Federal (Canada) Privacy Decisions

This investigation examined the Treasury Board of Canada Secretariat's (TBS) handling of employee personal information related to the administration of the Direction on Prescribed Presence in the Workplace, which mandates minimum on-site workdays. The Office of the Privacy Commissioner of Canada (OPC) found that TBS's practices for both organizational compliance reporting (using aggregated data like turnstile and HR data) and individual compliance monitoring (relying on manager observation and self-reporting) were compliant with the Privacy Act. The OPC concluded that the complaint was not well-founded, noting TBS's effective balance between operational needs and employee privacy.

• Collection of employee personal information for hybrid work model compliance
• Retention and disposal of personal information
• Use and disclosure of personal information
• Transparency and adequacy of Personal Information Banks (PIBs)

The Office of the Privacy Commissioner of Canada (OPC) investigated the Canada Border Services Agency's (CBSA) contracting practices related to the ArriveCAN application following a complaint and a request from a parliamentary committee. The investigation examined whether contractors had inappropriate access to travellers' personal information. While the OPC found no contravention of the Privacy Act, it identified shortcomings in the CBSA's contracting processes, such as issues with the timeliness and accuracy of security assessments and broad task descriptions in contracts. The OPC made recommendations to improve the CBSA's practices, which the agency accepted.

• Whether CBSA authorized contractors to access personal information without required security clearances.
• Accuracy and timeliness of security requirement assessments for contracts.
• Clarity and specificity of task descriptions in contracts and task authorizations.
• CBSA's compliance with security requirements for personnel and organizations involved in ArriveCAN contracts.

The complainant alleged that Library and Archives Canada (LAC) failed to respond to an access request within the 30-day timeframe. The request sought extensive information on Métis Nation land titles, treaties, and communications with Indigenous organizations. LAC determined the request was too broad and lacked specificity for their employees to identify records with reasonable effort, and thus did not meet the requirements of section 6 of the Access to Information Act. The Information Commissioner agreed that the request was too vague and did not require LAC to respond.

• Whether the access request provided sufficient detail to identify records with reasonable effort, as required by section 6 of the ATIA.
• Whether LAC made reasonable efforts to seek clarification from the complainant.
• Whether LAC was required to undertake extensive historical and legal research to identify responsive records.

The complainant alleged that the Privy Council Office's (PCO) record-keeping practices for appointment processes did not comply with the Access to Information Act, specifically regarding interview notes. PCO stated that interview notes are considered transitory records, used to support deliberations, and are destroyed after appointments, with only the final advice letter to the Minister being the official record. The Commissioner found no evidence that records were destroyed with the intent to deny access, concluding the notes were transitory and their destruction did not violate the Act. The complaint was therefore not well founded.

• Whether PCO's practice of destroying interview notes constitutes non-compliance with the Access to Information Act.
• Whether the interview notes qualify as transitory records that can be disposed of.
• Whether the destruction of interview notes with intent to deny access constitutes an offence under section 67.1 of the Act.

The complainant alleged that the Department of National Defence (DND) improperly refused to issue a new response letter for a request concerning authority to generate Branch Standing Orders. DND stated that no records were found after a thorough search and included additional contextual information and hyperlinks to publicly available documents. The complainant argued this contextual information was speculative and breached DND's duty to assist. The Information Commissioner of Canada (OIC) found that DND's response was complete and appropriate, and the supplementary information was provided in good faith to assist the requester without misrepresenting the search results or creating new records.

• Whether DND improperly refused to issue a new response letter.
• Whether DND's inclusion of contextual information breached its duty to assist requesters.
• Whether DND's response accurately and completely addressed the access request.

The complainant alleged that Correctional Service Canada (CSC) improperly withheld records from an inmate's file, citing several provisions of the Access to Information Act, primarily subsection 19(1) concerning personal information. The investigation focused on whether CSC met the requirements for withholding personal information and if it reasonably exercised its discretion in denying access. The Commissioner found that the records contained sensitive personal information and that CSC had met the requirements of subsection 19(1). Furthermore, CSC reasonably exercised its discretion in deciding not to disclose the information, as the public interest in disclosure did not clearly outweigh the invasion of privacy. Consequently, the complaint was found not to be well-founded.

• Whether the records constituted personal information under subsection 19(1) of the ATIA.
• Whether CSC met the requirements for withholding personal information under subsection 19(1).
• Whether CSC reasonably exercised its discretion under subsection 19(2) regarding consent, public availability, and public interest in disclosure.
• Whether constitutional principles related to transparency and openness of judicial proceedings applied to the Parole Board of Canada.

The complainant alleged that the Royal Canadian Mounted Police (RCMP) improperly withheld their own DNA profile, citing subsection 24(1) of the Access to Information Act (disclosure restricted by another law). The RCMP argued that section 6.6 of the DNA Identification Act prohibits the disclosure of such information. The Information Commissioner found that the DNA Identification Act, which is listed in Schedule II of the ATIA, indeed restricts the disclosure of DNA profiles, and therefore upheld the RCMP's decision.

