Legal information related to PIPEDA

Interpretation Bulletin

Personal Information

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties, over time, findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined over time.

The Meaning of “Personal Information”

I. Relevant Statutory Provisions

Section 2(1) of the Personal Information Protection and Electronic Documents Act (2000, c. 5) (PIPEDA) states that “personal information” means “information about an identifiable individual.”

Section 4(1) provides that PIPEDA applies to every organization in respect of personal information that the organization “collects, uses or discloses in the course of commercial activities” or “is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.”

II. General Interpretations by the Courts

  1. Drawing from jurisprudence in the federal public sector, the definition of personal information must be given a broad and expansive interpretation (Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R., dissenting, 403 at para 68; Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157; Canada (Information Commissioner) v. Canada (Commissioner of the Royal Canadian Mounted Police), [2003] 1 S.C.R. 66, 2003 SCC 8, at para 23).
  2. Personal information is information “about” an identifiable individual. “About” means that the information is not just the subject of something but also relates to or concerns the subject (Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157).
  3. Information will be about an “identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information (Gordon v. Canada (Health), 2008 FC 258 (CanLII)).1 Information need not be recorded for it to constitute personal information. It is sufficient that the information be about an identifiable individual even if the information is not in a recorded form, such as oral conversations, biological samples and real time video surveillance. While the absence of a recording may go to the issue of collection, it does not change the fact that the information is personal information (Morgan v. Alta Flights Inc. (2006) FCA 121, affirming (2005) FC 421).
  4. The same information can be personal to more than one individual, where, for example, it contains the views of one individual about another individual, or where the same information reveals something about two identifiable individuals (Wyndowe v. Rousseau, 2008 FCA 39 (CanLII)).
  5. Information will still be personal information even if it is publicly available within the meaning of the regulations,2 and is exempt from applicable consent requirements (Englander v. TELUS Communications Inc., 2004 FCA 387 (CanLII)).
  6. Subjective information about an individual may still be personal information even if it is not necessarily accurate (Lawson v. Accusearch Inc. 2007 FC 125).

III. Applications in Different Contexts

Business and Professional Context
  • PIPEDA does not apply to an organization in respect of the business contact information of an individual that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.3
  • An individual’s cell phone records from their work cell phone may be the personal information of the individual.4
  • Information about a company is generally not personal information. However, an individual’s personal information may be so inextricably linked to information about his or her company (e.g. an owner/operator of a small business) that information about that company can constitute personal information about the individual.5 Each situation must be assessed on a case-by-case basis.
  • Sales statistics of telemarketers6 and the number of houses sold by real estate brokers7 can constitute personal information.
  • Other examples of personal information in the Business and Professional context include: an individual’s Notice of Assessment (NOA) and Social Insurance Number (SIN);8 email addresses9 and messages; consumer purchases,10 services,11 and transactions;12 customer membership and account information in the context of frequent flyer or consumer loyalty programs;13 and, customer complaint information.14

Employment Context
  • PIPEDA only applies to personal information of employees of, and applicants for employment with, federal works, undertakings or businesses.15
  • An individual’s views or opinions about an employee (e.g. performance appraisals,16 internal investigation files,17 medical diagnoses or assessments,18 or complaints against an employee)19 may constitute the personal information of that employee.
  • Other examples of personal information of employees of federal works, undertakings or businesses include: employee number20; employee voices;21 swipe cards and video footage or live-feed;22 salary, benefits and performance ratings;23 and, employee personnel files.24

Health Context
  • Keeping background notes about an individual separate from that individual’s medical assessment report does not change the status of the personal information contained in those notes.25
  • Background notes taken by a physician in support of an independent medical examination (IME) report to an insurer may contain the personal information of the patient, as well as the personal information of the physician.26
  • Personal information that has been de-identified does not qualify as anonymous information if there is a serious possibility of linking the de-identified data back to an identifiable individual.27
  • Other examples of personal information in the health context include: information concerning the physical or mental health of an individual, such as: medical diagnoses,28 general medical information,29 clinical notes30 and independent medical assessments for insurance-related purposes;31 as well as entire medical records and/or patient charts in the context of a closing or sale of a health professional’s practice.32

