BreachOfPrivacy

Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

349 decisions matching
Federal (Canada) · Privacy Act · Well-founded
Mar 12, 2018 · Indexed Apr 12, 2026

Health Canada demonstrates that personal information it collects relates directly to the administration of its Non-Insured Health Benefits Program

Health Canada

The complainant alleged that Health Canada collected more personal information than necessary for adjudicating claims under its Non-Insured Health Benefits (NIHB) Program. Specifically, concerns were raised about the detailed patient information required for the approval of drug benefits. Health Canada demonstrated that the information collected through Limited Use forms for drug benefits was directly related to the administration of the NIHB Program and necessary for determining eligibility based on established clinical criteria.

Adjudicator: Daniel Therrien

Key Issues
  • Was the personal information collected by Health Canada directly related to an operating program or activity of the institution?
  • Was the information collected necessary for the adjudication of claims for limited use drug benefits under the NIHB Program?
  • Did Health Canada require more personal information than necessary for the adjudication of claims?

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Aug 28, 2017 · PIPEDA Report of Findings #2017-002 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-002: Canadian adware developer Wajam Internet Technologies Inc. breaches multiple provisions of PIPEDA

Wajam Internet Technologies Inc.

The Office of the Privacy Commissioner of Canada investigated Wajam Internet Technologies Inc. after receiving complaints about its software, which tracked online search queries and displayed ads. The investigation found that Wajam breached multiple provisions of PIPEDA, including failing to obtain meaningful consent, inadequately safeguarding personal information, and having insufficient accountability policies. Although Wajam ceased operations and sold its assets, the OPC concluded the matters examined were well-founded.

Adjudicator: Daniel Therrien

Key Issues
  • Meaningful consent for software installation and data collection.
  • Adequate safeguarding of personal information during transmission and storage.
  • Effectiveness of uninstallation processes and withdrawal of consent.
  • Lack of a privacy accountability framework and policies.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Aug 17, 2017 · PIPEDA Report of Findings #2017-008 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-008: Jet Airways says possibility of litigation allows it to refuse access to personal information

Jet Airways

A complainant alleged that Jet Airways did not provide complete access to her personal information following an incident where she and her companion were denied boarding. The airline cited solicitor-client privilege, litigation privilege, and formal dispute resolution processes as reasons for withholding certain documents. The OPC found the complaint well-founded regarding the airline's failure to respond within the statutory timeframe and its improper application of the formal dispute resolution exemption. However, the OPC could not make a finding on the privilege claims due to legal precedents limiting its ability to investigate privileged documents.

Adjudicator: Daniel Therrien

Key Issues
  • Timeliness of response to access request
  • Applicability of solicitor-client and litigation privilege exemptions
  • Applicability of formal dispute resolution exemption
  • Overbroad claims of privilege

Federal (Canada) · Privacy Act · Well-founded
Aug 16, 2017 · Indexed Apr 12, 2026

Cell site simulators used by RCMP not capable of intercepting private communication

Royal Canadian Mounted Police (RCMP)

This investigation was initiated following a complaint that the RCMP used cell site simulators, also known as "Stingray" devices or "IMSI catchers," without confirming or denying their use. The complainant was concerned these devices could intercept private communications and extract encryption keys. The investigation found that while the RCMP's cell site simulators cannot intercept private communications, there were six instances where they were used without prior judicial authorization or exigent circumstances, which constituted a contravention of the Privacy Act. The RCMP has since implemented a policy requiring prior judicial authorization for all deployments unless exigent circumstances exist.

Adjudicator: Daniel Therrien

Key Issues
  • Use of cell site simulators (mobile device identifiers) by the RCMP
  • Capability of cell site simulators to intercept private communications
  • Requirement for judicial authorization for the collection of personal information using cell site simulators
  • Handling and retention of data collected from third-party devices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Aug 8, 2017 · PIPEDA Report of Findings #2017-007 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-007: Operator of website that shamed debtors for profit takes down website after OPC takes the matter to Federal Court

Public Executions Inc.

The OPC investigated a complaint that Public Executions Inc. was disclosing debtors' personal information without consent on its website for profit. The OPC found that the website's activities constituted a commercial activity under PIPEDA, and that its primary purpose was not journalistic, but rather to shame debtors into paying. The OPC determined the complaint was well-founded, leading to legal proceedings. Subsequently, the website was taken down, and the OPC discontinued its court application.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the website's operation constituted a 'commercial activity' under PIPEDA.
  • Whether the website's purpose qualified as 'journalistic' and was therefore exempt from PIPEDA's consent requirements.
  • Whether the disclosure of personal information for the purpose of shaming debtors into paying was an 'appropriate purpose' under PIPEDA.
  • Whether section 7(3)(b) of PIPEDA permitted the broad disclosure of judgment debtor information.

Federal (Canada) · Privacy Act · Well-founded
Jul 19, 2017 · Indexed Apr 12, 2026

MyDemocracy website not designed in a privacy sensitive way

Privy Council Office (PCO)

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding the MyDemocracy.ca website, operated by the Privy Council Office (PCO). The complainant alleged that despite promises of anonymity, the website used Facebook Connect tracking, potentially disclosing personal information to Facebook. The OPC found that the website's design led to the automatic disclosure of IP addresses and browser information to Facebook upon visiting the site, even before users chose to share content. While PCO made some changes and no evidence suggested PCO used the data to identify individuals, the OPC concluded that the initial disclosure was not consensual and violated section 8 of the Privacy Act. Consequently, the complaint was found well-founded.

Adjudicator: Daniel Therrien

Key Issues
  • Disclosure of personal information to third parties (Facebook) without consent.
  • Whether IP addresses and browser characteristics constitute 'personal information' under the Privacy Act.
  • Adequacy of privacy notices and consent mechanisms for third-party data sharing.
  • Failure to conduct a Privacy Impact Assessment (PIA).

Federal (Canada) · Privacy Act · Well-founded
Jun 8, 2017 · Indexed Apr 12, 2026

Over-collection of Personal Information of First Nations and Inuit people for the Administration of Non-Insured Health Benefits

Health Canada

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Health Canada was over-collecting personal information, specifically diagnostic details, for medical transportation and specialist services under its Non-Insured Health Benefits (NIHB) Program. The OPC found that while Health Canada's intention was to confirm policy requirements for travel, the form used inadvertently led to the collection of unnecessary diagnostic information. Health Canada has since removed the problematic field from the form.

Adjudicator: Daniel Therrien

Key Issues
  • Whether Health Canada collected more personal information than necessary for the administration of the NIHB Program.
  • Whether the collection of diagnostic information for medical transportation and specialist services contravened the Privacy Act.
  • The adequacy of Health Canada's NIHB Medical Transportation and Specialist Referral Form in preventing over-collection of personal information.

Federal (Canada) · Privacy Act · Well-founded
Jun 8, 2017 · Indexed Apr 12, 2026

Phoenix pay system compromised Public Servants’ privacy

Public Services and Procurement Canada (PSPC)

The Office of the Privacy Commissioner (OPC) investigated three complaints concerning privacy breaches within the Phoenix pay system. The investigation revealed that Public Services and Procurement Canada (PSPC) had inadequate testing, coding errors, and insufficient controls, leading to multiple breaches of federal public servants' personal information. These breaches exposed names, Personal Record Identifier (PRI) numbers, and salary information, with some vulnerabilities being government-wide and potentially allowing data changes. The OPC found the complaints to be well-founded, citing the system's vulnerabilities and PSPC's initial underreporting of the scope of the breaches.

Adjudicator: Daniel Therrien

Key Issues
  • Unauthorized access to and disclosure of personal information within the Phoenix pay system.
  • Inadequacy of PSPC's testing, coding, and security controls for the Phoenix system.
  • Scope and impact of the privacy breaches on federal public servants.
  • Timeliness and adequacy of PSPC's notification to affected individuals.

Federal (Canada) · Privacy Act · Well-founded
Apr 19, 2017 · Indexed Apr 12, 2026

Disclosure of information about complainant's attempted suicide to US Customs and Border Protection not authorized under the Privacy Act

Royal Canadian Mounted Police (RCMP)

This investigation concerned a complaint that the Royal Canadian Mounted Police (RCMP) inappropriately disclosed the complainant's personal information, including details of a past suicide attempt, to US Customs and Border Protection (CBP) via the Canadian Police Information Centre (CPIC). The complainant alleged this disclosure led to her being deemed inadmissible to the US. The Office of the Privacy Commissioner of Canada (OPC) found the disclosure was not authorized under the Privacy Act, as it did not meet the criteria for law enforcement or criminal justice purposes as defined by the Memorandum of Cooperation (MOC) between the RCMP and the FBI. Although the RCMP implemented some changes to CPIC policies, the OPC concluded they remained unclear and did not sufficiently protect against unauthorized disclosures.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the disclosure of personal information related to a suicide attempt to US border officials via CPIC was authorized under subsection 8(2)(f) of the Privacy Act.
  • Whether the disclosure was authorized under subsection 8(2)(a) of the Privacy Act as a use consistent with the original purpose of information collection.
  • Whether CPIC policies adequately protected against unauthorized disclosure of sensitive personal information.
  • The interpretation of 'law enforcement' and 'criminal justice purposes' in the context of border security assessments.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Dec 29, 2016 · PIPEDA findings #2016-013 · Indexed Apr 12, 2026

PIPEDA findings #2016-013: Company’s disclosure of information about a debt owed is not covered under exemption to consent

A sports facilities company

An individual complained that a sports facilities company disclosed his personal information regarding an outstanding debt to a related sports association on two occasions without his consent. The company argued that PIPEDA did not apply because it answered a direct question and there was an expectation of privacy. The OPC found that disclosing debt information is sensitive and requires consent unless a specific exemption applies. As the disclosures were not for the purpose of collecting the debt, the exemption in subsection 7(3)(b) of PIPEDA did not apply, making the complaint well-founded.

Adjudicator: Daniel Therrien

Key Issues
  • Was the disclosure of an outstanding debt considered personal information?
  • Did the disclosure of debt information fall under the exemption for debt collection purposes?
  • Does an 'expectation of privacy' or answering a direct question exempt an organization from obtaining consent for disclosure?
  • Did the company obtain the individual's knowledge and consent for the disclosure of his debt information?

Federal (Canada) · Privacy Act · Well-founded
Dec 20, 2016 · Indexed Apr 12, 2026

The PBC refuses to process requests for record suspension information

Parole Board of Canada

The Office of the Privacy Commissioner (OPC) investigated two complaints against the Parole Board of Canada (PBC) concerning access to record suspension information. The OPC found that the PBC improperly refused to process access requests submitted by a third-party screening company and also improperly required requesters to provide excessive identification information. The OPC concluded that the PBC's reliance on paragraph 22(1)(b) of the Privacy Act was not justified in most cases, and its identification requirements went beyond what was necessary.

Adjudicator: Daniel Therrien

Key Issues
  • Can a requester ask to confirm that no personal information exists?
  • Is paragraph 22(1)(b) of the Privacy Act properly applied to refuse access requests for record suspension information?
  • Are the PBC's identification requirements for processing requests excessive?

Federal (Canada) · Privacy Act · Well-founded
Jun 6, 2016 · Indexed Apr 12, 2026

TV show raises numerous questions of consent

Canada Border Services Agency

The OPC investigated two complaints regarding the Canada Border Services Agency's (CBSA) participation in the TV show "Border Security: Canada's Front Line". The investigation focused on a complaint filed by the British Columbia Civil Liberties Association on behalf of an individual filmed during a CBSA enforcement activity. The OPC found that the CBSA's participation and disclosure of personal information to the production company, Force Four, violated sections 4 and 8 of the Privacy Act due to issues with informed consent and improper disclosure of information. The OPC recommended the CBSA cease its participation in the TV program, which the CBSA accepted.

Adjudicator: Daniel Therrien

Key Issues
  • Validity of consent obtained for filming and disclosure of personal information
  • CBSA's ability to contract out of Privacy Act obligations
  • Adequacy of facial blurring to protect identity
  • Disclosure of information about an intended subject prior to filming

Federal (Canada) · Privacy Act · Well-founded
Jul 30, 2015 · Indexed Apr 12, 2026

Mishandling employees’ personal information – RCMP

Royal Canadian Mounted Police (RCMP)

The complainant alleged that the RCMP inappropriately used employees' personal information during a training course. The RCMP used real personal information from 91 employees for a data entry exercise without their consent and without advising participants of the data's sensitive nature. The RCMP acknowledged the contravention of section 7 of the Privacy Act and notified the affected employees.

Adjudicator: Daniel Therrien

Key Issues
  • Use of personal information for training purposes without consent
  • Adequacy of notification to affected individuals
  • Consistency of use with the original purpose of collection

Federal (Canada) · Privacy Act · Well-founded
Jul 28, 2015 · Indexed Apr 12, 2026

Mishandling employees’ personal information – Parole Board of Canada

Parole Board of Canada

The complainant alleged that the Parole Board of Canada (PBC) contravened the Privacy Act by disclosing her medical information to external parties involved in a Public Service Staffing Tribunal (PSST) hearing. The PBC acknowledged that a human resources employee inadvertently emailed documents containing the complainant's medical information, which was outside the scope of the PSST's order. The PBC apologized to the complainant, ensured the recipients disposed of the information, and reported the breach internally.

Adjudicator: Daniel Therrien

Key Issues
  • Was the complainant's medical information disclosed without consent or lawful authority?
  • Did the disclosure contravene the Privacy Act's provisions on disclosure of personal information?
  • Were the corrective actions taken by the PBC satisfactory?

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Jul 28, 2015 · Discontinued Case Summary #2015-002 · Indexed Apr 12, 2026

Discontinued Case Summary #2015-002: OPC discontinues additional complaints against Globe24h.com following investigation into same privacy issues

Globe24h.com

The OPC discontinued further complaints against Globe24h.com concerning the collection, use, and disclosure of personal information from Canadian court and tribunal decisions. While initial complaints were found to be well-founded, additional complaints were discontinued as the issues had already been investigated and reported on. The matter was further resolved when the Federal Court ordered Globe24h to remove personal information from its website and the website subsequently ceased operations.

Key Issues
  • Collection, use, and disclosure of personal information from public court decisions
  • Consent for republishing personal information
  • Discontinuance of investigation based on prior report
  • Circumvention of privacy laws by republishing sensitive data