Interpretation Bulletin: Sensitive Information
One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. Findings on a given issue may differ depending on the facts of each case and the position of the parties. Over time, findings on certain key issues may crystallize into general principles that can serve as helpful guidance for organizations.
In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined.
Relevant Statutory Provisions
of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA)
Principle 4.3.4: The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.
Principle 4.7: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Principle 4.7.2: The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.
Subsection 7.2(1)(a)(ii): In addition to the circumstances set out in subsections 7(2) and 7(3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if the organizations have entered into an agreement that requires the organization that receives the personal information to protect that information by security safeguards appropriate to the sensitivity of the information.
Subsection 7.2(2)(a)(ii): In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual if the organizations have entered into an agreement that requires each of them to protect that information by security safeguards appropriate to the sensitivity of the information.
Subsection 10.1 (8): The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include
- the sensitivity of the personal information involved in the breach;
- the probability that the personal information has been, is being or will be misused; and
- any other prescribed factor.
Application by the Courts and the OPC in Different Contexts
While under PIPEDA any personal information can be sensitive depending on the context, we have found that certain types of personal information will generally be considered sensitive because of the specific risks to individuals associated with the collection, use or disclosure of these categories of information.
Information that will generally be considered sensitive and require a higher degree of protection includes health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious or philosophical beliefs.
Whether personal information is considered “sensitive” under PIPEDA will vary depending on the facts of each case. The following highlights cases where considerations around the sensitivity of information were relevant to the analysis.
Context is relevant to the assessment of sensitivity
- “Clause 4.3.4 sets up a standard of ‘sensitivity of the information,’ only to add that ‘any information can be sensitive, depending on the context.’ Clause 4.3.5 then goes on to say that ‘[i]n obtaining consent, the reasonable expectations of the individual are also relevant’ (…) All of this to say that, even though Part 1 and Schedule 1 of the Act purport to protect the right of privacy, they also purport to facilitate the collection, use and disclosure of personal information by the private sector. In interpreting this legislation, the court must strike a balance between two competing interests.” (Englander v Telus Communications Inc., 2004 FCA 387 at paras. 45 and 46)
- Although there may always be unique circumstances that heighten the sensitivity of otherwise non-sensitive personal information, the interpretation of PIPEDA calls for a reasonable, pragmatic approach. Furthermore, in keeping with the purpose of the Act, there is a need to balance the privacy rights of individuals with the need to facilitate the use of personal information for appropriate commercial purposes.
- Email addresses could be considered sensitive in certain unique contexts.
- Information that in isolation might be regarded as innocuous in a different context (such as names or email addresses) can take on a more sensitive nature when connected to services that may reveal the personal activities and preferences of its users.
Information can become sensitive when combined with other information
- That sensitive information is used to generate non-sensitive interest categories does not change the fact that the underlying information being used is sensitive. Where sensitive information is used to generate non-sensitive interest categories, both the underlying information and the resulting categories that are derived from such information must be assessed in determining the sensitivity of the information at issue.
- Profiles created by combining several data elements (i.e. customer names, contact details, interactions with an organization) can have a certain degree of sensitivity which can be further heightened by the known risk environment (in this case, the proliferation of targeted tech support scams) and the potential resulting harms from a breach.
- Data elements, when combined, can be exploited by malicious individuals to steal the identities of the persons concerned. The safeguards used to protect the information should therefore be commensurately high.
Health information as sensitive information
- The Federal Court accepted that medical information is of the utmost sensitivity and should receive the highest degree of protection. (Townsend v Sun Life Financial, 2012 FC 550 at para. 38)
- Information about how often an individual attends a fitness centre per week is on the low end of the scale of sensitivity and may, in most circumstances, be subject to implied consent. However, information about what an individual does at a fitness centre, how long they remain there, the nature of their training regime and their level of fitness, is more sensitive. (Randall v. Nubodys Fitness Centres, 2010 FC 681 at para. 42)
- The delivery of online behavioural advertising requires meaningful and express consent when it relates to the collection and use of the sensitive health information of the user.
- Financial institutions must have adequate consent when disclosing a customer’s sensitive personal health information to credit reporting agencies.
