CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page i

CANADIAN PRIVACY Data Protection Law and Policy for the Practitioner Second Edition

By Kris Klein, CIPP/C nNovation LLP

An IAPP Publication

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page ii

©2012 by the International Association of Privacy Professionals (IAPP) All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, mechanical, photocopying, recording or otherwise, without the prior written permission of the publisher, International Association of Privacy Professionals, Pease International Tradeport, 75 Rochester Ave., Suite 4, Portsmouth, NH 03801, United States of America. Cover design: Noelle Grattan, -ing designs, llc. Copy editor: Sarah Weaver Compositor: Ed Stevens, Ed Stevens Design Indexer: Jan Bednarczuk, Jandex Indexing ISBN 978-0-9795901-6-0 Library of Congress Control Number: 2011935964

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page v

CONTENTS

PREFACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi J.Trevor Hughes ACKNOWLEDGMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii Richard Soule Chapter One

CANADIAN PRIVACY BASICS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Classes of Privacy

..........................................................1

The Social Origins of Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Canadian Perspectives on Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 World Models for Data Protection

...........................................4

Comprehensive Laws (Canada, European Union) . . . . . . . . . . . Sectoral Laws (United States). . . . . . . . . . . . . . . . . . . . . . . . The Self-regulatory Model (United States, Japan and Singapore) Seal Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Technology-Based Model . . . . . . . . . . . . . . . . . . . . . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

4 5 5 6 6

The Canadian Legal System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Division of Powers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 The Roles of Courts, Administrative Tribunals and Privacy Commissioners . . . . . . . . . . . . . . . . . . . . . . . 8 Canadian Laws and Their Interpretation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Key Concepts of Canadian Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Personal Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Public Records and Publicly Available Information . . . . . . . . . . . . . . . . . . . . . Private and Sensitive Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Employee and Work-Product Information . . . . . . . . . . . . . . . . . . . . . . . . . . General Concepts of Fair Information Practices and General Privacy Principles .

v

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

11 15 16 17 18

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page vi

CONTENTS

Chapter Two

CANADIAN PRIVATE SECTOR LAWS AND PRACTICES . . . . . . . . . . . . . . . . . . . . . 23 Personal Information Protection and Electronic Documents Act (PIPEDA) . . . . . . 23 Purpose . . . . . . . . . . . . . . . . . . . . Application. . . . . . . . . . . . . . . . . . . Commercial Activity. . . . . . . . . . . . . Obligations Arising Under PIPEDA . . . The Role of the Privacy Commissioner

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

23 24 27 28 30

Personal Information Protection Act (PIPA) of Alberta and Personal Information Protection Act (PIPA) of British Columbia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Work Product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Obligations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 The Role of the Commissioners. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Act Respecting the Protection of Personal Information in the Private Sector (Quebec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Obligations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Role of Oversight Body. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Canada’s Anti-Spam Legislation (CASL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Obligations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Enforcement and Penalties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Key Concepts and Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Accountability. . . . . . . . . . . . . . . . . . Identifying Purposes . . . . . . . . . . . . . Consent . . . . . . . . . . . . . . . . . . . . . Limiting Purposes . . . . . . . . . . . . . . . Limiting Use, Disclosure and Retention Accuracy . . . . . . . . . . . . . . . . . . . . . Safeguards . . . . . . . . . . . . . . . . . . . Openness . . . . . . . . . . . . . . . . . . . . Individual Access . . . . . . . . . . . . . . . Challenging Compliance . . . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

39 39 40 41 41 41 42 42 43 43

Issue: Trans-border Data Flows in the Private Sector . . . . . . . . . . . . . . . . . . . . . . . . . 44 Federal Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Issue: Online Behavioural Advertising . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 The “Cookie” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Privacy Incidents, Compliance Trends and Emerging Issues TJX Winners—Homesense SWIFT . . . . . . . . . . . . . . Facebook. . . . . . . . . . . . . Google . . . . . . . . . . . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

vi

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . . . . . . . . . . . . . . . . . 47 . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

47 50 52 53

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page vii

CONTENTS

Relevant Canadian Legal Developments (including appeals of commissioner’s decisions)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Collection of Biometric Information:The TELUS Voiceprint Case . . . . . . . . . . . . . . . . . Deference, De Novo and the Nature of Hearing: The Eastmond Case . . . . . . . . . . . . . An Attempt to Keep Information from the Privacy Commissioner: The Blood Tribe Case. Contesting a Commissioner’s Finding:The Accusearch (ABIKA) Case . . . . . . . . . . . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

