The Privacy Commissioner of Canada’s Position at the Conclusion of the Hearings on the Statutory Review of PIPEDA
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
«Work Product» Information
The Privacy Commissioner of Canada appeared before the Standing Committee on Access to Information, Privacy and Ethics (“Standing Committee”) in November 2006Footnote 1 to address possible changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). At that time, the Commissioner recommended against excluding “work product” information from the definition of personal information in PIPEDA. Excluding work product would mean that the privacy protections of PIPEDA would not apply to such information.
The Office of the Privacy Commissioner (OPC) addressed the “work product” issue in a discussion paper it released earlier in 2006, and the Office received several submissions from individuals and organizations in response. A summary of the submissions was provided to the Standing Committee.Footnote 2 The summary identified conflicting views on the merits of excluding work product information from the definition of personal information.
The Standing Committee asked the OPC to investigate the work product question further. The OPC has done so, and concludes again that work product should not be exempted from the definition of personal information in PIPEDA. The OPC took this position for two main reasons:
- The exemption is not needed, and it would be inconsistent with the balanced approach in the current definition of personal information. The current definition of personal information and the approach to deciding issues based on that definition have worked well. They have promoted a level of privacy protection that balances the right of privacy in personal information with the needs of organizations for the reasonable and appropriate collection, use and disclosure of personal information. In PIPEDA’s five years of operation, the current approach to work product has produced no problem of any significance.
- Because the concept of “work product” is ambiguous, excluding it from the definition of personal information could have unpredictable consequences that would diminish privacy unnecessarily.
The OPC therefore concludes that it would be imprudent to introduce an exemption, particularly without first seeking comments from the many sectors that might be affected by the exemption.
Section 1: A “Work Product” Exemption is Unnecessary and Inconsistent with the Balanced Approach in the Current Definition of “Personal Information”
a) The Current Definition is Based on Known Canadian and International Precedent and Consensus
PIPEDA defines the information it protects to be information “about an identifiable individual.” This definition was selected because it had a known and stable history in Canadian law and jurisprudence. It also paralleled definitions in other jurisdictions, particularly those in Europe, that were also addressing private sector privacy protection in a rapidly developing technological environment. A key goal in drafting the definition of personal information in PIPEDA was to ensure that Canadian law was harmonized with European law. This would prevent impediments to trade based on differing data protection schemes.
The definition of personal information in PIPEDA is intentionally broad, and it demonstrates a commitment to protecting individual privacy rights in all contexts. The introduction of a work product exemption would mean that Canada would be taking a position different from that taken in other jurisdictions, particularly those in Europe.
The OPC has not investigated whether a change in PIPEDA’s definition of personal information would affect the perception that PIPEDA is sufficiently harmonized with European law. However, it is worth noting that, during a recent review of the EU Data Protection Directive, the European Commission was asked to add a “work product” exemption to the Directive’s definition of personal information.Footnote 3 In general, the European Commission advised against modifying the Directive. Moreover, its report did not identify the definition of personal information as a concern. The report appears to have ignored the proposal to exempt work product from the definition of personal information.Footnote 4
b) The Current Definition Serves PIPEDA’s Purposes Well
PIPEDA is designed to balance individual privacy rights with the reasonable needs of organizations to collect, use and disclose personal information. Achieving this balance in legislation was a significant achievement, given the range of stakeholders. The current definition of personal information has served PIPEDA’s purposes well. In the first five years of PIPEDA’s operation, very few cases have raised the definition’s scope as a problem. This seems to indicate that Parliament struck a good balance in its initial definition of personal information.
c) The Current Definition Has Enabled the OPC to Develop a Fine-Tuned and Balanced Approach in its Decision-Making
The few cases that have considered the scope of “personal information” have also provided opportunities to consider what information is protected by PIPEDA and, more specifically, when it is appropriate to claim that information is not about an identifiable individual and therefore not protected by PIPEDA. A review of these findings shows that the OPC has developed a balanced approach that enables decision-making to be tailored to the context.
