Federal (Canada) Privacy Decisions

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding erroneous quarantine notifications sent by the ArriveCAN application to approximately 10,200 Apple device users. The OPC found that the Canada Border Services Agency (CBSA) did not take all reasonable steps to ensure the accuracy of the personal information used for administrative decisions, contravening subsection 6(2) of the Privacy Act. The CBSA disagreed with this finding and refused to correct the inaccurate information, although they later informed the OPC that the defect had been fixed and affected individuals notified.

• Whether the CBSA took all reasonable steps to ensure the accuracy of personal information used for administrative decisions.
• Whether the 'quarantine_exempted' data field constituted personal information used for an administrative purpose.
• Whether the CBSA's pre-release testing, human intervention, and correction mechanisms were adequate.
• Whether the CBSA should correct the erroneous information it holds despite the measures taken.

This investigation examined whether the collection, use, retention, and disclosure of personal information by the Public Health Agency of Canada (PHAC) and the Canada Border Services Agency (CBSA) related to COVID-19 vaccine mandates for travellers entering Canada complied with the Privacy Act. The OPC found that the agencies had the authority to collect this information as it was directly related to their mandate under the Quarantine Act and the Emergency Orders. While the OPC identified some weaknesses in PHAC's documentation regarding the necessity and proportionality of the measures, overall, the collection, use, and disclosure of personal information were deemed compliant with the Act.

• Whether personal information collected was directly related to an operating program or activity of PHAC and CBSA.
• Whether personal information was used or disclosed for the purpose for which it was compiled or in accordance with an Act of Parliament.
• Whether personal information was disposed of in accordance with the Privacy Regulations and the Directive on Privacy Practices.
• Whether the collection of personal information under the Emergency Orders was necessary and proportional.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that the Canada Border Services Agency (CBSA) contravened the Privacy Act by collecting and using DNA from a complainant for genetic genealogy analysis to determine his nationality for deportation purposes. The OPC found that the CBSA contravened the Act by failing to obtain valid authorization for the indirect collection of the complainant's genetic information from FamilyTreeDNA (FTDNA), by improperly disclosing his personal information to other FTDNA users, and by failing to adequately describe the collection of relatives' genetic information in its public notices (PIBs).

• Was the CBSA's collection of genetic genealogy information directly related to its operations?
• Was the authorization for indirect collection from FTDNA valid?
• Did incidental disclosures of personal information contravene the Act?
• Were the transparency obligations under Section 11 met?

The spouse of a Correctional Services Canada (CSC) employee complained that the employee's manager inappropriately collected personal information about them from their public Facebook page in relation to the employee's use of "Other leave with pay (699)". The OPC found that CSC contravened section 4 of the Privacy Act by collecting information that was not related directly to an operating program or activity of CSC. The OPC also noted that CSC's ATIP office incorrectly advised the complainant on how to raise a privacy concern.

• Whether the collection of personal information from a public Facebook page was related directly to an operating program or activity of CSC.
• Whether information collected from a public source is exempt from the collection provisions of the Privacy Act.
• Whether CSC's ATIP office provided appropriate guidance to a member of the public wishing to raise a privacy concern.

The complainant alleged that Transport Canada improperly withheld information regarding applications and Minimum Safe Manning Documents for the motor vessel Spirit of Vancouver Island, citing personal information and confidential third-party commercial/technical information exemptions. The Information Commissioner found that the personal information exemption was no longer at issue. While some information on page 50 met the criteria for the third-party emergency management plan exemption (paragraph 20(1)(b.1)), the Commissioner found that only the titles and headings of that document should be disclosed. The Commissioner also found that the third-party commercial/technical information exemption (paragraph 20(1)(b)) was not met for any of the remaining withheld information.

• Application of paragraph 20(1)(b.1) to emergency management plans
• Application of paragraph 20(1)(b) to confidential third-party information
• Whether Transport Canada properly exercised its discretion regarding disclosure
• Whether the institution met the burden of proof for the exemptions

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint concerning the Immigration and Refugee Board of Canada's (IRB) improper disclosure of an employee's sensitive medical information to their management team. The IRB shared a "Fitness to Work" report containing intimate medical details without the employee's consent and beyond what was necessary for accommodation. The OPC found that while some information disclosure was consistent with the purpose of collection, the disclosure of highly sensitive medical information was not, thus contravening the Privacy Act. The IRB has since updated its policies and tools, but the OPC found the complaint to be well-founded and not adequately resolved, urging the IRB to implement its recommendations, including training and a meaningful apology.

• Whether the IRB obtained the complainant's consent to disclose their medical information.
• Whether the disclosure of the medical information in the FTW report to management constituted a "consistent use" under paragraph 8(2)(a) of the Privacy Act.
• Whether the IRB's disclosure practices complied with the Treasury Board Secretariat's "Standard" on fitness to work evaluations.
• The adequacy of the IRB's response to the OPC's recommendations.

