Federal (Canada) Privacy Decisions

The Office of the Privacy Commissioner of Canada investigated Wajam Internet Technologies Inc. after receiving complaints about its software, which tracked online search queries and displayed ads. The investigation found that Wajam breached multiple provisions of PIPEDA, including failing to obtain meaningful consent, inadequately safeguarding personal information, and having insufficient accountability policies. Although Wajam ceased operations and sold its assets, the OPC concluded the matters examined were well-founded.

• Meaningful consent for software installation and data collection.
• Adequate safeguarding of personal information during transmission and storage.
• Effectiveness of uninstallation processes and withdrawal of consent.
• Lack of a privacy accountability framework and policies.

A complainant alleged that Jet Airways did not provide complete access to her personal information following an incident where she and her companion were denied boarding. The airline cited solicitor-client privilege, litigation privilege, and formal dispute resolution processes as reasons for withholding certain documents. The OPC found the complaint well-founded regarding the airline's failure to respond within the statutory timeframe and its improper application of the formal dispute resolution exemption. However, the OPC could not make a finding on the privilege claims due to legal precedents limiting its ability to investigate privileged documents.

• Timeliness of response to access request
• Applicability of solicitor-client and litigation privilege exemptions
• Applicability of formal dispute resolution exemption
• Overbroad claims of privilege

This investigation was initiated following a complaint that the RCMP used cell site simulators, also known as "Stingray" devices or "IMSI catchers," without confirming or denying their use. The complainant was concerned these devices could intercept private communications and extract encryption keys. The investigation found that while the RCMP's cell site simulators cannot intercept private communications, there were six instances where they were used without prior judicial authorization or exigent circumstances, which constituted a contravention of the Privacy Act. The RCMP has since implemented a policy requiring prior judicial authorization for all deployments unless exigent circumstances exist.

• Use of cell site simulators (mobile device identifiers) by the RCMP
• Capability of cell site simulators to intercept private communications
• Requirement for judicial authorization for the collection of personal information using cell site simulators
• Handling and retention of data collected from third-party devices

The OPC investigated a complaint that Public Executions Inc. was disclosing debtors' personal information without consent on its website for profit. The OPC found that the website's activities constituted a commercial activity under PIPEDA, and that its primary purpose was not journalistic, but rather to shame debtors into paying. The OPC determined the complaint was well-founded, leading to legal proceedings. Subsequently, the website was taken down, and the OPC discontinued its court application.

• Whether the website's operation constituted a 'commercial activity' under PIPEDA.
• Whether the website's purpose qualified as 'journalistic' and was therefore exempt from PIPEDA's consent requirements.
• Whether the disclosure of personal information for the purpose of shaming debtors into paying was an 'appropriate purpose' under PIPEDA.
• Whether section 7(3)(b) of PIPEDA permitted the broad disclosure of judgment debtor information.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding the MyDemocracy.ca website, operated by the Privy Council Office (PCO). The complainant alleged that despite promises of anonymity, the website used Facebook Connect tracking, potentially disclosing personal information to Facebook. The OPC found that the website's design led to the automatic disclosure of IP addresses and browser information to Facebook upon visiting the site, even before users chose to share content. While PCO made some changes and no evidence suggested PCO used the data to identify individuals, the OPC concluded that the initial disclosure was not consensual and violated section 8 of the Privacy Act. Consequently, the complaint was found well-founded.

• Disclosure of personal information to third parties (Facebook) without consent.
• Whether IP addresses and browser characteristics constitute 'personal information' under the Privacy Act.
• Adequacy of privacy notices and consent mechanisms for third-party data sharing.
• Failure to conduct a Privacy Impact Assessment (PIA).

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Health Canada was over-collecting personal information, specifically diagnostic details, for medical transportation and specialist services under its Non-Insured Health Benefits (NIHB) Program. The OPC found that while Health Canada's intention was to confirm policy requirements for travel, the form used inadvertently led to the collection of unnecessary diagnostic information. Health Canada has since removed the problematic field from the form.

• Whether Health Canada collected more personal information than necessary for the administration of the NIHB Program.
• Whether the collection of diagnostic information for medical transportation and specialist services contravened the Privacy Act.
• The adequacy of Health Canada's NIHB Medical Transportation and Specialist Referral Form in preventing over-collection of personal information.

The Office of the Privacy Commissioner (OPC) investigated three complaints concerning privacy breaches within the Phoenix pay system. The investigation revealed that Public Services and Procurement Canada (PSPC) had inadequate testing, coding errors, and insufficient controls, leading to multiple breaches of federal public servants' personal information. These breaches exposed names, Personal Record Identifier (PRI) numbers, and salary information, with some vulnerabilities being government-wide and potentially allowing data changes. The OPC found the complaints to be well-founded, citing the system's vulnerabilities and PSPC's initial underreporting of the scope of the breaches.

• Unauthorized access to and disclosure of personal information within the Phoenix pay system.
• Inadequacy of PSPC's testing, coding, and security controls for the Phoenix system.
• Scope and impact of the privacy breaches on federal public servants.
• Timeliness and adequacy of PSPC's notification to affected individuals.

This investigation concerned a complaint that the Royal Canadian Mounted Police (RCMP) inappropriately disclosed the complainant's personal information, including details of a past suicide attempt, to US Customs and Border Protection (CBP) via the Canadian Police Information Centre (CPIC). The complainant alleged this disclosure led to her being deemed inadmissible to the US. The Office of the Privacy Commissioner of Canada (OPC) found the disclosure was not authorized under the Privacy Act, as it did not meet the criteria for law enforcement or criminal justice purposes as defined by the Memorandum of Cooperation (MOC) between the RCMP and the FBI. Although the RCMP implemented some changes to CPIC policies, the OPC concluded they remained unclear and did not sufficiently protect against unauthorized disclosures.

• Whether the disclosure of personal information related to a suicide attempt to US border officials via CPIC was authorized under subsection 8(2)(f) of the Privacy Act.
• Whether the disclosure was authorized under subsection 8(2)(a) of the Privacy Act as a use consistent with the original purpose of information collection.
• Whether CPIC policies adequately protected against unauthorized disclosure of sensitive personal information.
• The interpretation of 'law enforcement' and 'criminal justice purposes' in the context of border security assessments.