OPC updates guidance regarding sensitive information
August 13, 2021
The Office of the Privacy Commissioner of Canada (OPC) has updated several guidance documents to reaffirm some of the types of personal information generally considered sensitive in the context of the Personal Information Protection and Electronic Documents Act (PIPEDA).
The updated guidance includes considerations for businesses evaluating what types of information are “sensitive”. Under PIPEDA, organizations must protect personal information with appropriate safeguarding measures commensurate with the sensitivity of the information, and seek express consent when the information is likely to be considered sensitive.
These updates help to reflect how the OPC has interpreted sensitive information in the context of PIPEDA.
While under PIPEDA any personal information can be sensitive depending on the context, we have found that certain types of personal information will generally be considered sensitive because of the specific risks to individuals when said information is collected, used or disclosed.
The updated guidance sets out certain types of information that will generally be considered sensitive and require a higher degree of protection. This includes health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious/philosophical beliefs.
The updates follow discussions with Industry, Science and Economic Development Canada (ISED) with respect to an ongoing review by the European Commission about the “adequacy” of Canada’s privacy legislation.
The General Data Protection Regulation (GDPR) requires adequacy decisions to be reviewed every four years. As a result, Canada’s adequacy status – which allows data to flow freely from the European Union (EU) to Canada – is now being reviewed.
An adequacy review involves a comprehensive assessment of the country’s privacy regime.
Other jurisdictions have defined specific categories of personal information in their laws, including the EU’s GDPR. The updated guidance aims to better explain the concept of sensitive information under PIPEDA so it can be evaluated more accurately against the GDPR. The OPC has consulted with business stakeholders on the updates.
The GDPR includes specific considerations for sensitive data that must be observed by commercial organizations engaged in processing special categories of personal data across international boundaries. It also requires that the personal data of EU residents receive a level of protection adequate to that provided by the GDPR if the information is transferred outside the EU.
The OPC will issue an Interpretation Bulletin later this year to further explain issues related to sensitive personal information, including categories of personal information we have found to generally be considered sensitive in previous reports of findings, guidance or in keeping with Canadian jurisprudence.
The updated guidance documents are:
- Guidelines for obtaining meaningful consent;
- What you need to know about mandatory reporting of breaches of security safeguards;
- Guidelines on privacy and online behavioural advertising;
- Policy Position on online behavioural advertising;
- PIPEDA fair information principle 7 – safeguards;
- Personal information retention and disposal: principles and best practices;
- PIPEDA self-assessment tool.