On 13 August 2021, the OPC announced that it had amended several guidance documents to reaffirm some of the types of personal information the OPC has generally interpreted as sensitive in the context of PIPEDA.
Under PIPEDA, any personal information can be considered sensitive depending on the context. The updated guidance sets out that certain types of personal information will generally be considered sensitive, and require a higher degree of protection, because of the specific risks to individuals when that information is collected, used or disclosed. These include health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious/philosophical beliefs.
The OPC provides a list of the updated guidance documents:
- Guidelines for obtaining meaningful consent;
- What you need to know about mandatory reporting of breaches of security safeguards;
- Guidelines on privacy and online behavioural advertising;
- Policy Position on online behavioural advertising;
- PIPEDA fair information principle 7 – safeguards;
- Personal information retention and disposal: principles and best practices;
- PIPEDA self-assessment tool.
The updates relate to discussions with Industry, Science and Economic Development Canada (ISED) with respect to an ongoing review by the European Commission about the “adequacy” of Canada’s privacy legislation, and aim to better explain the concept of sensitive information under PIPEDA so it can be evaluated more accurately against the GDPR.
Under the GDPR, adequacy decisions must be reviewed every 4 years. This process involves a comprehensive assessment of the country’s privacy regime and is currently underway in Canada. The result of this review could have a profound impact on data transfers between the EU and Canada if our adequacy decision were lost.
The OPC will issue an Interpretation Bulletin sometime later this year to further explain issues relating to sensitive personal information.
The updated guidance includes considerations for businesses evaluating what types of information are “sensitive”. Under PIPEDA, organizations must protect personal information with appropriate safeguarding measures commensurate with the sensitivity of the information, and seek express consent when the information is likely to be considered sensitive.