Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

5 decisions matching
Federal (Canada) · Privacy Act · Well-founded
Sep 21, 2023 · Indexed Apr 12, 2026

Investigation into IRCC’s search for records using modified wording

Immigration, Refugees and Citizenship Canada (IRCC)

The complainant alleged that Immigration, Refugees and Citizenship Canada (IRCC) failed to disclose all records sought under the Privacy Act. The investigation found that IRCC did not initially conduct a reasonable search for records, particularly concerning visa cancellations and reissuing. However, IRCC subsequently expanded its search to include all relevant offices, and although no additional information was found, the OPC was satisfied that its obligations under the Act were met, resolving the complaint.

Adjudicator: Philippe Dufresne

Key Issues
  • Reasonableness of IRCC's search for records.
  • Whether IRCC failed to disclose all responsive information.
  • Adequacy of IRCC's search scope and tasked offices.

Federal (Canada) · Privacy Act · Well-founded
Sep 19, 2023 · Indexed Apr 12, 2026

Canada Post’s collection and use of personal information for marketing purposes not compliant with the Act

Canada Post Corporation

An individual complained that Canada Post was using personal information collected from the outside of delivered mail to create marketing lists rented to private sector companies. The Office of the Privacy Commissioner of Canada (OPC) found that Canada Post's collection and use of this information for marketing purposes contravened section 5 of the Privacy Act because individuals had not authorized the indirect collection and use of their information in this way. While Canada Post disagreed with the findings and did not agree to cease the practice, it committed to improving transparency about its data usage.

Adjudicator: Philippe Dufresne

Key Issues
  • Whether Canada Post's collection of personal information from mail for marketing purposes complies with section 4 of the Privacy Act.
  • Whether Canada Post's use and disclosure of personal information for marketing purposes complies with sections 7 and 8 of the Privacy Act.
  • Whether Canada Post's indirect collection of personal information for marketing purposes, without explicit authorization, contravenes section 5 of the Privacy Act.
  • What constitutes valid authorization for indirect collection of personal information under the Privacy Act.

Federal (Canada) · Privacy Act · Well-founded
May 30, 2023 · Indexed Apr 12, 2026

Erroneous quarantine notifications from ArriveCAN

Canada Border Services Agency (CBSA)

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding erroneous quarantine notifications sent by the ArriveCAN application to approximately 10,200 Apple device users. The OPC found that the Canada Border Services Agency (CBSA) did not take all reasonable steps to ensure the accuracy of the personal information used for administrative decisions, contravening subsection 6(2) of the Privacy Act. The CBSA disagreed with this finding and refused to correct the inaccurate information, although they later informed the OPC that the defect had been fixed and affected individuals notified.

Adjudicator: Philippe Dufresne

Key Issues
  • Whether the CBSA took all reasonable steps to ensure the accuracy of personal information used for administrative decisions.
  • Whether the 'quarantine_exempted' data field constituted personal information used for an administrative purpose.
  • Whether the CBSA's pre-release testing, human intervention, and correction mechanisms were adequate.
  • Whether the CBSA should correct the erroneous information it holds despite the measures taken.

Federal (Canada) · Privacy Act · Well-founded
Apr 24, 2023 · Indexed Apr 12, 2026

CBSA’s use of commercial genetic genealogy in a deportation case contravenes the Privacy Act

Canada Border Services Agency (CBSA)

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that the Canada Border Services Agency (CBSA) contravened the Privacy Act by collecting and using DNA from a complainant for genetic genealogy analysis to determine his nationality for deportation purposes. The OPC found that the CBSA contravened the Act by failing to obtain valid authorization for the indirect collection of the complainant's genetic information from FamilyTreeDNA (FTDNA), by improperly disclosing his personal information to other FTDNA users, and by failing to adequately describe the collection of relatives' genetic information in its public notices (PIBs).

Adjudicator: Philippe Dufresne

Key Issues
  • Was the CBSA's collection of genetic genealogy information directly related to its operations?
  • Was the authorization for indirect collection from FTDNA valid?
  • Did incidental disclosures of personal information contravene the Act?
  • Were the transparency obligations under Section 11 met?

Federal (Canada) · Privacy Act · Well-founded
Mar 31, 2023 · Indexed Apr 12, 2026

Immigration and Refugee Board of Canada wrongly disclosed intimate and medical information to an employee’s management team via a fitness to work report

Immigration and Refugee Board of Canada

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint concerning the Immigration and Refugee Board of Canada's (IRB) improper disclosure of an employee's sensitive medical information to their management team. The IRB shared a "Fitness to Work" report containing intimate medical details without the employee's consent and beyond what was necessary for accommodation. The OPC found that while some information disclosure was consistent with the purpose of collection, the disclosure of highly sensitive medical information was not, thus contravening the Privacy Act. The IRB has since updated its policies and tools, but the OPC found the complaint to be well-founded and not adequately resolved, urging the IRB to implement its recommendations, including training and a meaningful apology.

Adjudicator: Philippe Dufresne

Key Issues
  • Whether the IRB obtained the complainant's consent to disclose their medical information.
  • Whether the disclosure of the medical information in the FTW report to management constituted a "consistent use" under paragraph 8(2)(a) of the Privacy Act.
  • Whether the IRB's disclosure practices complied with the Treasury Board Secretariat's "Standard" on fitness to work evaluations.
  • The adequacy of the IRB's response to the OPC's recommendations.