Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

75 decisions matching

Federal (Canada) · Privacy Act · Well-founded
Oct 21, 2019 · Indexed Apr 12, 2026

Crossing the line? The CBSA’s examination of digital devices at the border

Canada Border Services Agency

This report details the OPC's investigation into six complaints concerning the Canada Border Services Agency's (CBSA) search of travellers' digital devices at the border. The OPC found that the CBSA contravened the Privacy Act by failing to adhere to its own policies and legal authorities regarding these searches, particularly concerning the scope of data accessed and the lack of proper documentation. The CBSA accepted most operational recommendations for improvement but disagreed with recommendations for legislative reform.

Adjudicator: Daniel Therrien

Key Issues
  • CBSA's authority to examine digital devices at the border under the Customs Act
  • Compliance with CBSA's internal policy on digital device examinations
  • Collection and retention of personal information from digital devices
  • Adequacy of training and oversight for CBSA officers

Federal (Canada) · Privacy Act · Well-founded
Mar 29, 2019 · Indexed Apr 12, 2026

Global Affairs Canada fails to demonstrate its authority to collect the personal information contained in diplomatic passports

Global Affairs Canada

The complainant alleged that Global Affairs Canada (GAC) improperly collected personal information from his diplomatic passport for an administrative investigation. The complainant had used his diplomatic passport for personal travel, and GAC requested the original passport as evidence. GAC did not demonstrate how the personal travel information collected related to its operating programs or activities, nor did it provide sufficient cooperation to confirm its authority to collect this information.

Adjudicator: Daniel Therrien

Key Issues
  • Whether GAC had the authority to collect personal travel information from a diplomatic passport.
  • Whether the collection of personal travel information related directly to GAC's operating programs or activities.
  • Whether GAC provided sufficient information regarding the administrative investigation and its authority to collect the passport.

Federal (Canada) · Privacy Act · Well-founded
Mar 28, 2019 · Indexed Apr 12, 2026

Employment and Social Development Canada collects personal information again despite the complainant’s previous objection

Employment and Social Development Canada

The complainant alleged that Employment and Social Development Canada (ESDC) contravened the Privacy Act by collecting his personal information for a second time, despite his previous objection, through a third-party company. The OPC found that while ESDC's collection was not for an administrative purpose directly affecting the complainant, it failed to comply with section 4 of the Act because the information was not collected in accordance with the terms of its program, as the third party had obtained the information without consent. ESDC also continued to use the complainant's information despite his request to be removed from the list.

Adjudicator: Daniel Therrien

Key Issues
  • Collection of personal information without consent
  • Collection of personal information from a third party
  • ESDC's responsibility to ensure third-party compliance with contractual obligations
  • ESDC's continued collection of information after a request for removal

Federal (Canada) · Privacy Act · Well-founded
Feb 11, 2019 · Indexed Apr 12, 2026

The name of an individual is considered personal information if it is accompanied by information that is about the individual

Canadian Transportation Agency (CTA)

The complainant, an air passenger rights advocate, requested access to records about himself from the Canadian Transportation Agency (CTA). The CTA denied access to most records, arguing the information was not personal information, or that it was exempt under various provisions of the Privacy Act. The OPC found that the CTA had erred in withholding information and improperly invoked exemptions under section 70(1). However, most information withheld under sections 26 and 27 was found to be properly exempted, with specific exceptions.

Adjudicator: Daniel Therrien

Key Issues
  • Whether records containing the complainant's name and discussions about his advocacy activities constituted personal information under the Privacy Act.
  • Whether information withheld under paragraph 12(1)(b) was properly excluded from the scope of accessible personal information.
  • Whether information was correctly exempted under sections 26 (third-party personal information), 27 (solicitor-client privilege), and subsection 70(1) (cabinet confidences).

Federal (Canada) · Privacy Act · Well-founded
Aug 20, 2018 · Indexed Apr 12, 2026

Innovation, Science and Economic Development Canada fails to ensure that the information it used to staff a position was accurate

Innovation, Science and Economic Development Canada

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) contravened the accuracy provisions of the Privacy Act by using inaccurate information about him when staffing a position. ISED confirmed that it failed to ensure the accuracy of the information used, which was linked to the complainant’s profile in the MyGCHR human resources system. The investigation found the complaint to be well-founded.

Adjudicator: Daniel Therrien

Key Issues
  • Whether ISED contravened the accuracy provisions of the Privacy Act.
  • Whether ISED took reasonable steps to ensure the accuracy of personal information used for staffing.
  • The role of the MyGCHR system in the accuracy of personal information.

Federal (Canada) · Privacy Act · Well-founded
Jun 12, 2018 · Repeat offender · Indexed Apr 12, 2026

Repeat offender: CSC unlawfully denies complainant access to his personal information a second time

Correctional Service Canada (CSC)

The Office of the Privacy Commissioner of Canada investigated a complaint from a federal inmate who alleged that Correctional Service Canada (CSC) contravened the Privacy Act by denying him access to personal information, specifically video and audio recordings. This was a repeat issue, as similar allegations were found to be well-founded in a previous investigation. While CSC properly exempted some recordings, it failed to respond to some requests entirely and, critically, failed to retrieve and retain requested video recordings before they were overwritten in two instances, despite previous recommendations to improve processes for short-retention period records. The complaint was found well-founded due to these failures to provide timely access.

