On May 16, 2022, the Office of the Privacy Commissioner of Canada (the “OPC”) released an Interpretation Bulletin (the “Bulletin”) on what it considers to be “sensitive” personal information under the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Bulletin is meant to act as a consolidated guide based on jurisprudence, regulatory findings, and various interpretations of PIPEDA’s key concepts over the years.
The sensitivity of personal information plays a number of key roles under PIPEDA. Specifically, it informs:
- The appropriate form of consent for the collection, use and disclosure of personal information;
- The adequacy of security safeguards used to protect personal information;
- Whether personal information may be used or disclosed without the individual’s knowledge or consent (for example, in the context of a prospective business transaction); and
- Whether to report a breach of security safeguards to the OPC and notify impacted individuals.
Personal information should not be examined in a vacuum. Instead, the OPC recommends assessing the surrounding circumstances that can heighten the sensitivity of otherwise non-sensitive personal information. For example, basic contact details may appear relatively innocuous. However, where it reveals personal preferences and activities, it could have reputational implications.
According to the Bulletin, the following factors are to be considered when assessing the sensitivity of personal information:
- Combined Information
Various types of personal information, when combined, can carry a heightened degree of sensitivity based on inherent risks in the organization’s environment. For example, in the case of a technology company, customer phone numbers, email addresses, device type and a history of tech support interactions may be used by fraudsters in pursuit of tech support scams to deceive individuals. In other cases, combined personal information (e.g., website and app use) can be used to infer a wide range of general and specific interests that may result in multi-dimensional profiles. The combination of these seemingly innocuous categories can drastically increase the sensitivity of an individual’s personal information.
- Health Information
While medical information is considered to be highly sensitive, different types of health information have varying degrees of sensitivity. For example, the fact that an individual attends a fitness centre has a low-sensitivity rating; however, when combined with additional details such as their schedule, and training regime, the information becomes more sensitive. While these details may not appear to be sensitive at first glance, a careful analysis of the context is required when collecting, using, or disclosing any personal information. More obvious forms of health information, such as biometric data, falls on the higher end of the sensitivity spectrum.
- Financial Information
As with health information, financial information is generally considered to be “extremely sensitive,” but can also fall on a spectrum of sensitivity. Factors that affect this analysis include the nature of the information balanced against what is already available in the public sphere. It is important to note that financial information is often collected, used or disclosed with identification information such as an individual’s social insurance number (“SIN”), thereby increasing its sensitivity. The OPC highlights that the combination of this information can lead to an increased chance of phishing or identity theft: PIPEDA Report of Findings #2015-007.
- Reputational Harm
Personal information that can impact an individual’s reputation and cause embarrassment if disclosed, carries a higher degree of sensitivity. The OPC cited three regulatory decisions as examples of personal information considered sensitive when the potential reputational impacts of disclosure were taken into account (PIPEDA Report of Findings #2015-002, PIPEDA Report of Findings #2016-005 and PIPEDA Report of Findings #2019-001) that noted sensitive personal information where it related to an individual’s creditworthiness (or lack thereof), relationship status in the context of a dating website, and court/tribunal outcomes (e.g., regarding a divorce, custody, human rights complaints, immigration, and bankruptcy, to name a few).
- Other Considerations
Generally speaking, personal information pertaining to drug and alcohol use, depression, sexual preferences and practices, ethnicity, and political leanings or affiliations are considered sensitive. As with health and financial information, the sensitivity of the personal information involved requires a contextual analysis of the information and the types of harm that may result.
The Bulletin introduces a contextual framework when assessing the sensitivity of personal information. The factors listed by the OPC are important but not exhaustive. Organizations should use this opportunity to review their privacy frameworks (especially with respect to the adequacy of the consent underpinning the collection, use and disclosure of personal information).