Findings under the Privacy Act
Investigation finds no evidence that Canadian Human Rights Commission accessed individual's Internet connection
An individual complained that the Canadian Human Rights Commission (CHRC) improperly collected and then subsequently used her personal information. Specifically, she complained that the CHRC accessed her wireless internet connection to log onto and post messages to a white supremacist website during the course of an investigation.
The purpose of the investigation was to examine whether the CHRC improperly collected, used, disclosed or retained personal information about the complainant during the course of its investigations, in contravention of sections 4 to 8 of the Privacy Act. To that end, numerous on-site interviews with CHRC officials were conducted and evidence was gathered to determine what, if any, personal information was collected and then used by the CHRC, as alleged by the complainant.
In making our determination, we considered sections 3 to 8 of the Act.
Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing, information relating to race, national or ethnic origin, colour, religion, age, marital status, education, medical, criminal or employment history, identifying numbers, fingerprints, blood type, personal opinions, etc.
Section 4 of the Privacy Act provides that personal information collected by a government institution must relate directly to an operating program or activity of the institution.
Section 5 states that personal information shall be collected directly from the individual about whom it relates, unless the individual authorizes otherwise. It also permits collection by other methods in cases where direct collection would result in inaccurate information or defeat the purpose for which the information is collected.
Section 6 of the Privacy Act requires that a government institution retain personal information that has been used for an administrative purpose for such period of time after it has been used as may be prescribed by regulation and that it shall dispose of it in accordance with the retention and disposal schedule approved by the designated minister. Moreover, section 4 of the Privacy Regulations requires that a government institution retain such information for at least two years following the last time it is used.
Section 7(a) of the Act states that personal information shall not, without the consent of the individual to whom it relates, be used by the institution except for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.
Personal information as defined in the Act can only be disclosed with an individual's consent or in accordance with one of the categories of permitted disclosures outlined in section 8(2) of the Act.
The first issue to consider is whether or not the information in question constitutes personal information as defined in section 3 of the Act.
The information that is relevant to this investigation consists of the complainant’s Internet Protocol (IP) address. This Office has previously ruled that an IP address can be considered personal information if it can be associated with an identifiable individual.
In this case, personal information was introduced, as a result of a subpoena issued to an Internet Service Provider, during the course of a Canadian Human Rights Tribunal public hearing. The subject of the subpoena was an IP address allegedly accessed by the CHRC during the course of its investigations. In response to the subpoena, the Internet Service Provider disclosed the name, address and telephone number of the Internet subscriber it associated with that IP address, namely the complainant. It is the view of this Office that the IP address, in this instance, does constitute personal information as defined in section 3 of the Act.
The second issue to consider is whether the CHRC collected the complainant’s personal information and then subsequently used it during the course of its investigations.
The investigation found no evidence that the CHRC ever collected any personal information about the complainant or in fact that the CHRC had any knowledge about the complainant prior to the allegations made in the Canadian Human Rights Tribunal public hearing.
There is no evidence that the CHRC ever collected or improperly used, disclosed or retained the complainant’s personal information.
Technological experts have indicated that, most likely, but without certainty, the association of the complainant’s IP address to the CHRC was simply a mismatch on the part of a third party, which could have occurred in a variety of ways not involving the CHRC.
What is certain is that there is no evidence of the CHRC having ever collected or improperly used, disclosed or retained any personal information about the complainant.
Accordingly, the Assistant Privacy Commissioner has concluded that there is no contravention of sections 4 to 8 of the Privacy Act and has determined that the complaint is not well-founded.
While there is no evidence to support the allegations made in this instance, this Office cautions individuals to take appropriate measures to properly secure their Internet connections to avoid any unauthorized uses of their personal information.