The Office of the Privacy Commissioner of Canada (“OPC”) has updated several guidance documents dealing with the scope and handling of sensitive personal information in the context of the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Organizations should assess whether any of these updates, which include expanding and clarifying the scope of what is included in the term “sensitive personal information”, impact their obligations under PIPEDA.
Impetus for changes
In its announcement about the updates, the OPC states that the review follows discussions with respect to Canada’s adequacy status under EU privacy laws, a status which allows data to be transferred from the EU to Canada without additional protections (such as Standard Contract Clauses or other mechanism). Canada’s PIPEDA currently enjoys a finding of adequacy, however, this status is currently being reviewed. It is widely believed that PIPEDA in its current state may not receive a renewed adequacy finding.
There is no express definition in PIPEDA to distinguish personal information and sensitive personal information. Instead, organizations are required to assess the circumstances of their processing activities to determine whether the information could be considered as sensitive. According to the previous version of the guidance, as a general rule, financial information, health information and biometric information would “almost always” be considered sensitive personal and therefore require heighted privacy protections and express consent.
In previous submissions to the Standing Committee on Access to Information, Privacy and Ethics, the OPC recommended that any updated version of PIPEDA should contain a definition of sensitive information that would establish a general principle for sensitivity, and then follow with an open-ended list of examples. This is consistent with the model used by other jurisdictions; for example, the EU’s General Data Protection Regulation (“GDPR”) includes a provision which lists examples of special categories of personal information requiring additional protections. Closer to home, Bill 64, the bill seeking to amend Quebec’s private and public privacy laws, also includes special considerations for sensitive personal information. In particular, this bill requires express consent for the processing of sensitive information, and recently, an amendment to the bill was adopted to specify that medical, biometric or otherwise intimate information are considered as sensitive by nature, and that for these types of personal information, the determination that information is sensitive is not dependent on the context of the use or communication.
Under the GDPR’s Article 9, Processing of special categories of personal data, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership as well as genetic data, biometric data for the purpose of uniquely identifying a person, health data or data concerning a person’s sex life or sexual orientation are considered as “special” categories. The OPC’s new guidance takes a similar approach, and now lists “health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious/philosophical beliefs” as categories of personal information that are generally considered sensitive. With the exception of financial information (which is included in the OPC’s list) and the trade union membership information (included in the GDPR’s list), both lists are extremely similar.
Even under the previous solely contextual analysis, most organizations were likely treating the now-listed information as sensitive. However, there may be some ancillary impacts in certain areas.
Practical impacts on business
These changes have a significant impact on consent, specifically regarding the form of consent for the processing of personal information. The Guidelines for obtaining meaningful consent were updated to include the list of categories generally considered as sensitive, specifically due to the risks posed to individuals by the processing of these types of information. Furthermore, organizations are required to determine the form of consent needed for specific processing activities based on the nature of the information involved and the context of the collection, use and disclosure. Implied, or opt-out consent, can only be considered reasonable when the information is demonstrably not sensitive. However, considering this list expressly categorizes some personal information as information that is generally sensitive by its nature, organizations are now expected to gather express, or opt-in consent, when processing these types of personal information. This is highlighted in the OPC’s updated Guidelines on privacy and online behavioural advertising, its Policy position on behavioural advertising and the PIPEDA Self-Assessment Tool.
These updates also impact organizations’ obligations regarding mandatory breach reporting and their assessments of appropriate safeguards and third party providers. In the event of a breach of security safeguards, the organization must determine whether the breach creates a real risk of significant harm (“RROSH”) in which case it must then be reported and notifications made. Factors relevant to assess to determine whether a breach creates a RROSH, include the sensitivity of the information and the probability that the information has been, is being or will be misused. The guidance on mandatory breach reporting was updated to reflect the new approach. The contextual analysis which was previously required remains; however, when a breach now involves the listed types of personal information generally considered sensitive, there is more likely to be a RROSH and the reporting and notification obligations triggered.
Under the OPC’s guidance related to the Safeguards principle, the sensitivity of the information being protected and the risk of harm to the individual are both factors to consider when organizations are assessing the safeguards to employ in order to protect the information in a way that is appropriate to its sensitivity.
Because organizations have an obligation under PIPEDA to ensure service providers have “comparable protections” to their own in place, a review of data transfers to service providers and the contracts pursuant to which such transfers are made may be in order.
In a similar vein, in its guidance regarding the retention and destruction of personal information, the OPC made amendments to include specificity regarding the sensitivity of information, an important factor when organizations are outsourcing disposal functions to third parties. Commensurate steps to manage the risks, including acknowledging the sensitivity of the information and the ways third parties will protect that information appropriately during disposal operations, should be taken by organizations.
The OPC intends to issue an Interpretation Bulletin later this year to “further explain issues related to sensitive personal information”, including categories of personal information it has found to generally be considered sensitive in its previous reports of findings, or as set out in Canadian jurisprudence.
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information.