Federal (Canada) Privacy Decisions

A Canadian returning to Canada complained that the Canada Border Services Agency (CBSA) contravened the Privacy Act by requiring him to provide his cell phone passcode for inspection. The OPC found that while the CBSA has the authority under the Customs Act to require passcodes, it must follow its own policies and only retain personal information when necessary. The CBSA acknowledged policy failures and committed to improved training and policy revisions.

• CBSA's authority to require digital device passcodes under the Customs Act
• Whether the collection of the passcode was necessary
• CBSA's adherence to its internal policies regarding personal information collection and retention
• The sensitivity of digital device passcodes as personal information

A complaint was filed against the Canada Border Services Agency (CBSA) alleging that its use of video surveillance to monitor employees at a border crossing contravened the Privacy Act. The complainant argued that the CBSA was using video technology to collect personal information for monitoring employee conduct and performance, beyond the initial safety and security purposes, and that signage was insufficient. While the CBSA's signage issue was resolved, the investigation focused on the collection of employee information for monitoring. The OPC found that the CBSA's updated policies and rationale for collecting personal information for integrity and quality assurance, including investigating serious misconduct, met the Act's requirements, but awaited confirmation of updated guidelines.

• Use of video surveillance for monitoring employee conduct and performance
• Necessity and proportionality of collecting personal information via video surveillance
• Sufficiency of signage informing employees of video monitoring
• Compliance with the Privacy Act's requirement that personal information collection relates directly to an operating program or activity

A complainant alleged that Correctional Service of Canada (CSC) denied him access to the full version of a report concerning his treatment and supervision. CSC initially provided a condensed version, which the OPC found to be a misrepresentation of the information and contrary to CSC's obligations under the Privacy Act. Following the OPC's investigation, CSC provided the complainant with the full report, with some personal information of other parties withheld, and committed to reviewing its access request handling procedures and communicating staff obligations under the Privacy Act.

• Was the respondent in compliance with its obligations to identify and provide all relevant information in response to an access request?
• Whether the respondent's provision of an abbreviated report was a misrepresentation of the information.