Financial Context
  • Examples of financial information which may constitute personal information of an individual include: bank account numbers, summaries or balances;33 transaction histories;34 debt-related information;35 mortgage applications/renewals, tax returns and net worth;36 credit reports37 and credit scores.38
  • The contents of and details about an individual’s safety deposit box are that individual’s personal information.39
  • Residential property appraisal documents constitute the personal information of the property owner,40 including the selling/purchase price of an individual’s home.
  • A simple reference to an outstanding debt, even without disclosing specific details about the debt, is personal information.41

Technological Context
  • Examples of personal information in the technological context include forms of biometric information, such as fingerprints42 and voiceprints.43 A voiceprint is personal information even though it may not necessarily tell much about an individual. How much more it reveals about an individual will depend on how the voiceprint is used.44
  • A photograph of an individual’s home may constitute the personal information of that individual.45 Video surveillance that captures an individual’s physical image or movement46 may also constitute his or her personal information even if it is not taped,47 since the definition of personal information in PIPEDA does not require that the information be recorded.
  • Tracking information collected from a Global Positioning System (GPS) placed in company vehicles is personal information since the information can be linked to specific employees driving the vehicles. The employees are identifiable even if they are not identified at all times to all users of the system.48
  • Information collected through the use of radio frequency identification (RFID) tags to track and locate baggage, retail products, and individual purchases may constitute the personal information of any identifiable individual associated with those items.49
  • An Internet Protocol (IP) address can be considered personal information if it can be associated with an identifiable individual.50 For example, in one complaint finding, we determined that some of the IP addresses that an internet service provider (ISP) was collecting were personal information because the ISP had the ability to link the IP addresses to its customers through their subscriber IDs. See also a report prepared by the Technology Analysis Branch of the OPC on "What an IP Address Can Reveal About You".51

1 This case arose under the Access to Information Act, R.S., 1985, c. A-1 that incorporates the definition of “personal information” from the Privacy Act, R.S.C. 1985, c. P-21, which is virtually identical to the definition of “personal information” in PIPEDA.

2 Personal Information Protection and Electronic Documents Act, Regulations Specifying Publicly Available Information (SOR/2001-7).

3 PIPEDA, section 4.01.

11 PIPEDA Case Summary #262 - Airline agrees to amend privacy policy.

15 PIPEDA, section 4(1)(b).

16 PIPEDA Case Summary #198 - Employer accused of wrongful disclosure.

22 PIPEDA Case Summary #264 - Video cameras and swipe cards in the workplace; PIPEDA Case Summary #290 - Video surveillance cameras at food processing plant questioned; PIPEDA Case Summary #279 - Surveillance of employees at work; PIPEDA Case Summary #114 - Employee objects to company’s use of digital video surveillance cameras; Eastmond v. Canadian Pacific Railway, 2004 FC 852 (CanLII), (2004), 16 Admin. L.R.(4th) 275.

42 Privacy Commissioner’s Report of Findings – Law School Admission Council Investigation – May 29, 2008

43 Wansink v. TELUS Communications Inc. (F.C.A.), 2007 FCA 21.

44 See note 43, above.

46 See note 23, above.

50 PIPEDA Case Summary #25 - A broadcaster accused of collecting personal information via Web site; PIPEDA Case Summary #315 - Web-centered company’s safeguards and handling of access request and privacy complaint questioned; PIPEDA Case Summary #319 - ISP’s anti-spam measures questioned; PIPEDA Case Summary #2009-010 – Assistant Commissioner recommends Bell Canada inform customers about Deep Packet Inspection; See also Submission of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunications Commissioner (CRTC) – February 2009; Final reply of the Office of the Privacy Commissioner of Canada to the Canadian Radio-television and Telecommunication Commissioner (CRTC) – July 2009; and Canadian Radio and Telecommunications Commission Telecom Regulatory Policy CRTC 2009-657 at paras 96-105

51 What an IP Address Can Reveal About You, a report prepared by the Technology Analysis Branch of the Office of the Privacy Commissioner of Canada, May 2013.