Federal (Canada) Privacy Decisions

An individual complained after Health Canada refused to provide him access to personal information collected about him during an occupational health and safety evaluation. Health Canada cited section 28 of the Privacy Act, which allows information to be withheld if disclosure would be contrary to the individual's best interests. The OPC found that the information sought was not solely related to the individual's health and therefore section 28 did not apply. The complaint was well-founded, but resolved after Health Canada agreed to release the information.

• Appropriateness of withholding personal health information under section 28 of the Privacy Act
• Scope of "physical or mental health" records for the purpose of section 28
• Requirement for consent when involving a medical professional for assessment under section 28

A complainant alleged that Canada Post collected excessive personal information when she applied for special paid leave to care for a relative. While Canada Post argued the extensive collection was necessary to prevent fraud and ensure fair administration of leave, the OPC found that too much personal data was requested, particularly about third parties. Canada Post accepted some recommendations, agreeing to collect only necessary information and update guidelines, but maintained its collection of data on other family members working at Canada Post to prevent abuse, a practice the OPC expressed reservations about.

• Necessity of collecting personal information for special leave applications
• Collection of personal information about third parties
• Balancing fraud prevention with privacy rights

A former inmate complained after a psychiatric nurse employed by the Keele Community Correctional Centre left his treatment file on a bus. The OPC confirmed that the inmate's privacy had been breached and upheld the complaint as well-founded. The Centre, which falls under the jurisdiction of the Correctional Service of Canada, took appropriate corrective measures, including reminding the nurse of his duty to safeguard personal information and not to transport files unless encrypted.

• Duty to safeguard personal information
• Appropriate measures to prevent recurrence

A woman complained that her Social Insurance Number (SIN) and other personal information were mishandled at a mandatory employment insurance (EI) information session. The attendance sheet containing the SINs of 32 participants went missing. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that HRSDC had not properly safeguarded the personal information, upholding the complaint as well-founded. HRSDC has since implemented new procedures to protect SINs at these sessions.

• Safeguarding of SINs and other personal information
• Adequacy of breach response and mitigation measures
• Preventing future breaches involving SINs

A letter carrier complained that his supervisor had opened and read a sealed medical form submitted for a disability insurance claim. The investigation confirmed the supervisor used information from the form to challenge other medical documentation from the employee. The OPC found that the employee's personal information was used for an incompatible purpose without consent, upholding the complaint as well-founded.

• Unauthorized access to personal health information
• Use of personal information for an incompatible purpose
• Failure to ensure personal information was used only for the purpose for which it was collected

An inmate at Kent Institution complained after a 10-page National Parole Board decision concerning him was intercepted, photocopied, and circulated among other inmates. The OPC investigated and found that the disclosure violated the Privacy Act. Following the incident, Kent Institution implemented changes to its mail delivery process, including placing confidential documents in sealed envelopes.

• Unauthorized disclosure of personal information
• Adequacy of security measures for sensitive documents
• Compliance with the Privacy Act

A complainant alleged that a market research firm unnecessarily collected her full date of birth and did not adequately inform her that survey responses would be added to her member profile. The Office of the Privacy Commissioner of Canada (OPC) found that collecting the full date of birth was not necessary and recommended collecting only the month and year. The OPC also found that the firm failed to adequately inform participants that their survey responses would be linked to their profiles. While the firm agreed to clarify consent language, it refused to stop collecting or using the day of birth, leading the OPC to find the complaint well-founded but partially unresolved.

• Necessity of collecting full date of birth for market research demographics
• Necessity of confirming full date of birth in profiling surveys
• Adequacy of notice and consent regarding the linking of survey responses to member profiles

A veteran complained that Veterans Affairs Canada (VAC) had inappropriately used and shared his sensitive medical information in briefing notes to the Minister, and had transferred his medical file to a VAC-administered hospital without his consent. The investigation found that the briefing notes contained excessive medical details and that sensitive information was shared widely within VAC without a need-to-know. The transfer of the medical file also occurred without the required consent. The complaint was found to be well-founded.

• Inappropriate use and disclosure of sensitive medical information in briefing notes.
• Transfer of personal medical information to a hospital without consent.
• Failure to limit access to personal information on a need-to-know basis.
• Compliance with section 7 of the Privacy Act regarding use of personal information.

