I think it's important to recognize as well that the formulation of the list can be done in a way that unintentionally narrows. In this case what we're looking at specifically, in addition to the issues that Mr. Schaan mentioned, is that it might unintentionally reduce the range of personal information because it specifies only that which is used to identify an individual. That could exclude a series of very important buckets of information that are currently considered as being personal information under the act. An individual conducting certain types of searches or visiting certain types of websites online might not be information that identifies that individual, but it is about that individual.
The current definition of personal information is information about an identifiable individual, versus here in NDP-4, which has information “that can be used to identify them, directly or indirectly”. This goes back to Mr. Schaan's point about constructing the definitions in the manner that is the most inclusive and as broadly as possible to allow for jurisprudence to evolve and for the OPC to issue guidance to enable better understanding within the industry about what's meant, but without locking us in at the legislative level.