Tag Archives: personal information

The Australian “Ben Grubb” decision and its link to Canada

24 Jan

There’s been some talk about the Federal Court of Australia’s recent decision in the “Ben Grubb” case – Mr. Grubb being the journalist who requested and was denied access to certain data related to his mobile phone usage from his carrier. Although the data was linked to Mr. Grubb’s mobile phone usage, the Court held it was not “information about” Mr. Grubb and therefore was not “personal information” that Mr. Grubb could access under the Australia Privacy Act. The Court explained:

…in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.

In some instances the evaluative conclusion will not be difficult. For example, although information was provided to Mr Grubb about the colour of his mobile phone and his network
type (3G), we do not consider that that information, by itself or together with other information, was about him. In other instances, the conclusion might be more difficult. Further, whether information is “about an individual” might depend upon the breadth that is given to the expression “from the information or opinion”. In other words, the more loose the
causal connection required by the word “from”, the greater the amount of information which could potentially be “personal information” and the more likely it will be that the words
“about an individual” will exclude some of that information from National Privacy Principle 6.1

In other words, there must be more than a link between information and an individual for the information to be “personal” information. The information must also reveal something “about” the person in a way that engages a reasonable expectation of privacy. I am not sure whether this “guts” the rights provided by the Australia Privacy Act as reported, but this reasoning has been a feature of Canadian law, most notably supported in our Federal Court of Appeal’s Nav Canada case – an authority the Australian court relied upon in determining the outcome of Mr. Grubb’s access request.

Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (19 January 2017).

Alberta CA comments on meaning of “personal information”

19 Apr

Whether information is “personal information” – information about an identifiable individual – depends on the context. The Court of Appeal of Alberta issued an illustrative judgement on April 14th. It held that a request for information about a person’s property was, in the context, a request for personal information. The Court explained:

In general terms, there is some universality to the conclusion in Leon’s Furniture that personal information has to be essentially “about a person”, and not “about an object”, even though most objects or properties have some relationship with persons. As the adjudicator recognized, this concept underlies the definitions in both the FOIPP Act and the Personal Information Protection Act. It was, however, reasonable for the adjudicator to observe that the line between the two is imprecise. Where the information related to property, but also had a “personal dimension”, it might sometimes properly be characterized as “personal information”. In this case, the essence of the request was for complaints and opinions expressed about Ms. McCloskey. The adjudicator’s conclusion (at paras. 49-51) that this type of request was “personal”, relating directly as it did to the conduct of the citizen, was one that was available on the facts and the law.

The requester wanted information about her property because she was looking for complaints related to her actions. The request was therefore for the requester’s personal information. Note the Court’s use of the word “sometimes”: context matters.

Edmonton (City) v Alberta (Information and Privacy Commissioner), 2016 ABCA 110 (CanLII).

Reasonable necessity not enough to justify collection under Ontario’s public sector statutes

8 May

Section 38(2) is an important provision of Ontario’s provincial public sector privacy statue. It requires institutions to satisfy a necessity standard in collecting personal information. Ontario’s municipal public sector privacy statute contains the same provision.

On May 4th, the Divisional Court dismissed an Liquor Control Board of Ontario argument that the Information and Privacy Commissioner/Ontario had erred by applying a higher standard than “reasonable necessity” in resolving a section 38(2) issue. The Divisional Court held that the Court of Appeal for Ontario’s Cash Converters case establishes just such a standard:

The LCBO relies upon Cash Converters to support its submission that the IPC erred in not interpreting “necessary” as meaning “reasonably necessary.” However, Cash Converters does not interpret “necessary” in this way. In fact, it suggests the opposite. Arguably, something that is “helpful” to an activity could be “reasonably necessary” to that activity. Yet, the Court of Appeal makes it clear that “helpful” is not sufficient.

It’s hard to fathom a legislative intent to prohibit a practice that is, by definition “reasonable.” If the LCBO seeks and is granted leave to appeal this could lead to an important clarification from the Court of Appeal on a strict interpretation of section 38(2) that has stood for some time. The LCBO practice at issue – which involves collecting the non-sensitive information of wine club members to control against the illegal stockpiling and reselling of alcohol – is a good one for testing the line.

Liquor Control Board of Ontario v Vin De Garde Wine Club, 2025 ONSC 2537.

BC commissioner uses fleet management complaint to answer BIG questions about PIPA

9 Jan

On December 19th, the British Columbia Office of the Information and Privacy Commissioner dismissed a complaint about the collection and use of vehicle location and operation data for the purpose of managing employee performance. In doing so, the OIPC opined broadly on the meaning of “personal information” and “work product information” and on the standard of reasonableness for collecting and using employee personal information under BC PIPA.

