Federal (Canada) Privacy Decisions

The complainant alleged that Transport Canada improperly withheld records concerning the Boeing 737 MAX aircraft system (MCAS) under exemptions related to personal information, trade secrets, and financial impact on a third party. The Information Commissioner found that the institution and the third party (Boeing) failed to demonstrate that all withheld information met the criteria for these exemptions. The Commissioner ordered Transport Canada to disclose specific information and to re-exercise its discretion regarding disclosure for public safety reasons.

• Whether withheld information met the criteria for exemption under paragraph 20(1)(b) (confidential third-party financial, commercial, scientific or technical information).
• Whether withheld information met the criteria for exemption under paragraph 20(1)(a) (third-party trade secrets).
• Whether withheld information met the criteria for exemption under paragraph 20(1)(c) (financial impact on a third party).
• Whether Transport Canada reasonably exercised its discretion under subsection 20(6) for disclosure in the public interest.

The complainant alleged that Public Services and Procurement Canada (PSPC) failed to provide records related to a designated substances report. PSPC provided some records but claimed others were not under its control. The Information Commissioner found that these records, although not in PSPC's physical possession, were under its control due to contractual obligations with a third-party contractor. The Commissioner ordered PSPC to retrieve and process these records.

• Whether records held by a third-party contractor were under the control of PSPC for the purposes of the Access to Information Act.
• Whether PSPC conducted a reasonable search for the requested records.

The complainant alleged that the Transportation Safety Board of Canada (TSB) improperly withheld records related to an aircraft incident under various exemptions related to personal information and confidential third-party information. The OIC found that TSB failed to provide sufficient evidence to justify withholding the records under the claimed exemptions. Consequently, the Information Commissioner ordered TSB to disclose the records, and TSB agreed to comply.

• Failure to meet the requirements for withholding information under section 19(1) (personal information) of the ATIA.
• Failure to meet the requirements for withholding information under section 20(1)(b) (confidential third-party financial, commercial, scientific or technical information) of the ATIA.
• Failure to meet the requirements for withholding information under section 20(1)(c) (financial impact on a third party) of the ATIA.
• Failure to meet the requirements for withholding information under section 20(1)(d) (negotiations by a third party) of the ATIA.

The complainant alleged that Natural Resources Canada (NRCan) improperly withheld records concerning NRCan's representatives on the Board of Governors of the Maritime College of Forest Technology (MCFT). The exemptions cited were paragraphs 20(1)(b), 20(1)(c), and 20(1)(d) of the Access to Information Act, relating to confidential third-party information, financial impact, and negotiations. The Commissioner found that NRCan and MCFT failed to meet the criteria for these exemptions, particularly regarding confidentiality and the reasonable expectation of harm. Consequently, the Commissioner ordered NRCan to disclose the withheld information, except for any personal information or legal advice/litigation privilege that was also withheld.

• Confidentiality requirements for paragraph 20(1)(b)
• Reasonable expectation of harm for paragraphs 20(1)(c) and 20(1)(d)
• Burden of proof on institution and third party
• Control of records

The complainant alleged that the Atlantic Canada Opportunities Agency (ACOA) improperly withheld information related to a grant made to the Organisation for Economic Co-operation and Development (OECD) under sections 20(1)(b) and 20(1)(d) of the Access to Information Act. The Information Commissioner found that neither ACOA nor the OECD provided sufficient evidence to justify withholding the information under these exemptions. Consequently, the Commissioner ordered ACOA to disclose the records in their entirety, an order which ACOA stated it would implement.

• Whether information concerning a grant to a third party was properly withheld under subsection 20(1)(b) (confidential third-party financial, commercial, scientific or technical information).
• Whether information related to the grant was properly withheld under paragraph 20(1)(d) (contractual or other negotiations of a third party).
• The burden of proof on the institution and/or third party to demonstrate that exemptions apply.
• The nature of confidentiality and reasonable expectation of non-disclosure for financial information.

The complainant alleged that the Canada School of Public Service (CSPS) did not conduct a reasonable search for emails from a senior executive and that records were potentially deleted. The investigation found that the CSPS kept the request on hold without lawful authority, failed to retain records responsive to an active access request, and conducted an inadequate search. The Commissioner concluded the complaint was well-founded regarding the search, but found no evidence of an intent to deny access or that the requester's identity was considered. Additional records were eventually found and provided to the complainant.

• Reasonableness of search
• Failure to retain records
• Intent to deny access
• Consideration of requester's identity

The complainant alleged that the Immigration and Refugee Board of Canada (IRB) took an unreasonable amount of time to respond to an access request for records related to its "Weighing Evidence" document. The IRB claimed a 1,295-day extension, which would have pushed the response deadline to March 31, 2025. The Information Commissioner found that the IRB did not provide sufficient justification for the length of the extension, particularly regarding the time allocated for record review and approval processes. Consequently, the extension was deemed invalid, and the IRB was ordered to process the records as soon as possible, no later than April 18, 2023.

• Reasonableness of time extension claimed under paragraph 9(1)(a) of the ATIA
• Justification for allocated timeframes for record review and approval
• Whether concurrent processing of review stages is possible
• Calculation of time extension for large volume requests

The complainant alleged that Library and Archives Canada (LAC) improperly withheld information under subsection 15(1) of the Access to Information Act. The request was for historical documents concerning the defence of the Arctic region. The Information Commissioner found that LAC failed to demonstrate how disclosing the records would harm national security or the defence of Canada, especially given that similar information has been publicly disclosed by Canada and the United States. The Commissioner recommended that LAC disclose the records in their entirety, and LAC agreed to implement this recommendation.

