Privacy review – Information Commissioner's submission to the Department of Justice (2021)
Dear Minister Lametti:
Thank you for the opportunity to provide input at this stage of Justice Canada’s review of the Privacy Act. As with my comments from 2019, in response to Justice Canada’s Targeted Technical Engagement on the Privacy Act, the comments that follow will be limited to topics that affect the Access to Information Act (“Access Act”).
My comments focus on certain matters of interest raised in Justice’s discussion paper – specifically, definitions of key phrases which are relevant to the Access Act: “personal information” and “publicly available”. The definition of “personal information” is of particular significance as the exemption for personal information is the most commonly invoked exemption in the Access Act. Apart from these definitions, the remainder of my comments address other matters raised in Justice’s discussion paper.
The aim of my comments is to achieve an appropriate balance between rights of access and privacy. I would welcome the opportunity to provide further comments on these and other matters at later stages of this review, and on an eventual Bill.
1. Definition of personal information
a) Clarifying when an individual is identifiable
The discussion paper considers providing criteria for determining identifiability, recognizing the importance of sensitivity to context. I agree with the statement from the discussion paper that “different considerations might be appropriate depending on the circumstances.”
I am of the view that any legislative amendments should be consistent with the legal standard for identifiability. The legal standard is the “serious possibility” test:
Information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.1
In a 2019 decision under the Access Act, the Federal Court found that the “serious possibility” test envisions a possibility that is greater than speculation or mere possibility, but that does not reach the level of more likely than not on a balance of probabilities.2
Questions arise on the perspective from which identifiability is to be determined, including to whom the “other available information” is available. The 2019 Federal Court decision provided some clarity on these points, in the context of an application for disclosure under the Access Act:
Information kept confidential in the hands of a government institution cannot be considered “available” for the purposes of the analysis of identifiability;
The fact that an individual may be able to identify themselves from released information does not make the information personal; but
The scope of “available information” cannot be limited to information available to the public, or even an informed and knowledgeable member of the public. Instead, information held by a smaller subset of the public, including a private employer, can constitute “available information” depending on the circumstances.”3
Recommendation 1 – Amendments relating to the test for identifiability should be consistent with the “serious possibility” test from the case law.
b) Introducing a balancing approach where personal information reflects the views and opinions of one individual regarding another
The discussion paper proposes a more nuanced and flexible balancing approach to apply in certain situations where information is the personal information of multiple individuals. The discussion paper notes that “[c]urrently, the definition of “personal information” identifies individual A’s stated views or opinions about individual B as individual B’s personal information, not just individual A’s.” It adds that “in some circumstances, it might be more important to protect the confidentiality of a person’s opinion about someone else – for example, in the context of harassment allegations and investigations”.
I am of the view that the proposed nuanced and flexible balancing approach is worthy of consideration and would be pleased to comment on specifics as they are developed.
c) Removing exceptions in paragraphs 3(j) to (m) from the definition
These exceptions apply for the purposes of sections 7, 8 and 26 of the Privacy Act, and to section 19 of the Access Act. The discussion paper appears to suggest simplifying the definition of “personal information” by removing these paragraphs and making corresponding amendments to the aforementioned sections.
As understood, the intention is to simplify the definition of “personal information” and not to substantively change the scope of these exceptions. I wish to highlight the importance of these exceptions, which as noted in the discussion paper, exist “largely for reasons of public interest”. Their practical impact on the Privacy Act and Access Act should not be weakened, and any amendments should ensure that this is the case.
Recommendation 2 – Any amendments relating to paragraphs 3(j) to (m) should not substantively change the law as it currently exists; these exceptions should continue to be exceptions to the definition of “personal information” for the purposes of the above-mentioned provisions.
d) Merging the exceptions in paragraphs 3(j) and 3(j.1) to allow for consistency and greater transparency
While this is not raised in the discussion paper, I believe it should be considered.
While paragraph 3(j) sets out an exception for information about individuals who are or were officers or employees of government institutions that relates to their position or functions, paragraph 3(j.1) sets out a much narrower exception for information about ministerial advisers and staff. Specifically, the paragraph 3(j.1) exception applies only to the fact that an individual is or was a ministerial adviser or staff member, and the individual’s name and title, on records created after June 21, 2019.
I am of the view that the scope of the exception relating to ministerial advisers or staff members should be more consistent with paragraph 3(j).
Recommendation 3 – Amendments to paragraphs 3(j) and 3(j.1) should be considered to allow for greater transparency. More specifically, ministerial advisers or staff should be added to paragraph 3(j) and paragraph 3(j.1) should be eliminated.
e) Excluding “business contact information” from the definition
The discussion paper’s proposal on this point is: “The Act could make it clear that information that relates primarily to a business is not “personal information”.”
I agree with the substance of this proposal. In the review of the Access Act, I proposed that the issue of business contact information should be addressed either by: allowing for disclosure of this information under the Access Act, or by excluding it from the definition of “personal information” in the Privacy Act. In my view, disclosure of the name, title and business or professional address and telephone number of an individual should generally be permitted when that information is of a professional nature.
I am of the view that the definition of “business contact information” should contain enumerated examples of information that relate primarily to a business. These examples can clarify the scope of the definition, without detracting from the contextual nature of the analysis.
Recommendation 4 – The name, title, business or professional address and telephone number of an individual should be included as examples of information that relate primarily to a business.
2. Definition of “publicly available”
As part of the updated framework for publicly available personal information, the discussion paper considers a definition for publicly available personal information. This definition appears likely to impact the Access Act, which contains a relevant discretionary exception to the exemption for personal information in paragraph 19(2)(b). This provision permits disclosure of publicly available personal information, and is commonly used to disclose information under the Access Act.
I am concerned that an overly restrictive definition of “publicly available” would limit the utility of paragraph 19(2)(b) of the Access Act, in a manner that does not appropriately balance the dual objectives of providing access and protecting privacy.
The discussion paper’s proposed definition of “publicly available” is too restrictive because of various qualifications that narrow the definition. It sets out three instances in which personal information could be defined as “publicly available”:
- first, when it has been made manifestly public by the individual the information relates to;
- second, when it is broadly and continuously available to all members of the public and the individual has no reasonable expectation of privacy in the information; and
- third, when another act of Parliament or a regulation requires the information to be publicly available.
This definition contains significant qualifications which are at odds with the common law definitions of “publicly available”. This is clear from phrases like “manifestly public”, “broadly and continuously available to all members of the public”, and “the individual has no reasonable expectation of privacy”. (my emphasis).
The Federal Court of Appeal’s interpretation of “publicly available” has been much broader. In a 2015 decision, the Federal Court of Appeal found this phrase to mean (in the context of subsection 69(2) of the Privacy Act) “available to the citizenry at large”.4 In making this finding, the Federal Court of Appeal considered the phrase to be “relatively precise and unequivocal”. In a 2007 decision, the majority of the Federal Court of Appeal found the phrase to mean (in the context of paragraph 17(2)(d) of the Statistics Act) available “to a segment of the population”.5
It follows that the adoption of the proposed definition from the discussion paper would significantly restrict the definition of “publicly available” compared to the common law definition. I recognize that social media and the increased digitization of information has changed the nature, type and amount of personal information that is publicly available today, and that the discussion paper responds to important issues. I believe that these issues can be adequately addressed in the context of the Privacy Act, albeit with a less restrictive definition of the phrase “publicly available”.
I note that in a different section, the discussion paper proposes rules relating to the use and disclosure of publicly available personal information, and correctly suggests that the Privacy Act:
“could ensure sufficient consistency between its approach to publicly available personal information and that of the Access to Information Act – the Privacy Act should not protect publicly available information in a way that is incompatible with the public’s right to access it under the Access to Information Act.” (my emphasis)
Recommendation 5 – The definition of “publicly available” should be less restrictive than envisioned in the discussion paper to be consistent with the case law on point and achieve a proper balance between privacy and access.
