Do You Know What Sensitive Data Is?
- August 15, 2022
- Clayton Rice, K.C.
Personal information is distinguishable from personally identifiable information in that the latter can be used to uniquely identify a specific individual. Both have been described as sensitive data although personal information cannot be used standing alone to uniquely identify an individual. Confidential information is another term used to describe sensitive data particularly in the context of a legal duty of confidentiality owed to a data subject by an individual or a commercial enterprise. What, then, does the term sensitive data actually mean and what does the legal landscape for the protection of sensitive data in civil society look like?
Sensitive data is confidential data that an individual or business chooses to keep private. One way of measuring the sensitivity of personal information stored electronically is to ask yourself this question: How would it impact me if this personal information were exposed? Another question to ask is: What steps have I taken to reduce the risk of a data breach? The answers to these questions may reveal whether you take reasonable precautions not only to protect your own data but also that of others to whom you owe a legal or ethical obligation of confidentiality. Data integrity applies to both the data and the means of its protection. (here) Although the variety of information that may fall into the category of sensitive data is limitless, it will always include personally identifiable information that reveals racial or ethnic origin; political opinions; religious or philosophical beliefs; genetic and biometric data; trade union membership; medical data; information revealing sexual orientation; and, data related to criminal convictions. (here and here)
2. The Regulatory Landscape
The statutory framework in Canada consists of federal and provincial legislation governing privacy and data protection. The aging federal Privacy Act defines personal information to mean information about an “identifiable individual” that is recorded in any form. Here are five of the specific categories of information listed in the definition:
- information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual;
- information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;
- any identifying number, symbol or other particular assigned to the individual;
- the address, fingerprints or blood type of the individual; and,
- the personal opinions or views of the individual except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual by a government institution or a part of a government institution specified in the regulations. (here)
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) defines “personal information” to mean “information about an identifiable individual”. (here) The proposed Consumer Privacy Protection Act, Bill C-27, that I discussed in my last post to On The Wire (here) contains the same definition of “personal information” as PIPEDA. (here) And, at the provincial level, for example, the Personal Information Protection Act (PIPA) of Alberta also uses the same definition. (here)
The General Data Protection Regulation of the European Union (GDPR) is considered to be the gold standard in data protection. (here) The GDPR defines “personal data” more broadly in Article 4(1) to mean any information relating to an “identified or identifiable natural person” by reference to “an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that person.” (here)
This review of some statutory provisions shows that the terms “personal information” and “personally identifiable information” are used interchangeably. The legal definition of both terms varies depending on the jurisdiction and the purposes for which they are used. In the United States, the National Institute of Standards and Technology defines personally identifiable information (PII) as “any information that can be used to distinguish or trace an individual’s identity” and any other information that is “linked or linkable to an individual”. (here) For example, then, a user’s IP address is not personally identifiable information standing alone but, rather, linked PII. Under the GDPR, however, the IP address of an internet subscriber may be classified as “personal data”. (here) And, both have been described as “sensitive data”.
3. Examples of Sensitive Data
I will comment on three cases. The first is the high-profile breach into the computer systems of Equifax in 2017. The second is the scandal involving the notorious facial recognition company, Clearview AI, that Heather Ferg discussed in a previous post to On The Wire. (here) The third is a recent ruling of the Court of Justice of the European Union that extended the parameters of what the term “sensitive data” includes.
In Agnew-Americano v. Equifax Canada Co., the claim arose out of the intrusion by hackers into the computer systems of Equifax, a multinational consumer credit reporting agency, during May 13, 2017, through July 30, 2017. Equifax notified approximately 20,000 Canadians that their “personal information” including names, addresses and social insurance numbers had been compromised. On December 13, 2019, Justice B.T. Glustein released a ruling granting an application by the plaintiff, Alina Owsianik, for certification of the lawsuit as a class action. (here) Throughout the ruling, Justice Glustein used the term “sensitive data” on multiple occasions to describe the compromised information without defining it or elaborating on what it means. The term “personal information” in the Freedom of Information and Protection of Privacy Act of Ontario, not at issue in Equifax, is defined as “recorded information about an identifiable individual” and specifically includes “information relating to financial transactions in which the individual has been involved”. (here) It appears that the terms “personal information” and “sensitive data” were used interchangeably and, at para. 289, compendiously as “sensitive personal information”.
