Personal Information - You're So Sensitive!

Published date: 27 May 2022
Subject Matter: Privacy, Data Protection, Privacy Protection
Law Firm: Cassels
Author: Ms Bernice Karn and Courtney Wong

The Personal Information Protection and Electronic Documents Act (PIPEDA) defines "personal information" simply as "information about an identifiable individual." PIPEDA also requires organizations that handle personal information to protect it with safeguards appropriate to its sensitivity. What does that mean? How does one judge the sensitivity of personal information in order to determine the appropriate measures to protect it, especially given the rapidly changing technology landscape? Unfortunately, for those seeking specific guidance on how to comply with this requirement, PIPEDA is not terribly prescriptive.

Recognizing this need for up-to-date guidance, on May 16, 2022, the Office of the Privacy Commissioner of Canada (OPC) issued an Interpretation Bulletin on the topic of sensitive personal information and its treatment under PIPEDA. This Interpretation Bulletin is not meant to act as a binding legal interpretation, but rather as a summary and guide for compliance with PIPEDA.

PIPEDA discusses the concept of sensitive personal information in several provisions, summarized as follows:

  • Principle 4.3.4 - Form of Consent Required: The form of consent required by the organization varies depending on the circumstances and type and sensitivity of information. While some information is inherently sensitive, the sensitivity of other information can depend on the context in which it is used.
  • Principle 4.7 - Security Safeguards: All safeguards to protect personal information should be appropriate to the level of sensitivity of the information.
  • Principle 4.7.2 - Nature of Security Safeguards: The types of safeguards used to protect personal information will vary depending on factors such as its sensitivity, amount, distribution, format, and method of storage.
  • Subsection 7.2(1)(a) - Prospective Business Transactions: In prospective business transactions, organizations that are parties to the transaction may use and disclose personal information without the knowledge or consent of the individual if, among other things, there is an agreement that requires the organization to utilize security safeguards appropriate to the sensitivity of the information.
  • Subsection 7.2(2)(a) - Completed Business Transactions: In completed business transactions, organizations that are parties to the transaction can use and disclose personal information that was disclosed as part of the transaction without the knowledge or consent of the individual if, among other things, there is an agreement that requires the parties to protect the information utilizing security safeguards appropriate to the sensitivity of the information.
  • Subsection 10.1(8) - Factors to Assess Real Risk of Significant Harm: When assessing "real risk of significant harm" in a breach of...
