Federal (Canada) Privacy Decisions

The OPC investigated a complaint alleging that Immigration, Refugees and Citizenship Canada (IRCC) improperly withheld access to personal information. The complainant requested the "History Section" of their case file, but IRCC only provided a subset of information from other sections, referred to as the "Short Form" report. The OPC found that IRCC's practice of systematically retrieving and processing only the Short Form report contravenes section 12 of the Privacy Act, as it fails to provide individuals with access to all personal information under the government's control. Although the specific file was eventually provided, IRCC refused to update its procedures to address the systemic issue.

• Whether IRCC's practice of only retrieving and processing a "Short Form" subset of records in response to access requests complies with the Privacy Act's access obligations.
• Whether the "History Section" of the Global Case Management System (GCMS) file contains personal information.
• Whether IRCC's assertion that information outside the "Short Form" would always be withheld under exemptions is valid.
• Whether IRCC's failure to commit to updating its procedures constitutes a continuing contravention of the Privacy Act.

An employee of the Canada Border Services Agency (CBSA) complained that their personal information was inadvertently disclosed to colleagues due to improperly set folder permissions in the CBSA's information management system, Apollo. The CBSA confirmed the contravention of section 8 of the Privacy Act. While the CBSA took steps to correct the issue and improve practices, it did not commit to mandatory, trackable training for managing permissions, leading the OPC to find the complaint well-founded but unresolved.

• Whether CBSA contravened section 8 of the Privacy Act by improperly disclosing employee personal information.
• Adequacy of CBSA's response and corrective measures.
• Whether CBSA's training and awareness initiatives for managing information system permissions are sufficient.
• Whether the matter is resolved given CBSA's non-commitment to mandatory, trackable training.

This investigation examined the Treasury Board of Canada Secretariat's (TBS) handling of employee personal information related to the administration of the Direction on Prescribed Presence in the Workplace, which mandates minimum on-site workdays. The Office of the Privacy Commissioner of Canada (OPC) found that TBS's practices for both organizational compliance reporting (using aggregated data like turnstile and HR data) and individual compliance monitoring (relying on manager observation and self-reporting) were compliant with the Privacy Act. The OPC concluded that the complaint was not well-founded, noting TBS's effective balance between operational needs and employee privacy.

• Collection of employee personal information for hybrid work model compliance
• Retention and disposal of personal information
• Use and disclosure of personal information
• Transparency and adequacy of Personal Information Banks (PIBs)

An inmate alleged that Correctional Service Canada (CSC) failed to retain video footage of use of force incidents involving them, violating the Privacy Act's retention obligations. The OPC found that CSC did dispose of footage that it was obligated to retain for at least two years under the Act. CSC agreed to implement enhanced oversight, including monthly attestations and quarterly audits of use of force footage retention in its Pacific Region.

• Obligation to retain personal information used for administrative purposes under the Privacy Act
• Adequacy of institutional policies for video retention
• Ensuring reasonable access to personal information
• Effectiveness of oversight measures for compliance

This report details an investigation into the unauthorized disclosure of personal information of over 18,000 Canada Border Services Agency (CBSA) employees due to improperly shared spreadsheets. While the CBSA contravened section 8 of the Privacy Act by disclosing information beyond what was necessary for the stated purposes, the agency took appropriate steps to notify affected individuals, contain the breaches, and implement measures to prevent recurrence. These measures included new data request procedures and the development of a new information management system.

• Whether the CBSA contravened section 8 of the Privacy Act by disclosing personal information.
• Whether the CBSA took adequate steps to notify affected individuals.
• Whether the CBSA took adequate steps to contain the impact of the breaches.
• Whether the CBSA took adequate steps to reduce the risk of future breaches.

This investigation examined allegations that the Canada Revenue Agency (CRA) inappropriately disclosed an adopted child's adoptive name, and the adoptive mother's personal information, to the child's biological mother. The OPC found that, on the balance of probabilities, the CRA likely disclosed the child's adoptive name, contravening section 8 of the Privacy Act. Deficiencies were also identified in the CRA's internal procedures for safeguarding adopted children's personal information. The complaint was found to be well-founded but not resolved, as the CRA agreed to implement some, but not all, of the OPC's recommendations.

• Whether the CRA disclosed the child's adoptive name and the adoptive mother's personal information to the biological mother without consent.
• Whether the CRA's internal procedures adequately protected the personal information of adopted children.
• Whether the CRA's actions contravened section 8 of the Privacy Act.
• Whether the complaint was resolved based on the CRA's response to the OPC's recommendations.

The complainant alleged that the Canada Revenue Agency (CRA) improperly denied access to personal information related to five grievances, relying on exceptions under the Privacy Act. The OPC found that while the CRA conducted reasonable searches, it failed to adequately substantiate its use of paragraph 22(1)(b) of the Act to withhold information. Much of the withheld information was transactional and did not demonstrate a clear risk of harm upon disclosure. The complaint was found to be well-founded, but unresolved, as the CRA maintained its position on the withheld information.

• Proper application of paragraph 22(1)(b) of the Privacy Act regarding risk of harm.
• Adequacy of government institution's searches for responsive records.
• Substantiation of claims for withholding information under statutory exemptions.
• Requirement for case-by-case assessment when applying exemptions.

This investigation examined complaints regarding the National Security and Intelligence Review Agency's (NSIRA) Secretariat's request for access to polygraph records as part of a review of the Communications Security Establishment. The OPC found that the anonymization measures significantly reduced re-identification risks, and the polygraph recordings themselves contained no personal information. However, concerns were raised about the timeliness of the Secretariat's requests to Treasury Board Secretariat for approval of Personal Information Banks (PIBs). The collection issue was found not well-founded, but the timeliness of PIB updates was found well-founded and subsequently resolved.

