Accidental disclosure by Health Canada - March 3, 2015
This investigation concerned a complaint against Health Canada (HC) regarding the mailing of 41,514 letters using windowed envelopes that revealed the name of the "Marihuana Medical Access Program" (MMAP). The Office of the Privacy Commissioner of Canada (OPC) found that HC contravened the Privacy Act by disclosing sensitive personal information without consent or legitimate purpose. Although HC cited administrative error and argued implicit consent or consistent use, the OPC determined that the sensitive nature of the program name required greater protection. HC has since implemented stricter mail-out procedures and created a new working group.
- Whether the visible program name in the return address constituted a disclosure of personal information.
- Whether implied consent was obtained from recipients.
- Whether the disclosure was a 'consistent use' of information under section 8(2)(a) of the Privacy Act.
- Whether Health Canada took reasonable steps to protect sensitive personal information.
Complaint well-founded
Health Canada contravened the Privacy Act by disclosing sensitive personal information (association with the MMAP) through visible return addresses on envelopes without demonstrating valid consent or a permissible disclosure under section 8(2). The sensitive and stigmatized nature of the program meant recipients could not reasonably expect such information to be revealed.
AI-generated summary for reference only. Always verify against the official decision ↗
The OPC recommended that Health Canada continue to follow its new procedures for mail-outs, ensuring consideration is given to safeguarding clients' sensitive personal information to minimize the risk of unauthorized disclosure.
- s. 3 Privacy Act
- s. 8(1) Privacy Act
- s. 8(2)(a) Privacy Act
This summary is informational only and not legal advice.