Federal (Canada) Privacy Decisions

This compliance letter concerns a privacy breach at Nova Scotia Power that began around March 19, 2025. A malware attack allowed a threat actor to access and exfiltrate sensitive customer information, including names, contact details, financial information, and SINs, affecting approximately 375,000 current and 540,000 former customers. Nova Scotia Power has committed to specific actions, including deleting customer SINs and undergoing an external security assessment, to address the breach. Upon the Commissioner's satisfaction with these commitments, the investigation will be discontinued.

• Adequacy of security safeguards following a significant data breach.
• Timeliness and method of notification to affected individuals.
• Collection and retention of Social Insurance Numbers (SINs).
• Breach response and remediation efforts.

The Office of the Information Commissioner (OIC) received a complaint alleging that a federal institution did not respond to an access request within an extended timeframe and raised concerns about the institution's communication conduct. The OIC accepted the complaint regarding the delay but found the complaint about inappropriate conduct inadmissible as it was filed outside the 60-day time limit. The OIC determined the time limit for the conduct complaint began on May 2, 2022, when the institution first communicated its proposed response, not when the extended response deadline passed.

• Timeliness of filing a complaint regarding alleged inappropriate communication
• Determination of when the 60-day time limit to file a complaint begins
• The impact of an institution's communication conduct on the complainant's awareness of grounds for complaint

The Information Commissioner determined that a complaint was inadmissible because it was not filed within the 60-day time limit required by section 31 of the Access to Information Act. The complainant argued that the time limit should start from when they recovered a deleted email from the institution, but the Commissioner found that the period for submitting the complaint began the day after the institution's response was received. The Act does not grant the Commissioner the power to extend this mandatory time limit.

• Timeliness of complaint submission under section 31 of the ATIA
• Interpretation of 'in any other case' in section 31
• Commencement date for the 60-day complaint period

The Information Commissioner of Canada gave notice that she ceased to investigate a complaint. The Commissioner determined the complaint was trivial, as the complainant wished to pursue the matter as a point of principle, despite the issue having already been settled and showing a seeming lack of interest in obtaining the records.

• Whether the complaint was trivial, frivolous, or vexatious under subsection 30(4)(a) of the ATIA.

The complainant filed a complaint under the Access to Information Act (ATIA) concerning an institution's response to their request. The institution argued the complaint was filed outside the 60-day time limit stipulated by section 31 of the ATIA. The complainant acknowledged the delay but requested the Information Commissioner extend the deadline due to the institution's undated covering letter and the misplacement of the response. The Commissioner rejected the complaint, stating she lacks the authority to extend statutory timeframes.

• Timeliness of complaint submission
• Commissioner's discretion to extend statutory time limits
• Interpretation of section 31 of the ATIA

The Information Commissioner ceased an investigation into a complaint that a federal institution failed to provide documents in French. During the investigation, the institution translated and provided the documents to the complainant. The Commissioner determined that continuing the investigation was unnecessary as the complainant had received the documents in their official language of choice.

• Whether the investigation should cease under subsection 30(4)(b) of the ATIA as unnecessary.

The Information Commissioner ceased an investigation into a complaint regarding an institution's search for records. The OIC had previously investigated and issued a final report on an identical matter concerning the institution's search for records from the 1990s. As continuing the investigation was deemed unnecessary and the complainant did not respond to an offer to provide further representations, the investigation was discontinued.

• Whether continuing the investigation was unnecessary
• Whether the matter had already been the subject of a previous investigation or final report

An individual complained that a real estate management company failed to obtain consent for the collection of his personal information through video surveillance at a shopping mall. The complainant alleged inadequate signage and over-collection of his information when a camera was focused on him. The company responded by posting new signage and providing additional training to staff. The Office of the Privacy Commissioner discontinued the investigation, finding the company’s response to be fair and reasonable.

• Adequacy of signage for video surveillance
• Over-collection of personal information
• Consent to collection of personal information

The complainant settled a legal dispute with a retailer by signing a mutual release, which included releasing the retailer from all past, present, and future claims and complaints. Subsequently, the complainant filed a privacy complaint alleging the retailer failed to provide access to her personal information. The Office of the Privacy Commissioner of Canada (OPC) discontinued the investigation, finding the complaint was made in bad faith because the complainant had already released the retailer from such claims.

• Whether the complaint was made in bad faith
• The effect of a mutual release on a privacy complaint

The Office of the Privacy Commissioner investigated a website that was broadcasting live audio from cellular telephones onto the internet. The investigation was discontinued after the Internet Service Provider shut down the Ottawa-based website due to bandwidth issues. The website had moved to a server in New York under new management.

• Unauthorized interception and broadcasting of private cell phone conversations
• Privacy implications of using scanners to capture cellular traffic
• Responsibility of Internet Service Providers for content hosted on their networks

The Information Commissioner of Canada gave notice that she ceased investigating seventeen complaints. The complainant alleged that an institution's time extensions on seventeen access requests were unreasonable. However, the Commissioner found the requests were vexatious and substantively duplicative of a previous request where the institution's time extension was deemed reasonable. The Commissioner also noted the institution was providing interim responses as committed, and the complainant's actions suggested an attempt to circumvent previous findings.

• Whether the complaints were vexatious
• Whether further investigation was unnecessary
• Whether the requests were duplicative of a previous request
• Whether the complainant was attempting to circumvent previous findings

The complainant alleged that a federal institution had failed to respond to an access request within the prescribed time limit, resulting in a deemed refusal. The Information Commissioner found the complaint inadmissible because it was not submitted within the 60-day time limit required by section 31 of the Access to Information Act. The Commissioner determined that the complainant's awareness of the deemed refusal began when the institution first failed to meet the statutory deadline, not on the date the complaint was filed.

• Timeliness of complaint submission under section 31 of the ATIA
• Definition of 'day on which the requester becomes aware' for deemed refusals
• Interpretation of 'ongoing' or 'continuing' deemed refusals
• Applicability of Federal Court and OIC precedent on complaint timeliness

The complainant filed a complaint with the Information Commissioner's office regarding an access to information request. The institution provided its response in October 2021, including a notice that the complainant had sixty days to file a complaint. The complainant submitted their complaint in January 2022, which was outside the mandated timeframe. The Information Commissioner rejected the complaint because it was filed after the statutory deadline.

• Timeliness of complaint submission under section 31 of the ATIA
• Mandatory nature of statutory timeframes under the ATIA
• Commissioner's authority to extend statutory timeframes