By Esther Shainblum and Martin U. Wissmath

Federal Privacy Commissioner Publishes Interpretation Bulletin on Sensitive Information

Some types of personal information are inherently more sensitive than others because of the specific risks posed to individuals by their collection, use and disclosure, and require a greater level of security protection, according to a new bulletin published by the Office of the Privacy Commissioner of Canada (OPC). Published May 16, 2022, the OPC’s Interpretation Bulletin: Sensitive Information (the “Bulletin”) interprets several provisions of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) in light of case law decisions and OPC findings. The OPC is careful to note that this new Bulletin on sensitive information, as with other Interpretation Bulletins published previously, “are not binding legal interpretations, but rather are intended as a guide for compliance with PIPEDA.” Interpretations may be updated by the OPC over time to reflect further developments in law and policy. While PIPEDA usually does not apply to charities and not-for-profits unless they collect, use or disclose personal information in the course of commercial activities, charities and not-for-profits should comply with the principles set out in Schedule 1 to PIPEDA, being the Principles Set out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information (the “Principles”), as privacy best practices. The Bulletin includes a selection of excerpts from case law and OPC reports.

Depending on the specific context, any personal information can be sensitive, or become sensitive when combined with other types of personal information.  However, certain types of personal information are generally considered sensitive because of “specific risks to individuals associated with the collection, use or disclosure of these categories of information,” the OPC stated in the Bulletin. Categories of inherently sensitive personal information include: health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious or philosophical beliefs. Whether or not personal information is considered “sensitive” under PIPEDA is fact-specific and depends on the circumstances of each case. Principle 4.3.4 states:

The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.

The Bulletin makes it clear that health information is “of the utmost sensitivity and should receive the highest degree of protection”.  Financial information is also generally “extremely sensitive”, “falling at the heart of person’s biographical core”, although the degree of sensitivity of financial information will depend on the context of the situation.

The Bulletin states that it is crucial for organizations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise, especially where the personal information held includes information of a sensitive nature that, if compromised, could cause significant reputational or other harms to the individuals affected.

According to the Bulletin, any organization “that holds large amounts of personal information of a sensitive nature must have an adequate and coherent governance framework in order to properly address information security” including in the areas of organizational policies and procedures, employee training, access controls and data segregation, and oversight and monitoring.

Privacy breaches, especially those involving sensitive personal information, can present a significant risk to charities, not-for-profits and their boards of directors.  Charities and not-for-profits should be complying with the Principles and mindful of the OPC’s guidance, as set out in the Bulletin, in order to mitigate the risks of collecting, using and disclosing sensitive personal information.

​Read the May 2022 Charity & NFP Law Update