Adjudicator: Daniel Therrien

Key Issues
  • Timeliness of responding to access to information requests.
  • Retention and destruction of personal information, particularly video recordings.
  • Appropriate application of exemptions to disclosure.
  • Failure to implement previous recommendations regarding record retrieval.

Federal (Canada) · Privacy Act · Well-founded
Jun 4, 2018 · Indexed Apr 12, 2026

Employee text messages intercepted without authorization at the Warkworth Institution

Correctional Service Canada (CSC)

Several complainants alleged that the Correctional Service Canada (CSC) unlawfully collected personal information through the use of a cell-site simulator near the Warkworth Institution. While CSC confirmed collecting six text messages, it denied intercepting conversations and stated the collection was not authorized. The Office of the Privacy Commissioner of Canada (OPC) found that while the collection of metadata was consistent with the Privacy Act given security concerns, the interception and collection of text message content was not authorized and therefore contravened the Act.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the collection of cell phone metadata and text messages by CSC constituted personal information under the Privacy Act.
  • Whether the collection of cell phone metadata was directly related to CSC's operating programs or activities.
  • Whether the interception and collection of text message content was authorized under the Privacy Act.

Federal (Canada) · Privacy Act · Well-founded
Mar 12, 2018 · Indexed Apr 12, 2026

Health Canada demonstrates that personal information it collects relates directly to the administration of its Non-Insured Health Benefits Program

Health Canada

The complainant alleged that Health Canada collected more personal information than necessary for adjudicating claims under its Non-Insured Health Benefits (NIHB) Program. Specifically, concerns were raised about the detailed patient information required for the approval of drug benefits. Health Canada demonstrated that the information collected through Limited Use forms for drug benefits was directly related to the administration of the NIHB Program and necessary for determining eligibility based on established clinical criteria.

Adjudicator: Daniel Therrien

Key Issues
  • Was the personal information collected by Health Canada directly related to an operating program or activity of the institution?
  • Was the information collected necessary for the adjudication of claims for limited use drug benefits under the NIHB Program?
  • Did Health Canada require more personal information than necessary for the adjudication of claims?

Federal (Canada) · Privacy Act · Well-founded
Aug 16, 2017 · Indexed Apr 12, 2026

Cell site simulators used by RCMP not capable of intercepting private communication

Royal Canadian Mounted Police (RCMP)

This investigation was initiated following a complaint that the RCMP used cell site simulators, also known as "Stingray" devices or "IMSI catchers," without confirming or denying their use. The complainant was concerned these devices could intercept private communications and extract encryption keys. The investigation found that while the RCMP's cell site simulators cannot intercept private communications, there were six instances where they were used without prior judicial authorization or exigent circumstances, which constituted a contravention of the Privacy Act. The RCMP has since implemented a policy requiring prior judicial authorization for all deployments unless exigent circumstances exist.

Adjudicator: Daniel Therrien

Key Issues
  • Use of cell site simulators (mobile device identifiers) by the RCMP
  • Capability of cell site simulators to intercept private communications
  • Requirement for judicial authorization for the collection of personal information using cell site simulators
  • Handling and retention of data collected from third-party devices

Federal (Canada) · Privacy Act · Well-founded
Jul 19, 2017 · Indexed Apr 12, 2026

MyDemocracy website not designed in a privacy sensitive way

Privy Council Office (PCO)

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding the MyDemocracy.ca website, operated by the Privy Council Office (PCO). The complainant alleged that despite promises of anonymity, the website used Facebook Connect tracking, potentially disclosing personal information to Facebook. The OPC found that the website's design led to the automatic disclosure of IP addresses and browser information to Facebook upon visiting the site, even before users chose to share content. While PCO made some changes and no evidence suggested PCO used the data to identify individuals, the OPC concluded that the initial disclosure was not consensual and violated section 8 of the Privacy Act. Consequently, the complaint was found well-founded.

Adjudicator: Daniel Therrien

Key Issues
  • Disclosure of personal information to third parties (Facebook) without consent.
  • Whether IP addresses and browser characteristics constitute 'personal information' under the Privacy Act.
  • Adequacy of privacy notices and consent mechanisms for third-party data sharing.
  • Failure to conduct a Privacy Impact Assessment (PIA).

Federal (Canada) · Privacy Act · Well-founded
Jun 8, 2017 · Indexed Apr 12, 2026

Over-collection of Personal Information of First Nations and Inuit people for the Administration of Non-Insured Health Benefits

Health Canada

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Health Canada was over-collecting personal information, specifically diagnostic details, for medical transportation and specialist services under its Non-Insured Health Benefits (NIHB) Program. The OPC found that while Health Canada's intention was to confirm policy requirements for travel, the form used inadvertently led to the collection of unnecessary diagnostic information. Health Canada has since removed the problematic field from the form.

