Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

15 decisions matching

Federal (Canada) · Privacy Act · Resolved
Mar 31, 2020 · Indexed Apr 12, 2026

CBSA should only retain travellers’ digital device passcodes when necessary

Canada Border Services Agency (CBSA)

A Canadian returning to Canada complained that the Canada Border Services Agency (CBSA) contravened the Privacy Act by requiring him to provide his cell phone passcode for inspection. The OPC found that while the CBSA has the authority under the Customs Act to require passcodes, it must follow its own policies and only retain personal information when necessary. The CBSA acknowledged policy failures and committed to improved training and policy revisions.

Adjudicator: Daniel Therrien

Key Issues
  • CBSA's authority to require digital device passcodes under the Customs Act
  • Whether the collection of the passcode was necessary
  • CBSA's adherence to its internal policies regarding personal information collection and retention
  • The sensitivity of digital device passcodes as personal information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Dec 27, 2017 · PIPEDA findings #2017-010 · Indexed Apr 12, 2026

PIPEDA findings #2017-010: Reasons for retaining customer credit card data explained

A retail store

A complainant objected to a retail store retaining records of her credit card transactions after she requested their deletion. The store initially cited contractual obligations to credit card companies, but later informed the OPC that the Excise Tax Act also legally required data retention. The OPC relayed this explanation to the complainant, who found it satisfactory, and the matter was resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Right to withdraw consent vs. legal and contractual retention obligations
  • Adequacy of explanation provided to complainant

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Apr 26, 2017 · Incident case summary #2017-001 · Indexed Apr 12, 2026

Incident case summary #2017-001: Multiple breach incidents as a result of password reuse

Office of the Privacy Commissioner of Canada

This report details three incidents in 2017 where Canadian organizations experienced data breaches due to password reuse by their customers. In each case, attackers used login credentials obtained from unrelated breaches to access customer accounts. The Office of the Privacy Commissioner of Canada found the organizations' responses to be appropriate, including actions like password resets, enhanced security measures, and customer notifications, and encouraged other organizations to adopt similar preventative strategies.

Adjudicator: Daniel Therrien

Key Issues
  • Impact of password reuse on personal information security
  • Adequacy of organizational responses to data breaches
  • Effectiveness of safeguards against unauthorized access
  • Communication and notification obligations to individuals

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Feb 24, 2016 · Incident Summary #12 · Indexed Apr 12, 2026

Incident Summary #12: Break with security procedures exposes financial planner’s client to privacy breach

A financial management firm

An incident occurred where employees of a financial management firm sent a client's sensitive financial information to her personal email account without proper security measures. This led to a situation where an individual, potentially a hacker, used this information to impersonate the client and attempt to transfer funds from her investment account. Although the client's money was not stolen due to the firm's established procedures, the firm's investigation revealed a breach of security protocols and inadequate employee training. The firm took corrective actions, including disciplinary measures for employees, additional privacy training, and reinforcing account security.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of security safeguards for personal information
  • Effectiveness of employee training on privacy and security procedures
  • Appropriateness of the organization's response to a data breach

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Feb 19, 2016 · Incident Summary #11 · Indexed Apr 12, 2026

Incident Summary #11: Financial institution reacts quickly to mass-mailing error

A financial institution

A financial institution reported a breach to the OPC after a printing error resulted in a few hundred clients receiving incorrect RRSP tax contribution statements. Some statements mistakenly included the personal information of other individuals, including names, addresses, account numbers, and Social Insurance Numbers. The institution promptly investigated, notified affected clients, provided new statements, increased account monitoring, and offered credit alert monitoring. They also reviewed and enhanced internal procedures to prevent future errors.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards to prevent privacy breaches
  • Timeliness and appropriateness of breach response
  • Notification of affected individuals
  • Review and enhancement of internal policies and procedures

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Feb 18, 2016 · Incident Summary #13 · Indexed Apr 12, 2026

Incident Summary #13: Fraudster targets financial institution employees and then customers to obtain personal information

A Canadian financial institution

This report details an incident where a fraudster impersonated an unknown individual to trick a financial institution's employees into revealing customer contact information. The fraudster then used this information to extract further personal details from approximately 100 customers, increasing their risk of identity theft. The financial institution took immediate steps to mitigate the breach, including offering credit monitoring and enhancing staff training.

Adjudicator: Daniel Therrien

Key Issues
  • Effectiveness of internal controls to prevent unauthorized disclosure of personal information
  • Adequacy of breach response and mitigation measures
  • Risks of identity theft and fraud due to personal information disclosure

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Jan 25, 2016 · Incident Summary #10 · Indexed Apr 12, 2026

Incident Summary #10: Cable provider removes personal information posted online of customers with overdue accounts

A local cable television provider

The OPC investigated a complaint concerning a cable provider that posted a list of customers with overdue accounts on a public Facebook page. The provider believed this was permissible, citing municipal practices of publishing names of those in property tax arrears. The OPC clarified that while PIPEDA permits disclosure of information for debt collection purposes to third parties, it does not authorize public dissemination without consent.

Adjudicator: Daniel Therrien

Key Issues
  • Public dissemination of personal information for debt collection
  • Application of PIPEDA's debt collection exemption
  • Comparison of debt collection practices with municipal tax arrears publications

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Jul 22, 2015 · PIPEDA findings #2015-019 · Indexed Apr 12, 2026

PIPEDA findings #2015-019: OPC complaint prompts telecom’s fraud investigation

A telecommunications company

A complaint was made against a telecommunications company and a credit-reporting agency after a fraudulent telecommunications account led to a false debt appearing on the complainant's credit report. The telecommunications company initially refused to correct the information or prove the complainant opened the account. Following OPC's involvement, the company's fraud team investigated, confirmed the account was fraudulent, cancelled it, and updated the credit-reporting agency with accurate information.

Key Issues
  • Accuracy and completeness of personal information
  • Correction of inaccurate personal information
  • Adequacy of customer authentication procedures
  • Accountability for information transferred to third parties

Federal (Canada) · Access to Information Act · Resolved
May 14, 2015 · Indexed May 4, 2026

Investigation into an access to information request for the Long-gun Registry

Royal Canadian Mounted Police

The requester sought access to the Firearms Registry database from the RCMP on March 27, 2012. The RCMP provided an incomplete response, which the requester argued was not justified and that the destruction of records obstructed their access rights. The OIC investigated the complaint.

Adjudicator: Suzanne Legault

Key Issues
  • Incompleteness of the provided information
  • Lack of justification for incomplete response
  • Destruction of records obstructing right of access under section 67.1 of the ATIA

Federal (Canada) · Privacy Act · Resolved
Nov 13, 2014 · Indexed Apr 12, 2026

Video surveillance of employees vs. right to privacy - a delicate balance - November 13, 2014

Canada Border Services Agency

A complaint was filed against the Canada Border Services Agency (CBSA) alleging that its use of video surveillance to monitor employees at a border crossing contravened the Privacy Act. The complainant argued that the CBSA was using video technology to collect personal information for monitoring employee conduct and performance, beyond the initial safety and security purposes, and that signage was insufficient. While the CBSA's signage issue was resolved, the investigation focused on the collection of employee information for monitoring. The OPC found that the CBSA's updated policies and rationale for collecting personal information for integrity and quality assurance, including investigating serious misconduct, met the Act's requirements, but awaited confirmation of updated guidelines.

