Federal (Canada) Privacy Decisions

Immigration, Refugees and Citizenship Canada (IRCC) inadvertently disclosed the email addresses of 636 individuals seeking emergency assistance related to the situation in Afghanistan. These individuals were included in the "TO" field of mass emails, rather than the "BCC" field, exposing their contact information to other recipients. The Office of the Privacy Commissioner of Canada (OPC) found that IRCC contravened section 8 of the Privacy Act due to insufficient controls to prevent such disclosures and that the complaint was well-founded. While IRCC took immediate steps to mitigate the breach, the OPC emphasized the need for robust preventative measures.

• Disclosure of personal information without consent
• Adequacy of preventative measures for mass emails
• Mitigation of harm to affected individuals
• Risk of recurrence of similar breaches

The Department of National Defence (DND) disclosed the identity of a workplace violence (WPV) complainant and the investigation report to a second investigator, who was conducting a separate administrative investigation into the complainant's conduct. The OPC found that while disclosing the report to labour relations was a consistent use, disclosing it to the second investigator was not, as it was not a reasonably expected use of the information given the confidentiality assurances provided to the complainant. This disclosure was therefore found to be a contravention of the Privacy Act.

• Was the disclosure of the WPV complainant's identity and report to a second investigator a 'consistent use' under paragraph 8(2)(a) of the Privacy Act?
• Did DND's consent form clearly communicate potential uses and disclosures of the complainant's identity?
• Did the disclosure align with the reasonable expectations of the complainant regarding confidentiality?
• What corrective actions are necessary to ensure future compliance with privacy principles in WPV investigations?