Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

170 decisions matching

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Feb 24, 2016 · Incident Summary #12 · Indexed Apr 12, 2026

Incident Summary #12: Break with security procedures exposes financial planner’s client to privacy breach

A financial management firm

An incident occurred where employees of a financial management firm sent a client's sensitive financial information to her personal email account without proper security measures. This led to a situation where an individual, potentially a hacker, used this information to impersonate the client and attempt to transfer funds from her investment account. Although the client's money was not stolen due to the firm's established procedures, the firm's investigation revealed a breach of security protocols and inadequate employee training. The firm took corrective actions, including disciplinary measures for employees, additional privacy training, and reinforcing account security.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of security safeguards for personal information
  • Effectiveness of employee training on privacy and security procedures
  • Appropriateness of the organization's response to a data breach

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Feb 19, 2016 · Incident Summary #11 · Indexed Apr 12, 2026

Incident Summary #11: Financial institution reacts quickly to mass-mailing error

A financial institution

A financial institution reported a breach to the OPC after a printing error resulted in a few hundred clients receiving incorrect RRSP tax contribution statements. Some statements mistakenly included the personal information of other individuals, including names, addresses, account numbers, and Social Insurance Numbers. The institution promptly investigated, notified affected clients, provided new statements, increased account monitoring, and offered credit alert monitoring. They also reviewed and enhanced internal procedures to prevent future errors.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards to prevent privacy breaches
  • Timeliness and appropriateness of breach response
  • Notification of affected individuals
  • Review and enhancement of internal policies and procedures

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Feb 19, 2016 · PIPEDA Report of Findings #2016-002 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2016-002: Property management company agrees to scrap "bad tenant list"

A property management company

The Office of the Privacy Commissioner of Canada investigated a complaint regarding a property management company maintaining a "bad tenant" list for a landlord association. The complainant alleged improper collection, use, and disclosure of personal information without consent. The OPC found that the list functioned like a credit reporting agency and that consent was not properly obtained, nor was there a mechanism for individuals to challenge the accuracy of the information. The property management company agreed to destroy the list and cease its collection, leading to the matter being resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of consent for collecting and using tenant information.
  • Whether the "bad tenant" list functioned as a credit reporting agency.
  • Ensuring the accuracy of personal information and the ability for individuals to challenge it.
  • Appropriateness of the purpose for collecting, using, and disclosing tenant information.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Feb 18, 2016 · Incident Summary #13 · Indexed Apr 12, 2026

Incident Summary #13: Fraudster targets financial institution employees and then customers to obtain personal information

A Canadian financial institution

This report details an incident where a fraudster impersonated an unknown individual to trick a financial institution's employees into revealing customer contact information. The fraudster then used this information to extract further personal details from approximately 100 customers, increasing their risk of identity theft. The financial institution took immediate steps to mitigate the breach, including offering credit monitoring and enhancing staff training.

Adjudicator: Daniel Therrien

Key Issues
  • Effectiveness of internal controls to prevent unauthorized disclosure of personal information
  • Adequacy of breach response and mitigation measures
  • Risks of identity theft and fraud due to personal information disclosure

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Feb 12, 2016 · PIPEDA Report of Findings #2016-006 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2016-006: An insurance company’s internal ombudsman office is not a “formal dispute resolution process” under PIPEDA

An insurance company

The complainant alleged an insurance company refused to provide her with access to her personal information, including a recording of a telephone conversation, and documents related to her complaint to the company's ombudsman office. The company claimed the ombudsman process was a "formal dispute resolution process" exempt from PIPEDA and that the process was not a "commercial activity." The OPC found the company contravened PIPEDA by unduly delaying access to the recorded conversation and by incorrectly withholding documents from the ombudsman process. The OPC determined the ombudsman office was not a "formal dispute resolution process" and its activities were subject to PIPEDA.