Adjudicator: Daniel Therrien

Key Issues
  • Whether Health Canada collected more personal information than necessary for the administration of the NIHB Program.
  • Whether the collection of diagnostic information for medical transportation and specialist services contravened the Privacy Act.
  • The adequacy of Health Canada's NIHB Medical Transportation and Specialist Referral Form in preventing over-collection of personal information.

Federal (Canada) · Privacy Act · Well-founded
Jun 8, 2017 · Indexed Apr 12, 2026

Phoenix pay system compromised Public Servants’ privacy

Public Services and Procurement Canada (PSPC)

The Office of the Privacy Commissioner (OPC) investigated three complaints concerning privacy breaches within the Phoenix pay system. The investigation revealed that Public Services and Procurement Canada (PSPC) had inadequate testing, coding errors, and insufficient controls, leading to multiple breaches of federal public servants' personal information. These breaches exposed names, Personal Record Identifier (PRI) numbers, and salary information, with some vulnerabilities being government-wide and potentially allowing data changes. The OPC found the complaints to be well-founded, citing the system's vulnerabilities and PSPC's initial underreporting of the scope of the breaches.

Adjudicator: Daniel Therrien

Key Issues
  • Unauthorized access to and disclosure of personal information within the Phoenix pay system.
  • Inadequacy of PSPC's testing, coding, and security controls for the Phoenix system.
  • Scope and impact of the privacy breaches on federal public servants.
  • Timeliness and adequacy of PSPC's notification to affected individuals.

Federal (Canada) · Privacy Act · Well-founded
Apr 19, 2017 · Indexed Apr 12, 2026

Disclosure of information about complainant's attempted suicide to US Customs and Border Protection not authorized under the Privacy Act

Royal Canadian Mounted Police (RCMP)

This investigation concerned a complaint that the Royal Canadian Mounted Police (RCMP) inappropriately disclosed the complainant's personal information, including details of a past suicide attempt, to US Customs and Border Protection (CBP) via the Canadian Police Information Centre (CPIC). The complainant alleged this disclosure led to her being deemed inadmissible to the US. The Office of the Privacy Commissioner of Canada (OPC) found the disclosure was not authorized under the Privacy Act, as it did not meet the criteria for law enforcement or criminal justice purposes as defined by the Memorandum of Cooperation (MOC) between the RCMP and the FBI. Although the RCMP implemented some changes to CPIC policies, the OPC concluded they remained unclear and did not sufficiently protect against unauthorized disclosures.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the disclosure of personal information related to a suicide attempt to US border officials via CPIC was authorized under subsection 8(2)(f) of the Privacy Act.
  • Whether the disclosure was authorized under subsection 8(2)(a) of the Privacy Act as a use consistent with the original purpose of information collection.
  • Whether CPIC policies adequately protected against unauthorized disclosure of sensitive personal information.
  • The interpretation of 'law enforcement' and 'criminal justice purposes' in the context of border security assessments.

Federal (Canada) · Privacy Act · Well-founded
Dec 20, 2016 · Indexed Apr 12, 2026

The PBC refuses to process requests for record suspension information

Parole Board of Canada

The Office of the Privacy Commissioner (OPC) investigated two complaints against the Parole Board of Canada (PBC) concerning access to record suspension information. The OPC found that the PBC improperly refused to process access requests submitted by a third-party screening company and also improperly required requesters to provide excessive identification information. The OPC concluded that the PBC's reliance on paragraph 22(1)(b) of the Privacy Act was not justified in most cases, and its identification requirements went beyond what was necessary.

Adjudicator: Daniel Therrien

Key Issues
  • Can a requester ask to confirm that no personal information exists?
  • Is paragraph 22(1)(b) of the Privacy Act properly applied to refuse access requests for record suspension information?
  • Are the PBC's identification requirements for processing requests excessive?

Federal (Canada) · Privacy Act · Well-founded
Jun 6, 2016 · Indexed Apr 12, 2026

TV show raises numerous questions of consent

Canada Border Services Agency

The OPC investigated two complaints regarding the Canada Border Services Agency's (CBSA) participation in the TV show "Border Security: Canada's Front Line". The investigation focused on a complaint filed by the British Columbia Civil Liberties Association on behalf of an individual filmed during a CBSA enforcement activity. The OPC found that the CBSA's participation and disclosure of personal information to the production company, Force Four, violated sections 4 and 8 of the Privacy Act due to issues with informed consent and improper disclosure of information. The OPC recommended the CBSA cease its participation in the TV program, which the CBSA accepted.

Adjudicator: Daniel Therrien

Key Issues
  • Validity of consent obtained for filming and disclosure of personal information
  • CBSA's ability to contract out of Privacy Act obligations
  • Adequacy of facial blurring to protect identity
  • Disclosure of information about an intended subject prior to filming