As Mr. Schaan pointed out, the context dependency for any analysis of sensitivity of any information is critical. It's a cornerstone of the OPC's submission to this committee that we start with a context analysis of collection, use or disclosure of any information. That's really important because, while there may be some scenarios where it is somewhat rare for a category to be considered sensitive or not sensitive, the contextual piece is what gives the commissioner the ability to ensure that privacy is being protected at the highest level.
With regard to the EU's GDPR, as Mr. Schaan already pointed out, financial data is not included in Quebec's Law 25, nor is it included in the EU or U.K. GDPR. Similarly, the aspect of passwords is not included in any other jurisdictions—save for California, where it's referenced in a very specific manner, which is that your login information for a sensitive use case would be considered sensitive information because it's what the password and the user credentials give access to. That's the nature of the sensitivity there.
Including passwords overall, of course, as we explained the last time we spoke at committee, is simply because it introduces a degree of non-neutrality in dealing with technologies that could also be problematic in some cases.
As Mr. Schaan already pointed out, a driver's licence has been specifically ruled not to be personal information by the OPC in two provinces, so adding the designation of sensitive personal information to something that the OPC himself has said is not personal information at all would be somewhat of a conflict.