When I provide privacy training, we spend a fair amount of time discussing the definition of "personal information." One of the takeaways is how opinions about people are tricky because of how the definition is worded in our laws. “Information about an identifiable individual” is a simple enough phrase, but when it comes to opinions about people, it’s not always straightforward.
If you happen to think I’m great (don’t you?), then you have an opinion and that is information about you, but it’s also about me.
Our laws don’t always do an adequate job addressing this conundrum and, in the Federal Privacy Commissioner’s Annual Report (released Thursday), there’s a case when this challenge had to be dealt with.
The case concerned a dentist who complained that a “Rate your MD” website had collected, used and disclosed her personal information without her consent. Of course, the collection of information came in the form of soliciting opinions about the dentist by those who had used her office to receive care. The people who provided their opinions were providing their personal information with consent. The dentist had not consented. Conundrum.
Eventually, the commissioner concluded that the site, for the most part, was not violating PIPEDA in the provision of this service. He did this by essentially balancing the interests at play (i.e., the dentist’s interest in controlling her personal information versus the public interest in having an open discourse about service providers).
There’s a ton more in the annual report, but this case jumped out at me because, as I mentioned, I think more policy thinking has to go into resolving the issue of what happens when one piece of data is the personal information of more than one person. There are so many of these “Rate your whatever” sites out there that it will be interesting to see if this case influences the way they operate in any way. Without a clear right to be forgotten in the legislation, it appears there may be certain limits to protecting the person being rated on the site. I had hoped to see from the commissioner’s investigation whether or not the website itself — or others like it — might be considered exempt from PIPEDA because of the journalistic exemption, given the broad interpretation of journalism these days in the online world. Alas, that topic isn’t explored in the report so I suppose we will have to leave that one for another day.
Apart from the annual report, there’s a fair amount of other privacy news this week. Pour that coffee, and get caught up. Have a great long weekend, hopefully enjoying a little turkey with your bubble.