PIPEDA case #2003-226 shows that the more sensitive personal information is, the more steps should be taken to protect it (see PIPEDA Case Summary #2003-226 Company’s collection of medical information unnecessary; safeguards are inappropriate). In this case, an employee’s medical reports were received in the company’s office by fax machine located in an unlocked, accessible room. Among other things, the Privacy Commissioner considered PIPEDA Principle 4.7. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. The Commissioner found employee medical reports were among the most sensitive medical information. The company violated Principle 4.7 in its use of the fax machine and not having strict safeguards to protect the medical reports.
SGIGs conducting social well-being data analysis need to be mindful to ensure security measures applied to sensitive information are proportionate to the sensitivity of the information. Medical information about individuals is to be given the highest level of protection. This protection principle is echoed in all privacy statutes across Canada. The Office of the Privacy Commissioner of Canada’s Guidance Document: Access to Data For Health Research outlines the legal provisions in BC that apply to the disclosure of personal information for health research. This includes the volume and sensitivity of personal information that may be disclosed. While SGIGs located outside of BC are not subject to this law, the principles contained in it may be helpful.