The first OPC finding that limited the scope of the definition of personal information, and the only finding to use the term “work product,” concluded that a medical prescription was not the personal information of a physician.Footnote 5 The argument in that case was that the prescription was a tangible result of the physician’s work activity and therefore not personal information. However, in subsequent findings the OPC’s approach has evolved and is no longer limited by the rigid distinction between personal information produced in a work or business context and other types of personal information. Consequently, the OPC has been able to take into account not only the narrow context of information production but also the broader and more important context of its collection, use and disclosure.
For example, the Commissioner concluded that a telemarketer’s sales results could be made known to other members of the telemarketing team. In an incentive-based sales environment, a telemarketer’s consent to this industry practice is implied by his or her participation in the sales environment.Footnote 6 The decision made it clear, however, that sales records were still personal information and that PIPEDA would not tolerate “indiscriminate, ill-defined, unnecessary, inconsistent, or otherwise unreasonable” uses of the information. This point is further elaborated in a second sales records case, this time involving the sales records of real estate agents.Footnote 7 The Commissioner again concluded that sales records were personal information and that they could be used only for purposes reasonably contemplated by participants in the system in which the information was entered. These purposes did not include extraction by third parties of personal information for comparative and advertising purposes.
In both cases, the fact that information about an identifiable individual was generated in a work or business context did not alone determine the outcome. Rather, the reasonableness of the collection, use and disclosure of personal information was assessed in light of relevant contextual elements, including the needs of the organization and applicable industry standards.
This approach could be called a “total context approach” to reviewing the privacy implications of specific information practices.Footnote 8 The significant feature of this approach is that it is based on how information is used (“total context”), and not where it is produced (a “work product” approach). The OPC retains jurisdiction to oversee information practices in general without needing to exclude certain types of information entirely from privacy protection. The chief virtue of the current approach is that it enables the OPC to investigate the privacy implications of specific information practices case by case, and to provide guidance accordingly.
In developing a total context approach, the OPC has been mindful both of privacy rights and the needs of organizations to remain competitive. Remaining competitive sometimes requires collecting and using employee personal information. In balancing competitive interests and privacy rights, the OPC considers several issues: whether the collection and use of employee personal information is necessary to meet a specific need and whether it is likely to meet that need, whether the loss of privacy is proportional to the benefit gained and whether there is a less privacy-invasive way of achieving the same end.Footnote 9 This approach enables organizations to implement technical means to remain competitive while ensuring that employee privacy rights are recognized and appropriately protected.
One significant benefit of the total context approach has been to enable the OPC to retain oversight of employer surveillance activities at a time when concerns are being raised about the erosion employee privacy rights. The OPC’s total context approach also means that the OPC has retained jurisdiction to assess the introduction of new technologies that could be highly intrusive if not used in a controlled way – for example, biometrics, global positioning systems and radio frequency identification.
In sum, the OPC has achieved a delicate balancing of powers and rights, consistent with the balance attained in PIPEDA itself. The introduction of a work product exemption to the definition of personal information would upset that balance.
d) There is no General Policy Problem for Which the Exemption Would be Solution
Some organizations have an interest in the commercial value of work product information. They may want to sell that information. However, it is inadvisable to respond to such commercial interests at the potential expense of private sector privacy rights. This is particularly so where the change could have a significant impact on a policy issue – the handling of work product – that is strongly contested in Canada and elsewhere.
Rules vary in Canada about whether information identifiying those who issue drug prescriptions (“prescribers”) can be disclosed for commercial purposes.Footnote 10 Introducing a work product exemption in PIPEDA may directly affect access to information identifying prescribers in some jurisdictions, or it may indirectly send a message that supports access.