Adjudicator: Daniel Therrien

Key Issues
  • Is an internal ombudsman office a "formal dispute resolution process" under PIPEDA?
  • Are the services of an internal ombudsman office considered "commercial activity" under PIPEDA?
  • Does an organization need spousal consent to release joint account information when third-party information can be severed?
  • What are the obligations of an organization responding to an access to information request under PIPEDA?

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Feb 9, 2016 · PIPEDA Case Summary #2016-007 · Indexed Apr 12, 2026

PIPEDA Case Summary #2016-007: An organization's privacy policy and procedures must be implemented effectively

A collection agency

An individual complained that a collection agency refused to provide access to their personal information, despite multiple written requests. The agency failed to respond to several of these requests within the timeframes required by PIPEDA. Although the agency eventually sent the information, and the individual refused to sign for it, the agency was deemed to have provided access. The agency acknowledged it did not follow its own procedures for handling access requests and committed to revising them and providing refresher training.

Adjudicator: Daniel Therrien

Key Issues
  • Timeliness of response to access requests
  • Failure to follow internal procedures for handling access requests
  • Adequacy of providing access to personal information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Jan 25, 2016 · Incident Summary #10 · Indexed Apr 12, 2026

Incident Summary #10: Cable provider removes personal information posted online of customers with overdue accounts

A local cable television provider

The OPC investigated a complaint concerning a cable provider that posted a list of customers with overdue accounts on a public Facebook page. The provider believed this was permissible, citing municipal practices of publishing names of those in property tax arrears. The OPC clarified that while PIPEDA permits disclosure of information for debt collection purposes to third parties, it does not authorize public dissemination without consent.

Adjudicator: Daniel Therrien

Key Issues
  • Public dissemination of personal information for debt collection
  • Application of PIPEDA's debt collection exemption
  • Comparison of debt collection practices with municipal tax arrears publications

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jan 9, 2016 · PIPEDA Case Summary #2016-004 · Indexed Apr 12, 2026

PIPEDA Case Summary #2016-004: Retailer shares customer’s in-store behaviour with the customer’s employer

A retail store

A customer complained that a retail store employee disclosed his personal information, including his name and in-store behaviour, to his employer without his knowledge or consent. The Office found that the disclosed information was personal information and that the store could not rely on implied consent for the disclosure, as the information was sensitive and disclosure to an employer was not a reasonable expectation. The matter was resolved after the store implemented recommendations to communicate its PIPEDA obligations.

Adjudicator: Daniel Therrien

Key Issues
  • Whether information disclosed in a public store is personal information.
  • Whether implied consent applied to the disclosure of sensitive personal information to an employer.
  • Whether the disclosed information qualified as publicly available information under the regulations.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Dec 18, 2015 · PIPEDA findings #2015-021 · Indexed Apr 12, 2026

PIPEDA findings #2015-021: Telecom company responsible for erroneous debt collection calls

A telecommunications company

A telecommunications company erroneously continued to report a debt to a credit-reporting agency after the complainant was discharged from bankruptcy. This impacted the complainant's credit score and led to unwanted debt collection calls. The company investigated, corrected its records, notified the credit-reporting agency, and ensured the debt collection calls would cease.

Adjudicator: Daniel Therrien

Key Issues
  • Accuracy and up-to-dateness of personal information
  • Disclosure of personal information to third parties
  • Appropriate use of personal information in decision-making

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Dec 15, 2015 · PIPEDA Case Summary #2015-014 · Indexed Apr 12, 2026

PIPEDA Case Summary #2015-014: Pension and benefit provider agrees to revamp authentication and address-change procedures after misdirected mailings

A pension and benefit provider

An employee complained that her pension and benefit provider improperly disclosed her unique identifier, failed to keep her address accurate, and did not implement adequate safeguards. An individual with the same name was mistakenly given the complainant's ID number, leading to her address being changed. Consequently, five mailings containing sensitive information were sent to the wrong address, and the complainant lost her life insurance coverage due to missed forms. The provider corrected the error and reinstated coverage.

Adjudicator: Daniel Therrien

Key Issues
  • Disclosure of unique identifier to a third party without consent.
  • Failure to maintain accurate client address information.
  • Inadequate safeguards against unauthorized disclosure and modification of personal information.
  • Improper authentication of caller identity.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Discontinued
Dec 2, 2015 · Discontinued Case Summary #2015-001 · Indexed Apr 12, 2026

Discontinued Case Summary #2015-001: Real estate management company responds fairly and reasonably to surveillance camera concerns

A real estate management company

An individual complained that a real estate management company failed to obtain consent for the collection of his personal information through video surveillance at a shopping mall. The complainant alleged inadequate signage and over-collection of his information when a camera was focused on him. The company responded by posting new signage and providing additional training to staff. The Office of the Privacy Commissioner discontinued the investigation, finding the company’s response to be fair and reasonable.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of signage for video surveillance
  • Over-collection of personal information
  • Consent to collection of personal information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Nov 10, 2015 · PIPEDA Case Summary #2015-015 · Indexed Apr 12, 2026

PIPEDA Case Summary #2015-015: Roofing company takes measures to ensure sub-contractors follow its privacy policy

A roofing company

An individual complained that an estimator, subcontracted by a roofing company, disclosed his personal information to another roofing company without consent. The investigation found that the second roofing company was responsible for its estimator's actions and that there was a disclosure of personal information in contravention of PIPEDA. The second roofing company implemented a recommendation to establish agreements with subcontractors regarding privacy policies and training.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the subcontractor's actions were attributable to the organization.
  • Whether personal information was disclosed without consent.
  • Whether the disclosure exceeded the purposes for which the information was collected.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Oct 26, 2015 · Early resolved case summary #2015-02 · Indexed Apr 12, 2026

Early resolved case summary #2015-02: Retailer takes remedial actions after employee inappropriately texted customer

A retailer

An individual complained to the OPC after a retailer's delivery person texted her inappropriate comments after obtaining her number from a work phone and transferring it to a personal device. The complainant also felt the retailer mishandled her initial complaint. The OPC's involvement led the retailer to implement new procedures for faulty work phones, retrain employees on its privacy policy, and take disciplinary action against the delivery person. The complainant was satisfied with the resolution.

Adjudicator: Daniel Therrien

Key Issues
  • Unauthorized use of customer personal information
  • Handling of customer complaints
  • Employee training on privacy policies

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Aug 14, 2015 · Early resolved case summary #2015-07 · Indexed Apr 12, 2026

Early resolved case summary #2015-07: Employee training a key factor in effectively satisfying customers’ requests about an organization’s personal information handling practices

A car dealership

An individual complained that a car dealership could not provide details about its personal information handling practices when asked. The dealership employee copied the complainant's driver's license and credit card without adequately explaining why or what safeguards were in place. The dealership agreed to hold an employee review session to ensure staff are knowledgeable about privacy policies and practices.

Key Issues
  • Adequacy of employee training on privacy policies
  • Transparency regarding collection and use of personal information
  • Responding to individual inquiries about personal information handling practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Aug 1, 2015 · Early resolved case summary #2015-04 · Indexed Apr 12, 2026

Early resolved case summary #2015-04: Misidentification and lack of access to personal information leads to mistaken four-year debt pursuit

A collection agency

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from an individual who alleged that a collection agency was pursuing him for a debt he did not owe and that inaccurate information was appearing on his credit report. The individual was unable to obtain validation of the debt from the agency. Following the OPC's intervention, the agency investigated, found discrepancies on the original credit application, ceased collection efforts, and agreed to correct the individual's credit report. The individual was satisfied with this resolution.

Adjudicator: Daniel Therrien

Key Issues
  • Accuracy of personal information
  • Access to personal information
  • Debt collection practices
  • Correction of credit reports