Canada’s federal privacy law requires companies to protect the sensitive information that they hold about employees, customers and partners.
But what is sensitive information, and how should it be protected?
This week, the Office of the Privacy Commissioner of Canada (OPC) issued an interpretation bulletin to help data privacy officers, CISOs and IT leaders follow the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA).
The bulletin is a compilation of court and OPC rulings on how companies should define and protect sensitive information. It joins a number of other interpretive bulletins covering the meaning of terms like accountability, personal information, and the consent needed to legally gather personal information.
Toronto Privacy lawyer Barry Sookman of the McCarthy Tetrault law firm noted one of the functions of the OPC is to help educate the public, so this bulletin could be useful.
PIPEDA and its accompanying explanatory principles say personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The principles say some information (for example, medical records and income records) is almost always considered to be sensitive. However, it adds, any information can be sensitive, depending on the context.
The names and addresses of subscribers to a news magazine would generally not be considered sensitive information, the OPC says. However, the names and addresses of subscribers to some websites — for example, an adult dating site — might be considered sensitive.
“Information that will generally be considered sensitive and require a higher degree of protection includes health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious or philosophical beliefs,” the bulletin says.
PIPEDA also says personal information shall be protected by security safeguards appropriate to the sensitivity of the information. More sensitive information should be safeguarded by a higher level of protection.
One of the bulletin’s uses is as a quick reference for finding these principles in PIPEDA’s sections.
The other is for referencing previous court and OPC rulings — all of which are publicly reported on or available — on what sensitive information includes. These rulings are necessary because laws can’t cover every eventuality. Certain types of personal information will generally be considered sensitive because of the specific risks to individuals associated with the collection, use, or disclosure of these categories of information, the OPC notes.
One OPC decision that privacy and IT pros might take note of is a 2020 case involving two Dell employees who sold customer data to crooks who used it in an IT support scam. As part of that decision, the OPC said profiles created by combining several data elements (such as customer names, contact details and interactions with an organization) can have a certain degree of sensitivity which can be further heightened by the known risk environment — in this case, the proliferation of tech support scams — and the potential resulting harms from a data breach.
The bulletin also references a 2010 court decision that said information about how often an individual attends a fitness centre per week is on the low end of the scale of sensitivity. However, the court added, information about what an individual does at a fitness centre, how long they remain there, the nature of their training regimen, and their level of fitness, is more sensitive.