Federal (Canada) Privacy Decisions

This investigation examined the Treasury Board of Canada Secretariat's (TBS) handling of employee personal information related to the administration of the Direction on Prescribed Presence in the Workplace, which mandates minimum on-site workdays. The Office of the Privacy Commissioner of Canada (OPC) found that TBS's practices for both organizational compliance reporting (using aggregated data like turnstile and HR data) and individual compliance monitoring (relying on manager observation and self-reporting) were compliant with the Privacy Act. The OPC concluded that the complaint was not well-founded, noting TBS's effective balance between operational needs and employee privacy.

• Collection of employee personal information for hybrid work model compliance
• Retention and disposal of personal information
• Use and disclosure of personal information
• Transparency and adequacy of Personal Information Banks (PIBs)

The Office of the Privacy Commissioner of Canada (OPC) investigated the Canada Border Services Agency's (CBSA) contracting practices related to the ArriveCAN application following a complaint and a request from a parliamentary committee. The investigation examined whether contractors had inappropriate access to travellers' personal information. While the OPC found no contravention of the Privacy Act, it identified shortcomings in the CBSA's contracting processes, such as issues with the timeliness and accuracy of security assessments and broad task descriptions in contracts. The OPC made recommendations to improve the CBSA's practices, which the agency accepted.

• Whether CBSA authorized contractors to access personal information without required security clearances.
• Accuracy and timeliness of security requirement assessments for contracts.
• Clarity and specificity of task descriptions in contracts and task authorizations.
• CBSA's compliance with security requirements for personnel and organizations involved in ArriveCAN contracts.