In B.C. the disclosure of information identifying prescribers for commercial purposes is prohibited.Footnote 11 The Alberta Information and Privacy Commissioner also found this practice to be contrary to Alberta’s Health Information Act.Footnote 12 The Alberta Commissioner’s order was appealed and is currently stayed pending judicial review. Other Canadian jurisdictions also place constraints on access to and use of information identifying prescribers. Quebec’s private-sector privacy legislation imposes restrictions on the disclosure of information about professionals. These restrictions include the need to obtain the authorization of the Quebec Commissioner (after consultation with the relevant regulatory body), knowledge by the professional of the purpose of the collection and the ability of the professional to refuse to allow his or her information to be used for the disclosed purposes.Footnote 13
As this Standing Committee has heard, physician organizations are highly critical of the disclosure of information identifying prescribers. For example, the Canadian Medical Association’s policy insists that, generally, the knowledge and consent of the physician should be required before identifying prescription information is sold.Footnote 14 In its brief to this Committee, the Association reiterated its position and sought to ensure that physician prescribing information is included in PIPEDA’s definition of personal information, and that it not lose the protection of the Act by being defined as “work product.”Footnote 15 One key concern raised by the practice of selling physician prescription information is the potential for undue influence on physician prescribing practices by pharmaceutical companies.Footnote 16
Work product is also a contentious issue in other jurisdictions. As noted above, the European Commission was asked to introduce a work product exemption but did not. Access to information identifying prescribers has recently been an issue in the United States, the United Kingdom and Australia.
In the United States, the sale of information identifying prescribers is a growing concern. The American Medical Association has been criticized for disclosure of physician information, and a lawFootnote 17 has been introduced in New Hampshire to prevent the sale of information identifying prescribersFootnote 18 (this law is currently being challenged on constitutional grounds). Similar laws are being contemplated in other states.Footnote 19
In the United Kingdom, information identifying prescribers cannot be sold. However, one company used access to information legislation to attempt to obtain the records of prescribers. The request was successful in Scotland but unsuccessful in England, and it resulted in the British Medical Association demanding a review of public access to information legislation.Footnote 20
In Australia, access to information identifying prescribers is not permitted. Moreover, the Australian Medical Association has raised concerns even about the release of de-identified patient prescription information for commercial purposes.Footnote 21
This Committee’s review of PIPEDA is not the appropriate policy forum for deciding whether or not prescriber information or de-identified patient information should be sold for commercial purposes or used by pharmaceutical companies. Complex policy issues are involved that require a fuller consideration than this Committee can reasonably be expected to undertake during the current review of PIPEDA. At the very least, determining whether to change the established definition of personal information – the lynchpin of PIPEDA – requires the input of experts, bodies responsible for health and drug expenditures, and employee and public interest groups.
Section 2: The Concept of “Work Product” is Ambiguous
a) Ambiguity: Little Precedent in the Private Sector Privacy Context
As noted, PIPEDA, like other privacy legislation, contains a definition of personal information that is intentionally broad and that has considerable precedent in Canada and in other jurisdictions to guide its interpretation. Information that is “about” an identifiable individual is protected, whether or not the information was authored or created by the individual in the context of work.
In contrast, “work product” is not a well understood or well defined concept in the private sector privacy context, and has little precedent to guide its interpretation. It seems that only British Columbia has formally introduced the “work product” exemption – in this case, in its Personal Information Protection Act (PIPA).Footnote 22 The scope of this exemption has yet to be tested. However, that scope is potentially great and could remove privacy protection from a significant amount of information, no matter how the information was being collected, used or disclosed.
B.C.’s exemption applies to “information prepared or collected by an individual or group of individuals as a part of the individual’s or group’s responsibilities or activities related to the individual’s or group’s employment or business.” This definition applies to information collected or prepared by employees in the course of employment. It also extends to information collected or prepared by anyone in the course of business, which could include professionals, entrepreneurs, independent contractors and business owners. The B.C. law does not define “business,” and as a result the precise scope of the exemption is difficult to ascertain.
The one orderFootnote 23 in B.C. that has considered the work product exemption demonstrates a lack of certainty about the meaning of the exemption. It also shows some uncertainty by the B.C. Commissioner about whether his own interpretation of the term is correct:
These and other documents indicate that these discussions did not have to do with the organization’s business or possible new business products of the organization. Nor is the information merely about business ideas of the complainants and others. It is information they prepared or collected as part of their responsibilities or activities related to a business of theirs. In the circumstances of this case, even if this information could be said to be “about an identifiable individual”, I am satisfied that it is excluded from the definition of “personal information”.
