Defining personal information
Population Data BC (PopData) has developed and implemented policies and procedures reflecting the B.C. legislative requirements concerning collection, use, and disclosure of Personal Information.
Schedule 1 of British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA) defines “Personal Information” as “recorded information about an identifiable individual”, including:
- “Tombstone” Data (name, age, sex, race, etc.)
- Identifying numbers, symbols or other particulars assigned to an individual
- The individual’s fingerprints, blood type, or inheritable characteristics
- Information about the individual’s health care history, including a physical or mental disability
FIPPA does not prescribe what qualifies as “identifiable information”. However, it is generally recognized that an appropriate standard to apply is that “information is non-identifiable only if the information in issue cannot be used, linked, matched or manipulated ‘by a reasonably foreseeable method’ to identify the Data subject’s identity.”1,2
While Population Data BC processes Data so as to reduce their identifiability, some Data may be disclosed to or by Population Data BC which contain identifiable information, in accordance with Information Sharing Agreements and Research Agreements. Given this, Population Data BC treats all Data it holds and discloses as “Personal Information” and applies the same privacy protection standards required under FIPPA to all the Data, regardless of whether the Data contain personal identifiers or not.
Provincial privacy legislation - Freedom of Information and Protection of Privacy Act (FIPPA)
British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA) provides individuals with privacy rights and information access with respect to information that is collected, used, disclosed or retained by public bodies in British Columbia. Individuals have two major rights under FIPPA:
- The right to protection of the privacy of Personal Information in the custody of, or under the control of, public bodies.
- The right of access to records in the custody or under the control of public bodies.
Population Data BC (as a unit of the University of British Columbia, which is a public body) is defined as a public body under Schedule 1 of FIPPA. Government ministries and provincial agencies are also defined as public bodies under FIPPA. The data sharing agreements between Population Data BC and the various Data Stewards are permitted under section 33 of FIPPA. Section 33 grants public bodies the authority to disclose information under various conditions, including to another public body where the information is necessary for the performance of the duties or operations of the receiving public body, and for research or statistical purposes pursuant to section 35.
Section 35(1) of FIPPA permits a public body to disclose Personal Information in its custody, or under its control, for a research or statistical purpose, provided the following conditions are met:
(a) the research purpose cannot reasonably be accomplished unless that information is provided in individually identifiable form or the research purpose has been approved by the commissioner,
(a.1) subject to subsection (2), the information is disclosed on condition that it not be used for the purpose of contacting a person to participate in the research,
(b) any record linkage is not harmful to the individuals that information is about and the benefits to be derived from the record linkage are clearly in the public interest,
(c) the head of the public body concerned has approved conditions relating to the following:
(i) security and confidentiality;
(ii) the removal or destruction of individual identifiers at the earliest reasonable time;
(iii) the prohibition of any subsequent use or disclosure of that information in individually identifiable form without the express authorisation of that public body, and
(d) the person to whom that information is disclosed has signed an agreement to comply with the approved conditions, this Act and any of the public body's policies and procedures relating to the confidentiality of Personal Information.
Subsection (2) states that subsection (1) (a.1) does not apply in respect of research in relation to health issues if the BC Information and Privacy Commissioner approves:
(a) the research purpose,
(b) the use of disclosed information for the purpose of contacting a person to participate in the research, and
(c) the manner in which contact is to be made, including the information to be made available to persons contacted.
More information and a full copy of FIPPA are available at the BC Office of the Information and Privacy Commissioner, www.oipc.bc.ca.
Other pertinent privacy legislation
British Columbia’s Personal Information Protection Act applies to the private sector. It does not apply to public bodies defined in FIPPA or to Personal Information covered under FIPPA.
British Columbia’s E-Health (Personal Health Information Access and Protection of Privacy) Act, introduced on April 10, 2009, provides a legislative framework for governing the collection, use and disclosure of personal health information in electronic health records that will be held in databases called Health Information Banks. Disclosure of this information requires the approval of the Data Stewardship Committee(s), which has stewardship over the information in these Health Information Banks. Current Information Sharing Agreements with provincial ministries and other Data Stewards provide that to the extent that any Data are designated or prescribed under the E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008, a separate Information Sharing Agreement for the use of the affected information will need to be negotiated between the provincial ministries or Data Stewards and Population Data BC to ensure compliance with this specific law.
Canada has two federal privacy laws, the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Privacy Act imposes obligations on federal government departments and agencies by placing limits on the collection, use, and disclosure of Personal Information.
As of January 1, 2001, PIPEDA covered Personal Information that federally regulated private sector organisations collect, use, or disclose in the course of commercial activities. As of January 1, 2002, PIPEDA was extended to apply to Personal Information collected, used, or disclosed by these organisations, and to apply to information sold across provincial and territorial boundaries. As of January 1, 2004, PIPEDA also covered the collection, use or disclosure of Personal Information in the course of any commercial activity within a province, including provincially regulated organisations. The key element of PIPEDA is its application to commercial activities. While what constitutes “commercial activity” under PIPEDA is not entirely well defined, it is unlikely that Population Data BC’s activities would come within this legislation. Additionally, provinces may be exempted from PIPEDA if they have substantially similar legislation. British Columbia’s Personal Information Protection Act (discussed above) has been declared by the federal Governor in Council to be substantially similar to PIPEDA.
1. As defined in Ontario’s now-withdrawn Bill 159 and cited by BC’s Information and Privacy Commissioner, in a presentation to the Canadian Institute Conference, June 19, 2001, http://www.oipc.bc.ca/publications/speeches_presentations/speech_04.html. Last accessed August 6, 2009.
2. Ontario’s Personal Health Information Protection Act, 2004, section 4(2): “identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual. 2004, c. 3, Sched. A, s. 4 (2).