Legal information related to PIPEDA
One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties, over time, findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.
In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined over time.
The Meaning of “Personal Information”
I. Relevant Statutory Provisions
Section 2(1) of the Personal Information Protection and Electronic Documents Act (2000, c. 5) (PIPEDA) states that “personal information” means “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.”
Section 4(1) provides that PIPEDA applies to every organization in respect of personal information that the organization “collects, uses or discloses in the course of commercial activities” or “is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.”
II. General Interpretations by the Courts
- Drawing from jurisprudence in the federal public sector, the definition of personal information must be given a broad and expansive interpretation (Dagg v. Canada (Minister of Finance),  2 S.C.R., dissenting, 403 at para 68; Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157; Canada (Information Commissioner) v. Canada (Commissioner of the Royal Canadian Mounted Police),  1 S.C.R. 66, 2003 SCC 8, at para 23).
- Personal information is information “about” an identifiable individual. “About” means that the information is not just the subject of something but also relates to or concerns the subject (Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157).
- Information will be about an “identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information (Gordon v. Canada (Health), 2008 FC 258 (CanLII)).1
- Information need not be recorded for it to constitute personal information. It is sufficient that the information be about an identifiable individual even if the information is not in a recorded form, such as oral conversations, biological samples and real time video surveillance. While the absence of a recording may go to the issue of collection, it does not change the fact that the information is personal information (Morgan v. Alta Flights Inc. (2006) FCA 121, affirming (2005) FC 421).
- The same information can be personal to more than one individual, where, for example, it contains the views of one individual about another individual, or where the same information reveals something about two identifiable individuals (Wyndowe v. Rousseau, 2008 FCA 39 (CanLII)).
- Information will still be personal information even if it is publicly available within the meaning of the regulations,2 and is exempt from applicable consent requirements (Englander v. TELUS Communications Inc., 2004 FCA 387 (CanLII)).
- Subjective information about an individual may still be personal information even if it is not necessarily accurate (Lawson v. Accusearch Inc. 2007 FC 125).
III. Applications in Different Contexts
Business and Professional Context
- The name, title, business address and telephone number of an employee of an organization are not protected by PIPEDA, since they are expressly excluded from the definition of personal information contained in the Act. However, an individual’s business email address is personal information under PIPEDA.3
- An individual’s cell phone records from their work cell phone may be the personal information of the individual.4
- Information about a company is generally not personal information. However, an individual’s personal information may be so inextricably linked to information about his or her company (e.g. an owner/operator of a small business) that information about that company can constitute personal information about the individual.5 Each situation must be assessed on a case-by-case basis.
- PIPEDA does not exclude work product information from the definition of personal information. Information produced for work-related purposes may be personal information. Contextual factors, such as how the information was produced, for what purposes, how it will be used, and industry practices must inform the analysis. In an early finding, the Privacy Commissioner found that physicians’ prescribing patterns constituted their work product information and not their personal information.6 Since this finding, the Commissioner’s broad and contextual approach has evolved to conclude that sales statistics of telemarketers7 and the number of houses sold by real estate brokers8 do constitute personal information, where, among other things, such information could lead to inferences about an individual’s job performance.
- Other personal information in the Business and Professional context includes: an individual’s Notice of Assessment (NOA) and Social Insurance Number (SIN);9 email addresses10 and messages; consumer purchases,11 services,12 and transactions;13 customer membership and account information in the context of frequent flyer or consumer loyalty programs;14 and customer complaint information.15
- PIPEDA only applies to personal information of employees of federal works, undertakings or businesses.16
- An individual’s views or opinions about an employee (e.g. performance appraisals,17 internal investigation files,18 medical diagnoses or assessments,19 or complaints against an employee)20 may constitute the personal information of that employee.