The case deals with an elevator company and its field mechanics. The mechanics objected to the company’s collection of data about service vehicle location and data about service vehicle operation – e.g., distance travelled, speed and incidents of harsh braking. The company argued this information is not regulated by BC PIPA at all because it is not “personal information” or, alternatively, is “work product information.”

The OIPC rejected the company’s primary argument and held that vehicle location and operation data is personal information. In doing so it rejected a narrow definition of personal information that requires personal information to be “about an identifiable individual” in that it reveals something private or intimate about the individual – a concept accepted in some case law and loosely related to the “biographical core” concept featured in Charter search and seizure jurisprudence. Instead, the OIPC said that information about an identifiable individual is personal information if it “is collected, used or disclosed for a purpose related to the individual.”

The OIPC also rejected the company’s alternative argument and held that vehicle location and operation data is not work product information. It reasoned that vehicle location and operation data is not “prepared or collected” by an individual in the course of work and that, generally, data that is automatically recorded “without directed conscious input by an individual” is not work product information.

While these principles favour privacy protection, the OIPC also demonstrated respect for employer interests in finding the company’s collection and use of employee personal information was reasonable for its purposes. The OIPC expressly rejected a four part reasonableness test (generally disliked by employers) in favour of a more flexible “reasonableness in all the circumstances” test:

The assessment of reasonableness will occur in the context of the established purposes for the employer’s collection, use or disclosure and thus should have some regard to that context. But the assessment may also address a number of other possible considerations.

As part of its reasonableness discussion, the OIPC also noted that an organization need not adopt the least privacy-intrusive alternative regardless of cost or consequences (though should be able to demonstrate that it has given “reasonable consideration” to less intrusive alternatives).

Schindler Elevator Corporation (Re), 2012 BCIPC 25 (CanLII).

Case Report – Court upholds arbitrator order that stops call centre from recording calls… with reservations

30 Sep

Today, the Supreme Court of Nova Scotia upheld a labour arbitrator’s order that required the Halifax Regional Municipality to cease and desist from recording calls to its call centre for quality monitoring, coaching and dispute resolution purposes.

In resolving the employer’s application for judicial review, Wright J. displayed a remarkably honest application of the “reasonableness” standard of review by disagreeing with the arbitrator’s weighing of management versus employee interests but nonetheless upholding his decision as reasonable.

Though it did not affect the outcome of the application, Wright J.’s more legally significant finding was on whether the employee voice recordings at issue were protected as “personal information” under the applicable privacy legislation. He stressed that the recordings captured non-sensitive employee work product and, in the context, this feature of the recordings was more significant than anything personal that the characteristics of an employee’s voice might reveal (such as age or race).

It cannot be over emphasized that the recording of calls made to the call centre agents on the Primary Line is of a non-personal nature. The call centre agents answer inquires from the public about various municipal matters. There is no component of personal information in that. It is not recorded information about an identifiable individual within the meaning of s.461(f). Rather, the content of the calls, as earlier noted, is about such routine inquires as transit service times, tax bills, by-laws, parking information and municipal services. In my view, the question of whether voice recording in the fact situation at hand constitutes “personal information” cannot be decided irrespective of the content of those calls. Here, the content of those calls is undoubtedly of a non-personal nature made in the course of the performance of the job duties of these employees.

Halifax (Regional Municipality) v. Nova Scotia Union of Public and Private Employees, Local 13, 2009 NSSC 283.

Case Report – LSAC allowed to substitute submission of photos for fingerprints

16 Jun

You may have heard about the federal Privacy Commissioner’s May 29th report on the Law School Admission Council’s practice of collecting fingerprints from LSAT test takers.  Her office recommended that LSAC cease the practice but allowed it to substitute a practice of collecting test takers’ photographs.

There are some notable findings in the report.  Namely:

  • the OPC rejected LSAC’s argument that it was engaged in educational rather than commercial activity, finding that its core activities provided a service to its member law schools;
  • the OPC held that fingerprints are more sensitive than voice prints and less sensitive than one’s photographic image; and
  • the OPC made another comment de-emphasizing the significance of cross-border transfers of personal information.

The report also highlights the difficulty of sustaining a collection practice based on deterrence alone.  The case for deterrence is often logically compelling, but proving that collecting information effectively deters misconduct is hard.  (For more on this theme, see the IPC/Ontario’s recent surveillance report.)  LSAC had not once used a fingerprint to identify whether fraudulent test since it started collecting them in the mid-1970, so it was difficult for the LSAC to justify its practice on any ground other than deterrence.  It also claimed that it simply wanted to assure its members that it was doing all it could to ensure the security of the test.  The OPC seemed to accept this purpose as legitimate, but not compelling enough to justify collection of fingerprints. The LSAC proposed collecting photographs as a step-down solution mid-way through the investigation, and the OPC held that this alternative would achieve the appropriate balance because images are “marginally” less sensitive.

Report of Findings:  Law School Admission Council Investigation (29 May 2008, OPC).