• Whether the NSIRA Secretariat collected personal information without a direct relationship to its operating programs or activities.
• Whether the NSIRA Secretariat complied with its obligations to include all personal information under its control in Personal Information Banks (PIBs).
• Assessment of privacy mitigation measures implemented by CSE to anonymize polygraph records.
• Timeliness of the NSIRA Secretariat's requests for PIB approvals and publication of its Info Source page.

The complainant requested his minor child's passport application from Immigration, Refugees and Citizenship Canada (IRCC), citing a court order granting him access to his children's information. IRCC denied the request, stating the child's consent was required. The OPC found that while the complainant had legal authorization to act on his child's behalf, the request was not made for the child's benefit or best interests, a key condition under the Privacy Regulations. Therefore, the OPC concluded that the complainant did not have a right of access to the child's personal information.

• Whether a parent has an automatic right of access to a minor child's personal information under the Privacy Act.
• Interpretation of the Privacy Regulations regarding requests made on behalf of a minor.
• Whether the complainant's request served the child's best interests.
• The decision-making capacity of a minor regarding their personal information.

The complainant, as executor of a deceased individual's estate, requested personal information from the Department of National Defence (DND). DND refused to disclose most information, citing Privacy Act exemptions and arguing the request didn't meet the criteria for accessing information on behalf of a deceased person. The OPC found that the complainant was entitled to make the request for estate administration purposes and that DND failed to conduct an adequate search. DND agreed to conduct searches and provide a new response, leading to the complaint being conditionally resolved.

• Eligibility of an estate executor to request personal information of a deceased individual.
• Proper application of section 26 of the Privacy Act (disclosure of personal information about others).
• Adequacy of DND's search for requested records.
• DND's obligation to process formal access requests even if informal avenues exist.

The OPC investigated a complaint that the Canada Revenue Agency (CRA) failed to ensure the accuracy of a taxpayer's personal information used for administrative decisions. An imposter used the complainant's compromised CRA My Account to fraudulently receive COVID-19 benefits and Employment Insurance. The investigation found that the CRA's inadequate safeguards allowed unauthorized access and modification, contravening section 6(2) of the Privacy Act. The CRA has since implemented corrective measures.

• Adequacy of safeguards to protect against unauthorized access and modification of personal information.
• Reasonable steps taken by the CRA to ensure the accuracy of personal information used for administrative decisions.
• Timeliness of notification and privacy breach reporting.
• Impact of identity theft on tax reassessments.

The Office of the Privacy Commissioner of Canada investigated a complaint from a federal government employee who alleged that her personal information was repeatedly disclosed to another employee with the same name, and that administrative errors occurred in their files. The OPC found that the institution contravened the Privacy Act by improperly disclosing the complainant's personal information and by failing to ensure the accuracy of information used for administrative purposes. The complaint was found to be well-founded but conditionally resolved after the institution committed to implementing corrective measures.

• Unauthorized disclosure of personal information under section 8 of the Privacy Act.
• Failure to ensure the accuracy and completeness of personal information used for administrative purposes under subsection 6(2) of the Privacy Act.
• Lack of employee awareness regarding privacy breach reporting procedures.
• Systemic nature of errors due to employees having the same name.

A representative acting for the executor of an estate requested personal information about a deceased individual from the Department of National Defence (DND). DND determined the representative was not entitled to the information under paragraph 10(b) of the Privacy Regulations because they did not sufficiently demonstrate a connection between the information sought and the administration of the estate. While DND processed the request informally and disclosed some information under another provision of the Act, they did not clearly state the grounds for refusal. The OPC found the complaint not well-founded as the representative failed to adequately articulate and substantiate the estate's purposes and how the records would serve them.

• Whether the representative was authorized to make a request on behalf of the deceased under paragraph 10(b) of the Privacy Regulations for the purpose of administering the estate.
• Whether the representative sufficiently demonstrated a connection between the information sought and the administration of the deceased's estate.
• Whether DND properly notified the representative of the refusal and the basis for it.
• Whether DND properly handled the request informally.

Immigration, Refugees and Citizenship Canada (IRCC) contravened the Privacy Act when an employee inadvertently sent 497 emails containing personal information to the wrong email addresses. The investigation found that IRCC had insufficient administrative and procedural controls to prevent such errors. While IRCC took steps to notify affected individuals and mitigate harm, the Office of the Privacy Commissioner recommended improvements to prevent future breaches. IRCC accepted these recommendations and implemented enhanced measures, leading the OPC to consider the matter resolved.

• Whether IRCC contravened section 8 of the Privacy Act by disclosing personal information to unintended recipients.
• Adequacy of IRCC's administrative and procedural controls to prevent accidental disclosures.
• Effectiveness of IRCC's measures to mitigate the impact of the breach on affected individuals.
• Sufficiency of IRCC's actions to reduce the risk of recurrence.

The complainant alleged that Immigration, Refugees and Citizenship Canada (IRCC) failed to disclose all records sought under the Privacy Act. The investigation found that IRCC did not initially conduct a reasonable search for records, particularly concerning visa cancellations and reissuing. However, IRCC subsequently expanded its search to include all relevant offices, and although no additional information was found, the OPC was satisfied that its obligations under the Act were met, resolving the complaint.

• Reasonableness of IRCC's search for records.
• Whether IRCC failed to disclose all responsive information.
• Adequacy of IRCC's search scope and tasked offices.