This investigation concerned a data spill involving 11,900 forms mailed to applicants for the Guaranteed Income Supplement. A mechanical malfunction caused some applicants to receive forms destined for other individuals, including names, addresses, and Social Insurance Numbers. Human error by the overseeing technician, who failed to use detection mechanisms and notify management, compounded the issue. The Office found the complaint well-founded and recommended that the department enhance employee awareness of their obligations to protect personal information.

• Adequacy of security safeguards for personal information
• Role of human error in compounding a mechanical defect
• Reporting obligations of employees regarding privacy breaches

This investigation was initiated following media reports that a Canada Revenue Agency (CRA) employee posted personal tax information of athletes to an Internet chat group. The OPC found that a former employee did post information, and other CRA employees inappropriately accessed the athletes' tax information out of curiosity, which constituted a breach of the Privacy Act. The CRA took corrective measures, including disciplinary action against employees and modernization of its audit trail system.

• Unauthorized access to taxpayer information by CRA employees
• Disclosure of taxpayer information to an external party
• Adequacy of CRA's corrective measures and audit systems

A Member of Parliament complained that an employee of the Toronto Port Authority used the organization's e-mail database to invite individuals to a political fundraising event. The investigation found that an employee sent an email using personal and business addresses obtained from business cards, soliciting donations. Although recipient addresses were in the BCC field, the employee's signature block indicated they worked for the Authority, implying institutional sanction.

• Use of institutional database for personal fundraising activities
• Collection and use of personal information for non-business purposes
• Impression of institutional sanction for personal activities

The Office of the Privacy Commissioner of Canada (OPC) received 82 complaints after Human Resources and Skills Development Canada (HRSDC) inadvertently disclosed the personal information of 191 Employment Insurance (EI) claimants. The disclosed information included names, dates of birth, employee identification numbers, and Social Insurance Numbers. HRSDC took immediate steps to retrieve the data, notify affected individuals, and implement preventative measures. The OPC found 79 of the 82 complaints to be well-founded.

• Inadvertent disclosure of personal information
• Adequacy of breach response measures
• Preventing recurrence of similar breaches

The Office of the Privacy Commissioner of Canada (OPC) investigated a Privacy Act complaint after media reported on the leak of a Canadian citizen's personal information from a Department of Foreign Affairs and International Trade (DFAIT) database. The investigation found that DFAIT lacked adequate controls, such as audit trails, to prevent or track unauthorized access and disclosure of the information. DFAIT agreed to implement better guidance and explore system changes to enhance security.

• Adequacy of security measures for personal information held in departmental computer systems.
• Lack of audit trail capability to track access to personal information.
• Responsibility of government institutions to protect personal information under the Privacy Act.

This investigation concerned a complaint that Accusearch Inc. (Abika.com), a U.S. company, was collecting, using, and disclosing Canadians' personal information without their knowledge or consent, compiling inaccurate information, and doing so for inappropriate purposes. The OPC found that Abika contravened PIPEDA by collecting, using, and disclosing personal information without knowledge or consent and for inappropriate purposes. However, the complaint regarding inaccurate information was not well-founded due to a lack of objective evidence. The OPC recommended Abika cease these practices.

• Collection, use, and disclosure of personal information without knowledge or consent
• Compilation and disclosure of inaccurate personal information
• Collection, use, and disclosure for inappropriate purposes
• Jurisdiction over U.S. companies and transborder data flows

This investigation concerned a complaint about the Law School Admission Council's (LSAC) requirement that students applying to write the Law School Admission Test (LSAT) in Canada have their fingerprints collected. LSAC, a US-based non-profit, argued that Canadian privacy law did not apply to its activities. The Assistant Privacy Commissioner found that despite LSAC's location, Canada had a sufficient link to LSAC's operations to bring it under the Act. The Commissioner determined that fingerprinting was not demonstrably necessary, likely ineffective, and the loss of privacy outweighed the benefits, particularly since the fingerprints were rarely used.

• Jurisdiction of the Privacy Act over a US-based organization
• Necessity and proportionality of collecting fingerprints for LSAT authentication
• Effectiveness of fingerprinting as a deterrent
• Privacy implications of collecting biometric data