Accuracy

May 2013

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties. Over time, findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined.

I. Relevant Statutory Provisions

of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA)

Principle 4.6: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Principle 4.6.1: The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.

Principle 4.6.2: An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.

Principle 4.6.3: Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Principle 4.9.5: When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.

Principle 4.9.6: When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.

II. General Interpretations by the Courts

  1. “PIPEDA does not require that personal information be completely accurate, complete, and up-to-date; rather, it requires that personal information be as accurate, complete, and up-to-date ‘as is necessary for the purposes for which it is to be used.’  Thus, it is the use that the information is put to that dictates the degree of accuracy, completeness, and currency the information must have.” (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
  2. An organization cannot escape responsibility for complying with the Accuracy Principle under PIPEDA merely because the organization has chosen a system that is commercially sensible. “There is no defence of practical necessity set out in PIPEDA.” (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
  3. The suggestion that a breach may be found only if an organization’s accuracy practices fall below industry standards is untenable. “The logical conclusion of this interpretation is that if the practices of an entire industry are counter to the Principles laid out in Schedule I, then there is no breach of PIPEDA. This interpretation would effectively deprive Canadians of the ability to challenge industry standards as violating PIPEDA.”  (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
  4. Efforts to correct an individual’s personal information after the fact will not cure a breach of the Accuracy Principle. Rectification of the breach is not an “escape hatch”, but rather, something that is more properly a factor to consider when determining what remedy, if any, the court should award under s. 16 of PIPEDA. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
  5. An organization’s obligations to assess the accuracy, completeness and currency of personal information used is an ongoing obligation; it is not triggered only once the organization is notified by individuals that their personal information is no longer accurate, complete or current. Responsibility for monitoring and maintaining accurate records cannot be shifted from organizations to individuals. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
  6. In circumstances where it is appropriate for an organization to notify third parties to whom it had previously disclosed inaccurate information, it must also provide the amended information in order to “set the record straight”. (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
  7. In examining the reasonableness of conduct where there has been a breach of the Accuracy Principle (for the purposes of assessing damages under section 16 of PIPEDA), “it is appropriate that the Court be guided by a number of factors including the nature of the response to the complaint, the steps taken to investigate the allegation of inaccuracy, the steps taken to correct the information collected in an organization’s own records, the steps taken to correct false information the organization has provided to others, the steps taken to keep the individual informed of actions taken, and the timeliness of all steps taken.” (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)
  8. “A credit reporting agency makes a profit from trading in the personal information of others.  Such business, perhaps more so than others, ought to be aware of the need for accuracy and prompt correction of inaccurate information.  Such businesses should expect to be held to account when they fail to do so.” (Nammo v. TransUnion of Canada Inc., 2010 FC 1284)

III. Application by the OPC in Different Contexts

Whether an organization can be said to meet its accuracy obligations under PIPEDA will vary depending on the facts of each complaint investigation. The following examples illustrate how the Accuracy Principle has been interpreted and applied by the OPC and some of its findings derived from different contexts.

Right to Amend Inaccurate Information and Notify Third Parties

Date modified: