Personal Information in the Public Sector

• Author: Barbara Von Tigerstrom
• Pages: 232-290

232

CHA PTER 4

PERSONAL

INFORMATION IN

THE PUBLIC SECTOR

Legislation in all Canadian juris dictions governs personal in formation

that is collected, used, and d isclosed by public sector institutions. At

the federal level, the relevant provisions are found in the Pr ivacy Act,1

while in the provinces they are contained in freedom of information and

protection of privacy (FOIP) or access to information and protection of

privacy (ATIP) statutes, alongside provisions dealing with the general

right of access to informat ion, which are discussed in Chapter 3.2 Most of

these statutes were enacted i n the 1980s and 1990s, with the federal Act

replacing provisions deali ng with personal information that were added

to federal human rights legislation in the 1970s.3 Their purpose is to

provide a degree of transpa rency and control with respect to personal

information in governments’ ha nds, including giving individuals the

right to access and request correct ions to their own personal informat ion

and preventing unauthorized collect ion, use, and disclosure of personal

inform ation.4 The protection of privacy is considered sufficiently import-

ant that this legislation has been descr ibed as “quasi-constitutional” in

1 RSC 1985, c P-21 [Privac y Act].

2 In this ch apter, the terms “FOIP statutes” or “FOIP legisl ation” will be used to

refer to the provinc ial/territori al and federal legislat ion collectively.

3 Peter Gillis, “The Priv acy Act: A Legislative Hi story and Overview” (1987) 1987

Canadian Huma n Rights Yearbook 119 at 123.

4 See, for example, Freedom of Infor mation and Protection of Privac y Act, RSBC

1996, c 165, s 2(1) [BC FOIPPA].

Personal Infor mation in the Public Sector 233

nature;5 it ha s equal status with the general r ight of access to information,

and the two regimes must be i nterpreted together.6

Although the relevant statutes use the term “privacy” or “protec-

tion of privacy” in their titles and purpose statements, this is some-

what misle ading.7 Their substance is both narrower and broader than

it would suggest. Although the limits on collection, use, and d isclosure

do provide some protection for individuals’ privacy, in fact, the legis-

lation allows fairly broad latitude for the government to hold, use, and

share personal in formation for a variety of purposes. The provisions

also extend beyond privacy protection to a broader set of principles

dealing with t he management of personal informat ion. These princi-

ples, referred to as “fair in formation principles” or “fair information

practices,” are set out in Guidelines published in 1980 by the Organi-

sation for Economic Co-operation and Development (OECD),8 and can

be summari zed as follows:

• Collection Limitation: Collection of personal dat a should be limited,

should be done by fair and lawful means, and should generally be

done with the knowledge and consent of the individual.

• Data Qualit y: Personal data should be relevant to, and as accurate,

complete, and up-to-date as necessar y for, the purposes for which

they are used.

• Purpose Specification: The purposes for which personal data are to

be used should be specified before data are collected and use should

be limited to these pur poses or compatible and specified pur poses.

• Use Limitation: Personal data should be used for other purpose s only

with the individual’s consent or as authorized by law.

• Security Safeguards: Personal d ata should be protected against loss or

unauthorized access, destruction, use, modification, or disclosure.

• Openness: Developments, practices, and policies regarding personal

data should generally be open and individuals should be able to

readily determine the existence and nature of personal d ata, the use

of data, and the identity and location of the d ata controller.

5 See Lavigne v Canad a (Office of the Commissioner of Officia l Languages), 2002

SCC 53 at paras 23 –25 [Lavign e] (referring to the feder al Privacy Act).

6 Dagg v Canada (Minister of Finance), [1997] 2 SCR 403 at para 55, La Forest J [Dagg].

7 See Willi am Bonner & Mike Chiass on, “If Fair Information Pri nciples Are the

Answer, What Was the Q uestion? An Actor-Network Theory Investigation of t he

Modern Constit ution of Privacy” (2005) 15 Information & Organizat ion 267 at 280.

8 Organisation for Economic C o-operation and Developmen t, “OECD Guide-

lines on t he Protection of Privacy and Tran sborder Flows of Personal Data”

(23 September 1980), online: www.oecd.org/sti/ieconomy/oecdguidelinesonthe

protectionofprivacyandtransborderflowsofpersonaldata.htm.

INFORM ATION AND PRIVACY LAW IN CAN ADA234

• Individual Participation: Individuals should have the right to obtain

confirmation of whether the dat a controller holds personal data on

them; have such data communicated to t hem, subject to exceptions

that are explai ned and can be challenged; and cha llenge and have

corrected personal dat a relating to them.

• Accountability: A data controller should be accountable for compliance

with measure s giving effect to these pr inciples.

These principles strongly inf luenced legislation in Canada and else-

where.9 In Europe, the relevant legislation tends to use t he term “data

protection,” but reflects many of the same core principles. Although

these principles have remained relevant, Canada, like other juris-

dictions, is responding to changes in technology and international

developments by engaging in a process of review ing and modernizing

public sector pr ivacy legislation.10

A. SCOPE OF APPLICAT ION

The scope of application of public sector personal information legislation

parallels th at of access to information, in that it covers inform ation in

the custody or control of a “government institution” or “public body,” as

defined by the legislation.11 The bodies to which the legislation applies

are defined in each statute, often supplemented by a list in a schedule or

regulation to the statute. They include government ministries or depart-

ments, agencies, boards, and other public offices. Alt hough the scope is

broad, it does not necessarily include all organizations with important

public functions, with courts a nd political parties bei ng notable excep-

tions.12 There are a few instances in which a person or institution is sub-

ject to personal information provisions but not access to information:

9 See, for example, Bonner & Chias son, above note 7 at 275.

10 Canada, Depar tment of Justice, “Moderniz ing Canada’s Privac y Act” (2019),

online: www.justice.gc.ca/eng/csj-sjc/p a-lprp/modern.html. For di scussion of

relevant international developments, see Chapter 1, Section C.

11 See Chapter 3, Section A.

12 Depending on the juris diction, courts are not included a s public bodies, or

most court records (in some c ases, except for court admin istration records) are

excluded from the st atute’s scope, or both. On political p arties, see Dara Lith -

wick, “Priv acy and Politics: Federal Political Pa rties’ Adherence to Recogn ized

Fair Informat ion Practices” (2016) 10 Journal of Parliamentar y & Political Law

39; Information and P rivacy Commissioner of O ntario, Thirty Years of Access and

Privacy Ser vice: 2017 Annual Report (2 018), onli ne: ww w.ipc.on.ca/wp- content/

uplo ads /2 018/0 6/a r-2017-e- web.p df a t 47.