Federal (Canada) Privacy Decisions

The OPC investigated a complaint alleging that Immigration, Refugees and Citizenship Canada (IRCC) improperly withheld access to personal information. The complainant requested the "History Section" of their case file, but IRCC only provided a subset of information from other sections, referred to as the "Short Form" report. The OPC found that IRCC's practice of systematically retrieving and processing only the Short Form report contravenes section 12 of the Privacy Act, as it fails to provide individuals with access to all personal information under the government's control. Although the specific file was eventually provided, IRCC refused to update its procedures to address the systemic issue.

• Whether IRCC's practice of only retrieving and processing a "Short Form" subset of records in response to access requests complies with the Privacy Act's access obligations.
• Whether the "History Section" of the Global Case Management System (GCMS) file contains personal information.
• Whether IRCC's assertion that information outside the "Short Form" would always be withheld under exemptions is valid.
• Whether IRCC's failure to commit to updating its procedures constitutes a continuing contravention of the Privacy Act.

An employee of the Canada Border Services Agency (CBSA) complained that their personal information was inadvertently disclosed to colleagues due to improperly set folder permissions in the CBSA's information management system, Apollo. The CBSA confirmed the contravention of section 8 of the Privacy Act. While the CBSA took steps to correct the issue and improve practices, it did not commit to mandatory, trackable training for managing permissions, leading the OPC to find the complaint well-founded but unresolved.

• Whether CBSA contravened section 8 of the Privacy Act by improperly disclosing employee personal information.
• Adequacy of CBSA's response and corrective measures.
• Whether CBSA's training and awareness initiatives for managing information system permissions are sufficient.
• Whether the matter is resolved given CBSA's non-commitment to mandatory, trackable training.

This investigation examined allegations that the Canada Revenue Agency (CRA) inappropriately disclosed an adopted child's adoptive name, and the adoptive mother's personal information, to the child's biological mother. The OPC found that, on the balance of probabilities, the CRA likely disclosed the child's adoptive name, contravening section 8 of the Privacy Act. Deficiencies were also identified in the CRA's internal procedures for safeguarding adopted children's personal information. The complaint was found to be well-founded but not resolved, as the CRA agreed to implement some, but not all, of the OPC's recommendations.

• Whether the CRA disclosed the child's adoptive name and the adoptive mother's personal information to the biological mother without consent.
• Whether the CRA's internal procedures adequately protected the personal information of adopted children.
• Whether the CRA's actions contravened section 8 of the Privacy Act.
• Whether the complaint was resolved based on the CRA's response to the OPC's recommendations.

The complainant alleged that the Canada Revenue Agency (CRA) improperly denied access to personal information related to five grievances, relying on exceptions under the Privacy Act. The OPC found that while the CRA conducted reasonable searches, it failed to adequately substantiate its use of paragraph 22(1)(b) of the Act to withhold information. Much of the withheld information was transactional and did not demonstrate a clear risk of harm upon disclosure. The complaint was found to be well-founded, but unresolved, as the CRA maintained its position on the withheld information.

• Proper application of paragraph 22(1)(b) of the Privacy Act regarding risk of harm.
• Adequacy of government institution's searches for responsive records.
• Substantiation of claims for withholding information under statutory exemptions.
• Requirement for case-by-case assessment when applying exemptions.

This investigation examined complaints regarding the National Security and Intelligence Review Agency's (NSIRA) Secretariat's request for access to polygraph records as part of a review of the Communications Security Establishment. The OPC found that the anonymization measures significantly reduced re-identification risks, and the polygraph recordings themselves contained no personal information. However, concerns were raised about the timeliness of the Secretariat's requests to Treasury Board Secretariat for approval of Personal Information Banks (PIBs). The collection issue was found not well-founded, but the timeliness of PIB updates was found well-founded and subsequently resolved.

• Whether the NSIRA Secretariat collected personal information without a direct relationship to its operating programs or activities.
• Whether the NSIRA Secretariat complied with its obligations to include all personal information under its control in Personal Information Banks (PIBs).
• Assessment of privacy mitigation measures implemented by CSE to anonymize polygraph records.
• Timeliness of the NSIRA Secretariat's requests for PIB approvals and publication of its Info Source page.

The Office of the Privacy Commissioner of Canada investigated a complaint from a federal government employee who alleged that her personal information was repeatedly disclosed to another employee with the same name, and that administrative errors occurred in their files. The OPC found that the institution contravened the Privacy Act by improperly disclosing the complainant's personal information and by failing to ensure the accuracy of information used for administrative purposes. The complaint was found to be well-founded but conditionally resolved after the institution committed to implementing corrective measures.

• Unauthorized disclosure of personal information under section 8 of the Privacy Act.
• Failure to ensure the accuracy and completeness of personal information used for administrative purposes under subsection 6(2) of the Privacy Act.
• Lack of employee awareness regarding privacy breach reporting procedures.
• Systemic nature of errors due to employees having the same name.

This special report from the OPC investigated the RCMP's Project Wide Awake initiative, which uses third-party services to collect open-source information. The investigation found that the RCMP did not conduct adequate due diligence to ensure that the personal information collected via the Babel X service and its data providers was compliant with Canadian privacy laws. Additionally, the RCMP failed to meet its transparency obligations under the Privacy Act by providing inadequate descriptions of its open-source information collection practices and purposes in its Personal Information Banks.

• Compliance with collection provisions of the Privacy Act
• Adequacy of due diligence regarding third-party data collection practices
• Adequacy of transparency obligations under the Privacy Act
• Sufficiency of Personal Information Bank descriptions

Immigration, Refugees and Citizenship Canada (IRCC) contravened the Privacy Act when an employee inadvertently sent 497 emails containing personal information to the wrong email addresses. The investigation found that IRCC had insufficient administrative and procedural controls to prevent such errors. While IRCC took steps to notify affected individuals and mitigate harm, the Office of the Privacy Commissioner recommended improvements to prevent future breaches. IRCC accepted these recommendations and implemented enhanced measures, leading the OPC to consider the matter resolved.

