Suggestions on the collection and handling of personal identifiable information

*The scope of personal information is “far-reaching” to an extent that along with some obvious things such as names, contact information (phone number or email), personal information might also include financial information, fingerprints (digital and physical), physical or facial features, or even some one’s voice (this, as described in Wyndowe v Rousseau, (2008).*

Access to personal information is widespread in today’s world, for purposes such as gaining access to online services or conducting transactions. Transparency of conduct with respect to personal information (including a disclosure of purpose), and protection of collected personal information are duties that are placed upon organizations that deal with personal information in Canada, by law. Personal Information as well as access to personal information falls under the sphere of “privacy” but, at the same time privacy is not necessarily limited to personal information but a lot of other things, which will be discussed further in this article. This article will discuss the Scope and Boundaries of Personal Information, and will provide some recommendations in the takeaways section on how to consider your information collection practices.

Personal Information - Scope and Boundaries

“Personal information” or “Personal Identifiable Information” or “PII” can be understood as information which is “related” to an individual and information which is “identifiable” for an individual. By way of example, the car number plate is not necessarily private information but an “identifiable information.”

The scope of “personal information” is evolving because: (a) the methods of collection and usage is also evolving over time; and (b) complaints made and disputes resolved in court are providing guidance on the limits and boundaries to that collection and usage. Here are a few examples of the boundaries placed upon the collection and use of personal information, as identified in disputes related to this topic.

  • The driver’s license of the complainant was scanned by the nightclub without his consent, which was then stored in their system. In this case, the court determined that this collection of personal information was not reasonable for the purpose of nightclubs. (Re Penny Lane Entertainment Ltd., Penny Lane Entertainment Group, Tantra Night Club Inc. (2008).
  • The court classified the class action wherein the defendant used the personal information of the Plaintiff’s data service customers for their own marketing purposes, without obtaining prior consent of the customers. (Tocco v. Bell Mobility Inc.,(2019)).
  • Between 2001-2005, the personal information of CIBC’s clients was inadvertently faxed to a company in the U.S as well as a business owner in Quebec, without the consent and knowledge of the clients, and CIBC was found to have failed to safeguard the personal information of these clients. (Speevak v. Canadian Imperial Bank of Commerce (2010).
  • When the complainant returned some goods with a valid receipt to the merchandiser, the manager requested for the complainant’s personal information in exchange for returning goods as a “condition”. The merchandiser claimed that this is done to prevent any future fraudulent activities related to returned goods. As there was a valid receipt and therefore no evidence of fraud or potential fraud, the merchandiser was overreaching in their request. (K. E. Gostlin Enterprises Ltd., Re, (2005); also see , British Columbia Information and Privacy Commissioner, KE. Gostlin Enterprises Ltd., Order P05-01, In both hearings, information collection for the purpose of a customer satisfaction follow-up was found to be a “purpose and use that must be made optional for customers”.
  • The defendants company’s systems were hacked by cybercriminals resulting in the theft of over 11,000 records of client’s personal information. The personal information was later released in public domain, without any prior consent. The Commissioner stated that the company failed to implement strong safety safeguards. (Tucci v Peoples Trust Company, (2017)

The snippets from the above mentioned case law help to provide a framework for information collection. The elements of protection are getting more granular over time as new cases present themselves, and this is just a survey of a few cases. These case laws are all similar yet different, therefore, it is important to note for the businesses that personal information CANNOT be limited or defined in few terms or with few examples. For your specific information collection, you should consult with trusted advisors or privacy counsel in order to determine whether you are conforming to legislation, case law and best practices for information collection.


  • Consider the purpose of collecting information. Why is the information being collected? Is it necessary/related to any commercial transaction? How is the collection of personal information justified?
  • Determine whether prior consent/ notice has been obtained. Is there a consent provision in your privacy policy? Has the customer/user been informed of the clear, concise and understandable information to which they consent?
  • Consider whether safeguards are adequate. Is your organisation taking relevant steps to ensure the protection of personal information? Are these steps mentioned in your privacy policy? Are you complying with the law of land for ensuring the protection? Are your customer/user aware of the steps the organisation is taking to ensure privacy compliance?
  • Where the obtaining of personal information is conditional, perhaps it can be optional. Is your organisation conditionally obtaining personal information, for instance “in order to leave a review, you must provide your address/contact information ” or “in order to read an online blog, you must provide your contact information”, and if so, is there a possibility to make this optional.
  • What limits can be placed upon retention. Is your organisation prohibiting its customers/ users from accessing their own product/report/review , which might contain their personal information? What is the purpose of such retention? Is the customer/user aware of the reasons for such retention?