53 54 56 57

Commissioner’s Guidance and Published Positions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Authentication Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Responding to Privacy Breaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Alberta’s Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Model Codes and Cooperation

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Chapter Three

CANADIAN PUBLIC SECTOR LAWS AND PRACTICES . . . . . . . . . . . . . . . . . . . . . . 67 The Privacy Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 Application. Obligations. Collection . Use . . . . . Disclosure .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

The Privacy Act: Personal Information Banks

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

68 68 68 69 69

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Access to Information Act Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Applications for Employment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Educational Leave/Co-op Replacement Program (EDCO) . . . . . . . . . . . . . . . . Financial Officer/Internal Auditor Recruitment and Development (FORD/IARD). Public Enquiries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Personal Service Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Right of Access Under the Privacy Act

. . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

72 73 73 74 74 75

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Retention of Personal Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Role of the Privacy Commissioner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Video Surveillance Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Differences Between the Federal and Provincial Approaches . . . . . . . . . . . . . . . . . . 81 The Need for Reform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Key Policies and Guidelines

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Privacy Impact Assessments (PIAs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Data Matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Outsourcing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Issue: Trans-border Data Flow in the Public Sector . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

vii

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page viii

CONTENTS

Chapter Four

CANADIAN HEALTH INFORMATION PRIVACY

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Purpose and Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Obligations

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Health Information Organizations

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

eHealth Ontario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Canadian Organization for the Advancement of Computers in Health (COACH) . . . . . . . . . . . . . . . . . . 105 Canadian Institute for Health Information (CIHI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Health Information Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Conclusion

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Chapter Five

INTERNATIONAL PRIVACY LAW BASICS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 The European Union . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 The The The The The The

EU Data Protection Directive (95/46/EC) . . . . . . . Safe Harbor Framework . . . . . . . . . . . . . . . . . . . EU Approach to “Consent” . . . . . . . . . . . . . . . . . . EU Approach to SPAM. . . . . . . . . . . . . . . . . . . . . EU Approach to the SWIFT Case. . . . . . . . . . . . . . EU Approach to Cookies and Behavioural Advertising

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

110 114 116 117 118 119

The Asia-Pacific Region . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 The Asia Pacific Economic Cooperation Privacy Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

The United States

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

The Fair Credit Reporting Act (FCRA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Health Insurance Portability and Accountability Act (HIPAA) . . . . . . . . . . . . . . The Financial Services Modernization Act of 1999 / Gramm-Leach-Bliley Act (GLBA) The Children’s Online Privacy Protection Act of 2000 (COPPA) . . . . . . . . . . . . . . . U.S. Marketing Communications Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . U.S. State Security Breach Notification Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . Unfair and Deceptive Trade Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The Google Wi-Fi Debacle: An International Perspective Canadian Response. . . . U.S. Response . . . . . . . German Response . . . . UK Response . . . . . . . . Spanish Response . . . . Australian Response . . . South Korean Response

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

123 124 125 126 127 129 129

. . . . . . . . . . . . . . . . . . . . . 130 . . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

130 131 131 132 132 133 133

Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

viii

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page ix

CONTENTS

Appendix One KEY STEPS FOR ORGANIZATIONS IN RESPONDING TO PRIVACY BREACHES

. . . . 137

Appendix Two GUIDELINES FOR PROCESSING PERSONAL DATA ACROSS BORDERS . . . . . . . . . . . 145

Appendix Three CIRCLE OF CARE

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Appendix Four GUIDELINES FOR THE USE OF VIDEO SURVEILLANCE OF PUBLIC PLACES BY POLICE AND LAW ENFORCEMENT AUTHORITIES . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

ix

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page 11

CANADIAN PRIVACY BASICS

SAMPLE FROM CHAPTER ONE Canadian Privacy Basics

Key Concepts of Canadian Privacy Personal Information Privacy in Canada is protected by setting up rules and principles that govern what governments and organizations can do with personal information. The catalyst to any privacy issue, therefore, is a determination that the type of information being discussed is indeed “personal information.” As elaborated further below, personal information is generally considered to be any information about an identifiable individual. Thus, corporate information (or information belonging to groups of people) is not generally considered personal information. The starting point is that information is deemed to be personal information if it is about an identifiable individual. Most laws give examples to help clarify what is and is not considered to

