Language selection

Search

Interpretation Bulletin: Sensitive Information

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. Findings on a given issue may differ depending on the facts of each case and the position of the parties. Over time, findings on certain key issues may crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretations of certain key concepts in PIPEDA. These Interpretations are not binding legal interpretations, but rather, are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretations may evolve and be further refined.

The OPC has also produced Guidelines for obtaining meaningful consent and an Interpretation Bulletin on form of consent (currently under review) which also discuss the sensitivity of information.

Relevant Statutory Provisions

of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (PIPEDA)

Principle 4.3.4: The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.

Principle 4.7: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 4.7.2: The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.

Subsection 7.2(1)(a)(ii): In addition to the circumstances set out in subsections 7(2) and 7(3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if the organizations have entered into an agreement that requires the organization that receives the personal information to protect that information by security safeguards appropriate to the sensitivity of the information.

Subsection 7.2(2)(a)(ii): In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual if the organizations have entered into an agreement that requires each of them to protect that information by security safeguards appropriate to the sensitivity of the information.

Subsection 10.1 (8): The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include

  1. the sensitivity of the personal information involved in the breach;
  2. the probability that the personal information has been, is being or will be misused; and
  3. any other prescribed factor.

Application by the Courts and the OPC in Different Contexts

While under PIPEDA any personal information can be sensitive depending on the context, we have found that certain types of personal information will generally be considered sensitive because of the specific risks to individuals associated with the collection, use or disclosure of these categories of information.

Information that will generally be considered sensitive and require a higher degree of protection includes health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious or philosophical beliefs.

Whether personal information is considered “sensitive” under PIPEDA will vary depending on the facts of each case. The following highlights cases where considerations around the sensitivity of information were relevant to the analysis.

Context is relevant to the assessment of sensitivity

Information can become sensitive when combined with other information

Health information as sensitive information

Financial information as sensitive information

Personal information affecting an individual’s reputation

Security safeguards for sensitive information

Other information generally considered sensitive

Date modified: