The federal Office of the Privacy Commissioner updated guidance documents regarding sensitive information. Canada is currently undergoing its “adequacy” review under the European Union’s General Data Protection Regulation (GDPR). In its announcement, the Privacy Commissioner stated that “[t]he updated guidance aims to better explain the concept of sensitive information under PIPEDA so it can be evaluated more accurately against the GDPR.” Maintaining Canada’s adequacy status ensures that personal information can more easily flow between the EU and Canada, a benefit to Canadian companies conducting business in the region.
The Personal Information Protection and Electronic Documents Act (PIPEDA) indicates that the sensitivity of personal information is determined by the context (see Principle 4.3.4). However, the Privacy Commissioner has identified the following as types of information that will generally be considered “sensitive information”:
- health and financial data,
- ethnic and racial origins,
- political opinions,
- genetic and biometric data,
- an individual’s sex life or sexual orientation, and
- religious/philosophical beliefs.
The personal information protections a company has in place are to be proportional to the sensitivity of that information. Additionally, a company should generally obtain express consent when it collects personal information that is sensitive. Alysia M. Christiaen, Lerners’ Chief Privacy Officer, is able to assist companies in determining whether their consent and privacy protections are sufficient given the sensitivity of the personal information they are collecting from clients.