- Personal health information contained in an athlete anti-doping database, including a person’s medical conditions, medications and prescriptions, analyses of bodily samples and specimens as well as genetic information is highly sensitive. Multiple potential harms could result from a breach of this kind of information.
- Biometric information is sensitive in almost all circumstances, as it is intrinsically, and in most instances permanently, linked to the individual. It is distinctive, stable over time, difficult to change and largely unique to the individual.
- Facial biometric information is particularly sensitive as it may allow for the identification of an individual through comparison against a vast array of images available on the internet or via surreptitious surveillance.
- PIPEDA Report of Findings #2021-001 – Joint investigation of Clearview AI, Inc. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Information and Privacy Commissioner of British Columbia, and the Information of the Privacy Commissioner of Alberta
Financial information as sensitive information
- “In terms of sensitivity, I agree with the Privacy Commissioner that financial information is generally extremely sensitive. As this Court observed in R. v. Cole, 2012 SCC 53,  3 S.C.R. 34, financial information is one of the types of private information that falls at the heart of a person’s “biographical core” (paras. 47-48). However, the degree of sensitivity of specific financial information is a contextual determination. The sensitivity of financial information, here the current balance of a mortgage, must be assessed in the context of the related financial information already in the public domain, the purpose served by making the related information public, and the nature of the relationship between the mortgagor, mortgagee, and directly affected third parties.” (RBC v Trang, 2016 SCC 50 at para. 36)
- A bank’s disclosure of sensitive financial information to affiliates (in this case, social insurance numbers) was found to require opt-in consent.
- Sensitive personal information, such as financial information and/or detailed identification information (e.g., SIN, date of birth, and security question answers), risks being the target of phishing or identity theft attacks. As such, heightened safeguards should be in place by organizations to protect such sensitive information against unauthorized access.
Personal information affecting an individual’s reputation
- Indexing of court and tribunal decisions by search engines can provoke significant reputational harm and embarrassment to individuals by needlessly exposing sensitive personal information to inadvertent discovery (i.e. human rights complaints, immigration hearings, bankruptcy proceedings).
- It is crucial for organizations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise, especially where the personal information held includes information of a sensitive nature that, if compromised, could cause significant reputational or other harms to the individuals affected.
- Financial personal information is often reputationally sensitive, as it includes, in many cases, detailed information about individuals’ credit worthiness.
Security safeguards for sensitive information
- Where the unauthorized collection, use or disclosure of sensitive personal information (e.g., the fact that an individual has been diagnosed with a sexually transmitted disease) could lead to social stigmatization and long-term emotional and reputational harm for the individuals involved, the information must be protected by strong security safeguards.
- Any organization that holds large amounts of personal information of a sensitive nature must have an adequate and coherent governance framework in order to properly address information security.
- PIPEDA Report of Findings #2016-005 – Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner
- PIPEDA Report of Findings #2015-007 – Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach
- Where a substantial volume of sensitive personal information belonging to a large number of individuals is being handled over a prolonged period, the level of controls put in place to ensure the information is protected when processed by a third party should be commensurately high.
- When organizations combine personal data elements such as social insurance numbers and email addresses, they need to guard against the risk of such information being exploited by malicious individuals for the purpose of identity theft. This kind of personal information should therefore be protected with a commensurately high level of security safeguards.
Other information generally considered sensitive
- Pre-selecting user privacy settings to ‘visible to all’ is inappropriate when dealing with social networking profiles that may include very sensitive personal information such as drug and alcohol use, references to loneliness and depression, and sexual orientation.
- Information that reveals the sexual practices, preferences and fantasies of individuals is generally considered to be sensitive.
- Users of an operating system may consider that many of the online activities they engage in by means of that operating system are private. Personal information associated with those activities may be highly sensitive (e.g., information provided for a religion-specific dating app).
- Personal information that involves the collection, use and disclosure of an individual’s ethnicity is generally considered sensitive and would generally require express consent.
- Sharing an individual’s email address (potentially with other contact information) with another service for the purpose of delivering political communications to them could reveal their political leanings or affiliations, which is sensitive personal information.
- Date modified: