Federal (Canada) Privacy Decisions

An individual complained to the OPC after receiving a credit report containing unrecognized inquiries and a notation of an "AUTOMATIC COMBINE" of accounts, which merged his file with that of another individual. The OPC found that while there was no unauthorized use or disclosure of personal information, the credit reporting agency failed to maintain the accuracy of the complainant's information when it merged the files. The agency took corrective actions, including separating the files and notifying creditors of the corrections.

• Accuracy of personal information when merging files
• Unauthorized use or disclosure of personal information

An individual complained that a retailer's salesperson signed him up for a credit card without his knowledge or consent, and that a bank subsequently conducted a credit check using inaccurate information. The Office of the Privacy Commissioner of Canada (OPC) found that the bank failed to demonstrate it obtained the complainant's consent for the credit check and that the collected information was sufficiently accurate. The bank apologized, cancelled the credit card, and removed the inquiry from the complainant's file. The bank also discontinued its pilot program for in-store credit applications.

• Adequacy of consent for a credit card application and credit check
• Accuracy of personal information collected
• Adequacy of procedures for collecting personal information and obtaining consent

An individual complained that his employer, an international trucking company, disclosed his positive drug test results to a provincial workers' compensation board (WCB) without his consent. The company claimed it was legally obligated to do so. The OPC found the disclosure was a contravention of PIPEDA as the company's belief of a legal obligation was inaccurate, and the WCB did not require the information. The complaint regarding disclosure to co-workers was not substantiated. The company implemented the OPC's recommendations, leading to the complaint being resolved.

• Whether disclosure of drug test results to WCB required consent
• Whether disclosure to WCB was a legal obligation under PIPEDA s. 7(3)(i)
• Whether drug test results were disclosed to co-workers
• Whether the company's random drug testing program violated PIPEDA

The Office of the Privacy Commissioner of Canada investigated a complaint regarding a property management company maintaining a "bad tenant" list for a landlord association. The complainant alleged improper collection, use, and disclosure of personal information without consent. The OPC found that the list functioned like a credit reporting agency and that consent was not properly obtained, nor was there a mechanism for individuals to challenge the accuracy of the information. The property management company agreed to destroy the list and cease its collection, leading to the matter being resolved.

• Adequacy of consent for collecting and using tenant information.
• Whether the "bad tenant" list functioned as a credit reporting agency.
• Ensuring the accuracy of personal information and the ability for individuals to challenge it.
• Appropriateness of the purpose for collecting, using, and disclosing tenant information.

The complainant alleged an insurance company refused to provide her with access to her personal information, including a recording of a telephone conversation, and documents related to her complaint to the company's ombudsman office. The company claimed the ombudsman process was a "formal dispute resolution process" exempt from PIPEDA and that the process was not a "commercial activity." The OPC found the company contravened PIPEDA by unduly delaying access to the recorded conversation and by incorrectly withholding documents from the ombudsman process. The OPC determined the ombudsman office was not a "formal dispute resolution process" and its activities were subject to PIPEDA.

• Is an internal ombudsman office a "formal dispute resolution process" under PIPEDA?
• Are the services of an internal ombudsman office considered "commercial activity" under PIPEDA?
• Does an organization need spousal consent to release joint account information when third-party information can be severed?
• What are the obligations of an organization responding to an access to information request under PIPEDA?

An individual complained that a collection agency refused to provide access to their personal information, despite multiple written requests. The agency failed to respond to several of these requests within the timeframes required by PIPEDA. Although the agency eventually sent the information, and the individual refused to sign for it, the agency was deemed to have provided access. The agency acknowledged it did not follow its own procedures for handling access requests and committed to revising them and providing refresher training.

• Timeliness of response to access requests
• Failure to follow internal procedures for handling access requests
• Adequacy of providing access to personal information

A customer complained that a retail store employee disclosed his personal information, including his name and in-store behaviour, to his employer without his knowledge or consent. The Office found that the disclosed information was personal information and that the store could not rely on implied consent for the disclosure, as the information was sensitive and disclosure to an employer was not a reasonable expectation. The matter was resolved after the store implemented recommendations to communicate its PIPEDA obligations.

• Whether information disclosed in a public store is personal information.
• Whether implied consent applied to the disclosure of sensitive personal information to an employer.
• Whether the disclosed information qualified as publicly available information under the regulations.

An individual complained that an estimator, subcontracted by a roofing company, disclosed his personal information to another roofing company without consent. The investigation found that the second roofing company was responsible for its estimator's actions and that there was a disclosure of personal information in contravention of PIPEDA. The second roofing company implemented a recommendation to establish agreements with subcontractors regarding privacy policies and training.

• Whether the subcontractor's actions were attributable to the organization.
• Whether personal information was disclosed without consent.
• Whether the disclosure exceeded the purposes for which the information was collected.

An individual complained that her telecommunications provider disclosed her personal information without consent when a technical support representative remotely accessed her computer to fix an email issue. The representative inadvertently set up an automatic email forwarding to an acquaintance's address, causing personal emails, including a temporary password, to be sent to the wrong recipient. While the provider implemented corrective measures, the OPC noted the provider initially misrepresented steps taken to address the issue.

• Disclosure of personal information without consent
• Accuracy of representations made to the OPC
• Adequacy of internal procedures and training

The Office of the Privacy Commissioner of Canada investigated Peoples Trust after a breach compromised the sensitive personal information of 12,000 customers. The investigation found that the financial institution failed to implement adequate safeguards in its online application portal and retained customer data unnecessarily on a vulnerable, unencrypted web server. These failures contravened PIPEDA's principles regarding safeguards and data retention. Following the breach, Peoples Trust took comprehensive remedial actions, including redesigning its portal, enhancing monitoring, and improving retention practices, which resolved the issues.

• Adequacy of information security safeguards for sensitive personal data.
• Unnecessary retention of personal information beyond required purposes.
• Vulnerabilities in web application portal development and maintenance.
• Effectiveness of breach response and risk mitigation measures.

An individual complained that a videographer hired to record her wedding shared her personal information without consent by posting the wedding video online for business promotion. The OPC found that using the video for promotional purposes was a commercial activity requiring consent, which the videographer had not obtained. Although the videographer initially disputed this, they eventually removed the video and agreed to include consent provisions in future contracts, leading to the complaint being resolved.

• Was the use of the wedding video for promotional purposes considered a commercial activity under PIPEDA?
• Did the videographer obtain the complainant's informed consent for the use of her personal information?
• Did any exemptions under PIPEDA apply to the videographer's use of the video without consent?

An individual complained that an online dating service used his personal information without consent and failed to provide him access to his information after he cancelled his membership. The Office of the Privacy Commissioner of Canada (OPC) found that the original owner violated PIPEDA by denying the complainant access to his personal information and by continuing to send him marketing emails after consent was withdrawn. The OPC also found the service failed to have a privacy policy and safeguard information. While issues were found to be well-founded, they were resolved by the new owner who purged the data and implemented a privacy policy.

• Access to personal information
• Withdrawal of consent for marketing emails
• Retention of personal information
• Safeguarding of personal information

An individual complained that a legal firm failed to respond to his requests for estate information, in which he claimed beneficiary status. The Office of the Privacy Commissioner of Canada (OPC) found that the firm contravened PIPEDA by not responding within the 30-day time limit. However, the OPC also determined that the individual was only entitled to access his own personal information, not general estate information, and that the firm had conducted a reasonable search for any such information. The complaint was ultimately found to be well-founded and resolved.

• Individual's right to access general estate information as a beneficiary versus personal information.
• Organization's obligation to respond to an access request within 30 days, even if no responsive information is held.
• Determining what constitutes an individual's 'personal information' under PIPEDA in the context of estate administration.

Three individuals complained after discovering their sensitive dating profiles, posted on PositiveSingles.com, appeared on nearly 60 other affiliated dating websites without their knowledge or consent. The Office of the Privacy Commissioner of Canada found that while the profiles remained within the company's controlled network, users were not adequately informed about this practice. Furthermore, inadequate safeguards allowed some personal information to be accessed by non-members. The organization revamped its website to provide clearer disclosures about profile sharing and its network structure, and improved its security measures.

• Adequacy of consent for the use and disclosure of personal information across affiliated websites.
• Whether users were adequately informed about the company's network structure and profile sharing practices.
• Sufficiency of security safeguards to prevent unauthorized access to personal information.
• Transparency of privacy policies and practices regarding data management.

The OPC investigated a complaint alleging Apple used and shared a user's unique device identifier (UDID) without knowledge or consent for tracking and targeted advertising. While Apple initially argued UDID was not personal information, the OPC found it was, especially given Apple's ability to link it to account details. The OPC determined Apple's privacy policy lacked clarity on UDID use for advertising, though its administrative uses were acceptable. Apple has since ceased using UDID for advertising, replacing it with Ad ID, and enhanced opt-out mechanisms for Ad ID, leading the OPC to find the complaint well-founded and resolved.

• Whether UDID and Ad ID constitute personal information under PIPEDA.
• Whether Apple obtained meaningful consent for the collection, use, and disclosure of UDID and Ad ID for advertising purposes.
• Adequacy of notice provided by Apple regarding its use of UDID and Ad ID.
• Apple's responsibility for disclosures of UDID and Ad ID to third-party app developers.