Federal (Canada) Privacy Decisions

The complainant requested his minor child's passport application from Immigration, Refugees and Citizenship Canada (IRCC), citing a court order granting him access to his children's information. IRCC denied the request, stating the child's consent was required. The OPC found that while the complainant had legal authorization to act on his child's behalf, the request was not made for the child's benefit or best interests, a key condition under the Privacy Regulations. Therefore, the OPC concluded that the complainant did not have a right of access to the child's personal information.

• Whether a parent has an automatic right of access to a minor child's personal information under the Privacy Act.
• Interpretation of the Privacy Regulations regarding requests made on behalf of a minor.
• Whether the complainant's request served the child's best interests.
• The decision-making capacity of a minor regarding their personal information.

The complainant, as executor of a deceased individual's estate, requested personal information from the Department of National Defence (DND). DND refused to disclose most information, citing Privacy Act exemptions and arguing the request didn't meet the criteria for accessing information on behalf of a deceased person. The OPC found that the complainant was entitled to make the request for estate administration purposes and that DND failed to conduct an adequate search. DND agreed to conduct searches and provide a new response, leading to the complaint being conditionally resolved.

• Eligibility of an estate executor to request personal information of a deceased individual.
• Proper application of section 26 of the Privacy Act (disclosure of personal information about others).
• Adequacy of DND's search for requested records.
• DND's obligation to process formal access requests even if informal avenues exist.

The OPC investigated a complaint that the Canada Revenue Agency (CRA) failed to ensure the accuracy of a taxpayer's personal information used for administrative decisions. An imposter used the complainant's compromised CRA My Account to fraudulently receive COVID-19 benefits and Employment Insurance. The investigation found that the CRA's inadequate safeguards allowed unauthorized access and modification, contravening section 6(2) of the Privacy Act. The CRA has since implemented corrective measures.

• Adequacy of safeguards to protect against unauthorized access and modification of personal information.
• Reasonable steps taken by the CRA to ensure the accuracy of personal information used for administrative decisions.
• Timeliness of notification and privacy breach reporting.
• Impact of identity theft on tax reassessments.

The Office of the Privacy Commissioner of Canada investigated a complaint from a federal government employee who alleged that her personal information was repeatedly disclosed to another employee with the same name, and that administrative errors occurred in their files. The OPC found that the institution contravened the Privacy Act by improperly disclosing the complainant's personal information and by failing to ensure the accuracy of information used for administrative purposes. The complaint was found to be well-founded but conditionally resolved after the institution committed to implementing corrective measures.

• Unauthorized disclosure of personal information under section 8 of the Privacy Act.
• Failure to ensure the accuracy and completeness of personal information used for administrative purposes under subsection 6(2) of the Privacy Act.
• Lack of employee awareness regarding privacy breach reporting procedures.
• Systemic nature of errors due to employees having the same name.

A representative acting for the executor of an estate requested personal information about a deceased individual from the Department of National Defence (DND). DND determined the representative was not entitled to the information under paragraph 10(b) of the Privacy Regulations because they did not sufficiently demonstrate a connection between the information sought and the administration of the estate. While DND processed the request informally and disclosed some information under another provision of the Act, they did not clearly state the grounds for refusal. The OPC found the complaint not well-founded as the representative failed to adequately articulate and substantiate the estate's purposes and how the records would serve them.

• Whether the representative was authorized to make a request on behalf of the deceased under paragraph 10(b) of the Privacy Regulations for the purpose of administering the estate.
• Whether the representative sufficiently demonstrated a connection between the information sought and the administration of the deceased's estate.
• Whether DND properly notified the representative of the refusal and the basis for it.
• Whether DND properly handled the request informally.

This special report from the OPC investigated the RCMP's Project Wide Awake initiative, which uses third-party services to collect open-source information. The investigation found that the RCMP did not conduct adequate due diligence to ensure that the personal information collected via the Babel X service and its data providers was compliant with Canadian privacy laws. Additionally, the RCMP failed to meet its transparency obligations under the Privacy Act by providing inadequate descriptions of its open-source information collection practices and purposes in its Personal Information Banks.

• Compliance with collection provisions of the Privacy Act
• Adequacy of due diligence regarding third-party data collection practices
• Adequacy of transparency obligations under the Privacy Act
• Sufficiency of Personal Information Bank descriptions

This special report details an investigation into cyber attacks that compromised sensitive personal information held by the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC). Attackers used stolen credentials to access online accounts, leading to unauthorized disclosures, modifications, and identity theft. The investigation found that both departments failed to implement adequate authentication, security decision-making, and monitoring practices, contravening sections 8 and 6(2) of the Privacy Act. While both departments accepted recommendations for improvement, some weaknesses persist.

• Inadequate identity and credential assurance measures
• Insufficiently informed and accountable security decision-making
• Lack of effective monitoring and timely breach containment
• Contravention of Privacy Act sections 8 (disclosure) and 6(2) (accuracy)

Immigration, Refugees and Citizenship Canada (IRCC) contravened the Privacy Act when an employee inadvertently sent 497 emails containing personal information to the wrong email addresses. The investigation found that IRCC had insufficient administrative and procedural controls to prevent such errors. While IRCC took steps to notify affected individuals and mitigate harm, the Office of the Privacy Commissioner recommended improvements to prevent future breaches. IRCC accepted these recommendations and implemented enhanced measures, leading the OPC to consider the matter resolved.

• Whether IRCC contravened section 8 of the Privacy Act by disclosing personal information to unintended recipients.
• Adequacy of IRCC's administrative and procedural controls to prevent accidental disclosures.
• Effectiveness of IRCC's measures to mitigate the impact of the breach on affected individuals.
• Sufficiency of IRCC's actions to reduce the risk of recurrence.