Friday, July 1, 2022

Privacy Commissioner’s bulletin helps Canadian firms handle sensitive personal information

Canada’s federal privacy law requires companies to protect the sensitive information that they hold about employees, customers and partners.

But what is sensitive information, and how should it be protected?

This week, the Office of the Privacy Commissioner of Canada (OPC) issued an interpretation bulletin to help data privacy officers, CISOs and IT leaders follow the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).

The bulletin is a compilation of court and OPC rulings on how companies should define and protect sensitive information. It joins a number of other interpretive bulletins covering the meaning of terms like accountability, personal information, and the consent needed to legally gather personal information.

Toronto Privacy lawyer Barry Sookman of the McCarthy Tetrault law firm noted one of the functions of the OPC is to help educate the public, so this bulletin could be useful.

PIPEDA and its accompanying explanatory principles say personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The principles say some information (for example, medical records and income records) is almost always considered to be sensitive. However, it adds, any information can be sensitive, depending on the context.

The names and addresses of subscribers to a news magazine would generally not be considered sensitive information, the OPC says. However, the names and addresses of subscribers to some websites  — for example, an adult dating site — might be considered sensitive.

“Information that will generally be considered sensitive and require a higher degree of protection includes health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious or philosophical beliefs,” the bulletin says.

PIPEDA also says personal information shall be protected by security safeguards appropriate to the sensitivity of the information. More sensitive information should be safeguarded by a higher level of protection.

One of the bulletin’s uses is as a quick reference for finding these principles in PIPEDA’s sections.

The other is for referencing previous court and OPC rulings — all of which are publicly reported on or available — on what sensitive information includes. These rulings are necessary because laws can’t cover every eventuality. Certain types of personal information will generally be considered sensitive because of the specific risks to individuals associated with the collection, use, or disclosure of these categories of information, the OPC notes.

One OPC decision that privacy and IT pros might take note of is a 2020 case involving two Dell employees who sold customer data to crooks who used it in an IT support scam. As part of that decision, the OPC said profiles created by combining several data elements (such as customer names, contact details and interactions with an organization) can have a certain degree of sensitivity which can be further heightened by the known risk environment — in this case, the proliferation of tech support scams — and the potential resulting harms from a data breach.

The bulletin also references a 2010 court decision that said information about how often an individual attends a fitness centre per week is on the low end of the scale of sensitivity. However, the court added, information about what an individual does at a fitness centre, how long they remain there, the nature of their training regimen, and their level of fitness, is more sensitive.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.