3. Matters relating to permissive disclosure under subsection 8(2) of the Privacy Act
The discussion paper’s proposed modifications to subsection 8(2) of the Privacy Act will have some impact on disclosures under paragraph 19(2)(c) of the Access Act. This latter provision is a discretionary exception to the exemption for personal information, where disclosure is in accordance with section 8 of the Privacy Act. I limit my comments to a few matters relating to subsection 8(2) of the Privacy Act – which set out circumstances in which personal information may be disclosed without the consent of the individual to whom the information relates.
a) Additional authorities to disclose, including to next of kin
The discussion paper proposes adding “additional authorities permitting use or disclosure where doing so is reasonably required”, including “to contact a relative or any other person whom it would be reasonable to contact when an individual is injured or ill”.
In the Access review6, I recommended a change to the Access Act to permit institutions to disclose personal information of a deceased person to their partner or next of kin. Similarly, I suggest considering compassionate reasons as an enumerated circumstance authorizing disclosure under subsection 8(2) of the Privacy Act.
Recommendation 6 – The addition of compassionate reasons in a paragraph within subsection 8(2) of the Privacy Act should be considered.
b) Amendments to accommodate changes to the definition of “personal information”
The discussion paper proposes such amendments to reflect the removal of paragraphs 3(j) to (m) of the definition of “personal information”, which serve as exceptions to that definition for the purposes of specific provisions of the Privacy Act and the Access Act. I am concerned, however, that the discussion paper’s proposal may weaken the effects of these exceptions.
If the information currently described in paragraphs 3(j) to (m) is added to subsection 8(2) of the Privacy Act to simply authorize its disclosure (or non-disclosure), this would materially change the law. Specifically, it would permit institutions to refuse to disclose such information, under subsection 8(2) of the Privacy Act. Currently, institutions do not have the ability to refuse to disclose such information under subsection 8(2) of the Privacy Act, because this information falls within the scope of an exception to the definition of personal information for the purposes of that subsection.7
Recommendation 7 – Any amendments should ensure that, as stated in Recommendation 2, above, the law as it relates to paragraph 3(j) to (m), in the context of section 8 of the Privacy Act, is not substantively changed.
c) Providing flexibility for unforeseen circumstances, with regard to paragraph 8(2)(m)
The discussion paper considers replacing paragraph 8(2)(m) of the Privacy Act with a new provision, allowing for disclosure of personal information where disclosure would be “reasonably required” in the public interest. The framework for determining whether this is the case would include certain key considerations.
I am in general agreement with this proposal, since paragraph 8(2)(m) as currently worded does not provide the flexibility that I believe it should, due to the qualifications it contains. Specifically, subparagraph 8(2)(m)(i) requires that the public interest “clearly outweighs” any invasion of privacy that could result from the disclosure, and subparagraph 8(2)(m)(ii) requires that disclosure would “clearly benefit the individual to whom the information relates.”
In my view, an important concept for determining whether disclosure would be “reasonably required” in the public interest is whether disclosure would constitute an unjustified invasion of a person’s privacy. This concept relates to key considerations (iii) and (iv) that are raised in the discussion paper. I previously discussed this concept in the Access review, in the context of the personal information exemption in the Access Act.
Recommendation 8 – The envisioned amendments relating to paragraph 8(2)(m) should be considered in order to allow for greater flexibility.
4. Allowing a greater role for de-identified personal information
The discussion paper suggests that federal institutions “could be provided with greater flexibility to use and disclose personal information that has undergone an established process for removing personal identifiers”.
I support this idea, which is relevant to the Access Act in terms of: the determination of whether information is personal, under subsection 19(1), and the determination of whether information in a record containing personal information can be severed and disclosed, under section 25.
Personal information that is properly de-identified is no longer personal information. The practice of de-identification should be encouraged as an appropriate balance between access and privacy, both inside and outside the context of the Access Act.
Thank you again for the opportunity to comment on this discussion paper. I look forward to further opportunities to provide comments, and testimony, during this Privacy Act review process.
Should you have any questions or wish to receive any further information from my office, please contact Vanessa Moss-Norbury, Manager, Policy and Parliamentary Affairs at 819-994-1891 or firstname.lastname@example.org.
Information Commissioner of Canada
c.c.: Daniel Therrien
Privacy Commissioner of Canada
30 Victoria Street, 1st Floor
Gatineau, Quebec K1A 1H3