• Whether subsection 15(1) of the ATIA was properly applied to withhold historical records.
• Whether the disclosure of the records could reasonably be expected to harm national security or the defence of Canada.
• Whether LAC provided sufficient evidence to justify the continued withholding of information.
• The relevance of prior disclosures of similar information by Canada and the United States.

The complainant alleged that the Office of the Auditor General of Canada (OAG) had incorrectly stated that witness statements and documentation supporting a harassment investigation report were not under its control. The OIC investigated whether these records were under the OAG's control, considering factors such as whether they related to an institutional matter and if the OAG had a legally enforceable right to access them. Ultimately, the OIC found that the records were indeed under the OAG's control, making the complaint well-founded.

• Determination of 'control' over records not in physical possession of an institution.
• Whether the OAG had a legally enforceable right of access to the investigation records.
• Whether the content of the records required OAG authorization for communication.
• Whether the OAG relied on the records when preparing other government records.

The complainant alleged that the Federal Economic Development Agency for Southern Ontario (FedDev Ontario) improperly withheld information related to funding applications from The Corporation of the Town of Niagara-on-the-Lake. The exemptions cited were for personal information, and confidential third-party financial, commercial, scientific, or technical information, and information affecting third-party negotiations. Neither the institution nor the third parties provided sufficient evidence to justify withholding the information. The Information Commissioner found the complaint well-founded and ordered the release of the records.

• Whether the withheld information met the requirements for exemption under subsection 19(1) (personal information) of the ATIA.
• Whether the withheld information met the requirements for exemption under paragraph 20(1)(b) (confidential third-party financial, commercial, scientific or technical information) of the ATIA.
• Whether the withheld information met the requirements for exemption under paragraph 20(1)(c) (financial impact on a third party) of the ATIA.
• Whether the withheld information met the requirements for exemption under paragraph 20(1)(d) (negotiations by a third party) of the ATIA.

The complainant alleged that the Canadian Security Intelligence Service (CSIS) did not conduct a reasonable search for records related to pay equity for unionized employees. CSIS argued that records held by its Departmental Legal Services Unit (DLSU) were under the control of the Department of Justice. The Information Commissioner found that CSIS had failed to establish it conducted a reasonable search, as records held by its DLSU might be under CSIS's control. The Commissioner recommended CSIS retrieve and review these records, but CSIS refused to implement the recommendations.

• Reasonableness of the search conducted by CSIS
• Determination of 'control' over records held by the Departmental Legal Services Unit
• Relationship between CSIS and the Department of Justice regarding information holdings

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a Trimac truck driver concerned about audio and video recording in his truck cabin. The OPC found that while Trimac had legitimate safety and asset protection goals, the continuous audio recording was too intrusive, especially when drivers were off-duty. Trimac was also not initially transparent about using the data for disciplinary purposes, failing to meet consent requirements under PIPEDA. Trimac has since implemented changes, limiting audio recording to on-duty hours and improving data access controls. The OPC found the complaint conditionally resolved regarding the intrusive nature of the recording and resolved regarding the consent issue, accepting Trimac's remedial actions.

• Appropriateness of continuous audio recording in truck cabins, including during off-duty hours.
• Whether Trimac provided adequate information about the use of collected data for disciplinary purposes.
• The proportionality of privacy intrusion versus business benefits.
• The requirement for employee consent for data collection in an employment context.

The complainant requested a summary of financial assistance provided by Export Development Canada (EDC) to Canadian companies in Honduras over $50,000 from 2009 to 2019. EDC withheld information under exemptions related to confidential business information and disclosure restricted by another law. The Information Commissioner found that EDC failed to demonstrate that the information belonged to EDC as required for the first exemption and that the information was "obtained by" EDC as required for the second exemption. The Commissioner ordered EDC to disclose policy types, policy numbers, and maximum liability amounts.

• Applicability of exemption s. 18.1(1) (confidential financial, commercial, scientific or technical information of EDC)
• Meaning of "belongs to" in s. 18.1(1) ATIA
• Interpretation of EDC's Disclosure Policy for confidentiality
• Applicability of exemption s. 24(1) (disclosure restricted by another law) citing s. 24.3(1) of the Export Development Act
• Distinction between information "obtained by" and "created by" EDC under s. 24.3(1) of the Export Development Act

The complainant alleged that the Old Port of Montreal Corporation Inc. improperly withheld records related to the loan of objects for an exhibit under several exemptions in the Access to Information Act. The exemptions claimed included those related to competitive advantage, government financial interests, personal information, and third-party financial interests and negotiations. The institution failed to provide sufficient representations to support the application of these exemptions. The OIC found that photographs of human remains could not be withheld under the personal information exemption, as the individuals were either not identifiable or had been deceased for over 20 years. The OIC ordered the disclosure of all information at issue, and the institution agreed to comply.

• Burden of proof for exemptions
• Definition of personal information for deceased individuals
• Adequacy of representations to support exemptions
• Status of the Coroner's office as a third party

Following a data breach involving the Starwood hotel database, the Office of the Privacy Commissioner of Canada (OPC) investigated Marriott International, Inc. The investigation found that Marriott's security safeguards, accountability measures, and information retention practices were inadequate at the time of the breach, leading to unauthorized access to personal information. While Marriott has taken remedial actions and the complaint is conditionally resolved, the OPC highlighted failures in access controls, antivirus software, logging and monitoring, and information storage. The OPC also found Marriott contravened accountability principles by not adequately assessing security risks during its acquisition of Starwood and retaining personal information longer than necessary.

• Adequacy of security safeguards for personal information
• Marriott's accountability and due diligence during the acquisition of Starwood
• Timeliness of information retention and deletion practices
• Adequacy of notification and mitigation measures for affected individuals