Federal Privacy Commissioner publishes guidance on what is “sensitive” personal information


On May 16, 2022, the Office of the Privacy Commissioner of Canada (“OPC”) issued an interpretation bulletin (“Bulletin”) on what it considers “sensitive” personal information under the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Bulletin is intended to serve as a consolidated guide based on the various interpretations of key concepts from jurisprudence, regulatory findings and PIPEDA over time.

The sensitivity of personal information plays several important roles under PIPEDA. In particular, it informs:

  • the appropriate form of consent to the collection, use and disclosure of personal information;
  • the adequacy of security safeguards used to protect personal information;
  • whether the personal information may be used or disclosed without the individual’s knowledge or consent (for example, in the context of a prospective business transaction); and
  • whether a breach of security safeguards must be reported to the OPC and the affected individuals notified.

Personal information should not be assessed in a vacuum. Instead, the OPC recommends assessing the surrounding circumstances that may increase the sensitivity of otherwise non-sensitive personal information. For example, basic contact details may seem relatively innocuous. However, where they reveal personal preferences and activities, they can have significant effects.

According to the Bulletin, the following factors should be considered when assessing the sensitivity of personal information:

  1. Combined information

Different types of personal information, when combined, can carry a high degree of sensitivity depending on the risks inherent in the organization’s environment. For example, in the case of a technology company, customers’ phone numbers, email addresses, type of device and history of technical support interactions could be used in tech support scams to defraud individuals. In other cases, combined personal information (e.g., website and app use) may be used to infer a range of general and specific interests, resulting in multi-dimensional profiles. The combination of these seemingly innocuous categories can significantly increase the sensitivity of an individual’s personal information.

  2. Health information

While medical information is considered highly sensitive, different types of health information have varying degrees of sensitivity. For example, the fact that a person goes to a fitness centre has a low sensitivity rating; however, when combined with additional details such as their schedule and training regime, the information becomes more sensitive. While these details may not seem sensitive at first glance, careful assessment of the context is required when collecting, using or disclosing any personal information. More explicit forms of health information, such as biometric data, fall on the higher end of the sensitivity spectrum.

  3. Financial information

Like health information, financial information is generally considered “extremely sensitive,” but its degree of sensitivity can also vary. Factors influencing this assessment include the nature of the information balanced against the information already available in the public domain. It is important to note that financial information is often collected, used or disclosed together with identifying information such as an individual’s social insurance number (“SIN”), which increases its sensitivity. The OPC highlights that combining this information may increase the potential for phishing or identity theft: PIPEDA Report of Findings #2015-007.

  4. Reputational harm

Personal information that can affect a person’s reputation and cause embarrassment when disclosed has a high degree of sensitivity. The OPC cited three regulatory decisions as examples in which the potential reputational effects of disclosure were taken into account (PIPEDA Report of Findings #2015-002, PIPEDA Report of Findings #2016-005 and PIPEDA Report of Findings #2019-001). The sensitive personal information referred to in those decisions included an individual’s credentials (or lack thereof), relationship status in the context of a dating website, and court/tribunal outcomes (e.g., in relation to divorce, custody, human rights complaints, immigration and bankruptcy, to name a few).

  5. Other considerations

Generally speaking, personal information relating to drug and alcohol use, depression, sexual preferences and practices, ethnicity, and political leanings or affiliations is considered sensitive. As with health and financial information, determining the sensitivity of such personal information requires a contextual assessment of the information and the types of harm that may result.

Takeaway

The Bulletin provides a relevant framework for assessing the sensitivity of personal information. The factors listed by the OPC are important but not exhaustive. Organizations should use this opportunity to review their privacy frameworks (especially with regard to the adequacy of consent for the collection, use and disclosure of personal information).


