There are many issues in Canada where we as privacy pros have to contemplate the implications of the term "publicly available personal information."
The Personal Information Protection and Electronic Documents Act says organizations do not need consent prior to collecting or processing publicly available personal information. The trick, however, is that the law goes on to define the term publicly available in a very narrow way.
Much of what, by any common-sense thinking, is available for free for everyone to see on the internet would not even be considered publicly available under the private sector's standard. Remember, this is why Clearview AI got into trouble when it collected images from people found on the internet. That information did not meet the definition of publicly available, so consent was still required prior to Clearview collecting those images.
Our federal public sector law, meanwhile, does not define the term publicly available in the same narrow way. In fact, there is no definition of the term in the Privacy Act. What the law does say is that government institutions can use and disclose personal information without consent if it is publicly available.
The catch is that the government cannot, without justification, simply collect all the publicly available information out there. There's a threshold that must be met prior to the collection — even if the data is found on the public internet. That threshold, in the law, is that the information must "relate" to an operating program or activity of that government institution.
Still a bit loose, right? Then, by way of policy — and by way of the expectations of the Office of the Privacy Commissioner of Canada — the law is supplemented to say that the government institution must only collect publicly available personal information if it is "necessary" for a program or activity.
So, there are important rules in both our private and public sector laws when it comes to publicly available personal information, and just because some of this information can be easily found online does not mean it can be used without issue. And, while our public sector federal law remains woefully out of date, I'm happy to see that we do have efforts by those at the Treasury Board Secretariat who are creating some new guidance on how to fill the gaps in our 1970s-era law.
The TBS recently released new guidance reminding government institutions of the legal and policy restrictions on collecting and processing personal information that is publicly available. While it remains at a pretty high level, I think it's a decent tool and I hope our federal institutions get wind of and actually pay attention to it.
At least we have progress like this until we actually get a modern public sector law that better deals with these issues. Now who's holding their breath for that one?