Sensitivity to how personal information is collected, used and disclosed is growing. With this sensitivity has come a heightened awareness of the many privacy issues that can crop up when dealing with personal information. Many of us are starting to feel comfortable with the whole concept of privacy and personal information. We know now what "personal information" means. Or do we?
The Personal Information Protection and Electronic Documents Act (PIPEDA) defines as personal information any information about an identifiable individual. Although PIPEDA does not specify what is included, it does tell us what is excluded, namely one’s name, business title, business address, and business telephone number. This leaves us with a definition whose scope is very broad – broader than we might first think.
Some information is easily identified as personal information. Examples include one’s height, weight, eye colour, age, and biographical data. Other information, like social insurance and driver’s licence numbers, home addresses and telephone numbers, becomes personal information when connected to an individual. And, from Canada’s assistant privacy commissioner in Case No. 297, we have learned that business e-mail addresses are also personal information. As for the rest, with each new case the scope of personal information seems to be expanding.
An evolving concept
The privacy commissioner confronted an interesting issue in Case No. 220, where a telemarketing company employee complained that the employer used the employee’s monthly sales statistics improperly and without consent. The commissioner found that the sales statistics a telemarketing firm collects on employees are personal information of the employee to whom the statistics relate. The telemarketing company in the case used the statistics to motivate its employees to be more productive.
Finding that the telemarketing company’s practices were standard in the industry and the complainant employee knew and impliedly consented to how the employer used this personal information, the commissioner ruled that the complaint was not well-founded. Even so, the commissioner recommended that the employer stop posting an itemized list of each employee’s sales figures and instead implement a policy based on fair information principles, including posting only the personal information employees needed to know.
In Case No. 349, the assistant privacy commissioner dealt with a complaint by a tenant in an apartment building about the collection and use of personal information without consent. In this case the landlord sent a notice to all tenants advising that it would be arranging for all of the units to be inspected. The complainant was home on the day the inspectors entered his apartment. He was aware of the inspection, but did not know and was not told that the inspectors would be photographing each room of his apartment. The landlord indicated that it was standard practice in the industry to photograph the state of each apartment, in order to determine and document the state of repair of each room. The report generated from the inspection would provide the market value of the building, which the landlord would use for mortgage purposes.
The landlord did not consider that it had collected personal information when its inspectors took photographs of each of the rooms of the complainant’s apartment. However, the assistant privacy commissioner disagreed and noted that the photographs would show information about the person living in the unit and his or her standard of living. She went on to note that personal information is information about an identifiable individual. The individual must be identifiable, not necessarily identified. The pictures included in the inspectors’ report indicated the address and unit number under the pictures. This would allow the pictures to be traced back to the individual occupying the apartment. Accordingly, the taking of pictures in the complainant’s apartment was the collection of personal information for which consent was required. The complaint was determined to be well-founded.
The assistant privacy commissioner also addressed statistical information about employees in Case No. 351, where employees working for a telecommunications company complained about their employer’s use of global positioning system (GPS) devices on its trucks to track its fleet’s whereabouts. The GPS produced real-time information that could be generated in a report detailing each vehicle’s start times, stop times, speed, location, mileage, and off-shift parking location. Accepting much of the employer’s reasoning for installing the GPS devices and agreeing that the employees had impliedly consented to the devices being installed in their trucks, the assistant commissioner nevertheless expressed serious concern about using the information from the GPS to manage the employees. Although the information the devices collected did not identify the vehicle’s driver, the employees’ manager had access to the drivers’ identities, some of whom were permitted to take their company vehicle home (while others were required to return their vehicle to the employer’s depot at the end of their shift).
The assistant privacy commissioner first considered whether the information a GPS collects constituted personal information. Because the information could be linked to specific employees driving specific vehicles – making the drivers identifiable, even if not identified at any given time – the assistant commissioner determined that the GPS data collected was personal information. Though observing that the employer in the case at hand resolved the issue by implementing policies strictly limiting its use of this personal information, the assistant commissioner went on to reference the concept of "function creep" (i.e., expanding a technology’s use for more than the originally specified purposes). Finding that "function creep" was unacceptable, the assistant commissioner noted that "the purposes and uses of a particular technology should be precisely specified and that technology should be restricted to its intended purposes." She further warned "all organizations subject to the Act that the effects on the dignity of employees of all of the measures in place – taken as a whole, not just as one measure alone – must be considered in balancing the rights of the individual to privacy and the needs of organizations to collect, use or disclose personal information for appropriate purposes."
Where we are today
The complaints received by the Privacy Commissioner’s Office present a range of factual circumstances and, so far, the Office has indicated that it will take a broad view of the meaning of personal information. If information can be connected to an identifiable individual, it will be considered to be that individual’s personal information. Once the information is considered to be personal information, PIPEDA and its fair information principles will apply to the collection, use and disclosure of that information. The commissioner will also apply PIPEDA’s subsection 5(3) reasonableness principle to determine whether an organization’s reasons for installing a device, implementing a new practice or technology, or taking photographs of an apartment to collect personal information are reasonable under the circumstances. When we ask whether a piece of information is personal information, the answer will likely be "yes" whenever information can be connected to an identifiable individual.