PIPA’s definition of “work product information” is not, I note, restricted to information prepared or collected as a part of responsibilities or activities related to an individual’s employment or business relationship with the organization in question. [?]
In the event that my interpretation of “work product information” is wrong, I will also analyze PIPA’s application to the information about business activities of the complainants and others on the assumption, for discussion purposes, that it is their personal information. Footnote 24
The fact that the B.C. Commissioner has difficulty determining the interpretation of work product information contained in the B.C. PIPA suggests that the meaning of the B.C. work product exemption is ambiguous, and that it will take some time before the scope of this exemption is settled. It also demonstrates the difficulty of assessing or foreseeing the full consequences of creating a work product exemption in the definition of personal information.
The B.C. legislation also demonstrates that if a work product exemption is included in the definition of personal information, other sections must also be amended. For example, the B.C. PIPA makes special provisions for employee and volunteer personal information, which continue to be included in the definition of personal information. However, the information that continues to be considered personal information is restricted to information required to establish, manage and terminate the relationship. Whether this provision will be sufficient to enable oversight of surveillance or monitoring in the workplace remains to be seen.
Noticeably absent from the B.C. PIPA is any similar protection for those who may be engaged in providing professional or contract services to an organization. Does this mean that any personal information that is collected, used or disclosed for the purposes of establishing, managing or terminating such relationships is given no privacy protection? In this way, the B.C. PIPA may, however unintentionally, give greater rights to organizations to intrude when dealing with the personal information of professionals and contractors than would be the case with employees.
Finally, as noted above, the disclosure of information identifying physicians, which is a focal point of the discussion of work product, is prohibited in B.C.. As a result, the work product exemption in the B.C. PIPA would have no direct impact on the collection of information identifying prescribers.
b) Public Sector Precedent is Irrelevant for the Private Sector
Although the term “work product” is used in the public sector context, the precedent has no relevance for the discussion of work product and privacy in the private sector. In the public sector, “work product” information can be released under a general access to government information request, but government employee (personal) information cannot. This rationale is not relevant for the discussion of work product under PIPEDA. Unlike public sector access to information legislation, there is no general right of access by the public to information held by private sector organizations. Consequently, there is no need to distinguish between information that must be released as “work product” and information that need not be released because it engages a privacy interest of an employee. Under PIPEDA, it is not the value of access that competes with the value of privacy. Rather, the interest competing with privacy is organizational needs.Footnote 25 This accords with the stated purposes of PIPEDA, and it provides the flexibility to take organizational needs and privacy interests into account on a case-by-case basis.
In any event, the privacy protections governing public sector access to information and privacy protection regimes typically contain fairly extensive provisions to help determine which information counts as releasable work product information, and which information does not.Footnote 26 This shows that in the public sector, legislatures have found it necessary to go into some detail to distinguish between two types of employee information. Even so, courts and commissioners have been forced to decide the parameters of these legislative provisions.Footnote 27
Unfortunately, the different contexts for discussing “work product” in the public and private sectors is often overlooked, along with the different approaches to interpretation taken in the two sectors. At times, the reasoning of the jurisprudence developed in the public sector is represented as if should apply automatically in the private sector. This is clearly not the case. However, such reasoning leads to further confusion about the implications of placing a work product exemption in PIPEDA.
c) Destabilization and Unintended Consequences in Other Areas of Law
Although the proposed work product exemption is not intended to establish rights and obligations beyond the privacy context, inevitably it will have an impact beyond privacy.
The respective rights of ownership and control of information produced in a work environment are complex, but generally settled. The insertion of a work product exemption in privacy legislation could influence this established order. This is particularly so because, as one author has observed, in Canada’s move from a manufacturing-based economy to one of high technology there has been a corresponding shift in the types of assets companies list in balance sheets.Footnote 28 At one time it was 80 per cent real property and 20 per cent intellectual property. Now it is more likely to be the converse. Intellectual property generated in the work context is growing in relative value and is increasingly likely to be the subject of legal contests concerning rights, ownership and control.
While it is clear that employees cannot generally claim copyright in the work they produce for employers this is certainly not the case for independent contractors or for professionals.Footnote 29 Industrial designsFootnote 30 and patentsFootnote 31 are another fairly settled area of intellectual property law.
