Federal (Canada) Privacy Decisions

This special report details an investigation into unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency (CRA). The Office of the Privacy Commissioner (OPC) found that the CRA contravened the Privacy Act regarding accuracy and disclosure of personal information. While the CRA has made efforts to improve its security, shortcomings remain in prevention, monitoring, detection, remediation, and governance, particularly concerning the handling of "Unauthorized Use of Taxpayer Information by a Third Party" (UUTP) incidents. The investigation concluded that the CRA contravened subsections 6(2) and 8(2) of the Act.

• Adequacy of safeguards to protect taxpayer personal information from unauthorized disclosure and modification.
• Timeliness and strength of multi-factor authentication implementation.
• Effectiveness of monitoring and detection mechanisms for UUTPs.
• Coordination and proactivity of the CRA's governance for addressing UUTPs.

This joint investigation by privacy authorities across Canada found that OpenAI contravened privacy laws in its collection, use, and disclosure of personal information through its ChatGPT models GPT-3.5 and GPT-4. Specifically, the investigation found that OpenAI's collection of personal information from publicly accessible websites for training purposes was overbroad and inappropriate. The company also failed to obtain valid consent and be sufficiently transparent about its data practices. While OpenAI has since implemented new mitigation measures and committed to further improvements, some provincial authorities found the new measures insufficient to meet their specific legislative requirements.

• Appropriateness of purpose for data collection and use
• Validity of consent and transparency obligations
• Accuracy of generated information
• Individual rights to access, correction, and deletion

The complainant alleged that Health Canada improperly withheld records related to a COVID-19 vaccine safety update report, citing exemptions for confidential government information, personal information, and third-party commercial information. The Information Commissioner found that while some information was properly withheld under exemptions for confidential government information (section 13(1)) and personal information (section 19(1)), Health Canada failed to properly exercise its discretion regarding publicly available information under section 13(1). The Commissioner also found that exemptions for third-party commercial or financial information (section 20(1)(b) and (c)) were not met. The Commissioner ordered Health Canada to disclose the information withheld under third-party exemptions and reconsider the disclosure of publicly available information under section 13(1).

• Proper application of section 13(1) (confidential information from government bodies)
• Proper application of section 19(1) (personal information)
• Proper application of section 20(1)(b) (confidential third-party financial, commercial, scientific or technical information)
• Proper application of section 20(1)(c) (financial impact on a third party)

The OPC investigated a complaint alleging that Immigration, Refugees and Citizenship Canada (IRCC) improperly withheld access to personal information. The complainant requested the "History Section" of their case file, but IRCC only provided a subset of information from other sections, referred to as the "Short Form" report. The OPC found that IRCC's practice of systematically retrieving and processing only the Short Form report contravenes section 12 of the Privacy Act, as it fails to provide individuals with access to all personal information under the government's control. Although the specific file was eventually provided, IRCC refused to update its procedures to address the systemic issue.

• Whether IRCC's practice of only retrieving and processing a "Short Form" subset of records in response to access requests complies with the Privacy Act's access obligations.
• Whether the "History Section" of the Global Case Management System (GCMS) file contains personal information.
• Whether IRCC's assertion that information outside the "Short Form" would always be withheld under exemptions is valid.
• Whether IRCC's failure to commit to updating its procedures constitutes a continuing contravention of the Privacy Act.