Municipalities in Ontario are facing important changes in the law relating to the handling of personal information. The expansion of the Federal Personal Information Protection and Electronic Documents Act, SC 2000, c. 5 [“PIPEDA”] from matters of Federal jurisdiction into general application on 1 January 2004 now challenges municipalities to determine whether and when their activities may qualify as “commercial”. In addition, the Province’s Bill 31, the Health Information Protection Act, 2003, received second reading on 8 April 2004 and is proceeding to becoming law later this year. Both these statutes will layer on top of Ontario’s Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c.M.56 [“MFIPPA”]. Municipalities, like other organizations, face difficulties in interpreting the obligations required of them under these laws, which are just part of the complex new personal information protection laws coming into force recently.

1. PIPEDA and municipalities

Municipalities may find themselves subject to uncertainly as to the application of PIPEDA. Although some informal indication has been given by the Federal Privacy Commission that it may have little interest in pursuing complaints arising from violations of PIPEDA by municipalities, it does not appear that this position is expressly set out in law and, as a result, could pose a risk to municipalities placing confidence in its protection. Municipalities, on a plain reading of PIPEDA, are indistinguishable from any other “organization” to which the Act applies. Further, municipalities clearly collect, retain, use and disclose personal information as part of normal operations. Personal information is defined under section 2(1) of PIPEDA as follows:

"personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

Through their supply of services to citizens, municipalities are significant handlers of this sort of data and have handled this information subject to MFIPPA for over a decade. The key difference under PIPEDA, however, is that it only applies where the organization collects, uses or discloses this information in the course of “commercial activities” which is defined broadly to include “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character...” Where that is the case, PIPEDA may also apply.

A municipality participates in commercial activities when it competes in the marketplace providing or receiving goods or services which are also commercially available from the private sector. Fees, fines and taxes would not apply as these are not marketplace activities but consider each of the following municipal commercial activities

• Procurements
• Operation of an airport
• Utility services
• Operates a parking lot
• Provides senior citizens housing
• Manages social housing tenant lists for third party housing providers

In light of the obvious involvement above, the message that the Federal Privacy Commissioner will not act upon complaints brought against municipalities is confusing. The Federal Privacy Commissioner has no statutory authority not to receive reasonable complaints relating to municipal breaches of PIPEDA and does not control the process by which an individual complainant, unsatisfied with the position of the Commissioner brings a case to the Federal Court under s. 14(1).

Given that confusion, municipalities would do well to consider the requirements of PIPEDA, including the detailed restrictions on collecting personal information as compared to the Municipal Freedom of Information and Protection of Privacy Act where the collection occurs in a commercial context. Collection can only occur under PIPEDA with the consent of the person, where the record falls into limited public categories or where:

(a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;

(b) it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; or

(c) the collection is solely for journalistic, artistic or literary purposes.

Similar - but different - restricted rules apply to the use and disclosure of personal information under PIPEDA. The Act also has a set of ten general principles to be applied in the administration of personal information all of which have to be applied wherever a municipality handles information falling under the statute’s application.

2. Bill 31 – the Health Information Protection Act, 2003

Like PIPEDA, Bill 31 will bring in a separate set of rules in relation to a distinct class of personal information. This statute will apply to municipalities in Ontario which act as “health information custodians” whether in the operation of a long-term care facility or otherwise. The purposes of Bill 31 include the establishment of rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of health care;

Bill 31 does try to define its own scope of application. Section 8(2) of Bill 31 states that, except in certain circumstances, the Municipal Freedom of Information and Protection of Privacy Act does not apply to personal health information collected by a health information custodian or in the custody or under the control of a health information custodian. Further, like PIPEDA, Bill 31 proposes a set of principles which apply wherever a municipality handles information falling under the statute’s application. However, Bill 31 does not reference the Federal statute PIPEDA and provides for a set of rules for the handling of personal information which, though similar to those in PIPEDA, are not identical to those set out under Federal law. For example, PIPEDA speaks of implied consent to a collection in certain circumstances where Bill 31 uses the alternate concept of approved indirect collection.

One can see that where personal information is handled in a commercial health related context that there is an opportunity for overlap between Bill 31 and PIPEDA and – given the right circumstances - MFIPPA as well. One such example might arise with a municipal long-term care facility where residents personally pay for the services they receive and where those residents could have also chosen a private facility for their care. While the Federal Privacy Commission might state that they would not engage with a PIPEDA complaint, from the point of view of the municipality any complaint would have to be assessed and given response potentially under all three statutes.

3. Conclusion

The illustration above is indicative of how at the edges many of the personal information protections being legislated at this time are not well-dove tailed with each other. Further, the unraveling of Federal and Provincial jurisdiction over privacy law is a matter which is presently before the Courts based on a case brought by the Province of Quebec against the Federal Government at the end of last year. This case, however, will not likely be ruled upon before the passing of Bill 31 and will not be given in the context of the obligations of a municipality under these three statutes. In the interim and likely beyond, municipalities will have to make practical determinations based on available resources, the goal of good client services as well as something approaching best intentions to comply with the multi-layered and unaligned nature of current personal information protection law.