Federal (Canada) Privacy Decisions

The complainant requested historical Canadian intelligence assessment records. The Privy Council Office (PCO) initially withheld information under subsections 15(1) (national security) and 19(1) (personal information) of the Access to Information Act. While the OIC found PCO's use of subsection 19(1) justified, it determined that PCO failed to demonstrate how disclosing the remaining information under subsection 15(1) would cause harm. The Information Commissioner ordered PCO to disclose the records.

• Whether the Privy Council Office met the requirements of subsection 15(1) of the Access to Information Act for withholding records related to distribution markings, CSE employee names, and allied distribution lists.
• Whether the Privy Council Office met the requirements of subsection 19(1) of the Access to Information Act for withholding personal information.
• Whether the Privy Council Office reasonably exercised its discretion in deciding not to disclose the information withheld under subsection 15(1).
• The timeliness and appropriateness of the Privy Council Office's submissions following the issuance of the initial report.

The complainant alleged that the Canada Mortgage and Housing Corporation (CMHC) improperly withheld information under several sections of the Access to Information Act, including government information, personal information, third-party commercial information, advice, deliberations, and solicitor-client privilege. The scope of the complaint was narrowed during the investigation. While CMHC disclosed some information, it continued to withhold information under paragraph 20(1)(b) related to third parties TD Bank Financial Group and Andrew Kalotay Associates, Inc. The Information Commissioner found that CMHC failed to demonstrate that this information met the requirements of paragraph 20(1)(b) and ordered its disclosure.

• Applicability of paragraph 20(1)(b) to withheld information
• Confidentiality of third-party information
• Objective standard for confidentiality
• Third-party representations

This Special Report to Parliament details the OPC's investigations into federal government privacy practices during the COVID-19 pandemic. It examined vaccine mandates for travel and employment, the ArriveCAN app, and the use of mobility data. While most government measures complied with the Privacy Act, the OPC identified areas for improvement, including the need for clearer objectives in mandates and better documentation of less privacy-intrusive alternatives. An error in the ArriveCAN app led to incorrect quarantine notifications, and a PIPEDA investigation found a private company misused a traveller's contact information for marketing.

• Compliance of COVID-19 measures with the Privacy Act
• Necessity and proportionality of personal information collection
• Accuracy of personal information used in administrative decisions (ArriveCAN)
• Use of de-identified mobility data and PIPEDA compliance

This investigation examined the COVID-19 vaccination attestation requirements established by the Department of National Defence (DND) for members of the Canadian Armed Forces (CAF). The Office of the Privacy Commissioner of Canada (OPC) found that DND/CAF had the authority to collect this information under the National Defence Act and Part II of the Canada Labour Code. The use and disclosure of the information were generally consistent with the purposes for which it was collected. Although DND declined to implement a recommendation to strengthen oversight of access controls in the Monitor MASS system, the OPC found no instances of inappropriate access or disclosure. The OPC also determined that DND took reasonable steps to ensure the accuracy of the vaccination status information collected.

• Whether DND/CAF's collection of COVID-19 vaccination status information directly related to an operating program or activity of the institution.
• Whether the use of collected vaccination status information was authorized under section 7 of the Privacy Act.
• Whether the use of the Monitor MASS system resulted in unauthorized disclosure of information.
• Whether DND/CAF took reasonable steps to ensure the accuracy of vaccination status information.

This investigation examined whether the collection, use, retention, and disclosure of personal information by the Public Health Agency of Canada (PHAC) and the Canada Border Services Agency (CBSA) related to COVID-19 vaccine mandates for travellers entering Canada complied with the Privacy Act. The OPC found that the agencies had the authority to collect this information as it was directly related to their mandate under the Quarantine Act and the Emergency Orders. While the OPC identified some weaknesses in PHAC's documentation regarding the necessity and proportionality of the measures, overall, the collection, use, and disclosure of personal information were deemed compliant with the Act.

• Whether personal information collected was directly related to an operating program or activity of PHAC and CBSA.
• Whether personal information was used or disclosed for the purpose for which it was compiled or in accordance with an Act of Parliament.
• Whether personal information was disposed of in accordance with the Privacy Regulations and the Directive on Privacy Practices.
• Whether the collection of personal information under the Emergency Orders was necessary and proportional.

This investigation examined whether mobility data collected by the Public Health Agency of Canada (PHAC) during the COVID-19 pandemic contained personal information as defined under the Privacy Act. The investigation found that the de-identification techniques and safeguards against re-identification implemented by PHAC and its data providers reduced the risk of identifying individuals below the "serious possibility" threshold. Consequently, the complaints were deemed not well-founded, as PHAC did not contravene the Privacy Act.

• Whether the mobility data collected constituted personal information under the Privacy Act.
• The adequacy of de-identification and aggregation techniques to prevent re-identification.
• Whether access to data within a provider's system constitutes collection under the Act.
• The need for transparency regarding the use of de-identified data.

This investigation examined whether the collection, use, and disclosure of traveller vaccination status by Transport Canada, VIA Rail, and CATSA complied with the Privacy Act. The Office of the Privacy Commissioner found that the personal information was collected, used, and disclosed in compliance with the Act's requirements. While the Act does not mandate necessity and proportionality, the OPC also considered these principles and found the measures were generally necessary and proportional, though recommended clearer definition of objectives and documentation of less privacy-invasive alternatives for future initiatives.

• Whether the collection of vaccination information was directly related to the operating programs or activities of CATSA and VIA Rail.
• Whether the use and disclosure of personal information, and the centralized collection by Transport Canada, complied with sections 4, 7, and 8 of the Privacy Act.
• Whether the collection of personal information was necessary and proportional, considering the circumstances and available alternatives.

This investigation examined the COVID-19 vaccination attestation requirements for federal public servants. The OPC found that the collection of vaccination status was directly related to the employer's health and safety obligations. However, the Treasury Board of Canada Secretariat (TBS) contravened the Act by failing to update its index of personal information banks within the required timeframe. The OPC also assessed the necessity and proportionality of the measures, concluding they were justified given the pandemic context, though TBS's documentation and response during the investigation were found to be lacking.

• Whether the collection of employee vaccination status was directly related to an operating program or activity.
• Whether institutions met transparency requirements under the Act.
• Whether disclosures of personal information were authorized.
• Necessity and proportionality of the vaccination attestation measures.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding erroneous quarantine notifications sent by the ArriveCAN application to approximately 10,200 Apple device users. The OPC found that the Canada Border Services Agency (CBSA) did not take all reasonable steps to ensure the accuracy of the personal information used for administrative decisions, contravening subsection 6(2) of the Privacy Act. The CBSA disagreed with this finding and refused to correct the inaccurate information, although they later informed the OPC that the defect had been fixed and affected individuals notified.

• Whether the CBSA took all reasonable steps to ensure the accuracy of personal information used for administrative decisions.
• Whether the 'quarantine_exempted' data field constituted personal information used for an administrative purpose.
• Whether the CBSA's pre-release testing, human intervention, and correction mechanisms were adequate.
• Whether the CBSA should correct the erroneous information it holds despite the measures taken.