Chapter 7: Privacy Fundamentals
One of the primary purposes of the legislation is to protect the privacy of individuals with respect to their personal information in the custody or control of institutions. This chapter introduces the concepts of privacy protection and personal information.
The legislation protects privacy by providing rules for institutions to follow for the collection, use, disclosure, accurate maintenance, retention, security and disposal of personal information. This chapter reviews these privacy rules in detail and outlines how institutions can be compliant with the legislation.
Chapter 8: Personal Information and Correction Requests explains special considerations for requests for an individual’s own personal information and requests to correct personal information in the custody or control of an institution. Chapter 9: Privacy Management provides best practices for how institutions can create a privacy management program to ensure compliance with the legislation.
Some institutions may also be subject to the Personal Health Information Protection Act. These institutions will have additional considerations for rules regarding the collection, use and disclosure of personal health information within their custody. This chapter does not provide guidance on this topic, and institutions should refer to the IPC for more information.
The legislation does not define privacy explicitly. The legislation defines personal information and sets out privacy rules regarding the collection, use, disclosure, retention, security, disposal and destruction of personal information that institutions must follow.
The legislation protects privacy by:
- Providing rules as to what and how personal information can be collected by institutions;
- Providing rules on how institutions handle, manage, and share personal information between institutions and other government organizations; and
- Establishing procedures for individuals to access their own personal information, subject to some necessary and defined exemptions.
The legislation defines personal information as recorded information about an identifiable individual. Personal information does not include information about an individual that has been deceased for more than 30 years.
Information will likely qualify as personal information if an individual can reasonably be identified from either the information alone, or from the information in combination with other information.
An important exception to the definition of a “record” is that personal information may also include information that is not recorded (e.g., a verbal disclosure).
Personal information includes, but is not limited to:
- Personal address
- Personal email address
- Personal telephone number
- National origin
- Ethnic origin
- Skin colour
- Date of birth
- Sexual orientation
- Marital status
- Family status
- Medical history
- Employment history
- Financial transactions involving the individual
- Identifying number
- Identifying symbol
- Photograph of the individual
- Other identifying particular
- Finger prints
- Blood type
- Correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, or replies to the correspondence that would reveal the contents of the original correspondence
- The personal opinions or views of the individual except where they relate to another individual
- The views or personal opinions of another individual about the individual
Business Identity Information
The legislation clarifies what is not personal information in a business context.
Business identity information includes the name, title, contact information or designation of an individual that identifies the individual in a business, professional, or official capacity.
Information remains business identity information even if an individual carries out business, professional or official responsibilities from their home or dwelling and the contact information relates to that dwelling.
Customer Service Information
FIPPA authorizes a service provider organization to collect the customer service information of an individual with their consent. In the Ontario Government, ServiceOntario is an example of a service provider organization.
Customer service information is a separate category of personal information that includes:
- The name, address, and telephone number or other contact information;
- The transaction or receipt number provided;
- Information relating to the payment of any fee; and
- Other prescribed information.
Common Examples of Personal Information
A name by itself is not personal information by definition. A name is personal information where it appears with other personal information relating to an individual, or where disclosure of the name would reveal other personal information about the individual.
Information that relates to an individual’s characteristics, background and history is a common example of personal information. Examples include race, ethnicity, country of origin, gender, gender identity, employment history, educational history and more.
An identifying number is typically a unique number connected to an individual in a particular context. Examples include Health Card number, medical record numbers assigned by hospitals, Social Insurance Number (SIN), driver’s licence number, student numbers, and address information. It may also include personal fax numbers or Internet Protocol addresses.
An identifying symbol is something that stands for, or suggests, something else by reason of relationship, association, convention, or accidental resemblance. Examples include a signature, a degree or professional designation, a tattoo, an emblem, or a scar.
Other identifying particulars may include biometrics such as a handprint, footprint, iris scan or DNA. Behavioural biometrics may include keystrokes and voiceprints.
In order to deliver services and programs to the public, institutions need to collect, manage, disclose and dispose of personal information. Institutions should ensure that the manner of collection, use, disclosure and disposition of personal information is in compliance with the privacy rules outlined in the legislation.
As the privacy rules in the legislation are general, most institutions have other privacy policies, standards or procedures that assist in operationalizing these rules within the specific context of the institution. For instance, internal policies may outline roles and responsibilities within the institution for various privacy-related activities.
The privacy rules apply to all personal information held by institutions with the exception of public records of personal information discussed at the end of the chapter and certain employment-related and labour relations records.
The privacy rules and their main purpose are summarized below, followed by a more detailed discussion.
- Authority to collect: Limits the collection of personal information by institutions to authorized activities.
- Manner of collection: Ensures the collection of personal information is directly from the individual, except in limited circumstances.
- Notice requirements: Informs the individual of the collection of personal information.
- Proper use and disclosure: Limits use and controls sharing or distribution of personal information for authorized activities.
- Accuracy: Ensures processes are in place to keep personal information accurate.
- Retention: Ensures that an individual can obtain access to their own personal information for a certain period.
- Security: Ensures the security and confidentiality of personal information.
- Disposal and destruction: Ensures disposal and destruction of personal information is authorized and secure.
Authority to Collect
An institution can only collect personal information under one of these conditions:
- The collection of personal information is expressly authorized by a statute;
- The information collected is used for the purposes of law enforcement; or
- The collection is necessary for the proper administration of a lawfully authorized activity.
The phrase “expressly authorized by statute” requires that the specific types of personal information be described in a statute (i.e., law) or a general reference to the activity be set out in the statute.
“Purposes of law enforcement” refers to the definition of law enforcement that is outlined in section 2 of the legislation. Refer to the section on Law Enforcement in Chapter 5: Exemptions and Exclusions for more information on the definition of law enforcement.
“Necessary to administer a lawfully authorized activity” refers to instances where institutions need to collect personal information in order to deliver a service or program that is authorized by the government. For provincial ministries, authorization may include legislation, regulations or orders-in-council. For municipal institutions, authorization may include statute, by-law or regulation.
A key word in this provision is “necessary.” Institutions should be able to show that each element of personal information that is collected for the administration of a program is necessary in order to properly and effectively administer the program. Personal information that is merely helpful to the institution would not qualify for this collection authorization.
A collection occurs when an institution actively acquires the information or invites an individual or others to send personal information to the institution. When an institution collects personal information in a non-written form (i.e., verbally), this activity would also be considered a collection of personal information.
Where an individual submits personal information without being requested by an institution, a collection is deemed to occur only if the institution keeps or uses the information.
Manner of Collection
The legislation requires that personal information be collected directly from the individual to whom the information relates.
The legislation provides limited circumstances where personal information can be collected indirectly, which means from a source other than the individual to whom the personal information relates.
Institutions may indirectly collect personal information when an individual consents to this manner of collection. Institutions should retain a record with the date and details of the authorization including the:
- Personal information to be collected;
- Source of the personal information; and
- Name of the collecting institution.
Other circumstances that permit indirect collection of personal information include:
- Where other statutes provide authority to collect in another manner;
- Where institutions have legal authority to disclose personal information;
- For conducting a proceeding or a possible proceeding before a court or tribunal;
- For law enforcement purposes; and
- For determining suitability of an honour or award.
Examples of statutes that provide the authority for an institution to indirectly collect personal information include:
- The Assessment Act;
- The Family Responsibility and Support Arrears Enforcement Act;
- The Municipal Health Services Act; and
- The Consumer Reporting Act.
Some examples of quasi-judicial proceedings or tribunals include the Ontario Municipal Board, Property Standards Committee, Social Assistance Review Board, and Committees of Adjustment.
In order to justify collecting personal information from another institution, an institution should be able to demonstrate that there is a common or shared purpose for the personal information.
Authority of the Information and Privacy Commissioner
The legislation gives the IPC the authority to permit an indirect collection where:
- The collection is not specifically allowed under this section; or
- It is not possible or practical to collect the personal information directly or to obtain authorization directly from the individual concerned.
An institution must make an application for an exemption to the IPC.
Notice Requirements
An institution must inform the individual to whom the information relates that a personal information collection has occurred. Whenever possible, the notice should be provided to an individual at the time of collection, or included on program forms and communications.
The notice to the individual must state:
- The legal authority for the collection;
- A reference to the specific law, section or by-law;
- The principal and any secondary uses of the personal information; and
- The title and business contact information of an official of the institution.
Notice must be provided each time there is a collection. The notice should address separate legal authorities or collections if a form is used for multiple purposes.
Notice should be stated or written clearly, and provide enough detail to inform the individual but not limit the institution unnecessarily. The needs of affected individuals and of the business should inform the manner in which notice is provided. There are many options available, such as providing the notice verbally, in writing, via mail outs, or through public advertisements.
Notice should be reviewed periodically to ensure the information is accurate and up to date. The designated official should be available and able to answer questions about privacy and how the personal information will be used and disclosed.
Exception to Notice Requirements
The legislation allows the Responsible Minister to grant a waiver for a notice of collection based on the merits of the case. A waiver request should apply to a class or group of individuals rather than an individual.
A waiver may be warranted in circumstances where:
- There is legal authority for an indirect collection;
- Notice would interfere with an indirect collection for unique programs or investigations;
- It is impossible or very difficult to provide notice;
- The administrative burden and cost of providing notice is excessive compared to the need for notice; and
- Subsequent disclosures from an institution are inconsistent with the first notice.
Appendix 8 is a form institutions can use to apply for a waiver from the Responsible Minister and provides an outline of considerations for institutions contemplating requesting a waiver of notice from the Responsible Minister. Institutions should consult Legal Counsel when considering a waiver of notice application.
Use and Disclosure of Personal Information
The legislation puts a number of conditions on the use and disclosure of personal information. In general, personal information can only be used or disclosed for the purpose for which it was collected.
There are circumstances where the use and disclosure of personal information is permitted for other purposes. These purposes are discussed in the sections below.
The legislation allows institutions to use and disclose personal information where it is consistent with the purpose indicated in the notice of collection. A purpose is consistent and compatible where an individual might reasonably have expected the use or disclosure of the personal information at the time of collection.
For example, disclosing the name and address of an individual to a courier company for the purpose of delivering a package would be considered a consistent purpose where the individual had requested new vehicle licence plates from the Ministry of Transportation.
In the context of an indirect collection from another institution, an institution must show compatibility with the original collection.
An individual can provide consent for an indirect collection or for a secondary use of personal information. An institution can also use and disclose personal information where the individual provides consent.
Consent should be in writing and the specific information for which consent is given must be identified. Where consent is not obtained in writing, institutions should document:
- The specific personal information to be disclosed;
- To whom the information may be disclosed and for what purpose it is to be used;
- The date of the consent; and
- The institution to which consent is given.
Compliance with Other Laws
An institution can use and disclose personal information for the purpose of complying with an Act of the Legislature or an Act of Parliament or a treaty, agreement or arrangement. The agreement or arrangement must be authorized by a federal or provincial law.
Some examples include:
- The Child, Youth and Family Services Act;
- The Highway Traffic Act; and
- The Ombudsman Act.
Performance of Duties
An institution may use or disclose personal information within an institution for purposes other than the purpose stated at collection where:
- The record is necessary for the proper discharge of an institution’s functions; and
- The record is needed by an officer, employee, consultant or agent of the institution for the performance of their duties.
There must be sufficient need and necessity. Disclosures that are merely based on concern or convenience are not permitted under this section.
The legislation allows institutions to disclose personal information for reasons other than the reasons for which the information was collected in limited and defined circumstances. Institutions can disclose personal information to other organizations or representatives such as:
- The Responsible Minister;
- The IPC;
- A member of the Legislative Assembly who has been authorized by a constituent under FIPPA;
- A member of a bargaining agent who has been authorized by an employee under FIPPA; or
- The Government of Canada in order to facilitate the auditing of shared cost programs (e.g., General Welfare Assistance Act).
An institution may disclose personal information in compassionate circumstances to facilitate contact with a relative or a friend of an injured, ill or deceased individual. The personal information to be disclosed may relate to either party. Only the information necessary to facilitate contact should be disclosed.
This section is not relevant in deciding whether personal information may be disclosed under an access request. Compassionate circumstances considerations for processing requests are discussed in Chapter 5: Exemptions and Exclusions in the section regarding the personal privacy exemption.
Educational institutions can use and disclose personal information from their alumni records and hospitals can use and disclose personal information from their hospital records for fundraising purposes provided that:
- Notice is given to an individual at first contact;
- Notice is given periodically to an individual; and
- A public notice is published periodically.
The purpose of each type of notice is to inform the individual and allow them to refuse or stop the use of their personal information for fundraising.
FIPPA requires that a fundraising agreement be in place between an educational institution or hospital and any person or associated organization that carries out fundraising activities on its behalf.
Consult PHIPA for its fundraising provision for health information custodians and personal health information.
Health and Safety
An institution can disclose personal information in compelling circumstances affecting the health and safety of an individual. The disclosure must be followed by notification mailed to the last known address of the individual to whom the information relates.
An institution can disclose personal information for law enforcement purposes where disclosure is:
- By a law enforcement institution;
- To a law enforcement agency in a foreign country under an arrangement, a written agreement or treaty or legislative authority;
- To another law enforcement agency in Canada; and
- To an institution or law enforcement agency in Canada to aid an investigation that will likely result in a law enforcement proceeding.
Appropriate internal authorizations must be obtained prior to disclosure. Personal information should not be disclosed for general speculation or fact-finding and should only be disclosed for a specific law enforcement matter.
In some instances, the institution should insist on seeing an order or warrant before disclosing personal information to law enforcement.
Accuracy
An institution must take reasonable steps to ensure that personal information records used by the institution are accurate and up to date.
However, this standard of accuracy does not apply to personal information if collected for law enforcement purposes in the course of an investigation. For instance, witness statements collected by law enforcement officers do not need to be changed if others disagree with the accuracy of the contents of the witness statements.
Retention
Records retention schedules may be affected by various legal requirements, business needs, or information management policies. The legislation requires that personal information be retained for a minimum of one year after its use, to ensure that an individual has a reasonable opportunity to obtain access to it.
The retention requirements are set out in the regulations and allow four exceptions that permit destruction earlier than the one-year retention rule. These exceptions are:
- An individual may consent to an earlier destruction;
- If information is credit or debit card payment data;
- When a different retention period is set out by a municipal by-law (MFIPPA institutions only); and
- Personal information stored on telecommunication logger tapes may be disposed after 45 days (FIPPA institutions only).
The use of the personal information is important in determining retention requirements. For instance, personal information collected on surveillance video cameras would not be considered used if the tapes are not reviewed for security incident investigations. Therefore, institutions can develop shorter retention periods for surveillance tapes that are not used by the institution.
Further, if an institution receives personal information in error and does not use it, the institution is not required to retain that information for one year.
Security
An institution must ensure the security and confidentiality of personal information records. Institutions must implement reasonable security measures such as policies, procedures, and standards to address various security requirements.
The security requirements set out in the regulations are summarized below:
- Access to an original record must be controlled to ensure its security;
- The identity of an individual seeking access to his or her personal information must be verified; and
- Unauthorized access must be prevented taking into account the nature of the records to be protected.
Additional security requirements are found in the disposal requirements set out in the next section.
Disposal and Destruction
The regulations require that institutions only dispose of personal information with authorization of the head. Institutions must maintain a disposal record setting out what information has been transferred or destroyed, and the date of transfer or destruction.
The transfer and destruction of personal information must meet security requirements, and the reconstruction or retrieval of destroyed personal information must not be possible.
Under FIPPA, institutions may dispose of personal information by:
- Transferring it to the Archives of Ontario; or
- Destroying it.
Further to this, an educational institution may only dispose of personal information by:
- Transferring it to the archives of an educational institution with an agreement authorizing the transfer; or
- Transferring it to the Archives of Ontario with an agreement authorizing the transfer; or
- Destroying it.
There is no similar regulation for MFIPPA institutions. However, MFIPPA institutions should follow the principles of Regulation 459 and dispose of personal information in a similar manner. MFIPPA institutions should seek approval before disposing of personal information and maintain a similar record of disposal. In accordance with the principles in Regulation 459, MFIPPA institutions should dispose of personal information by:
- Transferring it to a municipal or local government archive; or
- Destroying it.
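The retention rule (one year after last use, with its four exceptions and the FIPPA/MFIPPA split) and the disposal rules (authorization of the head, a disposal record, and the permitted methods) are decision procedures that a records system can enforce mechanically. The following is an added example written for this chapter, not code from the manual or from any Ontario regulation. It assumes constructed record fields, the labels "FIPPA" and "MFIPPA" for the two regimes, a 365-day year, and constructed method names for the archive transfers; the sample records and dates are constructed for the demonstration.

```python
"""Retention-eligibility check and disposal register modelled on the rules above.
Constructed example code; not from the manual or any regulation text."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

ONE_YEAR = timedelta(days=365)           # assumption: "one year" modelled as 365 days
LOGGER_TAPE_PERIOD = timedelta(days=45)  # telecommunication logger tapes (FIPPA only)

# Disposal methods permitted per regime, taken from the lists above.
# The method strings themselves are constructed labels.
ALLOWED_METHODS = {
    "FIPPA": {"destroy", "transfer:archives_of_ontario"},
    "MFIPPA": {"destroy", "transfer:municipal_archive"},
}


@dataclass
class PersonalInfoRecord:
    record_id: str
    regime: str                                  # "FIPPA" or "MFIPPA" (constructed labels)
    last_used: Optional[date]                    # None if the information was never used
    received_in_error: bool = False
    consent_to_early_destruction: bool = False
    card_payment_data: bool = False
    bylaw_retention: Optional[timedelta] = None  # MFIPPA: period set by municipal by-law
    telecom_logger_tape: bool = False            # FIPPA: logger tape exception


def may_dispose(rec: PersonalInfoRecord, today: date) -> Tuple[bool, str]:
    """Decide whether destruction is permitted today under the one-year rule
    and its exceptions. Returns (eligible, reason)."""
    if rec.last_used is None:
        # Never-used information (unreviewed surveillance tapes, information
        # received in error) is not subject to the one-year rule; the
        # institution's own schedule governs.
        why = "received in error and never used" if rec.received_in_error else "never used"
        return True, f"{why}; one-year rule does not apply"
    if rec.consent_to_early_destruction:
        return True, "individual consented to earlier destruction"
    if rec.card_payment_data:
        return True, "credit/debit card payment data"
    held = today - rec.last_used
    if rec.regime == "MFIPPA" and rec.bylaw_retention is not None:
        ok = held >= rec.bylaw_retention
        return ok, f"municipal by-law period of {rec.bylaw_retention.days} days {'met' if ok else 'not met'}"
    if rec.regime == "FIPPA" and rec.telecom_logger_tape:
        ok = held >= LOGGER_TAPE_PERIOD
        return ok, f"logger tape 45-day period {'met' if ok else 'not met'}"
    ok = held >= ONE_YEAR
    return ok, f"one year after last use {'met' if ok else 'not met'} ({held.days} days held)"


@dataclass
class DisposalEntry:
    record_id: str
    method: str
    disposed_on: date
    authorized_by: str


@dataclass
class DisposalRegister:
    """The disposal record the regulations require: what was transferred or
    destroyed, by which method, on what date, and who authorized it."""
    entries: List[DisposalEntry] = field(default_factory=list)

    def dispose(self, rec: PersonalInfoRecord, today: date, method: str,
                head_authorization: Optional[str]) -> DisposalEntry:
        if not head_authorization:
            raise PermissionError("disposal requires authorization of the head")
        eligible, reason = may_dispose(rec, today)
        if not eligible:
            raise ValueError(f"retention period not satisfied: {reason}")
        if method not in ALLOWED_METHODS[rec.regime]:
            raise ValueError(f"{method} is not a permitted disposal method under {rec.regime}")
        entry = DisposalEntry(rec.record_id, method, today, head_authorization)
        self.entries.append(entry)
        return entry


def run_demo() -> Dict[str, object]:
    """Constructed sample records evaluated against a fixed 'today'."""
    today = date(2024, 6, 1)
    samples = {
        "used_over_a_year_ago": PersonalInfoRecord("A-1", "FIPPA", date(2023, 5, 1)),
        "used_five_months_ago": PersonalInfoRecord("A-2", "FIPPA", date(2024, 1, 1)),
        "fippa_logger_tape_61d": PersonalInfoRecord("A-3", "FIPPA", date(2024, 4, 1), telecom_logger_tape=True),
        "mfippa_logger_tape_61d": PersonalInfoRecord("A-4", "MFIPPA", date(2024, 4, 1), telecom_logger_tape=True),
        "mfippa_bylaw_90d": PersonalInfoRecord("A-5", "MFIPPA", date(2024, 1, 1), bylaw_retention=timedelta(days=90)),
        "received_in_error_unused": PersonalInfoRecord("A-6", "FIPPA", None, received_in_error=True),
    }
    results: Dict[str, object] = {name: may_dispose(rec, today)[0] for name, rec in samples.items()}
    register = DisposalRegister()
    try:
        register.dispose(samples["used_over_a_year_ago"], today, "destroy", None)
        results["unauthorized_disposal_blocked"] = False
    except PermissionError:
        results["unauthorized_disposal_blocked"] = True
    try:
        register.dispose(samples["mfippa_bylaw_90d"], today, "transfer:archives_of_ontario", "Head")
        results["mfippa_wrong_archive_blocked"] = False
    except ValueError:
        results["mfippa_wrong_archive_blocked"] = True
    register.dispose(samples["used_over_a_year_ago"], today, "transfer:archives_of_ontario", "Head, Records Branch")
    results["disposal_entries"] = len(register.entries)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Two points the sample set brings out: the logger-tape exception is regime-specific, so the same 61-day-old tape is disposable under FIPPA but not under MFIPPA, and the register refuses to record a disposal that lacks the head's authorization or uses a method the regime does not permit, so the disposal record can only ever contain compliant entries.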
Public Records of Personal Information
The legislation provides an exception to the privacy rules where personal information is maintained for the purpose of creating a record that is available to the public. However, the legislation does not include requirements for governing public records.
Public records of personal information are records to which access is given to all members of the public. Personal information that is only accessible to some members of the public and not others is not a public record.
Public records are maintained for some or all of the following reasons:
- Allow for the proper administration of programs, activities and services;
- Promote government accountability by providing information relating to the issuance of licences, permits, government contracts, etc.;
- Promote informed choice and consumer protection; and
- Allow for the fair determination of rights.
A public record does not mean that there are no terms or conditions on public access. For example, access to public records may include fees.
Similar personal information may exist in multiple contexts. For instance, personal information may exist in one context for maintaining a public record, and another context for the administration of a program. Despite the availability of the personal information in the public record context, the personal information maintained in the alternative context remains confidential.
The public records exception applies only if the institution maintains the information expressly for the purpose of creating a public record. Other institutions cannot claim the benefit of the public records exception unless they too have the same authority.
The following list includes examples of records containing personal information that are maintained for the purposes of making the information publicly available:
- Assessment rolls created under the Assessment Act.
- Some conviction related information subject to the Regulatory Modernization Act.
- Lists of electors created under the Municipal Elections Act.
How Public Records Are Created
In Ontario, public records can be created either by statute or by a policy decision of the institution.
When a public record is created by statute, regulation or by-law, the instrument generally contains terms and conditions regarding the administration of the information, such as the authority to charge fees and the times and location of access.
When a public record is created by policy without statutory authority, the institution must establish a strong policy rationale that the public’s right to access the information outweighs the privacy rights of individuals to whom the information relates.
The following are some of the factors to consider in the creation and maintenance of public records:
- Does the public’s "need to know" outweigh the privacy rights of the individuals concerned?
- Will the release of the information advance informed choice?
- Will the information be accessible to everyone?
- Does the public need the information to assist in the conduct of business?
- If the information is made publicly available, would the disclosure constitute an unjustified invasion of personal privacy?
- Is the personal information particularly sensitive?
- Is the information relevant to the fair determination of a requester’s rights?