Interpretation Bulletin: Personal Information

October 2013

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. While findings on a given issue may differ depending on the facts of each case and the position of the parties. Over time, findings on certain key issues have begun to crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined over time.

The Meaning of “Personal Information”

I. Relevant Statutory Provisions

Section 2(1) of the Personal Information Protection and Electronic Documents Act (2000, c. 5) (PIPEDA) states that “personal information” means “information about an identifiable individual.”

Section 4(1) provides that PIPEDA applies to every organization in respect of personal information that the organization “collects, uses or discloses in the course of commercial activities” or “is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.”

II. General Interpretations by the Courts

1. Drawing from jurisprudence in the federal public sector, the definition of personal information must be given a broad and expansive interpretation (Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R., dissenting, 403 at para 68; Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157; Canada (Information Commissioner) v. Canada (Commissioner of the Royal Canadian Mounted Police), [2003] 1 S.C.R. 66, 2003 SCC 8, at para 23).
2. Personal information is information “about” an identifiable individual. “About” means that the information is not just the subject of something but also relates to or concerns the subject (Canada (Information Commissioner) v. Canada (Transportation Accident Investigation and Safety Board), 2006 FCA 157).
3. Information will be about an “identifiable individual” where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information (Gordon v. Canada (Health), 2008 FC 258 (CanLII).^{Footnote 1} Information need not be recorded for it to constitute personal information. It is sufficient that the information be about an identifiable individual even if the information is not in a recorded form, such as oral conversations, biological samples and real time video surveillance. While the absence of a recording may go to the issue of collection, it does not change the fact that the information is personal information (Morgan v. Alta Flights Inc. (2006) FCA 121, affirming (2005) FC 421).
4. The same information can be personal to more than one individual, where, for example, it contains the views of one individual about another individual, or where the same information reveals something about two identifiable individuals (Wyndowe v. Rousseau, 2008 FCA 39 (CanLII)).
5. Information will still be personal information even if it is publicly available within the meaning of the regulations,^{Footnote 2} and is exempt from applicable consent requirements (Englander v. TELUS Communications Inc., 2004 FCA 387 (CanLII)).
6. Subjective information about an individual may still be personal information even if it is not necessarily accurate (Lawson v. Accusearch Inc. 2007 FC 125).

III. Applications in Different Contexts

Business and Professional Context

• PIPEDA does not apply to an organization in respect of the business contact information of an individual that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.^{Footnote 3}
• An individual’s cell phone records from their work cell phone may be the personal information of the individual.^{Footnote 4}
• Information about a company is generally not personal information. However, an individual’s personal information may be so inextricably linked to information about his or her company (e.g. an owner/operator of a small business) that information about that company can constitute personal information about the individual.^{Footnote 5} Each situation must be assessed on a case-by-case basis.
• Sales statistics of telemarketers^{Footnote 6} and the number of houses sold by real estate brokers^{Footnote 7} can constitute personal information.
• Other personal information in the Business and Professional context include: an individual’s Notice of Assessment (NOA) and Social Insurance Number (SIN);^{Footnote 8} email addresses^{Footnote 9} and messages; consumer purchases,^{Footnote 10} services,^{Footnote 11} and transactions;^{Footnote 12} customer membership and account information in the context of frequent flyer or consumer loyalty programs;^{Footnote 13} and, customer complaint information.^{Footnote 14}

Employment Context

• PIPEDA only applies to personal information of employees of, and applicants for employment with, federal works, undertakings or businesses.^{Footnote 15}
• An individual’s views or opinions about an employee (e.g. performance appraisals,^{Footnote 16} internal investigation files,^{Footnote 17} medical diagnoses or assessments,^{Footnote 18} or complaints against an employee)^{Footnote 19} may constitute the personal information of that employee.
• Other examples of personal information of employees of federal works, undertakings or businesses include: employee number^{Footnote 20}; employee voices;^{Footnote 21} swipe cards and video footage or live-feed;^{Footnote 22} salary, benefits and performance ratings;^{Footnote 23} and, employee personnel files.^{Footnote 24}

Health Context

• Keeping background notes about an individual separate from that individual’s medical assessment report does not change the status of the personal information contained in those notes.^{Footnote 25}
• Background notes taken by a physician in support of an independent medical examination (IME) report to an insurer may contain the personal information of the patient, as well as the personal information of the physician.^{Footnote 26}
• Personal information that has been de-identified does not qualify as anonymous information if there is a serious possibility of linking the de-identified data back to an identifiable individual.^{Footnote 27}
• Other examples of personal information in the health context include: information concerning the physical or mental health of an individual, such as: medical diagnoses,^{Footnote 28} general medical information,^{Footnote 29} clinical notes^{Footnote 30} and independent medical assessments for insurance-related purposes; ^{Footnote 31} as well as entire medical records and/or patient charts in the context of a closing or sale of a health professional’s practice.^{Footnote 32}

Financial Context

• Examples of financial information which may constitute personal information of an individual include: bank account numbers, summaries or balances;^{Footnote 33} transaction histories;^{Footnote 34} debt-related information;^{Footnote 35} mortgage applications/renewals, tax returns and net worth;^{Footnote 36} credit reports^{Footnote 37} and credit scores.^{Footnote 38}
• The contents of and details about an individual’s safety deposit box is that individual’s personal information.^{Footnote 39}
• Residential property appraisal documents constitute the personal information of the property owner,^{Footnote 40} including the selling/purchase price of an individual’s home.
• A simple reference to an outstanding debt, even without disclosing specific details about the debt, is personal information.^{Footnote 41}

Technological Context

• Examples of personal information in the technological context include forms of biometric information, such as fingerprints^{Footnote 42} and voiceprints.^{Footnote 43} A voiceprint is personal information even though it may not necessarily tell much about an individual. How much more it reveals about an individual will depend on how the voiceprint is used.^{Footnote 44}
• A photograph of an individual’s home may constitute the personal information of that individual.^{Footnote 45} Video surveillance that captures an individual’s physical image or movement^{Footnote 46} may also constitute his or her personal information even if it is not taped,^{Footnote 47} since the definition of personal information in PIPEDA does not require that the information be recorded.
• Tracking information collected from a Global Positioning System (GPS) placed in company vehicles is personal information since the information can be linked to specific employees driving the vehicles. The employees are identifiable even if they are not identified at all times to all users of the system.^{Footnote 48}
• Information collected through the use of radio frequency identification (RFID) tags to track and locate baggage, retail products, and individual purchases may constitute the personal information of any identifiable individual associated with those items.^{Footnote 49}
• An Internet Protocol (IP) address can be considered personal information if it can be associated with an identifiable individual.^{Footnote 50} For example, in one complaint finding, we determined that some of the IP addresses that an internet service provider (ISP) was collecting were personal information because the ISP had the ability to link the IP addresses to its customers through their subscriber IDs. See also a report prepared by the Technology Analysis Branch of the OPC on "What an IP Address Can Reveal About You".^{Footnote 51}