Federal (Canada) Privacy Decisions

A bank customer complained that the bank improperly demanded to record information from his driver's license when picking up a replacement credit card. The bank initially claimed this was for anti-money laundering purposes, but later admitted this explanation was incorrect. The Office found the demand for information was not well-founded as no information was actually collected. However, the bank contravened PIPEDA by misinforming the customer about the purpose of the collection, a contravention that was resolved by revised bank procedures and staff training.

• Whether the bank limited the collection of personal information to what was necessary.
• Whether the bank's employees could explain the purposes for collecting personal information.

A customer complained that his cell phone service provider disclosed his personal information to an imposter and inadequately responded to his request for access to his data. The Office of the Privacy Commissioner of Canada (OPC) found that the provider contravened PIPEDA by allowing an employee to disclose sensitive account details without proper authentication. The OPC also found that the provider initially failed to meet the 30-day deadline for responding to the customer's access request, but this aspect was later resolved. The OPC recommended the company review its privacy management programs.

• Disclosure of personal information without consent
• Failure to properly authenticate a caller
• Adequacy and timeliness of response to access request
• Effectiveness of employee training and adherence to procedures

A complainant alleged that a telecommunications firm failed to provide her with access to her personal information, specifically notes and transcripts of recorded conversations relating to her account dispute. The investigation found that the firm failed to respond to the access request within the statutory time limits and deleted records that were the subject of the request, contravening PIPEDA. The firm accepted recommendations to amend its policies, procedures, and provide enhanced training to staff, leading to the resolution of the complaint.

• Timeliness of response to access requests
• Retention of personal information subject to an access request
• Adequacy of privacy policies and staff training

A married couple complained that a bank mortgage specialist disclosed the husband's personal financial information to his wife without his consent. The bank argued there was implied consent given the purpose of applying for a joint mortgage. The Assistant Commissioner found the bank did not make a reasonable effort to inform the couple about potential disclosures between them, meaning consent was not meaningful. While a contravention was found, the bank had since adopted reasonable practices.

• Meaningful consent for disclosure of personal information to a spouse
• Reasonable efforts to inform individuals about purposes of disclosure
• Implied consent in the context of joint mortgage applications

CIPPIC filed a complaint alleging 24 violations of PIPEDA by Facebook across 12 subjects, focusing on knowledge and consent. The Assistant Privacy Commissioner found Facebook contravened the Act in areas such as default privacy settings, advertising, third-party applications, account deactivation/deletion, deceased users' accounts, and non-users' personal information. While some allegations were resolved through Facebook's proposed corrective measures, others remained unresolved, particularly concerning third-party applications and the safeguarding of user data.

• Adequacy of notice and consent for collection, use, and disclosure of personal information.
• Sufficiency of security safeguards for personal information.
• Transparency regarding new uses of personal information and the implications of privacy settings.
• Handling of personal information of non-users and deceased users.

The Office of the Privacy Commissioner of Canada investigated two separate incidents involving misdirected faxes containing personal information at two banks. In both cases, the banks failed to adequately safeguard personal information, leading to its disclosure to unintended recipients. While both banks took corrective actions, including revising policies and procedures, the OPC recommended further improvements in customer notification and information recovery.

• Adequacy of safeguards for personal information transmitted by fax
• Effectiveness of privacy policies and employee awareness
• Timeliness and scope of customer notification following a privacy breach
• Procedures for recovering erroneously transmitted personal information

This report details an investigation into CIBC's handling of misdirected faxes containing customer personal information, which occurred between 2001 and 2004. The investigation found that CIBC's privacy practices failed to adequately address these incidents, resulting in breaches of customer data and trust. The bank has since implemented significant remedial measures to enhance its privacy safeguards.

• Adequacy of CIBC's privacy policies and procedures
• Effectiveness of CIBC's response to misdirected fax incidents
• Timeliness and appropriateness of customer notification following a privacy breach
• Organizational awareness and adherence to privacy obligations

The OPC investigated two separate incidents where health information was sent by facsimile to the wrong recipient. In the first incident, Dynacare sent a misdirected fax containing personal health information. In the second incident, Viewpoint sent a medical evaluation to an incorrect number. Both companies were found to have contravened PIPEDA by disclosing personal information without consent. Recommendations were made to both companies regarding faxing procedures, employee training, and notification of affected individuals.

• Disclosure of personal health information without consent via misdirected facsimile transmission
• Responsibility for and accountability of employees in faxing personal information
• Adequacy of organizational policies and procedures for protecting personal information during transmission
• Notification of individuals whose personal information has been disclosed