The complainant alleged that Public Safety Canada's 240-day extension to respond to an access request was unreasonable. The request was for correspondence between Public Safety and the RCMP in May 2022. Public Safety could not justify the lengthy extension, as the volume of records was not large and the RCMP's consultation timeline was based on service standards rather than record complexity. The Information Commissioner found the extension invalid, deeming the delay a refusal of access.

• Reasonableness of time extension under subsection 9(1) of the ATIA
• Definition of 'large number of records' under paragraph 9(1)(a)
• Justification for consultation delays under paragraph 9(1)(b)
• Timeliness of institution's response

The complainant alleged that the Public Health Agency of Canada (PHAC) did not conduct a reasonable search for records related to masks, requested under the Access to Information Act. PHAC initially stated no records existed as an employee deleted their entire email mailbox. During the investigation, PHAC conducted additional searches and found responsive records. The Commissioner found the complaints to be well-founded due to the initial inadequate search.

• Reasonableness of the search conducted by the institution
• Disposition of electronic records by an employee
• Institution's obligation to search beyond the employee's direct records
• Information management practices of the institution

The complainant alleged that Public Services and Procurement Canada (PSPC) failed to respond to an access request for records concerning the procurement of new handguns for the military within the 30-day time limit. PSPC did not respond by the due date of July 5, 2021, and cited backlogs, operational challenges, and staffing issues for the delay. The Information Commissioner found the complaint well-founded, noting that these reasons do not absolve PSPC of its statutory obligation.

• Timeliness of response to access request
• Effect of operational challenges and staffing shortages on statutory obligations
• Definition of a "response" under the Act

The complainant alleged that National Defence (DND) failed to respond to an access request within the 30-day timeframe. DND refused to process the request, believing it did not meet the clarity requirements of section 6 of the Access to Information Act. The Information Commissioner found that the request did meet the requirements and that DND should have processed it without clarification. DND was therefore deemed to have refused access. The Commissioner ordered DND to provide a complete response to the request, and DND indicated it would comply.

• Whether the access request met the requirements of section 6 of the Access to Information Act.
• Whether National Defence properly refused to process the access request.
• Whether National Defence failed to respond within the time limits set out in the Act.

The complainant alleged that CSIS failed to sufficiently identify which portions of the requested records were redacted and on what basis. CSIS used negative redactions and did not specify exemptions on the records themselves, claiming it could cause harm. The Information Commissioner found this insufficient, recommending CSIS provide a new response clearly identifying withheld portions and citing specific exemptions, cease using negative redactions, and cite exemptions on the records themselves. CSIS agreed to implement these recommendations.

• Adequacy of identification of redacted portions and grounds for withholding.
• Propriety of using negative redactions.
• Requirement to cite exemptions on the records themselves versus in response letters.
• CSIS's obligation to assist the requester.

The complainant alleged that National Defence did not conduct a reasonable search for records related to unidentified aerial phenomena (UAP). The investigation found that the institution misinterpreted the request and relied too heavily on a keyword search. An additional search was ordered, which located 11 pages of previously unreleased records. National Defence has stated it will comply with the order to release these records.

• Reasonableness of search
• Interpretation of access request
• Use of keyword search

An individual complained that Transport Canada failed to publish a description of the Personal Information Bank (PIB) for its Incentives for Zero-Emission Vehicles Program. The investigation found that Transport Canada did not submit the PIB description for approval until 19 months after the program launched, and it was still not approved by the Treasury Board Secretariat (TBS) by the time the OPC's report was issued. Transport Canada has since confirmed the PIB has been approved and published.

• Failure to publish a Personal Information Bank (PIB) description for a program
• Timeliness of PIB approval and publication by government institutions and TBS
• Adequate notification to individuals about the collection and use of their personal information

Twenty federal employees complained after the Treasury Board of Canada Secretariat (TBS) mistakenly disclosed their email addresses and the fact they had filed claims for damages related to the Severe Phoenix Impacts program. The OPC found that TBS contravened the Privacy Act by improperly disclosing personal information. While TBS argued the breach was not material, the OPC disagreed, emphasizing the importance of contextual factors and the potential for harm, even if not all individuals experienced severe injury.

• Was the disclosure of personal information authorized under the Privacy Act?
• Was the privacy breach considered "material" by TBS?
• Did TBS conduct a holistic and context-informed assessment of the breach's materiality and potential harm?

The complainant alleged that Library and Archives Canada (LAC) had improperly withheld information under subsection 15(1) (national security and international relations) of the Access to Information Act. The records requested were from the Intelligence Advisory Committee, 1989-1995, concerning migration trends and global developments. The OIC found that similar records had been disclosed previously and the information reflected public debate, thus not meeting the requirements of subsection 15(1). LAC disclosed the records in full on January 20, 2023.

• Applicability of subsection 15(1) to records concerning migration trends and global developments
• Burden of proof on the institution to justify withholding records
• Prior disclosure of similar information by the Canadian Government
• Information reflecting public and Parliamentary debate