Publicly Available Information
One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties. Over time, findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.
In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined.
I. Relevant Statutory Provisions
Principle 4.3 of PIPEDA states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Section 7(1)(d) of PIPEDA states that for the purpose of clause 4.3 of Schedule 1, an organization may collect personal information without the knowledge or consent of the individual if the personal information is publicly available and is specified by the regulations.
Section 7(2)(c.1) of PIPEDA states that for the purpose of clause 4.3 of Schedule 1, an organization may use personal information without the knowledge or consent of the individual if the personal information is publicly available and is specified by the regulations.
Section 7(3)(h.1) of PIPEDA states that for the purpose of clause 4.3 of Schedule 1, an organization may disclose personal information without the knowledge or consent of the individual if the personal information is publicly available and is specified by the regulations.
Section 1 of the Regulations state that the following information and classes of information are specified for the purposes of paragraphs 7(1)(d), (2)(c.1) and (3)(h.1) of the Personal Information Protection and Electronic Documents Act:
- personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory;
- personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relates directly to the purpose for which the information appears in the directory, listing or notice;
- personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relates directly to the purpose for which the information appears in the registry;
- personal information that appears in a record or document of a judicial or quasi-judicial body, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document; and
- personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.
II. General Interpretations by the Courts
- “It goes without saying that by appearing in public, an individual does not automatically forfeit his or her interest in retaining control over the personal information which is thereby exposed” (Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401, 2013 SCC 62 at para. 27).
- Personal information must be both publicly available and specified by the Regulation to exempt an organization from the requirement to obtain consent (Turner v. Telus Communications Inc. 2005 FC 1601).
- Even if voice characteristics or “voiceprints” collected by voice recognition technology could be said to be publicly available, this form of personal information is not specified by the Regulation. Therefore, the Regulation does not exempt an organization from the requirement to obtain consent to collect such information. (Turner v. Telus Communications Inc. 2005 FC 1601).
- For the Regulation to apply, personal information must be collected from a publicly available source (Citi Cards Canada Inc. V. Pleasance 2010 ONSC 124; See also Citi Cards Canada Inc. v. Pleasance, 2011 ONCA 3).
- The current balance of a mortgage is not publicly available (City Cards Canada Inc. V. Pleasance 2010 ONSC 124; See also Citi Cards Canada Inc. v. Pleasance, 2011 ONCA 3).
- The exception to the requirement to obtain consent recognized in section 7 of the Act and paragraph 1(a) of the Regulations does not apply to the very organization that initially collects the information for the purposes of publishing a telephone directory that will, once published, become publicly available (Englander v. TELUS Communications Inc., 2004 FCA 387).
- The fact that the use of personal information contained in publicly available telephone directories can be so widespread because of these Regulations militates in favour of the Court exercising additional caution when determining issues pertaining to initial listings in telephone directories (Englander v. TELUS Communications Inc., 2004 FCA 387).
III. Application by the OPC in Different Contexts
Whether information can be said to be “publicly available” for the purposes of PIPEDA will vary depending on the facts of each complaint investigation. The following examples illustrate how the provisions setting out each type of publicly available information specified by the Regulations have been interpreted and applied by the OPC.
1(a) Telephone directories
- Even if it is published in a telephone directory that is available to the public, an individual’s telephone number is still personal information. Subsection 5(3) of the Act, which requires appropriate purposes for the collection, use or disclosure of personal information, continues to apply.
- Paragraph 1(a) of the Regulation does not apply to a name-like term used to signify a subscriber’s spouse that is stored as a “code word” within a telecommunication company’s customer records.
- Combining publicly available telephone directory information with non-personal geo-demographic information does not create new personal information to which consent requirements apply.
- The commercial manipulation and sale of publicly available telephone directory information does not contravene the reasonable person test described in subsection 5(3) of the Act.
- Personal “white pages” telephone directory information, re-published in a new (online) format that merely reflects the same personal information that was initially published, is considered publicly available information exempt from the consent requirements of the Act.
- A division of a telecommunications company could collect its parent company’s customers’ names, addresses and telephone numbers from the parent company’s white-pages directory to use for its own business purposes.
1(b) Professional and business directories
- A third party’s collection and use of email addresses to market the sale of sports tickets was not related to the purpose for which the employer made its employees’ contact information publicly available. Therefore, the regulations did not authorize the collection and use of this information by the third party without consent.
- Information about an individual’s business collected from publicly available sources such as the yellow pages, telepages, superpages and other marketing sources may be disclosed without consent.
1(c) Public registries
- It is not enough for personal information to be simply available from a public source. The information must also have been collected from the publicly available source for the Regulation to apply.
- Examining the particular purposes for a collection, use or disclosure is a key consideration in assessing whether the exception to the consent requirement set out in the Regulations applies.
- Personal information appearing in a publicly accessible registry may only be collected, used and disclosed without consent when the purpose for the collection, use or disclosure relate directly to the purpose for which the information appears in the registry.
- PIPEDA Case Summary #2009-020 Publicly available information about individual’s bankruptcy cannot be disclosed for debt-collection purposes without her consent
- PIPEDA Case Summary #2010-004 Manager’s remark reveals employee’s salary — consent was necessary despite existing public disclosure requirement
- The public availability of information about a bankruptcy does not authorize the use of this information to collect a debt by means other than those provided for under federal bankruptcy legislation, which is the purpose for which the information is made publicly available.
- The public availability of audited financial statements for accountability and transparency purposes does not authorize the disclosure of an individual’s salary for other, unrelated purposes.
1(d) Court and tribunal records
- Where the disclosure of court records containing an individual’s personal information relates directly to the purpose of advancing a claim in a court of law, that individual’s consent will not be required. However, the regulation did not apply in this case because disclosing personal information in court documents to a stranger to the litigation process was not directly related to purpose for which the information appeared in the documents (namely, the pursuit of legal action).
- The ‘open courts’ principle can allow a member of the public to access court documents but it does not give an organization to whichPIPEDA applies the unfettered right to distribute the contents of a court file or pleadings to third parties outside the litigation.
- Personal information that appears in a court record for the purpose of providing evidence in an ongoing legal proceeding cannot be collected and used without consent by a mortgage broker for the unrelated purpose of proposing financing arrangements.
1(e) Books, magazines, newspapers
- Regulation 1(e) does not require that the collection or use of the information relate directly to the purpose for which the information appears in the publication.
- Consent to use a business e-mail address for marketing purposes is not required when that business e-mail address has been published on a website by the individual to whom it relates.
- Date modified: