Office of the Privacy Commissioner of Canada | Personal Information Protection and Electronic Documents Act | PIPEDA Findings #2023-002 | Well-founded & conditionally resolved

PIPEDA Findings #2023-002: Investigation into Agronomy’s privacy practices related to safeguards, accountability and valid consent for the collection and use of personal information

Organization: Agronomy Company of Canada Ltd.
Decision: Jul 31, 2023
Published: Jul 31, 2023

The Office of the Privacy Commissioner of Canada investigated a complaint against Agronomy Company of Canada Ltd. (Agronomy) following a significant data breach. The investigation found that Agronomy lacked appropriate safeguards, including multi-factor authentication, network segregation, and encryption, which contributed to the breach affecting 845 individuals. The OPC also found Agronomy lacked accountability structures. However, the complaint regarding valid consent for credit services was found not well-founded. Agronomy has since made significant improvements to its security measures and accountability practices.

  • Adequacy of security safeguards
  • Accountability for personal information
  • Validity of consent for collection and use of personal information

Safeguards and accountability aspects were well-founded and conditionally resolved; consent aspect was not well-founded.

The OPC found deficiencies in Agronomy's safeguards and accountability structures, leading to a data breach. However, Agronomy has implemented corrective measures and committed to further improvements, leading to a conditionally resolved outcome for these aspects. The consent issue was dismissed as the evidence indicated valid consent was obtained for credit services.

AI-generated summary for reference only. Always verify against the official decision.

Recommended action / remedy

Agronomy agreed to implement an incident management plan and a protocol for zero-day attacks within two months of the report's issuance, and to designate a Privacy Officer and develop a comprehensive privacy policy.

Statutory provisions cited
  • Principle 4.7 PIPEDA
  • Principle 4.7.1 PIPEDA
  • Principle 4.7.3 PIPEDA
  • Principle 4.1 PIPEDA
  • Principle 4.1.4 PIPEDA
  • Principle 4.3 PIPEDA
  • Principle 4.3.6 PIPEDA
  • Principle 4.3.2 PIPEDA

This is an informational summary and not legal advice.