Federal (Canada) Privacy Decisions

The complainant alleged that the Canada Border Services Agency (CBSA) improperly withheld the source code for the ArriveCAN application under subsection 16(2) of the Access to Information Act, which allows withholding information that could facilitate the commission of an offence. The CBSA argued that disclosure could allow malicious actors to hack the application or compromise user data. The Information Commissioner found that the CBSA reasonably exercised its discretion to withhold the source code at the time of the request, considering the sensitive nature of the application and the risks of disclosure.

• Whether the ArriveCAN source code could reasonably be expected to facilitate the commission of an offence if disclosed.
• Whether the CBSA reasonably exercised its discretion in deciding to withhold the source code.
• Whether severance of the source code was possible and reasonable.

The complainant alleged that the Royal Canadian Mounted Police (RCMP) improperly withheld their own DNA profile, citing subsection 24(1) of the Access to Information Act (disclosure restricted by another law). The RCMP argued that section 6.6 of the DNA Identification Act prohibits the disclosure of such information. The Information Commissioner found that the DNA Identification Act, which is listed in Schedule II of the ATIA, indeed restricts the disclosure of DNA profiles, and therefore upheld the RCMP's decision.

• Interpretation of subsection 24(1) of the Access to Information Act
• Application of section 6.6 of the DNA Identification Act
• Whether the complainant's DNA profile is information whose disclosure is restricted by another law

The complainant alleged that the Royal Canadian Mounted Police (RCMP) improperly withheld investigation reports into the deaths of two individuals under subsection 16(1)(a) of the Access to Information Act. The OIC found that the RCMP met all requirements for this exemption and reasonably exercised its discretion in withholding the information. The Commissioner recommended legislative amendments to allow disclosure of personal information about deceased individuals for compassionate reasons.

• Proper application of exemption 16(1)(a) (investigative bodies)
• Reasonable exercise of discretion by the institution
• Consideration of disclosure for compassionate reasons
• Overlap between the Privacy Act and Access to Information Act for deceased individuals

The complainant alleged that the Canada Border Services Agency (CBSA) did not conduct a reasonable search for records related to companies that worked on the ArriveCAN application. Specifically, the complainant questioned the absence of text messages in the provided records. The OIC investigated CBSA's search process and policies regarding text message management. The Information Commissioner concluded that CBSA's search was reasonable, as text messages are often considered transitory and are not retained if business value is captured in other formats, aligning with Treasury Board Secretariat guidance. Therefore, the complaint was found not to be well founded.

• Reasonableness of the search conducted by the CBSA
• Whether text messages related to the ArriveCAN application were properly searched for and provided
• CBSA's policies and practices regarding the management of transitory records, including text messages

The complainant requested his minor child's passport application from Immigration, Refugees and Citizenship Canada (IRCC), citing a court order granting him access to his children's information. IRCC denied the request, stating the child's consent was required. The OPC found that while the complainant had legal authorization to act on his child's behalf, the request was not made for the child's benefit or best interests, a key condition under the Privacy Regulations. Therefore, the OPC concluded that the complainant did not have a right of access to the child's personal information.

• Whether a parent has an automatic right of access to a minor child's personal information under the Privacy Act.
• Interpretation of the Privacy Regulations regarding requests made on behalf of a minor.
• Whether the complainant's request served the child's best interests.
• The decision-making capacity of a minor regarding their personal information.

The complainant alleged that the 1,000-day time extension taken by Health Canada to respond to an access request was unreasonable. The request concerned information about an application for religious exemption to serve ayahuasca. Health Canada claimed the extension was necessary due to the large volume and complexity of the records, which required extensive internal consultations. The Commissioner found that Health Canada met the requirements for claiming the extension under paragraphs 9(1)(a) and 9(1)(b) of the Access to Information Act. Therefore, the complaint was determined not to be well founded.

• Reasonableness of a 1,000-day time extension claimed by Health Canada
• Whether the large volume of records unreasonably interfered with Health Canada's operations
• Whether necessary consultations could reasonably be completed within 30 days
• Whether the duration of the extension was reasonable under the circumstances

The complainant alleged that the Canada Border Services Agency (CBSA) did not conduct a reasonable search for records concerning cybersecurity and data breach risks associated with the ArriveCan application. The complainant specifically questioned the absence of information related to certain companies and expenses. The Office of the Information Commissioner (OIC) investigated CBSA's search process and concluded that the relevant branch searched appropriate repositories and provided responsive records. Therefore, the OIC found the search to be reasonable and the complaint not well-founded.

• Whether the institution conducted a reasonable search for records.
• Definition of a reasonable search under the Access to Information Act.
• Adequacy of search efforts by the Information, Science and Technology Branch.

The complainant alleged that the Public Health Agency of Canada (PHAC) took an unreasonably long extension of time to respond to an access request for records related to social distancing guidance. PHAC claimed a 1,380-day extension, making the response date February 11, 2027. The OIC found that PHAC met all the requirements for the extension, concluding it was reasonable and the complaint was not well founded.

• Reasonableness of time extension claimed by PHAC under subsection 9(1) of the ATIA
• Whether PHAC met the requirements of paragraphs 9(1)(a) and 9(1)(b) of the ATIA

A representative acting for the executor of an estate requested personal information about a deceased individual from the Department of National Defence (DND). DND determined the representative was not entitled to the information under paragraph 10(b) of the Privacy Regulations because they did not sufficiently demonstrate a connection between the information sought and the administration of the estate. While DND processed the request informally and disclosed some information under another provision of the Act, they did not clearly state the grounds for refusal. The OPC found the complaint not well-founded as the representative failed to adequately articulate and substantiate the estate's purposes and how the records would serve them.

• Whether the representative was authorized to make a request on behalf of the deceased under paragraph 10(b) of the Privacy Regulations for the purpose of administering the estate.
• Whether the representative sufficiently demonstrated a connection between the information sought and the administration of the deceased's estate.
• Whether DND properly notified the representative of the refusal and the basis for it.
• Whether DND properly handled the request informally.