Federal (Canada) Privacy Decisions

An individual complained that a bank employee improperly disclosed her account balance to her estranged husband. The bank acknowledged that its employee likely contravened PIPEDA by disclosing the information without consent. The matter was settled between the complainant and the bank, and the OPC agreed to consider the complaint settled, as no systemic issues were found.

• Improper disclosure of personal information by a bank employee.
• Lack of knowledge and consent for disclosure of personal information.
• Adequacy of bank's privacy policies and training.

An individual complained that a retail store inappropriately collected her personal information and disclosed it to a financial institution, and that the financial institution used and disclosed her information without consent. The retail store's salesperson processed the credit application before obtaining the customer's signature, leading to an approved credit card despite the customer's decision not to proceed. The financial institution stated it did not share information with third parties and took corrective actions, including removing an inquiry from the customer's credit file. The retail store also implemented new procedures.

• Inappropriate collection of personal information by a retail store
• Unauthorized disclosure of personal information to a financial institution
• Use and disclosure of personal information by a financial institution without consent
• Failure to obtain customer signature before processing credit application

An individual complained about receiving an unsolicited commercial email from a company's sales agent. The company was unaware of this practice, which it does not approve of. The company instructed the agent to cease using email for marketing, and the agent confirmed compliance. The complainant was satisfied, and the matter was settled.

• Use of unsolicited commercial email for marketing
• Company's awareness and control over agent practices
• Company's privacy policy and officer appointment

This report details an investigation into CIBC's handling of misdirected faxes containing customer personal information, which occurred between 2001 and 2004. The investigation found that CIBC's privacy practices failed to adequately address these incidents, resulting in breaches of customer data and trust. The bank has since implemented significant remedial measures to enhance its privacy safeguards.

• Adequacy of CIBC's privacy policies and procedures
• Effectiveness of CIBC's response to misdirected fax incidents
• Timeliness and appropriateness of customer notification following a privacy breach
• Organizational awareness and adherence to privacy obligations

The OPC investigated two separate incidents where health information was sent by facsimile to the wrong recipient. In the first incident, Dynacare sent a misdirected fax containing personal health information. In the second incident, Viewpoint sent a medical evaluation to an incorrect number. Both companies were found to have contravened PIPEDA by disclosing personal information without consent. Recommendations were made to both companies regarding faxing procedures, employee training, and notification of affected individuals.

• Disclosure of personal health information without consent via misdirected facsimile transmission
• Responsibility for and accountability of employees in faxing personal information
• Adequacy of organizational policies and procedures for protecting personal information during transmission
• Notification of individuals whose personal information has been disclosed

An individual complained that a department store disclosed his personal information to a third party for a mail solicitation, despite his prior request not to share his data. The investigation found that no personal information was actually disclosed; the mail-out was conducted by the department store on behalf of the third party. The store agreed to clarify its mailings and review its opt-out policies. The complaint was settled.

• Disclosure of personal information to a third party
• Clarity of consent and opt-out mechanisms
• Cross-promotion versus disclosure to non-affiliated third parties

The complainant alleged that a collection agency failed to report a paid-off debt to credit bureaux, negatively impacting his ability to secure credit. After the OPC's involvement, the agency investigated, confirmed the debt was paid, and updated the credit bureaux, resolving the issue. The complaint was settled during the investigation.

• Accuracy of credit reporting
• Timeliness of information updates to credit bureaux

Employees complained that a list containing their names, identification and seniority numbers, and social insurance numbers (SINs) was shared with their union without their knowledge or consent. The company admitted fault, stating the SIN was inadvertently included on one list and was visible on another shared with the union. The company implemented changes, including no longer requiring SINs for severance applications and amending consent forms for sharing employee information with the union.

• Disclosure of personal information to a third party (union)
• Inclusion of SIN on employee lists
• Lack of employee consent for disclosure

An individual complained that a bank inappropriately required him to consent to a credit check when applying online for a no-fee personal deposit account. He was also concerned about other information requested, including his Social Insurance Number. The bank agreed to modify its online application forms to clarify consent requirements for credit checks and to make the SIN optional. The length of employment will only be required for applicants seeking credit.

• Consent to credit check for deposit account
• Collection of Social Insurance Number (SIN)
• Clarity of information exchange with credit bureaus

An individual complained that a pharmacy required them to sign a consent form authorizing overly broad disclosure practices before providing medication. The complainant was concerned about information being disclosed for marketing purposes and their ability to obtain necessary medication if consent was refused. The OPC clarified with the pharmacy chain that they did not disclose customer information for secondary marketing. The company revised its consent form and implemented a policy allowing verbal consent for privacy practices.

• Consent to disclosure of personal information
• Disclosure of personal information for marketing purposes
• Impact of consent requirements on access to essential services

The Office investigated two complaints concerning banks revealing excessive personal information through envelope windows. In one case, Social Insurance Numbers were visible. In the other, bankruptcy information was inadvertently displayed on a dormant account notice. Both banks implemented new processes to prevent such disclosures, and the complaints were settled.

• Visibility of SINs through envelope windows
• Disclosure of bankruptcy status on envelopes
• Adequate protection of personal information in mailings

The complainant alleged his former employer, an interprovincial trucking company, disclosed his personal information to a creditor without his consent. The investigation found no evidence to support the allegation, and determined the complainant had provided some information himself. The company implemented a privacy policy and appointed an Information Officer.

• Disclosure of personal information without consent

The complainant alleged that an insurance company required her to consent to overly broad collection, use, and disclosure practices when applying for life insurance. While the company's actual practices were found to be consistent with the Act, it agreed to revise its consent language to be more precise and clear. The complainant was satisfied with these assurances, and the matter was settled.

• Clarity and precision of consent language
• Overly broad collection, use, and disclosure practices

A complainant's original laptop, containing her personal information, was sold by a store after it was returned for repair. The store had failed to wipe the data from the hard drive. The laptop was eventually retrieved and returned to the complainant. The store implemented new policies to ensure customer information is wiped from returned devices, resolving the complaint.

• Adequacy of safeguards for personal information on returned electronic devices
• Employee failure to follow data wiping procedures
• Unauthorized disclosure of personal information

A former employee complained that his former trucking company employer had disclosed personal information about him to other trucking firms after his employment was terminated. The complaint was settled after discussions between the company, the complainant, and the Office. The trucking company agreed to develop privacy policies and procedures and designated a privacy officer, which were confirmed to the Office.

• Disclosure of personal information
• Development of privacy policies and procedures
• Designation of a privacy officer