Personal Information in the Public Sector

• Author: Barbara Von Tigerstrom
• Pages: 232-290

232

CHAPTER 4

PERSONAL

INFORMATION IN

THE PUBLIC SECTOR

Legislation in all Canadian jurisdictions governs personal information

that is collected, used, and disclosed by public sector institutions. At

the federal level, the relevant provisions are found in the Privacy Act,1

while in the provinces they are contained in freedom of information and

protection of privacy (FOIP) or access to information and protection of

privacy (ATIP) statutes, alongside provisions dealing with the general

right of access to informat ion, which are discussed in Chapter 3.2 Most of

these statutes were enacted in the 1980s and 1990s, with the federal Act

replacing provisions dealing with personal information that were added

to federal human rights legislation in the 1970s.3 Their purpose is to

provide a degree of transparency and control with respect to personal

information in governments’ hands, including giving individuals the

right to access and request correct ions to their own personal informat ion

and preventing unauthorized collection, use, and disclosure of personal

information.4 The protection of privacy is considered sufficiently import-

ant that this legislation has been described as “quasi-constitutional” in

1 RSC 1985, c P-21 [Privac y Act].

2 In this ch apter, the terms “FOIP statutes” or “FOIP legisl ation” will be used to

refer to the provinc ial/territori al and federal legislat ion collectively.

3 Peter Gillis, “The Priv acy Act: A Legislative Hi story and Overview” (1987) 1987

Canadian Huma n Rights Yearbook 119 at 123.

4 See, for example, Freedom of Infor mation and Protection of Privac y Act,RSBC

1996, c 165, s 2(1) [BC FOIPPA].

Personal Infor mation in the Public Sector 233

nature;5 it ha s equal status with the general r ight of access to information,

and the two regimes must be interpreted together.6

Although the relevant statutes use the term “privacy” or “protec-

tion of privacy” in their titles and purpose statements, this is some-

what misleading.7 Their substance is both narrower and broader than

it would suggest. Although the limits on collection, use, and d isclosure

do provide some protection for individuals’ privacy, in fact, the legis-

lation allows fairly broad latitude for the government to hold, use, and

share personal information for a variety of purposes. The provisions

also extend beyond privacy protection to a broader set of principles

dealing with the management of personal information. These princi-

ples, referred to as “fair information principles” or “fair information

practices,” are set out in Guidelines published in 1980 by the Organi-

sation for Economic Co-operation and Development (OECD),8 and can

be summarized as follows:

• Collection Limitation: Collection of personal data should be limited,

should be done by fair and lawful means, and should generally be

done with the knowledge and consent of the individual.

• Data Quality: Personal data should be relevant to, and as accurate,

complete, and up-to-date as necessary for, the purposes for which

they are used.

• Purpose Specification: The purposes for which personal data are to

be used should be specified before data are collected and use should

be limited to these purposes or compatible and specified purposes.

• Use Limitation: Personal data should be used for other purpose s only

with the individual’s consent or as authorized by law.

• Security Safeguards: Personal d ata should be protected against loss or

unauthorized access, destruction, use, modification, or disclosure.

• Openness: Developments, practices, and policies regarding personal

data should generally be open and individuals should be able to

readily determine the existence and nature of personal data, the use

of data, and the identity and location of the data controller.

5 See Lavigne v Canad a (Office of the Commissioner of Officia l Languages),2002

SCC 53 at paras 23 –25 [Lavigne] (referring to the feder al Privacy Act).

6 Dagg v Canada (Minister of Finance), [1997] 2 SCR 403at para 55, La Forest J [Dagg].

7 See Willi am Bonner & Mike Chiass on, “If Fair Information Pri nciples Are the

Answer, What Was the Q uestion? An Actor-Network Theory Investigation of t he

Modern Constit ution of Privacy” (2005) 15 Information & Organizat ion 267 at 280.

8 Organisation for Economic C o-operation and Developmen t, “OECD Guide-

lines on t he Protection of Privacy and Tran sborder Flows of Personal Data”

(23 September 1980), online: www.oecd.org/sti/ieconomy/oecdguidelinesonthe

protectionofprivacyandtransborderflowsofpersonaldata.htm.

INFORM ATION AND PRIVACY LAW IN CANADA234

• Individual Participation: Individuals should have the right to obtain

confirmation of whether the data controller holds personal data on

them; have such data communicated to them, subject to exceptions

that are explained and can be challenged; and challenge and have

corrected personal data relating to them.

• Accountability: A data controller should be accountable for compliance

with measures giving effect to these principles.

These principles strongly influenced legislation in Canada and else-

where.9 In Europe, the relevant legislation tends to use the term “data

protection,” but reflects many of the same core principles. Although

these principles have remained relevant, Canada, like other juris-

dictions, is responding to changes in technology and international

developments by engaging in a process of reviewing and modernizing

public sector privacy legislation.10

A.SCOPE OF APPLICATION

The scope of application of public sector personal information legislation

parallels that of access to information, in that it covers information in

the custody or control of a “government institution” or “public body,” as

defined by the legislation.11 The bodies to which the legislation applies

are defined in each statute, often supplemented by a list in a schedule or

regulation to the statute. They include government ministries or depart-

ments, agencies, boards, and other public offices. Although the scope is

broad, it does not necessarily include all organizations with important

public functions, with courts and political parties being notable excep-

tions.12 There are a few instances in which a person or institution is sub-

ject to personal information provisions but not access to information:

9 See, for example, Bonner & Chias son, above note 7 at 275.

10Canada, Depar tment of Justice, “Moderniz ing Canada’s Privac y Act” (2019),

online: www.justice.gc.ca/eng/csj-sjc/pa-lprp/modern.html. For di scussion of

relevant international developments, see Chapter 1, Section C.

11See Chapter 3, Section A.

12Depending on the juris diction, courts are not included a s public bodies, or

most court records (in some c ases, except for court admin istration records) are

excluded from the st atute’s scope, or both. On political p arties, see Dara Lith -

wick, “Priv acy and Politics: Federal Political Pa rties’ Adherence to Recogn ized

Fair Informat ion Practices” (2016) 10 Journal of Parliamentar y & Political Law

39; Information and P rivacy Commissioner of O ntario, Thirty Years of Access and

Privacy Ser vice: 2017 Annual Report (2 018), onli ne: www.ipc.on.ca/wp-content/

uploads/2018/06/ar-2017-e-web.pdf a t 47.