- Other examples of personal information of employees of federal works, undertakings or businesses include: employee number21; employee voices;22 swipe cards and video footage or live-feed;23 salary, benefits and performance ratings;24 and, employee personnel files.25
- Keeping background notes about an individual separate from that individual’s medical assessment report does not change the status of the personal information contained in those notes.26
- Background notes taken by a physician in support of an independent medical examination (IME) report to an insurer may contain the personal information of the patient, as well as the personal information of the physician.27
- Personal information that has been de-identified does not qualify as anonymous information if there is a serious possibility of linking the de-identified data back to an identifiable individual.28
- Other examples of personal information in the health context include: information concerning the physical or mental health of an individual, such as: medical diagnoses,29 general medical information,30 clinical notes31 and independent medical assessments for insurance-related purposes;32 as well as entire medical records and/or patient charts in the context of a closing or sale of a health professional’s practice.33
- Examples of financial information which may constitute personal information of an individual include: bank account numbers, summaries or balances;34 transaction histories;35 debt-related information;36 mortgage applications/renewals, tax returns and net worth;37 credit reports38 and credit scores.39
- The contents of and details about an individual’s safety deposit box are that individual’s personal information.40
- Residential property appraisal documents constitute the personal information of the property owner,41 including the selling/purchase price of an individual’s home.
- A simple reference to an outstanding debt, even without disclosing specific details about the debt, is personal information.42
- Examples of personal information in the technological context include forms of biometric information, such as fingerprints43 and voiceprints.44 A voiceprint is personal information even though it may not necessarily tell much about an individual. How much more it reveals about an individual will depend on how the voiceprint is used.45
- A photograph of an individual’s home may constitute the personal information of that individual.46 Video surveillance that captures an individual’s physical image or movement47 may also constitute his or her personal information even if it is not taped,48 since the definition of personal information in PIPEDA does not require that the information be recorded.
- Tracking information collected from a Global Positioning System (GPS) placed in company vehicles is personal information since the information can be linked to specific employees driving the vehicles. The employees are identifiable even if they are not identified at all times to all users of the system.49
- Information collected through the use of radio frequency identification (RFID) tags to track and locate baggage, retail products, and individual purchases may constitute the personal information of any identifiable individual associated with those items.50
- An Internet Protocol (IP) address can be considered personal information if it can be associated with an identifiable individual.51 For example, in one complaint finding, we determined that some of the IP addresses that an internet service provider (ISP) was collecting were personal information because the ISP had the ability to link the IP addresses to its customers through their subscriber IDs. See also a report prepared by the Technology Analysis Branch of the OPC on "What an IP Address Can Reveal About You".52
1 This case arose under the Access to Information Act, R.S., 1985, c. A-1 that incorporates the definition of “personal information” from the Privacy Act, R.S.C. 1985, c. P-21, which is virtually identical to the definition of “personal information” in PIPEDA.
2 Personal Information Protection and Electronic Documents Act, Regulations Specifying Publicly Available Information (SOR/2001-7).
4 PIPEDA Case Summary #372 - Disclosures to data brokers expose weaknesses in telecoms’ safeguards.
5 PIPEDA Case Summary #181 (July 10, 2003), Alleged inappropriate disclosure of personal information to a third party.
6 PIPEDA Case Summary #14 - Selling of information on physicians’ prescribing patterns; PIPEDA Case Summary #15 - Privacy Commissioner releases his finding on the prescribing patterns of doctors.
7 PIPEDA Case Summary #220 - Telemarketer objects to employer sharing her sales results with other employees.
8 PIPEDA Case Summary #303 - Real estate broker publishes names of top five sales representatives in a city.
9 PIPEDA Case Summary #22 - Company asks for customer’s SIN as a matter of policy; PIPEDA Case Summary #337 - Income tax preparation company mails personal information to wrong clients; PIPEDA Case Summary #317 - Fax from debt collector contained debtor’s personal information.
10 PIPEDA Case Summary #277 - Mass mailout results in disclosure of contest entrants’ e-mail addresses; PIPEDA Case Summary #297 - Unsolicited e-mail for marketing purposes.
13 PIPEDA Case Summary #374 - Bank faxes credit card account statement to fraudster; PIPEDA Case Summary #176 - Bank records customer call without consent; refuses to erase tape; PIPEDA Case Summary #72 - Telecommunications company improves its collection and disclosure practices.
14 PIPEDA Case Summary #292 - Former employer changed account information of Air Canada frequent flyer member and PIPEDA Case Summary #241 - Bank complies with consent principles.