Inserting a work product exemption that applies to all manner of information prepared or collected in a work context, including work produced by employees, independent contractors, freelancers, professionals and large and small business, could have the unintended consequence of altering or destabilizing the current rights of ownership and control in these settled areas of law.
In addition, currently contested areas of law, particularly those concerned with rights and obligations in “intellectual capital” – experience and knowledge obtained while working including trade-secrets, proprietary and confidential information and less tangible things such as memorized client lists – may be influenced by an exemption that appears to give greater control of work product to an employer or the organization receiving it. Similarly, an exemption might affect the approach to copyright and ownership of materials produced by professors – important rights that are bargained for and staunchly defended.Footnote 32
Although “work product” has no clear or settled meaning in the private sector privacy context, it does have distinct meanings in other contexts. Including a “work product” exemption in PIPEDA might generate confusion. For example, “work product” has been used quite extensively in the solicitor-client context.Footnote 33 However, here the term has not been used to deny solicitors an ongoing privacy interest in the information they produce. On the contrary, “work product” identifies work produced by a lawyer that is subject to a claim of privilege. “Work product” has also been used elsewhere to denote enhanced privacy or confidentiality protection in information produced in a work environment – for example, in the notes of journalistsFootnote 34 and in the analysis of an accounting firm.Footnote 35
Personal information that is subject to privacy protection under legislation is far more likely to be considered information in which a reasonable expectation of privacy also exists. A reasonable expectation of privacy in personal information has direct implications for the type of access law enforcement, regulatory agencies and private entities can have to the information. If a reasonable expectation of privacy exists in the information then access to it can only be obtained after some kind of legal process, which is often the requirement of judicial authorization.Footnote 36 Undoubtedly, removing “work product” information from PIPEDA’s protection will suggest that there is no, or minimal, expectation of privacy in the information.
To summarize: Exempting work product from the definition of personal information will destabilize settled areas of law, potentially take a position that may inadvertently tip the balance in favour of one side in policy areas that are in dispute, and remove protections from information.
This discussion shows that there is anything but a clear understanding of what “work product” means or what the consequences of inserting an exemption into PIPEDA might be. The discussion also suggests that any exemption must be carefully crafted, and that other sections of PIPEDA may need to be amended or augmented to avoid difficulties in integrating this exemption into the existing privacy regime.
Perhaps most important, it is imperative to identify precisely what problem the exemption is needed to solve. The current definition of personal information has served PIPEDA well and has not created any significant difficulties. Consequently, it is not clear that there is a problem to be solved. The current definition has not been an impediment to the numerous organizations that have crafted privacy policies and practices on the basis of it (and who would need to amend those policies if PIPEDA exempts work product).
The current definition has enabled the OPC to take a total context approach to the privacy protection accorded by PIPEDA, unhindered by an artificial distinction based on the working environment in which the information is prepared or collected. If an individual is identifiable, the information continues to be “about” that individual and is consequently subject to PIPEDA and the oversight of the OPC. In practice, this has not meant that organizations cannot use employee personal information or the personal information of others. However, there are limits to this use, and these limits have been carefully crafted to take into account the legitimate needs of organizations and the privacy rights of individuals.
The Commissioner has already expressed concern that a work product exemption could give employers a licence to increase surveillance of employees because the activity in question would no longer be subject to privacy protection. It seems reasonable to project that an unintended consequence of inserting an untried and ambiguous work product exemption would be to undermine employee privacy rights. Similar concerns are also raised in connection with those who perform work but who are not considered employees.
The respective rights and obligations of employers and employees have been significant sources of complaints and concern for the OPC, and any changes that would signal support for the erosion of the privacy rights of employees should be avoided.
There are many reasons for retaining the present definition of personal information, and few for changing it to exclude work product information. A delicate balance and consensus has been achieved in the current regime for securing privacy rights in personal information. It would be imprudent to introduce a work product exemption without significantly greater consultations with and representations from the range of stakeholders whose rights or interests could be adversely affected.
- Date modified: