Federal (Canada) Privacy Decisions

The OPC investigated a complaint alleging that Immigration, Refugees and Citizenship Canada (IRCC) improperly withheld access to personal information. The complainant requested the "History Section" of their case file, but IRCC only provided a subset of information from other sections, referred to as the "Short Form" report. The OPC found that IRCC's practice of systematically retrieving and processing only the Short Form report contravenes section 12 of the Privacy Act, as it fails to provide individuals with access to all personal information under the government's control. Although the specific file was eventually provided, IRCC refused to update its procedures to address the systemic issue.

• Whether IRCC's practice of only retrieving and processing a "Short Form" subset of records in response to access requests complies with the Privacy Act's access obligations.
• Whether the "History Section" of the Global Case Management System (GCMS) file contains personal information.
• Whether IRCC's assertion that information outside the "Short Form" would always be withheld under exemptions is valid.
• Whether IRCC's failure to commit to updating its procedures constitutes a continuing contravention of the Privacy Act.

An employee of the Canada Border Services Agency (CBSA) complained that their personal information was inadvertently disclosed to colleagues due to improperly set folder permissions in the CBSA's information management system, Apollo. The CBSA confirmed the contravention of section 8 of the Privacy Act. While the CBSA took steps to correct the issue and improve practices, it did not commit to mandatory, trackable training for managing permissions, leading the OPC to find the complaint well-founded but unresolved.

• Whether CBSA contravened section 8 of the Privacy Act by improperly disclosing employee personal information.
• Adequacy of CBSA's response and corrective measures.
• Whether CBSA's training and awareness initiatives for managing information system permissions are sufficient.
• Whether the matter is resolved given CBSA's non-commitment to mandatory, trackable training.