The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private sector privacy protection legislation, provides that organizations must protect personal information with appropriate safeguarding measures.
These measures must be proportionate to the sensitivity of the information. Sensitivity is also essential in determining the form of consent that organizations must obtain, and in assessing whether a breach of security safeguards creates a real risk of significant harm to an individual.
Over the years, general principles for interpreting the concept of sensitive information have emerged from court decisions and from findings by the Office of the Privacy Commissioner of Canada (OPC). Following an initial announcement in August 2021, these principles are now summarized in an Interpretation Bulletin published on May 16, 2022, which updates the OPC's guidance on the interpretation of the term "sensitive information" under PIPEDA.
Though the OPC’s interpretations are not legally binding, they can serve as helpful guidance for organizations. The term "sensitive information" had previously been discussed broadly in the context of mandatory breach reporting guidelines and in the Interpretation Bulletin regarding “personal information”. However, this is the first Interpretation Bulletin on the topic since the adoption of PIPEDA.
Context in the assessment of sensitivity
Under PIPEDA, there are categories of information that will generally always be considered sensitive (and therefore require a higher degree of protection). These include health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious or philosophical beliefs.
However, other kinds of personal information can also be considered sensitive, depending on the context.
The OPC reminds us that there may be unique circumstances that heighten the sensitivity of otherwise non-sensitive personal information. The Supreme Court of Canada established this principle in R v Spencer, a case involving a request from a police officer to an Internet Service Provider to obtain the subscriber information associated with an IP address. For instance, the OPC notes that email addresses could be considered sensitive in certain unique contexts, namely where the information takes on a more sensitive nature because it is connected to services that may reveal a user's personal activities and preferences. However, given PIPEDA’s purpose, there is also a need to balance the privacy rights of individuals with the need to facilitate the use of personal information for appropriate commercial purposes.
Examples of "sensitive information"
The Federal Court has ruled that health and medical information is of the utmost sensitivity and should therefore receive the highest degree of protection. Similarly, the OPC points out that financial information and detailed identification information, such as a social insurance number, a date of birth, or answers to security questions, are generally considered extremely sensitive. Personal information that risks affecting an individual's reputation, such as records of human rights complaints, immigration hearings or bankruptcy proceedings, is also considered sensitive.
The OPC adopts a more flexible approach regarding certain other information such as email addresses that can nevertheless be considered sensitive in “certain unique contexts”. The OPC also recognizes that the combination of several data elements can have a certain degree of sensitivity which can be further heightened by the known risk environment.
Quebec's Bill 64
In comparison, an amendment brought by Bill 64 to Quebec's Act respecting the protection of personal information in the private sector provides that consent must be given expressly when it concerns sensitive personal information. While not yet in force, the amendment also provides that for the purposes of this Act, personal information is "sensitive if, due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context of its use or communication, it entails a high level of reasonable expectation of privacy."
Compliance with the GDPR
The General Data Protection Regulation (GDPR) harmonizes privacy legislation in the EU. The GDPR provides for a review of the laws of other jurisdictions every four years to determine their adequacy in relation to GDPR standards.
Canada’s PIPEDA was recognized by the EU as providing adequate protection in 2001. For data to continue to flow freely between Canada and the EU, it is essential for Canada to maintain this adequacy status, which is currently under review. Given that the GDPR defines specific categories of sensitive personal information, the clarification in the OPC’s latest Interpretation Bulletin aims to allow a more accurate comparison in support of Canada’s continuing adequacy status.
For any questions that your organization may have regarding this Interpretation Bulletin, general compliance with PIPEDA and other Canadian privacy legislation including the recent amendments in Quebec, please do not hesitate to reach out to us.