Does PIPEDA apply to municipal activities?
Does PIPEDA apply to municipal activities?
By Alan Mcleod
August 2004, CBA Privacy Pages
There has been much discussion among municipal lawyers about the application of the Personal Information Protection and Electronic Documents Act, SC 2000, c. 5 [“PIPEDA”] which came into general force on Jan. 1, 2004, to the activities of municipalities. After all, don’t public-sector privacy laws already cover municipalities? The federal privacy commission has given indication that it may have little interest in pursuing complaints arising from violations of PIPEDA by municipalities. What is troubling about this position is that it does not appear to be well-founded in law, and could pose a risk to municipalities placing confidence in its protection.
On a plain reading of PIPEDA, municipalities are indistinguishable from any other “organization” to which the Act applies. That term is defined to include a “person,” which, under the federal Interpretation Act, includes corporations, thus effectively including municipalities under Section 4 of Ontario’s Municipal Act, 2001.
Further, municipalities clearly collect, retain, use, and disclose personal information on a regular basis. Personal information is defined under Section 2(1) of PIPEDA as follows:
"personal information" means information about an identifiable individual, but does not include the name, title, or business address or telephone number of an employee of an organization.
What is not required for data to fall into this definition is that the data be a comprehensive set of data about a person or that the data itself identifies the person. Partial data that can identify a person when combined with other data is also personal information. All it needs to do is “relate” to the person. Through their supply of services to citizens, municipalities are significant processors of this sort of data.
Personal information handling only triggers the provisions of PIPEDA where the organization collects, uses or discloses in the course of commercial activities. Commercial activities are defined in section 2(1) of PIPEDA:
"commercial activity" means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
Prior to the introduction of PIPEDA, courts have confirmed the general principle that municipalities participate in commercial activities. (See, for example, Shell Canada Products Ltd. v. Vancouver (City), [1994] 1 S.C.R. 231 at para 11.) As a result, it is fair to say the commercial nature of certain transactions triggers the application of PIPEDA to municipalities. It is important to remember that personal data is also received through many non-commercial transactions. The data received through non-commercial transactions are not included in the Act where those occur in the non-market context. These would include licensing, parking fines, rates and planning charges, as a municipality is an effective non-commercial monopoly in relation to these matters. These matters clearly do not fall under PIPEDA.
Purchases of personal information through direct purchase or obtaining it indirectly as a part of procurements are identifiable municipal commercial activities. The acquisition of personal information through commercial supply to citizens is also a means to trigger the application of PIPEDA that should be appreciated. A municipality participates in commercial supply when it competes in a marketplace providing services that are also commercially available from the private sector. Consider each of the markets in which a municipality:
- Operates an airport
- Operates a parking lot
- Provides senior citizens housing
- Manages social housing tenant lists
In light of the above, the message that the federal privacy commissioner will not act upon complaints brought against municipalities is confusing. First, the basis in law for making such as assertion is unclear. The federal privacy commissioner has no statutory authority not to receive reasonable complaints relating to municipal breaches of PIPEDA. Further, the federal privacy commissioner does not control the process by which an individual complainant, unsatisfied with the position of the commissioner, brings a case to the Federal Court under s. 14(1), with the exception that the commissioner must first issue a report.
It is unclear how the commissioner would respond to a reasonable complaint made against a municipality or a corporation related to a municipality other than issuing a report of some sort -- even if it is only based on the simplest of investigations confirming the complaint relates solely to a municipality and that, as a result, the commissioner will not proceed further. Once a report is issued, where the complaint is founded on one or more of the classes of breach of PIPEDA set out in section 14(1), the still-dissatisfied complainant is free to proceed independently to Federal Court without the consent of the privacy commissioner.
Given that a complaint has this apparently-independent procedural avenue, it is prudent for municipalities to ensure that they are aware of PIPEDA and in reasonable compliance – if only to avoid becoming the test case before the Federal Court. The good news is this is not all-pain-for-no-gain, as a PIPEDA audit can save municipalities money in the long run. By reviewing personal information collection practices, municipalities may find that certain personal information gathering habits are not actually necessary.
For the most part, municipalities already have designated officers to undertake this task under Ontario’s Municipal Freedom of Information and Protection of Privacy Act or other comparable legislation in other provinces. It is also good human rights law that reflects the increasing demand on municipalities to use personal information, and the opposing pull from citizens to keep their personal information private in light of the increasingly intrusive capabilities of information technologies. As the point of the introduction of PIPEDA was to significantly diminish the unregulated commercial processing of personal information, leaving such a large gap as municipal participation poses problems.
Alan Mcleod is Senior Legal Counsel, Legal Services Division, City of Kingston, Ont. Opinions expressed are solely those of the author.
