Federal (Canada) Privacy Decisions

This special report details an investigation into unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency (CRA). The Office of the Privacy Commissioner (OPC) found that the CRA contravened the Privacy Act regarding accuracy and disclosure of personal information. While the CRA has made efforts to improve its security, shortcomings remain in prevention, monitoring, detection, remediation, and governance, particularly concerning the handling of "Unauthorized Use of Taxpayer Information by a Third Party" (UUTP) incidents. The investigation concluded that the CRA contravened subsections 6(2) and 8(2) of the Act.

• Adequacy of safeguards to protect taxpayer personal information from unauthorized disclosure and modification.
• Timeliness and strength of multi-factor authentication implementation.
• Effectiveness of monitoring and detection mechanisms for UUTPs.
• Coordination and proactivity of the CRA's governance for addressing UUTPs.

The Office of the Privacy Commissioner of Canada (OPC) investigated the Canada Border Services Agency's (CBSA) contracting practices related to the ArriveCAN application following a complaint and a request from a parliamentary committee. The investigation examined whether contractors had inappropriate access to travellers' personal information. While the OPC found no contravention of the Privacy Act, it identified shortcomings in the CBSA's contracting processes, such as issues with the timeliness and accuracy of security assessments and broad task descriptions in contracts. The OPC made recommendations to improve the CBSA's practices, which the agency accepted.

• Whether CBSA authorized contractors to access personal information without required security clearances.
• Accuracy and timeliness of security requirement assessments for contracts.
• Clarity and specificity of task descriptions in contracts and task authorizations.
• CBSA's compliance with security requirements for personnel and organizations involved in ArriveCAN contracts.

This investigation concerned the loss of an unencrypted USB storage device by the Royal Canadian Mounted Police (RCMP), which contained sensitive personal information of 1,741 individuals. The OPC found that the RCMP contravened section 8 of the Privacy Act by disclosing personal information without consent. The investigation also revealed failures in timely breach reporting and inadequate safeguards for personal information on USB devices, leading to the complaint being well-founded and unresolved.

• Contravention of section 8 of the Privacy Act regarding unauthorized disclosure of personal information
• Timeliness and appropriateness of the RCMP's response to the breach
• Sufficiency of RCMP measures to safeguard personal information on USB storage devices
• Adequacy of policies and enforcement regarding USB device usage

This special report details an investigation into cyber attacks that compromised sensitive personal information held by the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC). Attackers used stolen credentials to access online accounts, leading to unauthorized disclosures, modifications, and identity theft. The investigation found that both departments failed to implement adequate authentication, security decision-making, and monitoring practices, contravening sections 8 and 6(2) of the Privacy Act. While both departments accepted recommendations for improvement, some weaknesses persist.

• Inadequate identity and credential assurance measures
• Insufficiently informed and accountable security decision-making
• Lack of effective monitoring and timely breach containment
• Contravention of Privacy Act sections 8 (disclosure) and 6(2) (accuracy)

This special report from the OPC investigated the RCMP's Project Wide Awake initiative, which uses third-party services to collect open-source information. The investigation found that the RCMP did not conduct adequate due diligence to ensure that the personal information collected via the Babel X service and its data providers was compliant with Canadian privacy laws. Additionally, the RCMP failed to meet its transparency obligations under the Privacy Act by providing inadequate descriptions of its open-source information collection practices and purposes in its Personal Information Banks.

• Compliance with collection provisions of the Privacy Act
• Adequacy of due diligence regarding third-party data collection practices
• Adequacy of transparency obligations under the Privacy Act
• Sufficiency of Personal Information Bank descriptions

This Special Report to Parliament details the OPC's investigations into federal government privacy practices during the COVID-19 pandemic. It examined vaccine mandates for travel and employment, the ArriveCAN app, and the use of mobility data. While most government measures complied with the Privacy Act, the OPC identified areas for improvement, including the need for clearer objectives in mandates and better documentation of less privacy-intrusive alternatives. An error in the ArriveCAN app led to incorrect quarantine notifications, and a PIPEDA investigation found a private company misused a traveller's contact information for marketing.

• Compliance of COVID-19 measures with the Privacy Act
• Necessity and proportionality of personal information collection
• Accuracy of personal information used in administrative decisions (ArriveCAN)
• Use of de-identified mobility data and PIPEDA compliance

This investigation examined the COVID-19 vaccination attestation requirements for federal public servants. The OPC found that the collection of vaccination status was directly related to the employer's health and safety obligations. However, the Treasury Board of Canada Secretariat (TBS) contravened the Act by failing to update its index of personal information banks within the required timeframe. The OPC also assessed the necessity and proportionality of the measures, concluding they were justified given the pandemic context, though TBS's documentation and response during the investigation were found to be lacking.

• Whether the collection of employee vaccination status was directly related to an operating program or activity.
• Whether institutions met transparency requirements under the Act.
• Whether disclosures of personal information were authorized.
• Necessity and proportionality of the vaccination attestation measures.

This investigation examined whether mobility data collected by the Public Health Agency of Canada (PHAC) during the COVID-19 pandemic contained personal information as defined under the Privacy Act. The investigation found that the de-identification techniques and safeguards against re-identification implemented by PHAC and its data providers reduced the risk of identifying individuals below the "serious possibility" threshold. Consequently, the complaints were deemed not well-founded, as PHAC did not contravene the Privacy Act.