11

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page 12

CANADIAN PRIVACY

be personal information. For example, the federal Privacy Act lists nine examples of the types of information that are deemed to be information about an identifiable individual. They are:

(a) Information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual; (b) Information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved; (c) Any identifying number, symbol or other particular assigned to the individual; (d) The address, fingerprints or blood type of the individual; (e) The personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations; (f) Correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; (g) The views or opinions of another individual about the individual; (h) The views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the individual by an institution or a part of an institution referred to in paragraph (e), but excluding the name of the other individual where it appears with the views or opinions of the other individual; and, (i) The name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual. One particularly important point to emphasize at this juncture is that the federal Privacy Act (which, as detailed in Chapter 3, applies to information under the control of federal government institutions) considers opinions about an individual to be the personal information of the individual whom the opinion is about. This is important considering that privacy laws provide a right of access to one’s own personal information. So, if Jones has an opinion about Smith, Smith can discover it by making a request to see his own personal information. And, not only can Smith see the content of the opinion about himself, but he will often be allowed to know the identity of the opinion holder too. This is because the identity of the opinion holder is considered the personal information of both the opinion holder and the person the opinion is about.23 One stumbling block that arises over and over again across the country is the difficulty in interpreting the meaning of “about” as it is used in the phrase “about an identifiable individual.”

12

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page 13

CANADIAN PRIVACY BASICS

The Supreme Court of Canada pronounced that this definition of personal information is undeniably expansive. The court said that the language of this section is “deliberately broad” and “entirely consistent with the great pains that have been taken to safeguard individual identity. Its intent seems to be to capture any information about a specific person, subject only to specific exceptions”24 [underlining in original]. This particularly expansive definition of the term “personal information” has been used to justify finding that all sorts of information, regardless of whether or not the information is sensitive, private, innocuous or well-known, is “personal information.” Notably, this interpretation has been used by some judges when they wanted to find that job-related information fell under the definition of personal information and thus afford it some protection under privacy legislation.25 In the 2001–2002 Annual Report to Parliament, the federal privacy commissioner also noted the expansive nature of the term “about an identifiable individual”:

That definition is meant to cover a lot of ground . . . [the definition] does not say that personal information has to originate with or be collected from the individual. It doesn’t concern itself with who may or may not be said to have proprietary interest in the information. It only says that information is personal if it is “about” an identifiable individual.When it comes right down to it, if an organization has put someone’s name on something, it is difficult for the organization to argue that the thing isn’t “about” that individual. The definition is deliberately broad . . . It does not matter who generated the information, or how, or who technically “owns” it, or what the corporate convention may be. If it has been assigned in an individual’s name, the chances are that I will accept it as being his or her personal information. I am inclined to regard information as personal even if there is the smallest potential for it to be about an identifiable individual. Other judges and commissioners, however, have attempted to move away from this expansive definition of personal information. For example, the Federal Court of Appeal found that before information fell within the definition of personal information, the information should connote concepts of intimacy, identity, dignity and integrity of the individual.”26 In that particular case, job-related information was deemed not to be personal information.27 In Alberta, the commissioner has also slightly moved away from the “undoubtedly broad” interpretation given to the term “personal information” by the Supreme Court:

The Act defines “personal information” as “information about an identifiable individual”. In my view, “about” in the context of this phrase is a highly significant restrictive modifier. “About an applicant” is a much narrower idea than “related to an Applicant”. Information that is generated or collected in consequence of a complaint or some other action on the part of or associated with an applicant—and that is therefore connected to them in some way—is not necessarily “about” that person.28

13

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page 14

CANADIAN PRIVACY

In 2006, the commissioner ordered a furniture retailer to cease recording the license plate numbers of customers who came to pick up their orders. The commissioner concluded that license plate numbers constituted personal information, the recording of which violated the Personal Information Protection Act. The Alberta Court of Appeals disagreed, holding that a license plate number is not personal information because it is not about an individual.29 At the time of publishing this case was on appeal to the Supreme Court. Information that alone does not identify an individual can be “personal information” if, in combination with other information, it could be used to identify an individual. In 2008, the Federal Court determined that data regarding the province location in which medical patients were treated was personal information because such data, when coupled with other available data, could lead to identifying individual patients. In adopting a new test to determine what should be considered personal information, the court provided that “[i]nformation will be about an individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.”30 (emphasis added) Most laws also provide for exceptions to the definition to recognize that while something might otherwise be considered to be about an identifiable individual, there is a public policy reason for not treating it as such. One common example of this is information about bureaucrats who work for the public sector. Generally, while the law recognizes that their job-related information is information about identifiable individuals, the policy choice is made to create an exception so that the information is not protected if it is:

Information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual including: (i) The fact that the individual is or was an officer or employee of the government institution; (ii) The title, business address and telephone number of the individual; (iii) The classification, salary range and responsibilities of the position held by the individual; (iv) The name of the individual on a document prepared by the individual in the course of employment; and, (v) The personal opinions or views of the individual given in the course of employment.31

14

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page 15

CANADIAN PRIVACY BASICS

Public Records and Publicly Available Information Most laws that protect privacy in Canada also recognize that they can go only so far. In that regard, one common reason for not protecting personal information is if that information is publicly available. The Privacy Act, for example, provides that a government’s restricted ability to use and disclose personal information does not apply if the information is publicly available. Interestingly, however, the government’s obligations to collect the information in accordance with the act are not affected by whether or not the information is publicly available.32 The Privacy Act also provides a total exception to any information that is found in a “library or museum material preserved solely for public reference or exhibition purposes; or material placed in the Library and Archives of Canada, the National Gallery of Canada, the Canadian Museum of Civilization, the Canadian Museum of Nature or the National Museum of Science and Technology by or on behalf of persons or organizations other than government institutions.”33 Despite the consequences that ensue if personal information is deemed to be publicly available, there is no definition in the Privacy Act to help guide users as to what is and what is not to be considered publicly available. PIPEDA treats publicly available information differently. Perhaps because of the lack of definition in the Privacy Act, the drafters of PIPEDA decided to define what it means to be publicly available by creating a set of categories of information, as follows:

(a) Personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory; (b) Personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the directory, listing or notice; (c) Personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry; (d) Personal information that appears in a record or document of a judicial or quasi-judicial body, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document; and, (e) Personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

15

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page 16

CANADIAN PRIVACY

Regardless of whether or not any particular privacy law defines what it means to be publicly available, the debate about the need to protect that type of personal information is currently a hot topic. With the advent of online social networking and the ability to find information about individuals easily via the Internet, more and more information is entering the realm of what could easily be considered publicly available. Moreover, that information itself is more frequently sensitive in nature. Even when the information by itself is not sensitive, the vast proliferation of personal information found in distinct and separate locations on the Internet (or elsewhere) is fuel for data miners, who now have the technical ability of parsing through this information to piece it together and develop comprehensive profiles on individuals.Whereas in the past, the “needle in a haystack” theory afforded individuals relative anonymity even if their information was publicly available, today’s technology turns this idea on its head and renders publicly available information very accessible.

Private and Sensitive Information In the discussion above about the expansive nature of the definition of personal information, we highlighted how the Supreme Court of Canada’s guidance on the subject did not allow for subsequent interpretations to take into account the private or sensitive nature of the information. For those regulators and judges who have followed this guidance, it has meant that any determination of whether or not the personal information is sensitive is irrelevant. As shown, however, some judges and commissioners have attempted to move away from this very broad definition. In doing so, they have tried to argue that before personal information can be protected, it must be related in some way to a private or sensitive fact about the individual. At the federal level, the legislation does not address this debate, and what remains, therefore, is the need to apply the definition as it stands. Provincially, however, some statutes address the difference between all personal information (being any information “about an identifiable individual”) and information that deserves more protection because of its sensitive nature. In particular, these considerations come into play when government institutions are working through questions about whether or not information held by the government should be released. When making these types of determinations, the laws often dictate that the information can only be released if doing so would not be an unreasonable invasion of privacy. The laws often go further by providing guidance of what types of information would attract more protection and which ones should attract less. This is done through the enumeration of examples of types of information, the release of which would be considered unreasonable invasions of privacy. For example, in Nova Scotia, disclosure of personal information is presumed to be an unreasonable invasion of a third party’s personal privacy if:

(a) the personal information relates to a medical, dental, psychiatric, psychological or other health-care history, diagnosis, condition, treatment or evaluation; (b) the personal information was compiled and is identifiable as part of an investigation into a possible violation of law, except to the extent that disclosure is necessary to prosecute the violation or to continue the investigation;

