
Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Aug 27, 2017 · Early resolved case summary #2017-002 · Indexed Apr 12, 2026

Early resolved case summary #2017-002: Access to personal information held by insurance company facilitated through the early resolution process

An insurance company

An individual complained to the OPC after an insurance company denied access to parts of their insurance claim file, including case management notes and a video of an incident. The company claimed the notes were confidential commercial information and the video contained third-party images. Through the early resolution process, the company allowed the individual to view the video and provided a redacted version of the case management notes. The complaint was resolved early.

Adjudicator: Daniel Therrien

Key Issues
  • Access to personal information, including insurance claim files and videos.
  • Application of PIPEDA exemptions for confidential commercial information and third-party personal information.
  • Severing or redaction of information to provide access.
  • Obligation to provide access to personal information.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jul 25, 2017 · Early resolved case summary #2017-001 · Indexed Apr 12, 2026

Early resolved case summary #2017-001: Privacy obligations under PIPEDA apply to financial technology sector

A financial technology company

A complainant filed a complaint against a financial technology (FinTech) company after being required to provide personal information to access an investment account management agreement. The company initially cited regulatory requirements for collecting the data before an individual became a client. The OPC advised the company that prospective clients should be able to review agreements and understand privacy implications before providing personal information to ensure meaningful consent.

Adjudicator: Daniel Therrien

Key Issues
  • Purpose of information collection
  • Meaningful consent
  • Regulatory requirements for collection

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jul 5, 2017 · Early resolved case summary #2017-003 · Indexed Apr 12, 2026

Early resolved case summary #2017-003: Bank agrees to cease performing credit checks on individuals who are no longer clients

A bank

An individual complained that a bank performed multiple credit checks on her without her consent, even though she had not been a client for many years. The bank initially stated the inquiries were from its marketing group but later found they originated from an unactivated credit card application. While the bank’s policy suggested it could continue soft credit inquiries after a relationship ended, the OPC expressed concerns about this practice. The bank agreed to end the practice and update its privacy policy, leading to the complaint being early resolved. The OPC confirmed the practice has ceased and the policy has been updated.

Adjudicator: Daniel Therrien

Key Issues
  • Consent for credit checks after termination of a business relationship
  • Continued collection of sensitive personal information without a legal requirement
  • Accuracy and completeness of information provided to individuals about data handling practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Sep 23, 2016 · Early resolved case summary #2016-01 · Indexed Apr 12, 2026

Early resolved case summary #2016-01: Access to personal information request revised to accommodate both requestor and organization

A condominium developer

A condominium owner complained that a developer failed to provide access to his personal information at minimal or no cost. The owner was initially told that thousands of pages of documents would cost over $200, or he could view them for free at the developer’s lawyer's office. The OPC's early resolution unit helped negotiate a compromise where the owner narrowed his request, and the developer agreed to provide free copies of the specific documents he sought. The owner was ultimately satisfied with this resolution.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the proposed fees for access to personal information complied with the "minimal or no cost" requirement.
  • Whether the offer to view documents for free, but not receive copies, met the organization's access obligations.
  • The reasonable accommodation of an individual with a disability in fulfilling an access request.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Aug 10, 2016 · Early resolved case summary #2016-02 · Indexed Apr 12, 2026

Early resolved case summary #2016-02: Organization’s technical glitch results in the disclosure of a client’s personal information to another client

An online service company

An individual complained that an online service company was not addressing an issue where another client's personal information was appearing on his account. The company, after intervention from the OPC, investigated and found the problem was a technical glitch involving another organization's software interface. The glitch was corrected, and the company updated its internal policies and established contractual agreements with the other organization to prevent future breaches.

Adjudicator: Daniel Therrien

Key Issues
  • Adequate training of front-line staff on privacy policies and procedures.
  • Need for contractual agreements to mitigate data breaches when integrating online services.
  • Effectiveness of escalation processes for client privacy concerns.
  • Resolution of technical glitches leading to inadvertent disclosure of personal information.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
May 6, 2016 · Early resolution case summary #2016-03 · Indexed Apr 12, 2026

Early resolution case summary #2016-03: First Nation develops a privacy policy following allegations of lost doctor’s notes

A First Nation band council

A First Nation band council developed a privacy policy after an employee complained about lost doctor's notes required to approve his leave. While the band council did not confirm losing the notes, it worked with the OPC to create a privacy policy and adopt best practices. The employee considered his complaint resolved, recognizing the issue would be addressed under the Canada Labour Code, and was pleased the band council was implementing a privacy policy.

Adjudicator: Daniel Therrien

Key Issues
  • Responsibility of a First Nation band council under PIPEDA
  • Disposition of medical documentation
  • Development of a privacy policy

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Dec 18, 2015 · PIPEDA findings #2015-021 · Indexed Apr 12, 2026

PIPEDA findings #2015-021: Telecom company responsible for erroneous debt collection calls

A telecommunications company

A telecommunications company erroneously continued to report a debt to a credit-reporting agency after the complainant was discharged from bankruptcy. This impacted the complainant's credit score and led to unwanted debt collection calls. The company investigated, corrected its records, notified the credit-reporting agency, and ensured the debt collection calls would cease.

