
Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

48 decisions matching

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
May 7, 2026 · Special report to Parliament · Indexed May 8, 2026

Special report to Parliament: Investigation of unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency

Canada Revenue Agency

This special report details an investigation into unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency (CRA). The Office of the Privacy Commissioner (OPC) found that the CRA contravened the Privacy Act regarding accuracy and disclosure of personal information. While the CRA has made efforts to improve its security, shortcomings remain in prevention, monitoring, detection, remediation, and governance, particularly concerning the handling of "Unauthorized Use of Taxpayer Information by a Third Party" (UUTP) incidents. The investigation concluded that the CRA contravened subsections 6(2) and 8(2) of the Act.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of safeguards to protect taxpayer personal information from unauthorized disclosure and modification.
  • Timeliness and strength of multi-factor authentication implementation.
  • Effectiveness of monitoring and detection mechanisms for UUTPs.
  • Coordination and proactivity of the CRA's governance for addressing UUTPs.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 5, 2026 · PIPEDA Findings #2026-001 · Indexed Apr 12, 2026

PIPEDA Findings #2026-001: Investigation into the personal information retention practices of Loblaw for the PC Optimum Loyalty Program

Loblaw Companies Ltd.

The OPC investigated Loblaw Companies Ltd. regarding complaints about the deletion of PC Optimum Loyalty Program accounts. The investigation found Loblaw contravened PIPEDA by taking an unreasonable amount of time to address deletion requests and by failing to ensure that retained purchase history data was sufficiently anonymized after account closures. Loblaw has agreed to take corrective actions, including a third-party assessment of its anonymization processes.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of Loblaw's processes for addressing individual privacy challenges regarding account deletion.
  • Compliance with PIPEDA's retention principle regarding anonymization of purchase history data.
  • Timeliness of Loblaw's response to customer deletion requests.
  • Sufficiency of Loblaw's anonymization techniques for retained data.

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Mar 3, 2026 · Indexed Jun 5, 2026

Correctional Service of Canada Deleted Video

Correctional Service of Canada

An inmate alleged that Correctional Service Canada (CSC) failed to retain video footage of use of force incidents involving them, violating the Privacy Act's retention obligations. The OPC found that CSC did dispose of footage that it was obligated to retain for at least two years under the Act. CSC agreed to implement enhanced oversight, including monthly attestations and quarterly audits of use of force footage retention in its Pacific Region.

Adjudicator: Philippe Dufresne

Key Issues
  • Obligation to retain personal information used for administrative purposes under the Privacy Act
  • Adequacy of institutional policies for video retention
  • Ensuring reasonable access to personal information
  • Effectiveness of oversight measures for compliance

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jan 9, 2026 · PIPEDA Findings #2026-003 · Indexed Jun 5, 2026

PIPEDA Findings #2026-003: Investigation into Bell’s compliance with PIPEDA when responding to an access request for personal information

Bell Canada

The Office of the Privacy Commissioner of Canada (OPC) investigated Bell Canada after a complainant alleged Bell contravened PIPEDA by not responding to an access request within 30 days and denying access to cellphone logs. The OPC found Bell contravened PIPEDA by delaying its response to the access request and by denying the complainant access to his phone logs, which were determined to be his personal information. Bell also failed to be open about its policies regarding shared account information. Bell has agreed to provide the requested logs and implement recommendations to improve its procedures for handling shared account requests and its privacy communications.

Adjudicator: Philippe Dufresne

Key Issues
  • Timeliness of response to an access request
  • Access to personal information held by a service provider on a shared account
  • Definition of personal information in the context of phone logs
  • Openness of an organization's privacy policies and practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Dec 1, 2025 · PIPEDA Findings #2025-004 · Indexed Apr 12, 2026

PIPEDA Findings #2025-004: Investigation into the privacy practices of Staples Canada ULC related to electronic devices to be resold as part of its Openbox program

Staples Canada ULC

This investigation examined Staples Canada's practices concerning the removal of personal information from returned laptops resold through its Openbox program. The Office of the Privacy Commissioner of Canada (OPC) found that Staples had deficiencies in its policies, procedures, and employee training regarding data wiping. Specifically, the OPC determined that Staples did not consistently ensure full data sanitization according to manufacturer guidelines, leading to residual personal information being found on some devices. Staples agreed to implement corrective measures, including updating procedures, enhancing training, and engaging third-party spot checks.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of safeguards for personal information on returned electronic devices
  • Sufficiency of Staples' policies and procedures for data wiping
  • Effectiveness of employee training on data sanitization
  • Compliance with PIPEDA Principles 4.7.1 and 4.7.3

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Sep 23, 2025 · PIPEDA Findings #2025-003 · Indexed Apr 12, 2026

PIPEDA Findings #2025-003: Joint investigation of TikTok Pte. Ltd. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Office of the Information and Privacy Commissioner for British Columbia, and the Office of the Information and Privacy Commissioner of Alberta

TikTok Pte. Ltd.

