The statutory definition
PIPEDA defines personal information as 'information about an identifiable individual'. The Privacy Act uses a similar definition for federal institutions. Provincial private-sector and health-privacy laws all track this language closely.
The key test is whether the information, alone or with other information, could reasonably identify someone.
Examples of personal information
Common examples include:
- Name, address, phone number, email.
- Social Insurance Number, driver's licence, passport number.
- Financial information, credit history, payment records.
- Health records, medical history, prescriptions.
- IP addresses, device identifiers, location data.
- Photos, video, voice recordings.
- Opinions, evaluations, and inferences about a person.
Aggregated and de-identified data
Information is no longer personal if it has been truly anonymized so that no individual can be re-identified.
Courts and commissioners have consistently warned that pseudonymized or poorly de-identified data can often still identify someone when combined with other data.