• Whether the mobility data collected constituted personal information under the Privacy Act.
• The adequacy of de-identification and aggregation techniques to prevent re-identification.
• Whether access to data within a provider's system constitutes collection under the Act.
• The need for transparency regarding the use of de-identified data.

This investigation examined whether COVID-19 vaccination attestation requirements implemented by several federal separate employers for their employees complied with the Privacy Act. The OPC found that the collection and use of vaccination status information, including for accommodation requests, was authorized under the Act and directly related to the employers' operating programs, specifically workplace health and safety during the pandemic. While not a strict legal requirement of the Act, the OPC also assessed the necessity and proportionality of these measures and found them to be reasonable given the exceptional circumstances of the pandemic.

• Whether the collection of COVID-19 vaccination status information was directly related to an operating program or activity of the institutions.
• Whether the use and disclosure of vaccination status information, including for accommodation requests, was authorized under the Privacy Act.
• The necessity and proportionality of the vaccination attestation measures in the context of the COVID-19 pandemic.

This investigation examined the COVID-19 vaccination attestation requirements established by the Department of National Defence (DND) for members of the Canadian Armed Forces (CAF). The Office of the Privacy Commissioner of Canada (OPC) found that DND/CAF had the authority to collect this information under the National Defence Act and Part II of the Canada Labour Code. The use and disclosure of the information were generally consistent with the purposes for which it was collected. Although DND declined to implement a recommendation to strengthen oversight of access controls in the Monitor MASS system, the OPC found no instances of inappropriate access or disclosure. The OPC also determined that DND took reasonable steps to ensure the accuracy of the vaccination status information collected.

• Whether DND/CAF's collection of COVID-19 vaccination status information directly related to an operating program or activity of the institution.
• Whether the use of collected vaccination status information was authorized under section 7 of the Privacy Act.
• Whether the use of the Monitor MASS system resulted in unauthorized disclosure of information.
• Whether DND/CAF took reasonable steps to ensure the accuracy of vaccination status information.

This investigation examined a privacy breach experienced by a contractor for the Canada Border Services Agency (CBSA), which was targeted by a ransomware attack. Personal information, specifically licence plate images captured at Canadian border crossings, was accessed and some was posted online. The OPC found that the CBSA had contravened the Privacy Act due to inadequate security safeguards in its contract with the contractor and its inconsistent handling of licence plate data as personal information. The investigation concluded the complaint was well-founded but resolved, as the CBSA agreed to implement recommendations to improve its contracting and data protection practices.

• Whether licence plate image files, including metadata, constitute personal information under the Privacy Act.
• Whether the CBSA contravened the disclosure provisions of the Privacy Act.
• Whether the CBSA had adequate security safeguards in its contract with a third-party contractor.
• Whether the CBSA adequately managed the retention of personal information.

This report details a review of passport protection practices by four federal institutions: IRCC, ESDC, GAC, and CPC. While the institutions generally had reasonable measures to prevent unauthorized passport disclosures, the review identified areas for improvement in incident detection, remediation for affected individuals, and learning from past breaches. The institutions agreed to implement the OPC's recommendations to enhance these processes.

• Adequacy of measures to prevent unauthorized disclosure of passports
• Effectiveness of incident detection mechanisms
• Sufficiency of remediation measures for affected individuals
• Processes for learning from past passport breach incidents

This investigation examined complaints concerning Statistics Canada's collection of personal financial and credit information from a credit bureau and financial institutions for two projects. The OPC found Statistics Canada had the legal authority for the Credit Information Project, deeming that aspect not well-founded. However, the OPC had serious concerns that the Financial Transactions Project, as originally designed, would have exceeded Statistics Canada's legal authority. As this project was halted before any data was collected, no finding was made. Despite finding no contravention of the Privacy Act, the OPC identified significant privacy concerns regarding necessity, proportionality, and transparency in both projects as originally designed, and made recommendations for improvement.

• Legal authority for collecting personal information under the Statistics Act and Privacy Act
• Necessity and proportionality of collecting sensitive personal information
• Adequacy of transparency regarding data collection
• Safeguards for handling collected personal information

A woman received the personal information of five strangers along with her daughter's tax documents from the Canada Revenue Agency (CRA). She attempted to return the information to the CRA through various channels but faced difficulties. The OPC launched a Commissioner-initiated investigation, which concluded that the CRA had breached the privacy rights of the individuals whose information was improperly disclosed. The CRA has since implemented remedial measures to improve its procedures for handling misdirected mail and facilitating breach reporting.

• Adequacy of CRA's procedures for handling misdirected personal information.
• Effectiveness of CRA's channels for the public to report privacy breaches.
• Timeliness and appropriateness of CRA's response to the breach.

This report details an investigation into the loss of a USB key containing the personal information of 5,045 Canada Pension Plan Disability appellants. The investigation found that both Employment and Social Development Canada (ESDC) and Justice Canada failed to adequately translate their privacy and security policies into practice, leading to weaknesses in physical, technological, administrative, and personnel controls. Both departments accepted nine recommendations to improve data protection, many of which were similar to those made in a previous investigation involving ESDC.

• Adequacy of physical, technological, administrative, and personnel security controls
• Failure to translate privacy and security policies into meaningful business practices
• Protection of sensitive personal information including SIN and medical details
• Custody and storage of portable electronic devices containing personal information