
PIPEDA Findings #2021-002: Investigation into CoreFour Inc.’s compliance with PIPEDA
The Office of the Privacy Commissioner of Canada (OPC) investigated CoreFour Inc.'s compliance with PIPEDA in relation to its learning management system, Edsby. The OPC found that CoreFour's safeguards were not adequate because of vulnerabilities in password requirements and in the protection of student profile pictures, and because it lacked an overarching information security framework. The OPC also found that CoreFour lacked a robust accountability framework, including written policies and adequate privacy training. However, the OPC found CoreFour to be in compliance with its breach reporting and notification obligations. CoreFour has accepted the recommendations and is implementing corrective measures.
- Adequacy of safeguards for personal information
- Breach reporting and notification obligations
- Accountability for privacy compliance
- Development of privacy management and information security frameworks
Complaint findings well-founded and conditionally resolved regarding safeguards and accountability, and not well-founded regarding breach reporting.
The OPC found that although CoreFour had addressed specific vulnerabilities, it lacked a comprehensive information security framework and adequate accountability measures, so the safeguards and accountability issues were well-founded. CoreFour met its breach reporting obligations, so that aspect was not well-founded.
AI-generated summary for reference only. Always verify against the official decision.
The recommendations to CoreFour were to implement an information security management framework, enhance IT security resources, conduct malware scans on uploads, train staff, and build a comprehensive privacy management framework, including complaint handling and data retention procedures. CoreFour was also asked to provide a third-party report confirming implementation.
- Principle 4.7 PIPEDA
- Principle 4.1.4 PIPEDA
- s. 10.1 PIPEDA
- s. 10.2 PIPEDA
- s. 10.3 PIPEDA
This summary is informational only and not legal advice.

