Federal (Canada) Privacy Decisions

This special report details an investigation into unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency (CRA). The Office of the Privacy Commissioner (OPC) found that the CRA contravened the Privacy Act regarding accuracy and disclosure of personal information. While the CRA has made efforts to improve its security, shortcomings remain in prevention, monitoring, detection, remediation, and governance, particularly concerning the handling of "Unauthorized Use of Taxpayer Information by a Third Party" (UUTP) incidents. The investigation concluded that the CRA contravened subsections 6(2) and 8(2) of the Act.

• Adequacy of safeguards to protect taxpayer personal information from unauthorized disclosure and modification.
• Timeliness and strength of multi-factor authentication implementation.
• Effectiveness of monitoring and detection mechanisms for UUTPs.
• Coordination and proactivity of the CRA's governance for addressing UUTPs.

The OPC investigated a complaint alleging that Immigration, Refugees and Citizenship Canada (IRCC) improperly withheld access to personal information. The complainant requested the "History Section" of their case file, but IRCC only provided a subset of information from other sections, referred to as the "Short Form" report. The OPC found that IRCC's practice of systematically retrieving and processing only the Short Form report contravenes section 12 of the Privacy Act, as it fails to provide individuals with access to all personal information under the government's control. Although the specific file was eventually provided, IRCC refused to update its procedures to address the systemic issue.

• Whether IRCC's practice of only retrieving and processing a "Short Form" subset of records in response to access requests complies with the Privacy Act's access obligations.
• Whether the "History Section" of the Global Case Management System (GCMS) file contains personal information.
• Whether IRCC's assertion that information outside the "Short Form" would always be withheld under exemptions is valid.
• Whether IRCC's failure to commit to updating its procedures constitutes a continuing contravention of the Privacy Act.

An employee of the Canada Border Services Agency (CBSA) complained that their personal information was inadvertently disclosed to colleagues due to improperly set folder permissions in the CBSA's information management system, Apollo. The CBSA confirmed the contravention of section 8 of the Privacy Act. While the CBSA took steps to correct the issue and improve practices, it did not commit to mandatory, trackable training for managing permissions, leading the OPC to find the complaint well-founded but unresolved.

• Whether CBSA contravened section 8 of the Privacy Act by improperly disclosing employee personal information.
• Adequacy of CBSA's response and corrective measures.
• Whether CBSA's training and awareness initiatives for managing information system permissions are sufficient.
• Whether the matter is resolved given CBSA's non-commitment to mandatory, trackable training.

This investigation examined the Treasury Board of Canada Secretariat's (TBS) handling of employee personal information related to the administration of the Direction on Prescribed Presence in the Workplace, which mandates minimum on-site workdays. The Office of the Privacy Commissioner of Canada (OPC) found that TBS's practices for both organizational compliance reporting (using aggregated data like turnstile and HR data) and individual compliance monitoring (relying on manager observation and self-reporting) were compliant with the Privacy Act. The OPC concluded that the complaint was not well-founded, noting TBS's effective balance between operational needs and employee privacy.

• Collection of employee personal information for hybrid work model compliance
• Retention and disposal of personal information
• Use and disclosure of personal information
• Transparency and adequacy of Personal Information Banks (PIBs)

The Office of the Privacy Commissioner of Canada (OPC) investigated the Canada Border Services Agency's (CBSA) contracting practices related to the ArriveCAN application following a complaint and a request from a parliamentary committee. The investigation examined whether contractors had inappropriate access to travellers' personal information. While the OPC found no contravention of the Privacy Act, it identified shortcomings in the CBSA's contracting processes, such as issues with the timeliness and accuracy of security assessments and broad task descriptions in contracts. The OPC made recommendations to improve the CBSA's practices, which the agency accepted.

• Whether CBSA authorized contractors to access personal information without required security clearances.
• Accuracy and timeliness of security requirement assessments for contracts.
• Clarity and specificity of task descriptions in contracts and task authorizations.
• CBSA's compliance with security requirements for personnel and organizations involved in ArriveCAN contracts.

An inmate alleged that Correctional Service Canada (CSC) failed to retain video footage of use of force incidents involving them, violating the Privacy Act's retention obligations. The OPC found that CSC did dispose of footage that it was obligated to retain for at least two years under the Act. CSC agreed to implement enhanced oversight, including monthly attestations and quarterly audits of use of force footage retention in its Pacific Region.

• Obligation to retain personal information used for administrative purposes under the Privacy Act
• Adequacy of institutional policies for video retention
• Ensuring reasonable access to personal information
• Effectiveness of oversight measures for compliance

This report details an investigation into the unauthorized disclosure of personal information of over 18,000 Canada Border Services Agency (CBSA) employees due to improperly shared spreadsheets. While the CBSA contravened section 8 of the Privacy Act by disclosing information beyond what was necessary for the stated purposes, the agency took appropriate steps to notify affected individuals, contain the breaches, and implement measures to prevent recurrence. These measures included new data request procedures and the development of a new information management system.

• Whether the CBSA contravened section 8 of the Privacy Act by disclosing personal information.
• Whether the CBSA took adequate steps to notify affected individuals.
• Whether the CBSA took adequate steps to contain the impact of the breaches.
• Whether the CBSA took adequate steps to reduce the risk of future breaches.