Thursday, December 28, 2006

What is Personal Information Definition under PIPEDA

What is Personal Information Definition:

The definition of ‘Personal Information’ is integral to understanding the scope of PIPEDA, as PIPEDA only applies to the collection of ‘personal information.’[1]

“Personal Information means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.” [2]

The phrase “about an identifiable individual” has been the subject of some debate. For example, “identifiable” has been held in Ontario to mean that there is a reasonable expectation that the information may identify a person, rather than the actual identification of a person.[3] As well, “individual” connotes that the information must identify a human being as opposed to an organization.[4] Of course, an organization like a sole-proprietorship or a corporation may also be included when the ‘nexus between the individual and that entity are closely related.’ [5] Finally, the legislation clearly states ‘identifiable individual,’ illustrating how the personal information gathered must relate to a singular person.

With regard to the term “about,” PIPEDA seeks to protect personal aspects of an individual that are exemplified by the following non-exhaustive list: age, name, medical records, income, purchases and spending habits, etc.[6] The Privacy Commissioner noted in his findings that personal information extends beyond this list, and in some circumstances, may include an individual’s NETBIOS, which consists of the websites an individual on a computer has accessed, and the passwords used by an individual to access secure accounts,[7] as a NETBIOS might be used to obtain information traceable to an identifiable individual. The reason it is traceable to an individual is that a person’s viewing habits and personal enjoyments form an integral part of that person, and the collection of that individual’s hobby habits is personal.

Analysis:

What this statute fails to do is distinguish when it would be reasonable to collect a person's online information, especially when many personal computers are shared between individuals, and where this statute only covers the singular person.

A spyware victim will put forward the argument that their privacy has been invaded, even if they shared their computer. It does not matter when a spyware company is spying on a person, and that the spyware company has contravened PIPEDA several times. However, the spyware company can make the counterargument that the information it has collected comes from only one computer, and that the data collected cannot itself identify a singular person.

This line of argument could then be transferred to cases where spyware is collected on a computer used by one person, as a spyware company could argue that there was no reasonable way that the data they collected could have been known to come from one person as opposed to several people.

[1] Priscilla Platt et al., Privacy Law in the Private Sector: An Annotation of the Legislation in Canada, looseleaf (Canada Law Book Inc., 2002) at PIP-15.
[2] Personal Information and Electronic Documents Act, S.C. 2005, c. 5. at s. 2.
[3] Canadian Privacy Law Annotation, supra note 1 at PIP-16.
[4] Ibid.
[5] Ibid.
[6] The Privacy Commissioner has set up a website to help understand PIPEDA. This information was found at “A Guide for Individuals,” .
[7] A NETBIOS is a computer's common or "friendly" name related to its Internet protocol (IP) address. If an IP address is traced, it allows access to information such as Web sites visited by the computer's user or recent passwords used in obtaining access to secure accounts. It is important to note that there are no case names dealing with privacy complaints, only case numbers. As such, I will be citing these cases by providing the case number, and relevant URL. PIPEDA Case #25, .