Adjudicator: Daniel Therrien

Key Issues
  • Use of video surveillance for monitoring employee conduct and performance
  • Necessity and proportionality of collecting personal information via video surveillance
  • Sufficiency of signage informing employees of video monitoring
  • Compliance with the Privacy Act's requirement that personal information collection relates directly to an operating program or activity

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Mar 21, 2014 · Incident Summary #5 · Indexed Apr 12, 2026

Incident Summary #5: Life insurance company employs best practices in responding to mass mailing error that risked exposing personal information - March 21, 2014

A life insurance company

A life insurance company discovered a potential breach of personal information when a new envelope design exposed sensitive data, including SINs, of 53 pension plan members. The company took prompt action by notifying affected individuals, offering credit monitoring services, and implementing new security measures to prevent recurrence. The OPC noted the company's response demonstrated best practices in handling such incidents.

Adjudicator: Chantal Bernier

Key Issues
  • Potential exposure of sensitive personal information (SIN, date of birth, beneficiary information) due to envelope design.
  • Adequacy of the company's response to the potential breach.
  • Measures taken to prevent future incidents.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Feb 20, 2014 · Early resolved case summary #10 · Indexed Apr 12, 2026

Early resolved case summary #10: Bank improves its credit card account verification practices after challenge from customer - February 20, 2014

A bank

An individual complained that her bank required her to provide the last six digits of her Social Insurance Number (SIN) to set up a verified credit account for online purchases. The complainant believed this collection was unnecessary and sought an alternative. The bank initially maintained its practice but, after being informed of a similar OPC finding regarding transparency, discontinued the practice and updated its website to remove this authentication method. The complaint was resolved.

Adjudicator: Chantal Bernier

Key Issues
  • Bank's collection of partial SIN for account verification
  • Transparency of alternative authentication methods
  • Adequacy of information provided on the bank's website

Federal (Canada) · Privacy Act · Resolved
Oct 29, 2013 · Indexed Apr 12, 2026

Correctional Service of Canada initially denies access to full report in favour of giving the “gist”

Correctional Service of Canada

A complainant alleged that Correctional Service of Canada (CSC) denied him access to the full version of a report concerning his treatment and supervision. CSC initially provided a condensed version, which the OPC found to be a misrepresentation of the information and contrary to CSC's obligations under the Privacy Act. Following the OPC's investigation, CSC provided the complainant with the full report, with some personal information of other parties withheld, and committed to reviewing its access request handling procedures and communicating staff obligations under the Privacy Act.

Adjudicator: Jennifer Stoddart

Key Issues
  • Was the respondent in compliance with its obligations to identify and provide all relevant information in response to an access request?
  • Whether the respondent's provision of an abbreviated report was a misrepresentation of the information.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Apr 25, 2013 · Early resolved case summary #2013-01 · Indexed Apr 12, 2026

Early resolved case summary #2013-01: Property management company alters its rental application form to make clear that Social Insurance Number is optional

A property management company

An individual complained that a property management company was over-collecting personal information, including Social Insurance Number (SIN), driver's licence information, and banking information, on its rental application forms. The Office of the Privacy Commissioner of Canada (OPC) also investigated the company's lack of a privacy policy. The company committed to making it clear that the request for SIN, driver's licence, and banking information was optional and to posting a privacy policy on its website. The complainant was satisfied with these changes.

Adjudicator: Jennifer Stoddart

Key Issues
  • Collection of SIN, driver's licence, and banking information on rental applications
  • Requirement for a privacy policy on the company website
  • Responsibility for third-party practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Apr 20, 2001 · Incident · Indexed Apr 12, 2026

Incident: Transportation company collects and discloses passengers' personal information

A transportation company

The OPC investigated a complaint concerning a transportation company's practice of collecting passengers' dates of birth and citizenship for the Toronto-to-New York route and disclosing this information to U.S. Customs. The company confirmed this practice, which began in 2000, was an agreement with U.S. border agencies to minimize delays. The OPC determined that sales agents misrepresented the collection of this information as mandatory.

Adjudicator: George Radwanski

Key Issues
  • Collection of personal information without adequate notice or consent
  • Disclosure of personal information to a third party (U.S. Customs)
  • Misrepresentation of information collection as mandatory