Federal (Canada) Privacy Decisions

An individual complained that a sports facilities company disclosed his personal information regarding an outstanding debt to a related sports association on two occasions without his consent. The company argued that PIPEDA did not apply because it answered a direct question and there was an expectation of privacy. The OPC found that disclosing debt information is sensitive and requires consent unless a specific exemption applies. As the disclosures were not for the purpose of collecting the debt, the exemption in subsection 7(3)(b) of PIPEDA did not apply, making the complaint well-founded.

• Was the disclosure of an outstanding debt considered personal information?
• Did the disclosure of debt information fall under the exemption for debt collection purposes?
• Does an 'expectation of privacy' or answering a direct question exempt an organization from obtaining consent for disclosure?
• Did the company obtain the individual's knowledge and consent for the disclosure of his debt information?

A condominium owner complained that a developer failed to provide access to his personal information at minimal or no cost. The owner was initially told that thousands of pages of documents would cost over $200, or he could view them for free at the developer’s lawyer's office. The OPC's early resolution unit helped negotiate a compromise where the owner narrowed his request, and the developer agreed to provide free copies of the specific documents he sought. The owner was ultimately satisfied with this resolution.

• Whether the proposed fees for access to personal information complied with the "minimal or no cost" requirement.
• Whether the offer to view documents for free, but not receive copies, met the organization's access obligations.
• The reasonable accommodation of an individual with a disability in fulfilling an access request.

This report details a joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Australian Office of the Information Commissioner (OAIC) into Avid Life Media Inc. (ALM), the operator of Ashley Madison. The investigation followed a significant data breach where personal information of millions of users was exposed. The OPC found that ALM contravened PIPEDA regarding information security, indefinite retention of user data, accuracy of email addresses, and transparency with users. ALM has entered into a compliance agreement with the OPC to address these issues.

• Adequacy of information security safeguards
• Indefinite retention of user data
• Accuracy of collected email addresses
• Transparency and user consent regarding data handling practices

An individual complained that an online service company was not addressing an issue where another client's personal information was appearing on his account. The company, after intervention from the OPC, investigated and found the problem was a technical glitch involving another organization's software interface. The glitch was corrected, and the company updated its internal policies and established contractual agreements with the other organization to prevent future breaches.

• Adequate training of front-line staff on privacy policies and procedures.
• Need for contractual agreements to mitigate data breaches when integrating online services.
• Effectiveness of escalation processes for client privacy concerns.
• Resolution of technical glitches leading to inadvertent disclosure of personal information.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a psychiatrist's handling of a patient's personal information. The patient had requested access to his information following a medical assessment conducted as part of a civil lawsuit defence. However, the OPC determined that the psychiatrist's activities were not commercial in nature but were for the purpose of defending a lawsuit. As PIPEDA only applies to commercial activities, the OPC concluded it lacked jurisdiction to investigate the complaint.

• Whether the collection and use of personal information for the purpose of defending a civil lawsuit constitutes a commercial activity under PIPEDA.
• Whether the OPC has jurisdiction to investigate complaints falling outside the scope of PIPEDA.
• The application of the 'commercial activity' exemption in PIPEDA.

The complainant alleged that a telecommunications company's response to her access request was incomplete, specifically regarding disclosures of her personal information to third parties, including law enforcement. The Office of the Privacy Commissioner found that the company's standard response did not meet its obligations under Principle 4.9 of PIPEDA. The company has since provided a direct response to the complainant and has amended its policy to ensure compliance with access to information requests.

• Adequacy of response to an access request concerning disclosure of personal information.
• Compliance with PIPEDA Principle 4.9 regarding informing individuals of disclosures.
• Application of PIPEDA subsections 9(2.1) to 9(2.4) concerning disclosures to government institutions.
• Obligations regarding disclosures to third parties beyond government institutions.

An individual complained to the OPC after receiving a credit report containing unrecognized inquiries and a notation of an "AUTOMATIC COMBINE" of accounts, which merged his file with that of another individual. The OPC found that while there was no unauthorized use or disclosure of personal information, the credit reporting agency failed to maintain the accuracy of the complainant's information when it merged the files. The agency took corrective actions, including separating the files and notifying creditors of the corrections.

• Accuracy of personal information when merging files
• Unauthorized use or disclosure of personal information

A First Nation band council developed a privacy policy after an employee complained about lost doctor's notes required to approve his leave. While the band council did not confirm losing the notes, it worked with the OPC to create a privacy policy and adopt best practices. The employee considered his complaint resolved, recognizing the issue would be addressed under the Canada Labour Code, and was pleased the band council was implementing a privacy policy.

