Interpretation Bulletin: Accuracy

May 2013

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties. Over time, findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined.

I. Relevant Statutory Provisions

of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA)

Principle 4.6: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Principle 4.6.1: The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.

Principle 4.6.2: An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.

Principle 4.6.3: Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Principle 4.9.5: When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.

Principle 4.9.6: When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.

II. General Interpretations by the Courts

1. “PIPEDA does not require that personal information be completely accurate, complete, and up-to-date; rather, it requires that personal information be as accurate, complete, and up-to-date ‘as is necessary for the purposes for which it is to be used.’  Thus, it is the use that the information is put to that dictates the degree of accuracy, completeness, and currency the information must have.” (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
2. An organization cannot escape responsibility for complying with the Accuracy Principle under PIPEDA merely because the organization has chosen a system that is commercially sensible. “There is no defence of practical necessity set out in PIPEDA.” (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
3. The suggestion that a breach may be found only if an organization’s accuracy practices fall below industry standards is untenable. “The logical conclusion of this interpretation is that if the practices of an entire industry are counter to the Principles laid out in Schedule I, then there is no breach of PIPEDA. This interpretation would effectively deprive Canadians of the ability to challenge industry standards as violating PIPEDA.”  (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
4. Efforts to correct an individual’s personal information after the fact will not cure a breach of the Accuracy Principle. Rectification of the breach is not an “escape hatch”, but rather, something that is more properly a factor to consider when determining what remedy, if any, the court should award under s. 16 of PIPEDA. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
5. An organization’s obligations to assess the accuracy, completeness and currency of personal information used is an ongoing obligation; it is not triggered only once the organization is notified by individuals that their personal information is no longer accurate, complete or current. Responsibility for monitoring and maintaining accurate records cannot be shifted from organizations to individuals. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
6. In circumstances where it is appropriate for an organization to notify third parties to whom it had previously disclosed inaccurate information, it must also provide the amended information in order to “set the record straight”. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
7. In examining the reasonableness of conduct where there has been a breach of the Accuracy Principle (for the purposes of assessing damages under section 16 of PIPEDA), “it is appropriate that the Court be guided by a number of factors including the nature of the response to the complaint, the steps taken to investigate the allegation of inaccuracy, the steps taken to correct the information collected in an organization’s own records, the steps taken to correct false information the organization has provided to others, the steps taken to keep the individual informed of actions taken, and the timeliness of all steps taken.” (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
8. “A credit reporting agency makes a profit from trading in the personal information of others.  Such business, perhaps more so than others, ought to be aware of the need for accuracy and prompt correction of inaccurate information.  Such businesses should expect to be held to account when they fail to do so.” (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)

III. Application by the OPC in Different Contexts

Whether an organization can be said to meet its accuracy obligations under PIPEDA will vary depending on the facts of each complaint investigation. The following examples illustrate how the Accuracy Principle has been interpreted and applied by the OPC and some of its findings derived from different contexts.

• Personal information should be complete and up-to-date for the purpose of maintaining an employee's personnel file.
  • PIPEDA Case Summary #2002-73 Telecommunications company asked to adopt consistent retention practices
• PIPEDA requires organizations to have appropriate safeguards in place to ensure that they hold accurate personal information.
  • PIPEDA Case Summary #2006-344 Couple's safety deposit box opened in error
  • PIPEDA Case Summary #2007-381 Bank improves safeguards after individual’s personal information used fraudulently to open credit card account
• An organization was not expected to change or update personal information that was as accurate, complete and up-to-date as necessary for its tax and accounting purposes relative to the complainant’s investments (i.e. the purposes for which it had been collected and used) before presenting it to a court for the court’s purposes.
  • PIPEDA Case Summary #2009-005 Husband’s financial information disclosed to wife’s lawyers by accounting firm improperly complying with Summons to Witness
• An organization was found to have breached the Accuracy Principle by failing to ensure that personal information it disclosed to law enforcement was as accurate as possible.
  • PIPEDA Case Summary #2002-53 Bank accused of providing police with surveillance photos of the wrong person
• By presenting potentially outdated or incomplete information from a severed data source, a credit bureau could increase the possibility that inappropriate information is used to make a credit decision about an individual, contrary to the requirements of Principle 4.6.1.
  • PIPEDA Report of Findings #2011-009 Credit Bureau Purges Loan History from Individual’s Credit Report without his Knowledge
• Inaccurate information about an individual’s credit history can have negative consequences for the individual.
  • PIPEDA Case Summary #2003-224 Bank failed to correct credit rating discrepancy and to provide access to financial records
  • PIPEDA Case Summary #2003-163 Bank fails to maintain up to date, accurate personal information

Right to Amend Inaccurate Information and Notify Third Parties

• An individual must demonstrate the inaccuracy of the information that an organization holds for the organization to be required to amend the information in question.
  • PIPEDA Case Summary #2005-293 Commissioner considers access, correction, and inappropriate disclosure allegations against insurance company
  • PIPEDA Case Summary #2006-359 Bank reported accurate information regarding bounced cheque
  • PIPEDA Case Summary #2002-70 Bank accused of assigning inaccurate credit ratings
• An organization was found to have met its obligations under Principle 4.9.6 when it gave an individual the opportunity to provide a statement regarding a disputed entry, which the organization then recorded and attached to the individual's credit file and transmitted to any third parties having access to the individual's credit information.
  • PIPEDA Case Summary #2002-102 Individual objects to agency's delayed response to request for credit history