Residential property appraisal documents constitute the personal information of the property owner,⁴¹ including the selling/purchase price of an individual’s home.
• A simple reference to an outstanding debt, even without disclosing specific details about the debt, is personal information.⁴²

Technological Context

• Examples of personal information in the technological context include forms of biometric information, such as fingerprints⁴³ and voiceprints.⁴⁴ A voiceprint is personal information even though it may not necessarily tell much about an individual. How much more it reveals about an individual will depend on how the voiceprint is used.⁴⁵
• A photograph of an individual’s home may constitute the personal information of that individual.⁴⁶ Video surveillance that captures an individual’s physical image or movement⁴⁷ may also constitute his or her personal information even if it is not taped,⁴⁸ since the definition of personal information in PIPEDA does not require that the information be recorded.
• Tracking information collected from a Global Positioning System (GPS) placed in company vehicles is personal information since the information can be linked to specific employees driving the vehicles. The employees are identifiable even if they are not identified at all times to all users of the system.⁴⁹
• Information collected through the use of radio frequency identification (RFID) tags to track and locate baggage, retail products, and individual purchases may constitute the personal information of any identifiable individual associated with those items.⁵⁰
• An Internet Protocol (IP) address can be considered personal information if it can be associated with an identifiable individual.⁵¹ For example, in one complaint finding, we determined that some of the IP addresses that an internet service provider (ISP) was collecting were personal information because the ISP had the ability to link the IP addresses to its customers through their subscriber IDs.