Personal Information in the Public Sector

AuthorBarbara Von Tigerstrom
Legislation in all Canadian juris dictions governs personal in formation
that is collected, used, and d isclosed by public sector institutions. At
the federal level, the relevant provisions are found in the Pr ivacy Act,1
while in the provinces they are contained in freedom of information and
protection of privacy (FOIP) or access to information and protection of
privacy (ATIP) statutes, alongside provisions dealing with the general
right of access to informat ion, which are discussed in Chapter 3.2 Most of
these statutes were enacted i n the 1980s and 1990s, with the federal Act
replacing provisions deali ng with personal information that were added
to federal human rights legislation in the 1970s.3 Their purpose is to
provide a degree of transpa rency and control with respect to personal
information in governments’ ha nds, including giving individuals the
right to access and request correct ions to their own personal informat ion
and preventing unauthorized collect ion, use, and disclosure of personal
inform ation.4 The protection of privacy is considered sufficiently import-
ant that this legislation has been descr ibed as “quasi-constitutional” in
1 RSC 1985, c P-21 [Privac y Act].
2 In this ch apter, the terms “FOIP statutes” or “FOIP legisl ation” will be used to
refer to the provinc ial/territori al and federal legislat ion collectively.
3 Peter Gillis, “The Priv acy Act: A Legislative Hi story and Overview” (1987) 1987
Canadian Huma n Rights Yearbook 119 at 123.
4 See, for example, Freedom of Infor mation and Protection of Privac y Act, RSBC
1996, c 165, s 2(1) [BC FOIPPA].
Personal Infor mation in the Public Sector 233
nature;5 it ha s equal status with the general r ight of access to information,
and the two regimes must be i nterpreted together.6
Although the relevant statutes use the term “privacy” or “protec-
tion of privacy” in their titles and purpose statements, this is some-
what misle ading.7 Their substance is both narrower and broader than
it would suggest. Although the limits on collection, use, and d isclosure
do provide some protection for individuals’ privacy, in fact, the legis-
lation allows fairly broad latitude for the government to hold, use, and
share personal in formation for a variety of purposes. The provisions
also extend beyond privacy protection to a broader set of principles
dealing with t he management of personal informat ion. These princi-
ples, referred to as “fair in formation principles” or “fair information
practices,” are set out in Guidelines published in 1980 by the Organi-
sation for Economic Co-operation and Development (OECD),8 and can
be summari zed as follows:
Collection Limitation: Collection of personal dat a should be limited,
should be done by fair and lawful means, and should generally be
done with the knowledge and consent of the individual.
Data Qualit y: Personal data should be relevant to, and as accurate,
complete, and up-to-date as necessar y for, the purposes for which
they are used.
Purpose Specification: The purposes for which personal data are to
be used should be specified before data are collected and use should
be limited to these pur poses or compatible and specified pur poses.
Use Limitation: Personal data should be used for other purpose s only
with the individual’s consent or as authorized by law.
Security Safeguards: Personal d ata should be protected against loss or
unauthorized access, destruction, use, modification, or disclosure.
Openness: Developments, practices, and policies regarding personal
data should generally be open and individuals should be able to
readily determine the existence and nature of personal d ata, the use
of data, and the identity and location of the d ata controller.
5 See Lavigne v Canad a (Office of the Commissioner of Officia l Languages), 2002
SCC 53 at paras 23 –25 [Lavign e] (referring to the feder al Privacy Act).
6 Dagg v Canada (Minister of Finance), [1997] 2 SCR 403 at para 55, La Forest J [Dagg].
7 See Willi am Bonner & Mike Chiass on, “If Fair Information Pri nciples Are the
Answer, What Was the Q uestion? An Actor-Network Theory Investigation of t he
Modern Constit ution of Privacy” (2005) 15 Information & Organizat ion 267 at 280.
8 Organisation for Economic C o-operation and Developmen t, “OECD Guide-
lines on t he Protection of Privacy and Tran sborder Flows of Personal Data”
(23 September 1980), online:
Individual Participation: Individuals should have the right to obtain
confirmation of whether the dat a controller holds personal data on
them; have such data communicated to t hem, subject to exceptions
that are explai ned and can be challenged; and cha llenge and have
corrected personal dat a relating to them.
Accountability: A data controller should be accountable for compliance
with measure s giving effect to these pr inciples.
These principles strongly inf luenced legislation in Canada and else-
where.9 In Europe, the relevant legislation tends to use t he term “data
protection,” but reflects many of the same core principles. Although
these principles have remained relevant, Canada, like other juris-
dictions, is responding to changes in technology and international
developments by engaging in a process of review ing and modernizing
public sector pr ivacy legislation.10
The scope of application of public sector personal information legislation
parallels th at of access to information, in that it covers inform ation in
the custody or control of a “government institution” or “public body,” as
defined by the legislation.11 The bodies to which the legislation applies
are defined in each statute, often supplemented by a list in a schedule or
regulation to the statute. They include government ministries or depart-
ments, agencies, boards, and other public offices. Alt hough the scope is
broad, it does not necessarily include all organizations with important
public functions, with courts a nd political parties bei ng notable excep-
tions.12 There are a few instances in which a person or institution is sub-
ject to personal information provisions but not access to information:
9 See, for example, Bonner & Chias son, above note 7 at 275.
10 Canada, Depar tment of Justice, “Moderniz ing Canada’s Privac y Act” (2019),
online: a-lprp/modern.html. For di scussion of
relevant international developments, see Chapter 1, Section C.
11 See Chapter 3, Section A.
12 Depending on the juris diction, courts are not included a s public bodies, or
most court records (in some c ases, except for court admin istration records) are
excluded from the st atute’s scope, or both. On political p arties, see Dara Lith -
wick, “Priv acy and Politics: Federal Political Pa rties’ Adherence to Recogn ized
Fair Informat ion Practices” (2016) 10 Journal of Parliamentar y & Political Law
39; Information and P rivacy Commissioner of O ntario, Thirty Years of Access and
Privacy Ser vice: 2017 Annual Report (2 018), onli ne: ww content/
uplo ads /2 018/0 6/a r-2017-e- web.p df a t 47.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT