Updated guidance provides instructions for applying the 'invasion-of-privacy test'
The Office of the Privacy Commissioner of Canada has recently issued updated guidance for federal institutions concerning disclosing personal information under s. 8(2)m of the Privacy Act.
Released on Apr. 21, the updated guidance briefly explains the importance of s. 8(2)m and provides instructions for applying the “invasion-of-privacy test.”
Under s. 8(2)m, disclosure of personal information without the consent of an individual is authorized if, in the opinion of a federal institution head, the public interest clearly outweighs any invasion of privacy that could result from the disclosure or the disclosure would clearly benefit the individual to whom the information relates.
In the updated guidance, the privacy commissioner said that s. 8(2)(m) is an important provision since it provides federal institutions with a tool to help them effectively balance an individual’s right to privacy with other important contextual interests. Moreover, the provision is being used and appears helpful in some cases, such as notifying public health authorities charged with informing individuals of their potential exposure to a communicable disease and locating the next of kin of an injured or deceased individual.
However, the privacy commissioner noted that the decision to disclose under s. 8(2)(m) requires a careful balancing of potentially competing interests and should be exercised with restraint.
“Section 8(2)(m) is applied in unique, fact-specific situations,” the privacy commissioner said. “In other words, institutions should exercise discretion to disclose personal information pursuant to this section in unique circumstances where disclosure is truly justified.”
The privacy commissioner also urged federal institutions to apply the “invasion-of-privacy” test to determine privacy risk in the disclosure. This test involves a detailed review of three interrelated risk factors to help federal institutions determine if the public interest clearly outweighs any invasion of privacy that could result from the disclosure.
The three factors are the following: (1) sensitivity of the information; (2) expectations of the individual; and (3) probability and degree of injury.
Regarding the first factor, the privacy commissioner advised federal institutions to consider whether the type of information is “detailed or highly personal” in nature, evaluate the context in which the information was collected, and determine whether any “contextual sensitivities” apply to the information.
As to the second factor, the privacy commissioner directed federal institutions to evaluate the conditions under which the personal information was collected and consider what expectations they may have established for its confidentiality, for instance, whether the possibility of disclosure is conveyed in an applicable privacy notice statement.
Regarding the third factor, the privacy commissioner suggested that federal institutions consider the probability and degree of injury relative to the benefits of the disclosure to the public.
“This could include personal or physical injury or damage to the reputation of an individual or others, which causes adverse consequences (e.g., any harm or embarrassment that negatively affects an individual’s career, reputation, financial position, safety, health, or well-being),” the privacy commissioner said.
In addition, the privacy commissioner provided alternatives to public interest disclosure under s. 8(2)(m).
“Whether in the context of an access request, open government or otherwise, federal institutions can often be open and transparent about their activities where there is a public interest in doing so without resorting to disclosing personal information pursuant to section 8(2)(m),” the privacy commissioner said.
The privacy commissioner recommended that federal institutions provide the public with access to information on the application or outcomes of government policies in a format that does not include personal information, such as program evaluation reports.
“They can also release information that has been de-identified to the point that there is no longer a serious possibility that it can be used to identify an individual, either through that information alone or in combination with other available information,” the privacy commissioner added.