BreachOfPrivacy

Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

4 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2021 · PIPEDA Findings #2021-004 · Indexed Apr 12, 2026

PIPEDA Findings #2021-004: Company’s employees bypassed authentication protocols allowing fraudsters to repeatedly access customer’s account

Fido Solutions Inc.

This investigation concerned a complaint that Fido Solutions Inc. failed to safeguard a customer's personal information, allowing fraudsters to access and alter account details. It was found that Fido's customer service representatives repeatedly failed to follow authentication protocols, leading to unauthorized access. Additionally, the complaint alleged Fido failed to provide a requested transcript in an understandable format. Fido has committed to implementing enhanced safeguards regarding authentication protocols and has since provided the requested transcripts.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards to protect customer personal information from unauthorized access.
  • Effectiveness of authentication protocols and employee adherence.
  • Proper response to customer requests for access to personal information.
  • Provision of personal information in a generally understandable format.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2021 · PIPEDA Findings #2021-009 · Indexed Apr 12, 2026

PIPEDA Findings #2021-009: Opt-in consent required for a donor list trading program

A charitable organization

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a charitable organization's donor list trading program. The OPC found that the charity required express opt-in consent, not opt-out, for sharing donor contact information, as this practice fell outside donors' reasonable expectations. The OPC also determined that the information provided to donors was insufficient to ensure meaningful consent, lacking details about what information would be shared with whom and for what purpose. The charity agreed to implement recommendations to obtain opt-in consent and provide clearer information.

Adjudicator: Daniel Therrien

Key Issues
  • Requirement for opt-in versus opt-out consent for donor list trading.
  • Sufficiency of information provided to donors for meaningful consent.
  • Application of the 'reasonable expectations' principle under PIPEDA.
  • Compliance with PIPEDA's requirements for consent for information sharing.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 29, 2021 · PIPEDA Findings #2021-002 · Indexed Apr 12, 2026

PIPEDA Findings #2021-002: Investigation into CoreFour Inc.’s compliance with PIPEDA

CoreFour Inc.

The Office of the Privacy Commissioner of Canada (OPC) investigated CoreFour Inc. concerning its compliance with PIPEDA regarding its learning management system, Edsby. The OPC found that CoreFour's safeguards were not adequate due to vulnerabilities in password requirements and protection of student profile pictures, and a lack of an overarching information security framework. The OPC also found that CoreFour lacked a robust accountability framework, including written policies and adequate privacy training. However, the OPC found CoreFour to be in compliance with its breach reporting and notification obligations. CoreFour has accepted the recommendations and is implementing corrective measures.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards for personal information
  • Breach reporting and notification obligations
  • Accountability for privacy compliance
  • Development of privacy management and information security frameworks

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 15, 2021 · PIPEDA Findings #2021-005 · Indexed Apr 12, 2026

PIPEDA Findings #2021-005: Staying signed in by default to email services poses serious privacy concerns for users accessing their email on a public or shared computer

Yahoo! Canada

This investigation concerned Yahoo! Canada's "Stay signed in" feature for its email service, which defaulted to keeping users logged in. The OPC found this practice posed significant privacy risks, especially on public or shared computers, as emails can contain highly sensitive personal information. Yahoo was found to have inadequate safeguards and failed to obtain meaningful consent for the disclosure of personal information that could result from this default setting. Yahoo committed to changing the feature to an opt-in basis and providing clearer warnings to users.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards against unauthorized access to sensitive email content.
  • Whether "Stay signed in" default setting constitutes meaningful consent for disclosure of personal information.
  • Clarity and prominence of privacy warnings associated with the "Stay signed in" feature.