This joint investigation by Canadian privacy authorities found that TikTok's collection and use of personal information, particularly from children, for ad targeting and content personalization was inappropriate and lacked valid consent. TikTok failed to implement adequate age verification measures, leading to the collection of data from underage users without a legitimate purpose. The investigation also found that TikTok's privacy communications were unclear, not easily accessible, and not available in French, failing to provide meaningful consent from adult and youth users for its data practices.

Adjudicator: Philippe Dufresne

Key Issues
  • Appropriate purpose for collecting and using children's personal information.
  • Obtaining valid and meaningful consent for tracking, profiling, and targeted advertising.
  • Transparency obligations regarding collection and use of personal information for user profiling.
  • Adequacy of age assurance measures to prevent underage users from accessing the platform.

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Apr 29, 2024 · Indexed Apr 12, 2026

Investigation of the Department of National Defence’s refusal to disclose personal information of a deceased individual

Department of National Defence

The complainant, as executor of a deceased individual's estate, requested personal information from the Department of National Defence (DND). DND refused to disclose most information, citing Privacy Act exemptions and arguing the request didn't meet the criteria for accessing information on behalf of a deceased person. The OPC found that the complainant was entitled to make the request for estate administration purposes and that DND failed to conduct an adequate search. DND agreed to conduct searches and provide a new response, leading to the complaint being conditionally resolved.

Adjudicator: Philippe Dufresne

Key Issues
  • Eligibility of an estate executor to request personal information of a deceased individual.
  • Proper application of section 26 of the Privacy Act (disclosure of personal information about others).
  • Adequacy of DND's search for requested records.
  • DND's obligation to process formal access requests even if informal avenues exist.

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Mar 28, 2024 · Indexed Apr 12, 2026

Investigation into the steps the Canada Revenue Agency took to ensure the accuracy of a taxpayer’s personal information that it used to make an administrative decision about them

Canada Revenue Agency

The OPC investigated a complaint that the Canada Revenue Agency (CRA) failed to ensure the accuracy of a taxpayer's personal information used for administrative decisions. An imposter used the complainant's compromised CRA My Account to fraudulently receive COVID-19 benefits and Employment Insurance. The investigation found that the CRA's inadequate safeguards allowed unauthorized access and modification, contravening section 6(2) of the Privacy Act. The CRA has since implemented corrective measures.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of safeguards to protect against unauthorized access and modification of personal information.
  • Reasonable steps taken by the CRA to ensure the accuracy of personal information used for administrative decisions.
  • Timeliness of notification and privacy breach reporting.
  • Impact of identity theft on tax reassessments.

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Feb 15, 2024 · Special report to Parliament · Indexed Apr 12, 2026

Special report to Parliament: Investigation of unauthorized disclosures and modifications of personal information held by Canada Revenue Agency and Employment and Social Development Canada resulting from cyber attacks

Canada Revenue Agency and Employment and Social Development Canada

This special report details an investigation into cyber attacks that compromised sensitive personal information held by the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC). Attackers used stolen credentials to access online accounts, leading to unauthorized disclosures, modifications, and identity theft. The investigation found that both departments failed to implement adequate authentication, security decision-making, and monitoring practices, contravening sections 8 and 6(2) of the Privacy Act. While both departments accepted recommendations for improvement, some weaknesses persist.

Adjudicator: Philippe Dufresne

Key Issues
  • Inadequate identity and credential assurance measures
  • Insufficiently informed and accountable security decision-making
  • Lack of effective monitoring and timely breach containment
  • Contravention of Privacy Act sections 8 (disclosure) and 6(2) (accuracy)

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jul 31, 2023 · PIPEDA Findings #2023-002 · Indexed Apr 12, 2026

PIPEDA Findings #2023-002: Investigation into Agronomy’s privacy practices related to safeguards, accountability and valid consent for the collection and use of personal information

Agronomy Company of Canada Ltd.

The Office of the Privacy Commissioner of Canada investigated a complaint against Agronomy Company of Canada Ltd. (Agronomy) following a significant data breach. The investigation found that Agronomy lacked appropriate safeguards, including multi-factor authentication, network segregation, and encryption, which contributed to the breach affecting 845 individuals. The OPC also found Agronomy lacked accountability structures. However, the complaint regarding valid consent for credit services was found not well-founded. Agronomy has since made significant improvements to its security measures and accountability practices.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of security safeguards
  • Accountability for personal information
  • Validity of consent for collection and use of personal information

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
May 30, 2023 · Indexed Apr 12, 2026

Protecting privacy in a pandemic

Office of the Privacy Commissioner of Canada

This Special Report to Parliament details the OPC's investigations into federal government privacy practices during the COVID-19 pandemic. It examined vaccine mandates for travel and employment, the ArriveCAN app, and the use of mobility data. While most government measures complied with the Privacy Act, the OPC identified areas for improvement, including the need for clearer objectives in mandates and better documentation of less privacy-intrusive alternatives. An error in the ArriveCAN app led to incorrect quarantine notifications, and a PIPEDA investigation found a private company misused a traveller's contact information for marketing.

