Information # Assistance # Accreditation # Membership # Advisory Board

How to distinguish Personal Information from other information

The following information may provide you with a understanding of how to respond to requests for access to Personal Information under PIPEDA. It is intended to be helpful, but it is not legal advice. If you notice any errors or omissions, please let us know so we may improve the document. This document includes compendia of the Federal Privacy Commissioner's Decision Summaries released up to Decision Summary #260.

Many people have invested much thought to create other helpful guidance documents. Several very helpful ones are listed below this information.

How to distinguish Personal Information from other information

Table of Contents

After this tutorial you will be able to:

* Identify what has been determined to be personal information.

* Identify what has been determined not to be personal information.

* Identify the source of each determination.

* Evaluate the relevant persuasiveness of each source of each determination.

* Apply a procedure to assess by analogy to previous determinations whether novel pieces of information are likely to be determined to be personal information.

Click here to return to this tutorial's table of contents

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) protects "Personal Information". Hence its name. However, reasonable people may differ over what should and should not be protected by being included within the meaning of the label "Personal Information".

As a Privacy Officer you want to know what has been, has not been, and is likely to be determined to be protected by the term, "personal information".

Fortunately, we have a number of clues:

* The legislators included a definition of "personal information" in PIPEDA.

* Disputants have asked the federal privacy commissioner to decide whether particular pieces of information are "personal information".

* In the absence of a dispute the federal privacy commissioner's office has published its thoughts about some pieces of information it considers to be or not to be personal information.

Click here to return to this tutorial's table of contents

PIPEDA contains this definition:

2.(1) "personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

Click here to return to this tutorial's table of contents

The federal privacy commissioner's office has decided as follows:

These were determined to be personal information:

* A "code word" chosen by the complainants to remind them of their personal identification number, despite being technically incorrect, was determined to be the complainants' personal information simply by virtue of being included among their records and traceable to them as identifiable individuals. Decision summary #54

* A personal guarantee by the guarantor was personal information of the guarantor even though physically stored in the debtor's file. Decision summary #205, #90

* An employee's sales statistics. Decision summary #220

* The extreme difficulty of separating an individual's business information from his personal information resulted in a determination that his business information was personal information where: bank documents listed the corporate account in the business's name, followed by the complainant's and his wife's names; the complainant's house was collateral for his corporate line of credit; and there were instances when the bank advised him to return money from his personal account because he had paid himself too much from his corporate line of credit. Decision summary #181

* Information provided to operators during: (1) directory information requests such as the city, name and occasionally the street address of the person whose listing is being requested and if payment is required immediately, the requestor's own name and the third number, or a calling card number and the PIN; and (2) operator placed calls such as the customer's telephone number, the name of the person they are calling, and, in the case of collect calls, the customer's name were determined to be personal information. Decision summary # 160

* Documents referring to the complainant by a numerical identifier were the complainant's personal information due to the complainant being identifiable through the use of the identifier. Comments made by other individuals to the complainant on an audio tape containing were determined to be the complainant's personal information. Decision summary #149

* Four digits of a social insurance number were determined to be personal information. Decision summary #146

* An investigation report pertaining to a complainant was determined to contain personal information of the complainant. Decision summary #68

* An individual's credit card and PIN became his personal information simply on being assigned to him and put into envelopes addressed to him even though created and owned by the bank. Decision summary #43

* That an identifiable individual had had an argument at a bank, had exhibited rude and inappropriate behavior and that the bank intended to terminate its relationship with the individual was determined to be the identifiable individual's personal information. Decision summary #30

* A NETBIOS that might be used to obtain information traceable to an identifiable individual, it was determined to be personal information of the individual. Decision summary #25

These were determined not to be personal information:

No personally identifiable individual

* Information captured by a video camera from a street where neither individuals nor personal identifiers such as license plate numbers were identifiable was determined not to be personal information. Decision summary #131.

* A name appearing in the complainant's family's telephone company account was the same name as the complainant's. It was determined not to be the complainant's personal information because there was no information in the account that would link that name to the complainant. Decision summary #205

* The total entertainment budget of an establishment with only one entertainer was determined not to be personal information of the entertainer when collected by an organization neither interested in nor collecting the number or names of the establishment's entertainers. Decision summary #4

Corporate information

* A corporation's bank account information was determined to be information of a corporation rather personal information of an individual. Decision summary #240

* Information about corporations was determined not to be personal information. Decision summary #80.

* Documents naming a numbered company but not naming the individual presiding over the numbered company were determined not to be personal information of the individual presiding over the numbered company. Decision summary #68

Business Information

* The name, company name, business phone line number and an old business address of a self-employed operator of a home based business were determined to be business information rather than the person's personal information. Decision summary #141

* An unlisted home phone number disclosed to a bank when opening a business account without the discloser specifying that the number was personal or was not to be considered a business number was determined to be analogous to the telephone number of an employee of an organization. Decision summary #230.

* Information related to medical prescriptions including the names, identification numbers, telephone numbers, and prescribing details of physicians is a work product-that is, the tangible result of the physician's work activity and not personal information of the prescribing physician. Decision summary #14

In addition to the above decisions, the Privacy Commissioner's office has issued over 200 other decision summaries. For a concise compendium of summaries (such as those above) of those decisions order the OPO Compendium. All decision summaries may be read in their entirety on the Privacy Commissioner's web site. If you have a few specific pieces of information in mind, ask about them in the OPO Answer Forum. To access the OPO Answer Forum, simply join OPO.

