Federal (Canada) Privacy Decisions

This investigation examined allegations that the Canada Revenue Agency (CRA) inappropriately disclosed an adopted child's adoptive name, and the adoptive mother's personal information, to the child's biological mother. The OPC found that, on the balance of probabilities, the CRA likely disclosed the child's adoptive name, contravening section 8 of the Privacy Act. Deficiencies were also identified in the CRA's internal procedures for safeguarding adopted children's personal information. The complaint was found to be well-founded but not resolved, as the CRA agreed to implement some, but not all, of the OPC's recommendations.

• Whether the CRA disclosed the child's adoptive name and the adoptive mother's personal information to the biological mother without consent.
• Whether the CRA's internal procedures adequately protected the personal information of adopted children.
• Whether the CRA's actions contravened section 8 of the Privacy Act.
• Whether the complaint was resolved based on the CRA's response to the OPC's recommendations.

The complainant alleged that the Canada Revenue Agency (CRA) improperly denied access to personal information related to five grievances, relying on exceptions under the Privacy Act. The OPC found that while the CRA conducted reasonable searches, it failed to adequately substantiate its use of paragraph 22(1)(b) of the Act to withhold information. Much of the withheld information was transactional and did not demonstrate a clear risk of harm upon disclosure. The complaint was found to be well-founded, but unresolved, as the CRA maintained its position on the withheld information.

• Proper application of paragraph 22(1)(b) of the Privacy Act regarding risk of harm.
• Adequacy of government institution's searches for responsive records.
• Substantiation of claims for withholding information under statutory exemptions.
• Requirement for case-by-case assessment when applying exemptions.

This investigation examined complaints regarding the National Security and Intelligence Review Agency's (NSIRA) Secretariat's request for access to polygraph records as part of a review of the Communications Security Establishment. The OPC found that the anonymization measures significantly reduced re-identification risks, and the polygraph recordings themselves contained no personal information. However, concerns were raised about the timeliness of the Secretariat's requests to Treasury Board Secretariat for approval of Personal Information Banks (PIBs). The collection issue was found not well-founded, but the timeliness of PIB updates was found well-founded and subsequently resolved.

• Whether the NSIRA Secretariat collected personal information without a direct relationship to its operating programs or activities.
• Whether the NSIRA Secretariat complied with its obligations to include all personal information under its control in Personal Information Banks (PIBs).
• Assessment of privacy mitigation measures implemented by CSE to anonymize polygraph records.
• Timeliness of the NSIRA Secretariat's requests for PIB approvals and publication of its Info Source page.