• Responsibility of a First Nation band council under PIPEDA
• Disposition of medical documentation
• Development of a privacy policy

This report details an investigation into Compu-Finder's practices of collecting and using email addresses for marketing its training courses without adequate consent. The Office of the Privacy Commissioner of Canada (OPC) found that Compu-Finder contravened PIPEDA by failing to obtain meaningful consent, lacking accountability frameworks, and not being transparent about its privacy practices. While Compu-Finder agreed to implement recommendations, the complaint was found to be well-founded and resolved in part, and well-founded and conditionally resolved in part, with a compliance agreement entered into.

• Collection and use of email addresses without consent
• Lack of accountability and transparency in privacy practices
• Use of address harvesting software
• Validity of implied and express consent claims

An individual complained that a retailer's salesperson signed him up for a credit card without his knowledge or consent, and that a bank subsequently conducted a credit check using inaccurate information. The Office of the Privacy Commissioner of Canada (OPC) found that the bank failed to demonstrate it obtained the complainant's consent for the credit check and that the collected information was sufficiently accurate. The bank apologized, cancelled the credit card, and removed the inquiry from the complainant's file. The bank also discontinued its pilot program for in-store credit applications.

• Adequacy of consent for a credit card application and credit check
• Accuracy of personal information collected
• Adequacy of procedures for collecting personal information and obtaining consent

An individual complained that his employer, an international trucking company, disclosed his positive drug test results to a provincial workers' compensation board (WCB) without his consent. The company claimed it was legally obligated to do so. The OPC found the disclosure was a contravention of PIPEDA as the company's belief of a legal obligation was inaccurate, and the WCB did not require the information. The complaint regarding disclosure to co-workers was not substantiated. The company implemented the OPC's recommendations, leading to the complaint being resolved.

• Whether disclosure of drug test results to WCB required consent
• Whether disclosure to WCB was a legal obligation under PIPEDA s. 7(3)(i)
• Whether drug test results were disclosed to co-workers
• Whether the company's random drug testing program violated PIPEDA

An incident occurred where employees of a financial management firm sent a client's sensitive financial information to her personal email account without proper security measures. This led to a situation where an individual, potentially a hacker, used this information to impersonate the client and attempt to transfer funds from her investment account. Although the client's money was not stolen due to the firm's established procedures, the firm's investigation revealed a breach of security protocols and inadequate employee training. The firm took corrective actions, including disciplinary measures for employees, additional privacy training, and reinforcing account security.

• Adequacy of security safeguards for personal information
• Effectiveness of employee training on privacy and security procedures
• Appropriateness of the organization's response to a data breach

The Office of the Privacy Commissioner of Canada investigated a complaint regarding a property management company maintaining a "bad tenant" list for a landlord association. The complainant alleged improper collection, use, and disclosure of personal information without consent. The OPC found that the list functioned like a credit reporting agency and that consent was not properly obtained, nor was there a mechanism for individuals to challenge the accuracy of the information. The property management company agreed to destroy the list and cease its collection, leading to the matter being resolved.

• Adequacy of consent for collecting and using tenant information.
• Whether the "bad tenant" list functioned as a credit reporting agency.
• Ensuring the accuracy of personal information and the ability for individuals to challenge it.
• Appropriateness of the purpose for collecting, using, and disclosing tenant information.

A financial institution reported a breach to the OPC after a printing error resulted in a few hundred clients receiving incorrect RRSP tax contribution statements. Some statements mistakenly included the personal information of other individuals, including names, addresses, account numbers, and Social Insurance Numbers. The institution promptly investigated, notified affected clients, provided new statements, increased account monitoring, and offered credit alert monitoring. They also reviewed and enhanced internal procedures to prevent future errors.

• Adequacy of safeguards to prevent privacy breaches
• Timeliness and appropriateness of breach response
• Notification of affected individuals
• Review and enhancement of internal policies and procedures

This report details an incident where a fraudster impersonated an unknown individual to trick a financial institution's employees into revealing customer contact information. The fraudster then used this information to extract further personal details from approximately 100 customers, increasing their risk of identity theft. The financial institution took immediate steps to mitigate the breach, including offering credit monitoring and enhancing staff training.

• Effectiveness of internal controls to prevent unauthorized disclosure of personal information
• Adequacy of breach response and mitigation measures
• Risks of identity theft and fraud due to personal information disclosure