Click here to return to this tutorial's table of contents

In addition to the above decision summaries, the federal privacy commissioner's office has published these statements in fact sheets:

In the Fact Sheet: Gearing up for the Personal Information Protection and Electronic Documents Act:

"Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:

* age, name, ID numbers, income, ethnic origin, or blood type;

* opinions, evaluations, comments, social status, or disciplinary actions; and

* employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)."

In the Fact Sheet: Privacy in the Workplace:

"For almost all personal information - including pay and benefit records, formal and informal personnel files, video or audio tapes, and records of web-browsing, electronic mail, and keystrokes ..."

The Privacy Commissioner of Canada has stated in the Application of the Personal Information Protection and Electronic Documents Act to Employee Records Fact Sheet that PIPEDA's application to employment in the private sector is limited to the federally regulated sector.

In the Fact Sheet: Best Practices for Recording of Customer Telephone Calls

"Taping telephone calls involves the collection of personal information."

And

"The recording of customer calls by organizations raises several other privacy issues. Although a customer service representative could attempt to write down the details of a conversation, a recording is qualitatively different for a number of reasons:

* It will capture incidental information that the service representative might not note - information that may not be germane to the call but could be used by the organization for other purposes;

* It will capture the caller's tone of voice, that could also be used for other purposes such as a legal proceeding; and

* It can be used to infer information about the caller, for example ethnic origin and age that is not relevant to the purpose of the call."

Click here to return to this tutorial's table of contents

The statutory provision is an express statement of the law. The Privacy Commissioner's decision summaries are the Privacy Commissioner's opinions of what the statutory provision means. PIPEDA subsection 14(1) permits complainants to go to the Federal Court after receiving the Privacy Commissioner's report in some situations. Therefore, there may be instances of the Federal Court offering opinions of what the statutory provisions mean that contradict those offered by the Privacy Commissioner. There may also be apparently contradictory decisions issued by either the Privacy Commissioner's office or the Federal Court. Contradiction may result from, among many other reasons, changes of the Privacy Commissioner, competing requirements of fairness in the respective fact situations and changes in what is considered acceptable over time. Some may consider Privacy Commissioner's opinions offered in the fact sheets to be less persuasive than the decision summaries because only the latter benefit from representations by both sides of a dispute. However, as the opinions expressed in the fact sheets have been expressed to provide guidance to organizations, that guidance ought to be given due consideration.

As a Privacy Officer you want to know what the decision maker will decide if a dispute ever arises. In Canada the ultimate decision maker is the Privacy Commissioner whenever complainants can not afford a subsequent application to the federal court. Therefore, in assessing what may or may not be personal information you should ask yourself what you think the Privacy Commissioner or Federal Court would determine the information to be if asked the question rather than what your organization would like the information to be considered.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Click here to return to this tutorial's table of contents

Here is a handy procedure for use in determining whether particular information may or may not be personal information:

Does the information fall clearly in or out of the statutory definition?

If yes, then you may have your answer.

If no, ask, "Is the information in its context more similar to information that has been determined to be personal information or to information that has been determined not to be personal information by the Privacy Commissioner or the Federal Court than information about which neither has expressed an opinion?

If yes, then you may have your answer.

If no, then ask, "Has the Privacy Commissioner expressed an opinion about information similar to this in a fact sheet or other commentary?"

If yes, then you may have your answer.

If no, then ask, "What, on the basis of public policy, is the Privacy Commissioner or Federal Court more likely to determine the information to be?.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Try a few quick questions to decide whether you think they would be determined to be Personal Information.

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Click here to return to this tutorial's table of contents

Quiz Questions

1. A bank that has issued a credit card leaves an automated digital message on a home telephone number, provided to the bank on the credit card application form. The message indicates who is calling, that the credit card holder is slightly behind in making his/her minimum payment, and provides a toll-free number. The cardholder's name is not mentioned. The cardholder is the only person in the household with a credit card from that bank.

Is the message content personal information of the cardholder?

2. Video of an employee engaging in non-work related activities.

3. Information that a bank's customer has "A sizeable debt," is "under financial pressure," and that the customer was involved in "civil dispute" with the bank.

4. Video of employees leaving the place of employment during work hours.

5. Video of an employee violating rules of employment.

6. The name, telephone number, flight number and date of flight of an airline passenger.

7. An employee's business card.

Check your answers

++++++++++++++++++++++++++++++++++++++++++++++++++++++

Click here to return to this tutorial's table of contents

Quiz Answers

1. Yes. The information was determined to be personal information because the credit card holder was identifiably by virtue of being the only credit card holder of this bank in the household. Decision summary #270

2. Yes. The information was personal information. Decision summary #269

3. Yes. Decision summary #267

4. Yes. Decision summary #266

5. Yes. Decision summary #265

6. Yes. Decision summary #262

7. No. Employee information exclusion in definition of personal information.

Click here to return to this tutorial's table of contents

Compliance Guides with lower levels of generality