Adjudicator: Daniel Therrien

Key Issues
  • Accuracy and up-to-dateness of personal information
  • Disclosure of personal information to third parties
  • Appropriate use of personal information in decision-making

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Oct 26, 2015 · Early resolved case summary #2015-02 · Indexed Apr 12, 2026

Early resolved case summary #2015-02: Retailer takes remedial actions after employee inappropriately texted customer

A retailer

An individual complained to the OPC after a retailer's delivery person texted her inappropriate comments after obtaining her number from a work phone and transferring it to a personal device. The complainant also felt the retailer mishandled her initial complaint. The OPC's involvement led the retailer to implement new procedures for faulty work phones, retrain employees on its privacy policy, and take disciplinary action against the delivery person. The complainant was satisfied with the resolution.

Adjudicator: Daniel Therrien

Key Issues
  • Unauthorized use of customer personal information
  • Handling of customer complaints
  • Employee training on privacy policies

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Aug 14, 2015 · Early resolved case summary #2015-07 · Indexed Apr 12, 2026

Early resolved case summary #2015-07: Employee training a key factor in effectively satisfying customers’ requests about an organization’s personal information handling practices

A car dealership

An individual complained that a car dealership could not provide details about its personal information handling practices when asked. The dealership employee copied the complainant's driver's license and credit card without adequately explaining why or what safeguards were in place. The dealership agreed to hold an employee review session to ensure staff are knowledgeable about privacy policies and practices.

Key Issues
  • Adequacy of employee training on privacy policies
  • Transparency regarding collection and use of personal information
  • Responding to individual inquiries about personal information handling practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Aug 1, 2015 · Early resolved case summary #2015-04 · Indexed Apr 12, 2026

Early resolved case summary #2015-04: Misidentification and lack of access to personal information leads to mistaken four-year debt pursuit

A collection agency

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from an individual who alleged that a collection agency was pursuing him for a debt he did not owe and that inaccurate information was appearing on his credit report. The individual was unable to obtain validation of the debt from the agency. Following the OPC's intervention, the agency investigated, found discrepancies on the original credit application, ceased collection efforts, and agreed to correct the individual's credit report. The individual was satisfied with this resolution.

Adjudicator: Daniel Therrien

Key Issues
  • Accuracy of personal information
  • Access to personal information
  • Debt collection practices
  • Correction of credit reports

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jul 9, 2015 · Early resolved case summary #2015-01 · Indexed Apr 12, 2026

Early resolved case summary #2015-01: Store stops practice of posting pictures of suspected shoplifters - July 2015

A department store

A customer complained that a department store was displaying photographs of individuals on a bulletin board to identify suspected shoplifters. The Office of the Privacy Commissioner of Canada (OPC) advised the store that posting such photographs without consent contravened PIPEDA. The store agreed to remove the pictures and discontinue the practice, opting instead to work with the police.

Key Issues
  • Public display of photographs of suspected shoplifters without consent
  • Application of PIPEDA to photographs taken from video surveillance

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jun 28, 2015 · Early resolved case summary #2015-05 · Indexed Apr 12, 2026

Early resolved case summary #2015-05: Anti-virus service provider steps up safeguards after customer personal information fraudulently used by someone posing as an employee

An anti-virus service provider

A couple complained after their personal information was fraudulently used by a marketing company posing as an employee of their anti-virus service provider. The couple suspected the service provider employee disclosed their account number to the marketing company. The OPC investigated and found the service provider had failed to adequately protect customer information. The service provider dismissed the employee responsible and implemented new safeguards, including an auditing system and a streamlined procedure for addressing privacy concerns.

Key Issues
  • Adequacy of security safeguards
  • Unauthorized access to personal information
  • Complaint handling procedures
  • Accountability for employee actions

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
May 22, 2015 · Early resolved case summary #2015-06 · Indexed Apr 12, 2026

Early resolved case summary #2015-06: Manager snoops on employee’s personal bank account after employee calls in sick

A credit union

An individual complained that her manager at a credit union accessed her personal bank account without consent. The manager suspected the employee was not actually sick and used her customer data to check her debit card usage outside the province. The credit union acknowledged the improper access and agreed to apologize and address the manager's conduct. The employee was satisfied, and the matter was resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Manager accessing employee's personal banking information without valid business purpose
  • Use of personal information for a purpose other than that for which it was collected
  • Employee's right to privacy while also being a customer of the institution

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Mar 12, 2015 · PIPEDA findings #2015-020 · Indexed Apr 12, 2026

PIPEDA findings #2015-020: Hotel chain alerts its clients about “special offer” telephone scam

A hotel chain

A complainant was concerned that a hotel chain linked her IP address to her phone number after she received a promotional phone call. The hotel chain clarified that it does not engage in promotional calls and that the call was a fraudulent telemarketing scam by an unrelated party. The complainant suggested the hotel warn its customers about such scams, which the hotel did, leading to the matter being resolved.

Key Issues
  • Unauthorized collection of personal information
  • Misrepresentation by a third party
  • Complainant's concern about IP address linkage to phone number

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jan 21, 2015 · Early resolved case summary #2015-03 · Indexed Apr 12, 2026

Early resolved case summary #2015-03: Office building tenant reconsiders placement of video surveillance cameras

An office building management company

A tenant complained about five video surveillance cameras installed in common areas of their office building by another tenant. The complainant was particularly concerned about two cameras that monitored activity near his office door and the elevators, viewing it as an invasion of privacy. Following the OPC's involvement, the cameras of most concern were relocated inside the other tenant's offices, resolving the complainant's privacy concerns.

Key Issues
  • Appropriateness of video surveillance in common areas
  • Collection of personal information in shared spaces
  • Minimum collection principle for video surveillance