Federal (Canada) Privacy Decisions

The Office of the Privacy Commissioner of Canada investigated a complaint from a federal government employee who alleged that her personal information was repeatedly disclosed to another employee with the same name, and that administrative errors occurred in their files. The OPC found that the institution contravened the Privacy Act by improperly disclosing the complainant's personal information and by failing to ensure the accuracy of information used for administrative purposes. The complaint was found to be well-founded but conditionally resolved after the institution committed to implementing corrective measures.

• Unauthorized disclosure of personal information under section 8 of the Privacy Act.
• Failure to ensure the accuracy and completeness of personal information used for administrative purposes under subsection 6(2) of the Privacy Act.
• Lack of employee awareness regarding privacy breach reporting procedures.
• Systemic nature of errors due to employees having the same name.

This special report from the OPC investigated the RCMP's Project Wide Awake initiative, which uses third-party services to collect open-source information. The investigation found that the RCMP did not conduct adequate due diligence to ensure that the personal information collected via the Babel X service and its data providers was compliant with Canadian privacy laws. Additionally, the RCMP failed to meet its transparency obligations under the Privacy Act by providing inadequate descriptions of its open-source information collection practices and purposes in its Personal Information Banks.

• Compliance with collection provisions of the Privacy Act
• Adequacy of due diligence regarding third-party data collection practices
• Adequacy of transparency obligations under the Privacy Act
• Sufficiency of Personal Information Bank descriptions

Immigration, Refugees and Citizenship Canada (IRCC) contravened the Privacy Act when an employee inadvertently sent 497 emails containing personal information to the wrong email addresses. The investigation found that IRCC had insufficient administrative and procedural controls to prevent such errors. While IRCC took steps to notify affected individuals and mitigate harm, the Office of the Privacy Commissioner recommended improvements to prevent future breaches. IRCC accepted these recommendations and implemented enhanced measures, leading the OPC to consider the matter resolved.

• Whether IRCC contravened section 8 of the Privacy Act by disclosing personal information to unintended recipients.
• Adequacy of IRCC's administrative and procedural controls to prevent accidental disclosures.
• Effectiveness of IRCC's measures to mitigate the impact of the breach on affected individuals.
• Sufficiency of IRCC's actions to reduce the risk of recurrence.