• Interpretation of subsection 24(1) of the Access to Information Act
• Application of section 6.6 of the DNA Identification Act
• Whether the complainant's DNA profile is information whose disclosure is restricted by another law

The complainant alleged that the Canada Border Services Agency (CBSA) improperly withheld the source code for the ArriveCAN application under subsection 16(2) of the Access to Information Act, which allows withholding information that could facilitate the commission of an offence. The CBSA argued that disclosure could allow malicious actors to hack the application or compromise user data. The Information Commissioner found that the CBSA reasonably exercised its discretion to withhold the source code at the time of the request, considering the sensitive nature of the application and the risks of disclosure.

• Whether the ArriveCAN source code could reasonably be expected to facilitate the commission of an offence if disclosed.
• Whether the CBSA reasonably exercised its discretion in deciding to withhold the source code.
• Whether severance of the source code was possible and reasonable.

The complainant alleged that the Royal Canadian Mounted Police (RCMP) improperly withheld investigation reports into the deaths of two individuals under subsection 16(1)(a) of the Access to Information Act. The OIC found that the RCMP met all requirements for this exemption and reasonably exercised its discretion in withholding the information. The Commissioner recommended legislative amendments to allow disclosure of personal information about deceased individuals for compassionate reasons.

• Proper application of exemption 16(1)(a) (investigative bodies)
• Reasonable exercise of discretion by the institution
• Consideration of disclosure for compassionate reasons
• Overlap between the Privacy Act and Access to Information Act for deceased individuals

The complainant alleged that the Canada Border Services Agency (CBSA) did not conduct a reasonable search for records related to companies that worked on the ArriveCAN application. Specifically, the complainant questioned the absence of text messages in the provided records. The OIC investigated CBSA's search process and policies regarding text message management. The Information Commissioner concluded that CBSA's search was reasonable, as text messages are often considered transitory and are not retained if business value is captured in other formats, aligning with Treasury Board Secretariat guidance. Therefore, the complaint was found not to be well founded.

• Reasonableness of the search conducted by the CBSA
• Whether text messages related to the ArriveCAN application were properly searched for and provided
• CBSA's policies and practices regarding the management of transitory records, including text messages

The complainant requested his minor child's passport application from Immigration, Refugees and Citizenship Canada (IRCC), citing a court order granting him access to his children's information. IRCC denied the request, stating the child's consent was required. The OPC found that while the complainant had legal authorization to act on his child's behalf, the request was not made for the child's benefit or best interests, a key condition under the Privacy Regulations. Therefore, the OPC concluded that the complainant did not have a right of access to the child's personal information.

• Whether a parent has an automatic right of access to a minor child's personal information under the Privacy Act.
• Interpretation of the Privacy Regulations regarding requests made on behalf of a minor.
• Whether the complainant's request served the child's best interests.
• The decision-making capacity of a minor regarding their personal information.

The complainant alleged that the 1,000-day time extension taken by Health Canada to respond to an access request was unreasonable. The request concerned information about an application for religious exemption to serve ayahuasca. Health Canada claimed the extension was necessary due to the large volume and complexity of the records, which required extensive internal consultations. The Commissioner found that Health Canada met the requirements for claiming the extension under paragraphs 9(1)(a) and 9(1)(b) of the Access to Information Act. Therefore, the complaint was determined not to be well founded.

• Reasonableness of a 1,000-day time extension claimed by Health Canada
• Whether the large volume of records unreasonably interfered with Health Canada's operations
• Whether necessary consultations could reasonably be completed within 30 days
• Whether the duration of the extension was reasonable under the circumstances

The complainant alleged that the Canada Border Services Agency (CBSA) did not conduct a reasonable search for records concerning cybersecurity and data breach risks associated with the ArriveCan application. The complainant specifically questioned the absence of information related to certain companies and expenses. The Office of the Information Commissioner (OIC) investigated CBSA's search process and concluded that the relevant branch searched appropriate repositories and provided responsive records. Therefore, the OIC found the search to be reasonable and the complaint not well-founded.

• Whether the institution conducted a reasonable search for records.
• Definition of a reasonable search under the Access to Information Act.
• Adequacy of search efforts by the Information, Science and Technology Branch.

The complainant alleged that the Public Health Agency of Canada (PHAC) took an unreasonably long extension of time to respond to an access request for records related to social distancing guidance. PHAC claimed a 1,380-day extension, making the response date February 11, 2027. The OIC found that PHAC met all the requirements for the extension, concluding it was reasonable and the complaint was not well founded.

• Reasonableness of time extension claimed by PHAC under subsection 9(1) of the ATIA
• Whether PHAC met the requirements of paragraphs 9(1)(a) and 9(1)(b) of the ATIA

A representative acting for the executor of an estate requested personal information about a deceased individual from the Department of National Defence (DND). DND determined the representative was not entitled to the information under paragraph 10(b) of the Privacy Regulations because they did not sufficiently demonstrate a connection between the information sought and the administration of the estate. While DND processed the request informally and disclosed some information under another provision of the Act, they did not clearly state the grounds for refusal. The OPC found the complaint not well-founded as the representative failed to adequately articulate and substantiate the estate's purposes and how the records would serve them.

• Whether the representative was authorized to make a request on behalf of the deceased under paragraph 10(b) of the Privacy Regulations for the purpose of administering the estate.
• Whether the representative sufficiently demonstrated a connection between the information sought and the administration of the deceased's estate.
• Whether DND properly notified the representative of the refusal and the basis for it.
• Whether DND properly handled the request informally.