The Privacy Commissioner of Canada Releases Interpretation Bulletin on Sensitive Personal Information

On May 16, 2022, the Office of the Privacy Commissioner of Canada (the OPC) released an Interpretation Bulletin on sensitive information (the Bulletin), which summarizes general principles from judicial decisions and the OPC’s findings to date to guide organizations in meeting their compliance requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA).

An organization’s practices under PIPEDA may be heavily influenced by the sensitivity of the information that it handles. For example, PIPEDA requires the form of consent used in an organization’s collection process to account for the sensitivity of the information being collected. The sensitivity of an organization’s information is also a relevant factor when determining the adequacy of its security safeguards and fulfillment of security breach obligations.

While PIPEDA allows for any personal information to be deemed sensitive depending on the context, the Bulletin describes the following factors as relevant when examining the sensitivity of personal information:

1. Combined Information. In combining data elements (e.g. customer names, contact details, etc.), organizations may add a degree of sensitivity to the information that is further increased in certain risk situations, such as scams and data breaches. Accordingly, organizations should implement safeguards that meet these higher risks when dealing with combinations of data.
2. Health Information. The OPC mentions that medical and biometric information is usually considered sensitive and should be awarded a high degree of protection. However, there still exists some variation on the degree of sensitivity for certain types of personal health information. For example, an individual’s attendance for a fitness class may be on the lower end of the scale of sensitivity, but their activities in the class may be deemed more sensitive.
3. Financial Information. In referencing past court decisions on the matter, the OPC describes financial information as sensitive and relating to an individual’s “biographical core”. The OPC further advises that relevant weight should be afforded to the context of the situation as this may affect the degree of sensitivity attributed to the information. For example, the current balance of an individual’s mortgage should be assessed against related information that is already publicly available, the purpose of making such types of information public, and the relationships of the parties involved.
4. Reputation Information. Information that can impact an individual’s reputation and cause embarrassment may be highly sensitive under PIPEDA. Unlike with health and financial data, reputation information is not restricted to traditional information categories and may include financial personal information, information pertaining to an individual’s relationship status, and even court or tribunal decisions.
5. Other Information Generally Considered Sensitive. In addition to the above categories, the OPC mentions that information concerning individuals’ drug and alcohol use, mental health, ethnicity, political affiliations, and sexual preferences are generally considered very sensitive personal information.

Although the Bulletin does not provide a binding legal interpretation on what is sensitive information, the OPC’s breakdown of relevant considerations and references to specific case law and investigations is very helpful for organizations reviewing their information handling practices.

Summary By: Imtiaz Karamat