Adjudicator: Philippe Dufresne

Key Issues
  • Compliance of COVID-19 measures with the Privacy Act
  • Necessity and proportionality of personal information collection
  • Accuracy of personal information used in administrative decisions (ArriveCAN)
  • Use of de-identified mobility data and PIPEDA compliance

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Feb 15, 2023 · Indexed Apr 12, 2026

TBS email breach illustrates the importance of considering context when assessing impact of a breach

Treasury Board of Canada Secretariat (TBS)

Twenty federal employees complained after the Treasury Board of Canada Secretariat (TBS) mistakenly disclosed their email addresses and the fact they had filed claims for damages related to the Severe Phoenix Impacts program. The OPC found that TBS contravened the Privacy Act by improperly disclosing personal information. While TBS argued the breach was not material, the OPC disagreed, emphasizing the importance of contextual factors and the potential for harm, even if not all individuals experienced severe injury.

Adjudicator: Philippe Dufresne

Key Issues
  • Was the disclosure of personal information authorized under the Privacy Act?
  • Was the privacy breach considered "material" by TBS?
  • Did TBS conduct a holistic and context-informed assessment of the breach's materiality and potential harm?

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Dec 14, 2022 · Indexed Apr 12, 2026

IRCC email breach creates risk of harm to individuals seeking Afghan emergency assistance

Immigration, Refugees and Citizenship Canada (IRCC)

Immigration, Refugees and Citizenship Canada (IRCC) inadvertently disclosed the email addresses of 636 individuals seeking emergency assistance related to the situation in Afghanistan. These individuals were included in the "TO" field of mass emails, rather than the "BCC" field, exposing their contact information to other recipients. The Office of the Privacy Commissioner of Canada (OPC) found that IRCC contravened section 8 of the Privacy Act due to insufficient controls to prevent such disclosures and that the complaint was well-founded. While IRCC took immediate steps to mitigate the breach, the OPC emphasized the need for robust preventative measures.

Adjudicator: Philippe Dufresne

Key Issues
  • Disclosure of personal information without consent
  • Adequacy of preventative measures for mass emails
  • Mitigation of harm to affected individuals
  • Risk of recurrence of similar breaches

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jul 27, 2022 · PIPEDA Findings #2022-006 · Indexed Apr 12, 2026

PIPEDA Findings #2022-006: Investigation into Trimac’s use of an audio and video surveillance device in its truck cabins

Trimac Transportation Services Inc.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a Trimac truck driver concerned about audio and video recording in his truck cabin. The OPC found that while Trimac had legitimate safety and asset protection goals, the continuous audio recording was too intrusive, especially when drivers were off-duty. Trimac was also not initially transparent about using the data for disciplinary purposes, failing to meet consent requirements under PIPEDA. Trimac has since implemented changes, limiting audio recording to on-duty hours and improving data access controls. The OPC found the complaint conditionally resolved regarding the intrusive nature of the recording and resolved regarding the consent issue, accepting Trimac's remedial actions.

Adjudicator: Philippe Dufresne

Key Issues
  • Appropriateness of continuous audio recording in truck cabins, including during off-duty hours.
  • Whether Trimac provided adequate information about the use of collected data for disciplinary purposes.
  • The proportionality of privacy intrusion versus business benefits.
  • The requirement for employee consent for data collection in an employment context.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jul 15, 2022 · PIPEDA Findings #2022-005 · Indexed Apr 12, 2026

PIPEDA Findings #2022-005: Hotel chain discovers breach of customer database following acquisition of a competitor

Marriott International, Inc.

Following a data breach involving the Starwood hotel database, the Office of the Privacy Commissioner of Canada (OPC) investigated Marriott International, Inc. The investigation found that Marriott's security safeguards, accountability measures, and information retention practices were inadequate at the time of the breach, leading to unauthorized access to personal information. While Marriott has taken remedial actions and the complaint is conditionally resolved, the OPC highlighted failures in access controls, antivirus software, logging and monitoring, and information storage. The OPC also found Marriott contravened accountability principles by not adequately assessing security risks during its acquisition of Starwood and retaining personal information longer than necessary.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of security safeguards for personal information
  • Marriott's accountability and due diligence during the acquisition of Starwood
  • Timeliness of information retention and deletion practices
  • Adequacy of notification and mitigation measures for affected individuals