The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that was enacted to protect the privacy rights of residents of Canada. As with other privacy laws, PIPEDA can apply to websites far outside of Canada, but, for the law to apply, you must collect Personally Identifiable Information as defined by this law. Each privacy law has different definitions of Personally Identifiable Information. In this blog post, we will explore the PIPEDA definition of PII (please note that the law uses the term “personal information”).
PIPEDA definition of personal information
PIPEDA defines personal information as data about an identifiable information or information that on its own or combined with other pieces of data, can identify someone as an individual. Some examples of personal information under PIPEDA include information about an individual’s:
- Race, national or ethic origin;
- Age, marital status;
- Medical, education or employment history;
- Financial information;
- Identifying numbers such as social insurance number or driver’s license number;
- Views or opinions about that individual as an employee.
What does it mean for personal information to be “about an identifiable individual under PIPEDA?
Under PIPEDA, information must be “about” a particular individual to be considered personal information. According to a case on the subject, “the words “about” and “concernant” shed little light on the precise nature of the information which relates to the individual, except to say that information recorded in any form is relevant if it is “about” an individual and if it permits or leads to the possible identification of an individual” (Gordon v. Canada, 2008 FC 258). For example, a zip code of a large area where the individual resides would not be considered personal information as it does not allow the website operator to know who in particular lives in that zip code. However, if the zip code is combined with a name of a person who lives in that zip code, then it would be considered personal information as it is information about an individual that can lead to their identification.
Does information have to be recorded to be considered personal information under PIPEDA?
No, information need not be recorded to be considered personal information under PIPEDA. It is sufficient that the information be about an identifiable individual even if the information is not in a recorded form, such as oral conversations, biological samples and real time video surveillance (Morgan v. Alta Flights, Inc. (2006) FCA 121). This means that even a simple conversation about a particular person could be considered personal information so businesses need to carefully train their staff on these types of discussions.
What is not personal information under PIPEDA?
The Office of the Privacy Commissioner of Canada has also stated that the following types of information are generally not considered personal information:
- Information that is not about an individual because the connection with a person is too weak or far removed (e.g. a postal code on its own which covers a wide area with many homes;
- Information about an organization such as a business;
- Information that has been rendered anonymous, as long as it is not possible to link that data back to an identifiable person;
- Certain information about public servants such as their name, position and title;
- A person’s business contact information that an organization collects, uses or discloses for the sole purpose of communicating with that person in relation to their employment, business or profession;
- Government information.
Are you collecting personal information about individuals under PIPEDA?
Hans is the Vice President of Termageddon, an auto-updating website policies generator. With Termageddon, you can generate a comprehensive set of policies for your website, and then receive automatic updates to your policies when the laws change. When not working on Termageddon, you can find Hans gardening, beekeeping, fishing or taking care of his chickens.