Federal (Canada) Privacy Decisions

The complainant alleged that Immigration, Refugees and Citizenship Canada (IRCC) failed to disclose all records sought under the Privacy Act. The investigation found that IRCC did not initially conduct a reasonable search for records, particularly concerning visa cancellations and reissuing. However, IRCC subsequently expanded its search to include all relevant offices, and although no additional information was found, the OPC was satisfied that its obligations under the Act were met, resolving the complaint.

• Reasonableness of IRCC's search for records.
• Whether IRCC failed to disclose all responsive information.
• Adequacy of IRCC's search scope and tasked offices.

An individual complained that Canada Post was using personal information collected from the outside of delivered mail to create marketing lists rented to private sector companies. The Office of the Privacy Commissioner of Canada (OPC) found that Canada Post's collection and use of this information for marketing purposes contravened section 5 of the Privacy Act because individuals were not authorized to have their information indirectly collected and used this way. While Canada Post disagreed with the findings and did not agree to cease the practice, it committed to improving transparency about its data usage.

• Whether Canada Post's collection of personal information from mail for marketing purposes complies with section 4 of the Privacy Act.
• Whether Canada Post's use and disclosure of personal information for marketing purposes complies with sections 7 and 8 of the Privacy Act.
• Whether Canada Post's indirect collection of personal information for marketing purposes, without explicit authorization, contravenes section 5 of the Privacy Act.
• What constitutes valid authorization for indirect collection of personal information under the Privacy Act.

This investigation concerned an individual's complaint that their Permanent Resident Card renewal application, submitted to Immigration, Refugees and Citizenship Canada (IRCC), was inappropriately disclosed to the Canada Border Services Agency (CBSA). The complainant alleged this disclosure was contrary to the purpose for which the information was collected and that it was used in support of a cessation application to terminate refugee protection. The OPC found that the disclosure was consistent with the purpose for which the information was obtained, as both departments share a mandate under the Immigration and Refugee Protection Act and information sharing for immigration legislation enforcement is considered a consistent use. Therefore, the complaints against both departments were found not well-founded.

• Whether IRCC was authorized to disclose the complainant's personal information to the CBSA.
• Whether the disclosure was for a purpose for which the information was obtained or a consistent use.
• The interpretation of "consistent use" under paragraph 8(2)(a) of the Privacy Act.
• The impact of the privacy notice on the PRC renewal application and the relevant Personal Information Bank (PIB).

This investigation examined whether the collection, use, and disclosure of traveller vaccination status by Transport Canada, VIA Rail, and CATSA complied with the Privacy Act. The Office of the Privacy Commissioner found that the personal information was collected, used, and disclosed in compliance with the Act's requirements. While the Act does not mandate necessity and proportionality, the OPC also considered these principles and found the measures were generally necessary and proportional, though recommended clearer definition of objectives and documentation of less privacy-invasive alternatives for future initiatives.

• Whether the collection of vaccination information was directly related to the operating programs or activities of CATSA and VIA Rail.
• Whether the use and disclosure of personal information, and the centralized collection by Transport Canada, complied with sections 4, 7, and 8 of the Privacy Act.
• Whether the collection of personal information was necessary and proportional, considering the circumstances and available alternatives.

This investigation examined whether mobility data collected by the Public Health Agency of Canada (PHAC) during the COVID-19 pandemic contained personal information as defined under the Privacy Act. The investigation found that the de-identification techniques and safeguards against re-identification implemented by PHAC and its data providers reduced the risk of identifying individuals below the "serious possibility" threshold. Consequently, the complaints were deemed not well-founded, as PHAC did not contravene the Privacy Act.

• Whether the mobility data collected constituted personal information under the Privacy Act.
• The adequacy of de-identification and aggregation techniques to prevent re-identification.
• Whether access to data within a provider's system constitutes collection under the Act.
• The need for transparency regarding the use of de-identified data.

This investigation examined whether the collection, use, retention, and disclosure of personal information by the Public Health Agency of Canada (PHAC) and the Canada Border Services Agency (CBSA) related to COVID-19 vaccine mandates for travellers entering Canada complied with the Privacy Act. The OPC found that the agencies had the authority to collect this information as it was directly related to their mandate under the Quarantine Act and the Emergency Orders. While the OPC identified some weaknesses in PHAC's documentation regarding the necessity and proportionality of the measures, overall, the collection, use, and disclosure of personal information were deemed compliant with the Act.

• Whether personal information collected was directly related to an operating program or activity of PHAC and CBSA.
• Whether personal information was used or disclosed for the purpose for which it was compiled or in accordance with an Act of Parliament.
• Whether personal information was disposed of in accordance with the Privacy Regulations and the Directive on Privacy Practices.
• Whether the collection of personal information under the Emergency Orders was necessary and proportional.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding erroneous quarantine notifications sent by the ArriveCAN application to approximately 10,200 Apple device users. The OPC found that the Canada Border Services Agency (CBSA) did not take all reasonable steps to ensure the accuracy of the personal information used for administrative decisions, contravening subsection 6(2) of the Privacy Act. The CBSA disagreed with this finding and refused to correct the inaccurate information, although they later informed the OPC that the defect had been fixed and affected individuals notified.

• Whether the CBSA took all reasonable steps to ensure the accuracy of personal information used for administrative decisions.
• Whether the 'quarantine_exempted' data field constituted personal information used for an administrative purpose.
• Whether the CBSA's pre-release testing, human intervention, and correction mechanisms were adequate.
• Whether the CBSA should correct the erroneous information it holds despite the measures taken.

This investigation examined whether COVID-19 vaccination attestation requirements implemented by several federal separate employers for their employees complied with the Privacy Act. The OPC found that the collection and use of vaccination status information, including for accommodation requests, was authorized under the Act and directly related to the employers' operating programs, specifically workplace health and safety during the pandemic. While not a strict legal requirement of the Act, the OPC also assessed the necessity and proportionality of these measures and found them to be reasonable given the exceptional circumstances of the pandemic.

• Whether the collection of COVID-19 vaccination status information was directly related to an operating program or activity of the institutions.
• Whether the use and disclosure of vaccination status information, including for accommodation requests, was authorized under the Privacy Act.
• The necessity and proportionality of the vaccination attestation measures in the context of the COVID-19 pandemic.

This investigation examined the COVID-19 vaccination attestation requirements established by the Department of National Defence (DND) for members of the Canadian Armed Forces (CAF). The Office of the Privacy Commissioner of Canada (OPC) found that DND/CAF had the authority to collect this information under the National Defence Act and Part II of the Canada Labour Code. The use and disclosure of the information were generally consistent with the purposes for which it was collected. Although DND declined to implement a recommendation to strengthen oversight of access controls in the Monitor MASS system, the OPC found no instances of inappropriate access or disclosure. The OPC also determined that DND took reasonable steps to ensure the accuracy of the vaccination status information collected.

• Whether DND/CAF's collection of COVID-19 vaccination status information directly related to an operating program or activity of the institution.
• Whether the use of collected vaccination status information was authorized under section 7 of the Privacy Act.
• Whether the use of the Monitor MASS system resulted in unauthorized disclosure of information.
• Whether DND/CAF took reasonable steps to ensure the accuracy of vaccination status information.

This Special Report to Parliament details the OPC's investigations into federal government privacy practices during the COVID-19 pandemic. It examined vaccine mandates for travel and employment, the ArriveCAN app, and the use of mobility data. While most government measures complied with the Privacy Act, the OPC identified areas for improvement, including the need for clearer objectives in mandates and better documentation of less privacy-intrusive alternatives. An error in the ArriveCAN app led to incorrect quarantine notifications, and a PIPEDA investigation found a private company misused a traveller's contact information for marketing.

• Compliance of COVID-19 measures with the Privacy Act
• Necessity and proportionality of personal information collection
• Accuracy of personal information used in administrative decisions (ArriveCAN)
• Use of de-identified mobility data and PIPEDA compliance

This investigation examined the COVID-19 vaccination attestation requirements for federal public servants. The OPC found that the collection of vaccination status was directly related to the employer's health and safety obligations. However, the Treasury Board of Canada Secretariat (TBS) contravened the Act by failing to update its index of personal information banks within the required timeframe. The OPC also assessed the necessity and proportionality of the measures, concluding they were justified given the pandemic context, though TBS's documentation and response during the investigation were found to be lacking.

• Whether the collection of employee vaccination status was directly related to an operating program or activity.
• Whether institutions met transparency requirements under the Act.
• Whether disclosures of personal information were authorized.
• Necessity and proportionality of the vaccination attestation measures.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that the Canada Border Services Agency (CBSA) contravened the Privacy Act by collecting and using DNA from a complainant for genetic genealogy analysis to determine his nationality for deportation purposes. The OPC found that the CBSA contravened the Act by failing to obtain valid authorization for the indirect collection of the complainant's genetic information from FamilyTreeDNA (FTDNA), by improperly disclosing his personal information to other FTDNA users, and by failing to adequately describe the collection of relatives' genetic information in its public notices (PIBs).

• Was the CBSA's collection of genetic genealogy information directly related to its operations?
• Was the authorization for indirect collection from FTDNA valid?
• Did incidental disclosures of personal information contravene the Act?
• Were the transparency obligations under Section 11 met?

The spouse of a Correctional Services Canada (CSC) employee complained that the employee's manager inappropriately collected personal information about them from their public Facebook page in relation to the employee's use of "Other leave with pay (699)". The OPC found that CSC contravened section 4 of the Privacy Act by collecting information that was not related directly to an operating program or activity of CSC. The OPC also noted that CSC's ATIP office incorrectly advised the complainant on how to raise a privacy concern.

• Whether the collection of personal information from a public Facebook page was related directly to an operating program or activity of CSC.
• Whether information collected from a public source is exempt from the collection provisions of the Privacy Act.
• Whether CSC's ATIP office provided appropriate guidance to a member of the public wishing to raise a privacy concern.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint concerning the Immigration and Refugee Board of Canada's (IRB) improper disclosure of an employee's sensitive medical information to their management team. The IRB shared a "Fitness to Work" report containing intimate medical details without the employee's consent and beyond what was necessary for accommodation. The OPC found that while some information disclosure was consistent with the purpose of collection, the disclosure of highly sensitive medical information was not, thus contravening the Privacy Act. The IRB has since updated its policies and tools, but the OPC found the complaint to be well-founded and not adequately resolved, urging the IRB to implement its recommendations, including training and a meaningful apology.

• Whether the IRB obtained the complainant's consent to disclose their medical information.
• Whether the disclosure of the medical information in the FTW report to management constituted a "consistent use" under paragraph 8(2)(a) of the Privacy Act.
• Whether the IRB's disclosure practices complied with the Treasury Board Secretariat's "Standard" on fitness to work evaluations.
• The adequacy of the IRB's response to the OPC's recommendations.

An individual complained that Transport Canada failed to publish a description of the Personal Information Bank (PIB) for its Incentives for Zero-Emission Vehicles Program. The investigation found that Transport Canada did not submit the PIB description for approval until 19 months after the program launched, and it was still not approved by the Treasury Board Secretariat (TBS) by the time the OPC's report was issued. Transport Canada has since confirmed the PIB has been approved and published.

• Failure to publish a Personal Information Bank (PIB) description for a program
• Timeliness of PIB approval and publication by government institutions and TBS
• Adequate notification to individuals about the collection and use of their personal information