16

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page 17

CANADIAN PRIVACY BASICS

(c) the personal information relates to eligibility for income assistance or social-service benefits or to the determination of benefit levels; (d) the personal information relates to employment or educational history; (e) the personal information was obtained on a tax return or gathered for the purpose of collecting a tax; (f) the personal information describes the third party’s finances, income, assets, liabilities, net worth, bank balances, financial history or activities, or creditworthiness; (g) the personal information consists of personal recommendations or evaluations, character references or personnel evaluations; (h) the personal information indicates the third party’s racial or ethnic origin, sexual orientation or religious or political beliefs or associations; or (i) the personal information consists of the third party’s name together with the third party’s address or telephone number and is to be used for mailing lists or solicitations by telephone or other means.34

Employee and Work-Product Information One of the most widely debated arguments in Canadian privacy law surrounds whether or not separate laws ought to exist for employee information and work-product information. Employee information is often thought of and defined as follows (taken from the Alberta Personal Information Protection Act): “‘personal employee information’ means, in respect of an individual who is an employee or a potential employee, personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating: (i) an employment relationship; or, (ii) a volunteer work relationship between the organization and the individual but does not include personal information about the individual that is unrelated to that relationship”. Work product information is generally thought of as being information about an individual but that is related to that individual’s position, functions and/or performance of his or her job. PIPEDA does not differentiate between regular “personal information” and employee-related information or work-product information, which has resulted in several conflicting decisions on the issue of whether or not work-product information is protected.35 Similarly, because PIPEDA does not treat employee-related information differently from regular personal information, there have been several cases where creative interpretations have been needed to achieve just results.36

17

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page 18

CANADIAN PRIVACY

The Privacy Act does carve out some employment- and work-product-related information from the definition of personal information. However, the exception applies only to “information about an individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual including,

(i) the fact that the individual is or was an officer or employee of the government institution; (ii) the title, business address and telephone number of the individual, (iii) the classification, salary range and responsibilities of the position held by the individual; (iv) the name of the individual on a document prepared by the individual in the course of employment; and, (v) the personal opinions or views of the individual given in the course of employment.”37 The private sector laws in British Columbia and Alberta, on the other hand, attempt to deal with the question of employee-related personal information by defining it. For example, British Columbia’s Personal Information Protection Act (PIPA) states: “‘Employee personal information’ means personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual’s employment.” Then within the body of the two laws, specific provisions set out a separate set of rules for this type of personal information. More detail is provided in Chapter 3.

General Concepts of Fair Information Practices and General Privacy Principles Underlying all modern privacy regimes are fundamental principles. While there are several iterations of these principles,38 one of the more influential in the development of Canadian privacy law is the one adopted by the Organisation for Economic Co-operation and Development (OECD). In 1981 the OECD published a set of privacy principles entitled “Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data.” That code encapsulated eight principles. Subsequently, the Canadian Standards Association (CSA) developed its own set of privacy principles and broke the OECD’s code into ten principles. The OECD’s model code was obviously influential.

18

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page 19

CANADIAN PRIVACY BASICS

Figure 1: Model Codes for Privacy Compliance

OECD

CSA

Accountability

Accountability

Purpose Specification

Identifying Purpose Consent

Collection Limitation Limiting Collection Use Limitation

Limiting Use, Disclosure, & Retention

Data Quality

Accuracy

Security Safeguards

Safeguards

Openness

Openness Individual Access

Individual Participation

Challenging Compliance

Source: Organisation for Economic Co-operation and Development/Canadian Standards Association.

The CSA called its iteration, published in 1996, the “Model Code for the Protection of Personal Information.”39 Below is the summary of each principle as published by the CSA:

Ten interrelated principles form the basis of the CSA Model Code for the Protection of Personal Information. Each principle must be read in conjunction with the accompanying commentary. 1. Accountability An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles. 2. Identifying Purposes The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. 3. Consent The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

19

CDN_Privacy_Pages_r5-196pp 11/9/11 10:54 AM Page 20

CANADIAN PRIVACY

4. Limiting Collection The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. 5. Limiting Use, Disclosure, and Retention Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes. 6. Accuracy Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. 7. Safeguards Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. 8. Openness An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. 9. Individual Access Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. 10. Challenging Compliance An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

20