• Whether IRCC contravened section 8 of the Privacy Act by disclosing personal information to unintended recipients.
• Adequacy of IRCC's administrative and procedural controls to prevent accidental disclosures.
• Effectiveness of IRCC's measures to mitigate the impact of the breach on affected individuals.
• Sufficiency of IRCC's actions to reduce the risk of recurrence.

The complainant alleged that Immigration, Refugees and Citizenship Canada (IRCC) failed to disclose all records sought under the Privacy Act. The investigation found that IRCC did not initially conduct a reasonable search for records, particularly concerning visa cancellations and reissuing. However, IRCC subsequently expanded its search to include all relevant offices, and although no additional information was found, the OPC was satisfied that its obligations under the Act were met, resolving the complaint.

• Reasonableness of IRCC's search for records.
• Whether IRCC failed to disclose all responsive information.
• Adequacy of IRCC's search scope and tasked offices.

An individual complained that Canada Post was using personal information collected from the outside of delivered mail to create marketing lists rented to private sector companies. The Office of the Privacy Commissioner of Canada (OPC) found that Canada Post's collection and use of this information for marketing purposes contravened section 5 of the Privacy Act because individuals were not authorized to have their information indirectly collected and used this way. While Canada Post disagreed with the findings and did not agree to cease the practice, it committed to improving transparency about its data usage.

• Whether Canada Post's collection of personal information from mail for marketing purposes complies with section 4 of the Privacy Act.
• Whether Canada Post's use and disclosure of personal information for marketing purposes complies with sections 7 and 8 of the Privacy Act.
• Whether Canada Post's indirect collection of personal information for marketing purposes, without explicit authorization, contravenes section 5 of the Privacy Act.
• What constitutes valid authorization for indirect collection of personal information under the Privacy Act.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding erroneous quarantine notifications sent by the ArriveCAN application to approximately 10,200 Apple device users. The OPC found that the Canada Border Services Agency (CBSA) did not take all reasonable steps to ensure the accuracy of the personal information used for administrative decisions, contravening subsection 6(2) of the Privacy Act. The CBSA disagreed with this finding and refused to correct the inaccurate information, although they later informed the OPC that the defect had been fixed and affected individuals notified.

• Whether the CBSA took all reasonable steps to ensure the accuracy of personal information used for administrative decisions.
• Whether the 'quarantine_exempted' data field constituted personal information used for an administrative purpose.
• Whether the CBSA's pre-release testing, human intervention, and correction mechanisms were adequate.
• Whether the CBSA should correct the erroneous information it holds despite the measures taken.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that the Canada Border Services Agency (CBSA) contravened the Privacy Act by collecting and using DNA from a complainant for genetic genealogy analysis to determine his nationality for deportation purposes. The OPC found that the CBSA contravened the Act by failing to obtain valid authorization for the indirect collection of the complainant's genetic information from FamilyTreeDNA (FTDNA), by improperly disclosing his personal information to other FTDNA users, and by failing to adequately describe the collection of relatives' genetic information in its public notices (PIBs).

• Was the CBSA's collection of genetic genealogy information directly related to its operations?
• Was the authorization for indirect collection from FTDNA valid?
• Did incidental disclosures of personal information contravene the Act?
• Were the transparency obligations under Section 11 met?

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint concerning the Immigration and Refugee Board of Canada's (IRB) improper disclosure of an employee's sensitive medical information to their management team. The IRB shared a "Fitness to Work" report containing intimate medical details without the employee's consent and beyond what was necessary for accommodation. The OPC found that while some information disclosure was consistent with the purpose of collection, the disclosure of highly sensitive medical information was not, thus contravening the Privacy Act. The IRB has since updated its policies and tools, but the OPC found the complaint to be well-founded and not adequately resolved, urging the IRB to implement its recommendations, including training and a meaningful apology.

• Whether the IRB obtained the complainant's consent to disclose their medical information.
• Whether the disclosure of the medical information in the FTW report to management constituted a "consistent use" under paragraph 8(2)(a) of the Privacy Act.
• Whether the IRB's disclosure practices complied with the Treasury Board Secretariat's "Standard" on fitness to work evaluations.
• The adequacy of the IRB's response to the OPC's recommendations.

The Office of the Privacy Commissioner investigated a complaint where the Canada Border Services Agency (CBSA) disclosed a workplace review report containing an individual's personal information to the Information Commissioner. The OPC found that while disclosing information related to the complainant's access to information requests was a consistent use, disclosing the workplace review report was not. The CBSA contravened the Privacy Act by disclosing this report without consent and for a purpose inconsistent with its original collection.

• Whether disclosing a workplace review report to the Information Commissioner constituted a 'consistent use' under paragraph 8(2)(a) of the Privacy Act.
• The distinction between information collected for managing workplace conflict versus information collected for responding to access to information requests.
• Whether the CBSA reasonably expected the disclosure of the workplace review report.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Employment and Social Development Canada (ESDC) improperly used video surveillance footage to monitor an employee's departure times. The OPC found that ESDC's use of the footage for this purpose was not consistent with the stated security collection purpose and that employees were not adequately informed about the camera usage. ESDC agreed to implement a clear policy on video surveillance use and inform individuals about collection purposes.

• Use of personal information collected via video surveillance for purposes other than security.
• Failure to inform employees about the collection and purpose of video surveillance.
• Whether the use of video surveillance was an exceptional measure for a pressing problem.
• Adherence to the institution's Personal Information Bank (PIB) for consistent uses.