Federal (Canada) Privacy Decisions

This Special Report to Parliament details the OPC's investigations into federal government privacy practices during the COVID-19 pandemic. It examined vaccine mandates for travel and employment, the ArriveCAN app, and the use of mobility data. While most government measures complied with the Privacy Act, the OPC identified areas for improvement, including the need for clearer objectives in mandates and better documentation of less privacy-intrusive alternatives. An error in the ArriveCAN app led to incorrect quarantine notifications, and a PIPEDA investigation found a private company misused a traveller's contact information for marketing.

• Compliance of COVID-19 measures with the Privacy Act
• Necessity and proportionality of personal information collection
• Accuracy of personal information used in administrative decisions (ArriveCAN)
• Use of de-identified mobility data and PIPEDA compliance

Twenty federal employees complained after the Treasury Board of Canada Secretariat (TBS) mistakenly disclosed their email addresses and the fact they had filed claims for damages related to the Severe Phoenix Impacts program. The OPC found that TBS contravened the Privacy Act by improperly disclosing personal information. While TBS argued the breach was not material, the OPC disagreed, emphasizing the importance of contextual factors and the potential for harm, even if not all individuals experienced severe injury.

• Was the disclosure of personal information authorized under the Privacy Act?
• Was the privacy breach considered "material" by TBS?
• Did TBS conduct a holistic and context-informed assessment of the breach's materiality and potential harm?