16 PIPEDA, section 4(1)(b).
18 PIPEDA Case Summary #73 - Telecommunications company asked to adopt consistent retention practices.
19 PIPEDA Case Summary #233 - An individual challenged the requirement to provide the medical diagnosis on her doctor’s certificate for sick leave; PIPEDA Case Summary #257 - Employees objected to corporation’s requirement; PIPEDA Case Summary #235 - Individual challenges employer’s refusal to grant sick leave; PIPEDA Case Summary #287 - Request for medical information deemed reasonable, but consent procedures not properly followed; Case Summary #284 - Use and disclosure of health information considered appropriate, but access request was mishandled; PIPEDA Case Summary #226 - Company's collection of medical information unnecessary; safeguards are inappropriate.
21 PIPEDA Case Summary #149 - Individual denied access to personal information; and PIPEDA Case Summary #360 - Bank erroneously e-mails employees’ personal information to client.
23 PIPEDA Case Summary #264 - Video cameras and swipe cards in the workplace; PIPEDA Case Summary #290 - Video surveillance cameras at food processing plant questioned; PIPEDA Case Summary #279 - Surveillance of employees at work; PIPEDA Case Summary #114 - Employee objects to company’s use of digital video surveillance cameras; Eastmond v. Canadian Pacific Railway, 2004 FC 852 (CanLII), (2004), 16 Admin. L.R.(4th) 275.
24 PIPEDA Case Summary #360 - Bank erroneously e-mails employees’ personal information to client.
25 PIPEDA Case Summary #201 - Former employee encounters delays in accessing personal information.
28 PIPEDA Case Summary #2009-018 – Psychologist’s anonymized peer review notes are the personal information of the patient.
30 PIPEDA Case Summary #368 - Insurance adjusters’ consent form considered overly broad.
31 PIPEDA Case Summary #362 - Insurance adjuster readjusts its collection practices.
33 PIPEDA Case Summary #325 - Personal information practices considered in sale of dental practice; PIPEDA Case Summary #328 - Medical records storage company revises its access policy.
34 PIPEDA Incident Summary #2 - CIBC's privacy practices failed in cases of misdirected faxes; PIPEDA Case Summary #335 - Customer receives banking information of other clients; PIPEDA Case Summary #332 - Bank issues new guidelines and educates employees after customer information is faxed to the wrong individual.
35 PIPEDA Case Summary #356 - Customer’s banking personal information found in a recycling bin.
36 PIPEDA Case Summary #317 - Fax from debt collector contained debtor’s personal information; PIPEDA Case Summary #200 - Bank disclosure results in cancelled wedding.
37 PIPEDA Case Summary #154 - Couple dismayed at receiving unsealed envelope from bank; PIPEDA Case Summary #336 - Disclosure of mortgage information required by law; collection of information by bankruptcy trustee also allowed.
38 PIPEDA Case Summary #340 - Law firms collected credit reports without consent.
39 PIPEDA Case Summary #63 - Bank refuses customer access to internal credit score; PIPEDA Case Summary #39 - Privacy Commissioner releases finding on a bank's refusal to release credit score.
41 PIPEDA Case Summary #390 - Residential Property Appraisal Documents are Owners’ Personal Information.
42 PIPEDA Case Summary #130 - Disclosure of personal information in the collection of a debt; PIPEDA Case Summary #267 - Bank discloses customer's personal information to employer.
45 See note 43, above.
46 PIPEDA Case Summary #349 - Photographing of tenants’ apartments without consent for insurance purposes.
47 See note 23, above.
49 PIPEDA Case Summary #351 - Use of personal information collected by Global Positioning System considered.
51 PIPEDA Case Summary #25 - A broadcaster accused of collecting personal information via Web site; PIPEDA Case Summary #315 - Web-centered company’s safeguards and handling of access request and privacy complaint questioned; PIPEDA Case Summary #319 - ISP’s anti-spam measures questioned; PIPEDA Case Summary #2009-010 – Assistant Commissioner recommends Bell Canada inform customers about Deep Packet Inspection; See also Submission of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunications Commissioner (CRTC) – February 2009; Final reply of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunication Commissioner (CRTC) – July 2009; and Canadian Radio and Telecommunications Commission Telecom Regulatory Policy CRTC 2009-657 at paras 96-105