In PIPEDA Report of Findings No. 2021-001 released on February 2, 2021, the joint report by the offices of the Privacy Commissioner of Canada and three provincial counterparts in Quebec, Alberta and British Columbia, found that Clearview AI failed to obtain consent from individuals whose information it harvested from public websites. (here) Clearview’s facial recognition tool functions in four sequential steps. First, it “scrapes” images of faces and associated data from publicly accessible online sources, including social media, and stores that information in its database. Second, it creates biometric identifiers in the form of numerical representations for each image. Third, it allows users, including law enforcement, to upload an image which is then assessed against those biometric identifiers and matched to images in its database. Fourth, it provides a list of results, containing all matching images and metadata. If a user clicks on any of these results, they are directed to the original page of the image.
The report was specifically concerned with Clearview’s failure to comply with the consent requirements of PIPEDA and the three provincial statutes governing personal information. You will recall that, in particular, PIPEDA and the PIPA statute of Alberta define personal information as “information about an identifiable individual.” Yet, the term “sensitive nature” (sensitive data) is used in the report to describe information that is “information about an identifiable individual” and the term “personal information” is used to describe “source links” (linked data). Here are the two key passages from the report:
- [O]ur offices find the information at issue (facial biometrics generated from digital images) to be of a sensitive nature. Biometric information is distinctive, unlikely to vary over time, difficult to change and largely unique to the individual. Facial biometric data is particularly sensitive given that it is a key to an individual’s identity, supporting the ability to identify and surveil individuals. (para. 74)
- We further note that the additional contextual information provided by source links (that is, social media and websites) can include significant personal information of varying levels of sensitivity. Further, Clearview’s collection of information includes the mass indiscriminate collection of the personal information of minors, which would be considered particularly sensitive. (para. 75)
On August 1, 2022, the Court of Justice of the European Union (CJEU) released a preliminary ruling styled as OT v. Vyriausioji tarnybines etikos komisija requested by the Regional Administrative Court, Vilnius, Lithuania. (here) The ruling has significant implications for online platforms that use background tracking and profiling to target users with behavioural advertising. Although the referral related specifically to Lithuanian anti-corruption legislation, it has broad implications for how the GDPR should be interpreted when data can be used to draw sensitive inferences about an individual, referred to in the GDPR as the “data subject”.
OT is the director of QP, an establishment governed by Lithuanian law in receipt of funds which operates in the field of environmental protection. On February 7, 2018, the Chief Ethics Commission found that, by failing to file a declaration of private interests, OT infringed the law on the reconciliation of interests. On March 6, 2018, OT brought an action for annulment of that decision before the referring court. The referring court had doubts whether the law was compatible with Article 9(1) of the GDPR. It took the view that the personal data contained in a declaration of private interests was liable to reveal information about the private life of the declarant (and his or her spouse) with the result that disclosure is capable of infringing the right to respect for private life.
Article 9(1) of the GDPR prohibits the processing of personal data revealing “a natural person’s sex life or sexual orientation”. (here) The relevant portion of the ruling concerned whether the publication of the name of a spouse or partner amounted to the processing of “sensitive data” because it could reveal sexual orientation. The CJEU held, at para. 128, that Article 9(1) must be interpreted to mean that the publication of personal data on a public authority website that is liable to indirectly disclose a person’s sexual orientation constitutes processing of personal data. In an article titled Sensitive data ruling by Europe’s top court could force broad privacy reboot by Natasha Lomas, published by TechCrunch on August 2, 2022, cybersecurity consultant Dr. Lukasz Olejnik described the ruling as “the single, most important, unambiguous interpretation of GDPR so far.” (here)
Although there is a distinction between “personal information” and “personally identifiable information”, the terms have been used interchangeably and sometimes conflated, as in the Alberta statute, for example, where personal information is defined to mean “information about an identifiable individual”. Whether the distinction is one with a difference will depend on the nature of the data and the text of the relevant statute. The term “sensitive data” has been used in Canada to describe “personal information” under the Ontario Freedom of Information and Protection of Privacy Act and the Equifax ruling, and to describe “personal data” under the GDPR and the OT ruling.
Privacy and cybersecurity experts continue to assert the need to protect users of internet platforms with respect not only to their data but also to the inferences that may be drawn from that data. It may be inferred, for example, that a person who accesses Alex Jones’ Infowars online holds extremist political views, or that parenthood may be deduced from the purchase of a supply of diapers on Amazon. The CJEU emphasized, at para. 42, that the declaration of private interests in OT was liable to reveal “particularly sensitive information, such as the fact that the data subject is cohabiting or is living with another person of the same sex”. And that is the takeaway here. Inferred data is sensitive data.