4. Clarifying concepts

CLOSED: This discussion has concluded.

A number of definitions and concepts in the Act could be updated, and others could be introduced

There are a number of areas where the Act should provide clearer rules about its scope – what it covers and when its full protections are engaged. A risk-based approach to the protection of personal information has been emerging as an international best practice. Changes under consideration include:

  • Applying the Act to “federal public bodies” : Currently, the Privacy Act applies to “government institutions” as defined under the Act. While this term covers a comprehensive range of governmental institutions headed by a minister, it also includes many federal public bodies that are not core government departments or agencies. Changing “government institution” to “federal public body” would make it clear that many non-governmental federal entities are also subject to the Act.

  • Updating and clarifying the definition of “personal information” : The current Privacy Act defines “personal information” as “information about an identifiable individual that is recorded in any form.” It includes a number of examples of what constitutes personal information, and also exempts certain information for the purposes of the use and disclosure provisions of the Act (and for access requests under the Access to Information Act for records that contain personal information). Proposed changes could include: 
    • Including unrecorded personal information: Removing the current requirement that personal information be “recorded” could simplify the definition. Many stakeholders have recommended this amendment as it would make the Act consistent with the Personal Information Protection and Electronic Documents Act and with the approach taken in many other jurisdictions. However, since the Act is organized around the concept of a “record,” it is unclear what practical benefits would follow from expanding the definition to include unrecorded information.  Many rights and obligations under the Act could not possibly apply to unrecorded information, such as an individual’s right to access and correct their personal information, a federal public body’s obligations to retain such information, and certain rules for use and disclosure.  Additional input on the practical benefits of such a change is needed.
    • Clarifying when an individual is “identifiable” : The Act could provide criteria for determining when information is about an “identifiable individual” and thus subject to the Act’s requirements. Sensitivity to context would be particularly important, as different considerations might be appropriate depending on the circumstances.  For example, could someone reasonably be identified from information that is restricted to confidential internal use, as opposed to greater public disclosure? 
    • Introducing a balancing approach where personal information reflects the views and opinions of one individual regarding another : Currently, the definition of “personal information” identifies individual A’s stated views or opinions about individual B as individual B’s personal information, not just individual A's. This means individual B has, subject to some exceptions, a right to access individual A’s views or opinions about them and to know the identity of the individual who made those statements. This is an important right in many situations, especially where one person’s opinions can negatively impact another’s rights. However, in some circumstances, it might be more important to protect the confidentiality of a person’s opinion about someone else – for example, in the context of harassment allegations and investigations. The Act could include a provision outlining a more nuanced and flexible balancing approach to apply in such cases, rather than the current fixed and firm rule. 
    • Removing exemptions from within the definition itself : Paragraphs (j) to (m) of the current definition exempt certain types of information that would otherwise be considered “personal information” for the purposes of sections 7, 8, and 26 of the Act (and section 19 of the Access to Information Act). These exemptions ensure that some information can be accessed by individuals other than the individual to whom the information relates, largely for reasons of public interest. However, these exclusions have been difficult to interpret and administer in practice. As well, the public-interest rationale justifying greater use, sharing and access to such personal information might be better reflected elsewhere in the Act and in the Access to Information Act. Therefore, to simplify the definition, this list of exemptions could be removed and sections 7, 8, and 26 amended as necessary.

  • Defining business contact information : Currently, the Act does not clearly indicate that business information is not personal information, which can lead to challenges in certain cases, such as where a business is operated by a sole proprietor. The Act could make it clear that information that relates primarily to a business is not “personal information.”

  • Outlining factors for valid consent : The Act could include factors or standards to help ensure that individual consent provided under the Act is specific, informed, and voluntary, and able to be revoked.

  • Setting out an updated framework for publicly available personal information : The Privacy Act applies to publicly available personal information, except its rules governing subsequent uses and disclosures of personal information. However, the Act does not specifically define the term “publicly available.” A modernized Act could define personal information as being “publicly available” in three instances: first, when it has been made manifestly public by the individual the information relates to; second, when it is broadly and continuously available to all members of the public and the individual has no reasonable expectation of privacy in the information; and third, when another act of Parliament or a regulation requires the information to be publicly available. As well, the current exclusion under subsection 69(2) could be eliminated so that all the Act’s rules would apply to publicly available personal information, while provisions to permit the use and disclosure of such information in specific cases could be added, along with a related exception to the right to have personal information collected directly from the individual.

  • Broadening the concept of administrative purpose : Certain protections in the Privacy Act apply to personal information that is used for an “administrative purpose.”  Under the Act currently,  an administrative purpose relates to the use of personal information in a decision-making process that directly affects the individual the information is about.  However, where it is not used for an administrative purpose, some of the standard requirements relating to notification, correction and retention are relaxed. The Act could be amended to broaden the scope of administrative purpose to capture any practice involving personal information that could directly affect the individual, whether or not a decision-making process was involved. This would ensure that the full suite of protections in the Act applied to the design and development of artificial intelligence systems, for example. 

The Government is not currently considering specifying categories of personal information to which special rules would apply (such as “sensitive” personal information or information relating to minors), though some other jurisdictions do so. A flexible principles-based approach, along with some of the other proposed changes, would ensure the appropriate protection of personal information according to context. The Government also agrees with the Privacy Commissioner that the Act is not an appropriate place for defining “metadata,” since many forms of metadata will simply not be information about an identifiable individual.

Share on Facebook Share on Twitter Share on Linkedin Email this link

Consultation has concluded. Thank you for your contributions.

    <span class="translation_missing" title="translation missing: en-US.projects.forum_topics.show.load_comment_text">Load Comment Text</span>