Federal (Canada) Privacy Decisions

The Information Commissioner initiated a systemic investigation into Library and Archives Canada (LAC) due to consistently delayed responses to access requests over several years. The investigation found that nearly 80% of requests completed by LAC during the period under review did not meet the timeframes stipulated by the Access to Information Act. The Commissioner made ten recommendations to the Minister of Canadian Heritage, and subsequently tabled a special report in Parliament highlighting issues at LAC and broader challenges within the access to information system.

• Timeliness of access to information requests
• Consultation processes between institutions
• Lack of a government-wide declassification framework

A joint investigation by Canadian privacy authorities found that Clearview AI, Inc. contravened PIPEDA and provincial privacy laws by collecting, using, and disclosing personal information without consent and for inappropriate purposes. Clearview's facial recognition tool scraped billions of images from the internet to create biometric facial arrays, which were then provided to law enforcement and other clients. The authorities concluded that Clearview's mass collection and use of sensitive biometric data was not for an appropriate purpose, nor was it obtained with the requisite consent.

• Whether Clearview obtained requisite consent for the collection, use, and disclosure of personal information.
• Whether Clearview collected, used, and disclosed personal information for an appropriate purpose.
• Whether Clearview satisfied its biometric obligations in Quebec.
• Whether Canadian privacy authorities had jurisdiction over Clearview's activities.

This investigation examined Desjardins' compliance with PIPEDA following a significant data breach that occurred between 2017 and 2019, affecting nearly 9.7 million individuals. The Office of the Privacy Commissioner of Canada (OPC) found that Desjardins contravened PIPEDA principles regarding accountability, data retention, and security safeguards. While Desjardins' mitigation measures for affected individuals were deemed adequate, the OPC issued recommendations to address the identified contraventions.

• Adequacy of security safeguards throughout the personal information lifecycle.
• Compliance with accountability principles, including implementing procedures and training staff.
• Appropriateness of data retention and destruction practices.
• Effectiveness of mitigation measures offered to individuals affected by the breach.

This report details a review of passport protection practices by four federal institutions: IRCC, ESDC, GAC, and CPC. While the institutions generally had reasonable measures to prevent unauthorized passport disclosures, the review identified areas for improvement in incident detection, remediation for affected individuals, and learning from past breaches. The institutions agreed to implement the OPC's recommendations to enhance these processes.

• Adequacy of measures to prevent unauthorized disclosure of passports
• Effectiveness of incident detection mechanisms
• Sufficiency of remediation measures for affected individuals
• Processes for learning from past passport breach incidents

This report details a systemic investigation into how the Department of National Defence (DND) processed access to information requests between January 1, 2017, and December 21, 2018. The investigation examined six key offices and DND's ATIP Directorate, reviewing their internal processes, training, and statistics. The Commissioner made nine recommendations to the Minister of National Defence to address identified shortcomings, which the Minister accepted and agreed to implement.

• Timeliness of access to information request processing
• Adherence to legislative obligations under the Access to Information Act
• Effectiveness of internal procedures and training for ATIP staff
• Improvement of ATIP compliance metrics

This investigation examined complaints concerning Statistics Canada's collection of personal financial and credit information from a credit bureau and financial institutions for two projects. The OPC found Statistics Canada had the legal authority for the Credit Information Project, deeming that aspect not well-founded. However, the OPC had serious concerns that the Financial Transactions Project, as originally designed, would have exceeded Statistics Canada's legal authority. As this project was halted before any data was collected, no finding was made. Despite finding no contravention of the Privacy Act, the OPC identified significant privacy concerns regarding necessity, proportionality, and transparency in both projects as originally designed, and made recommendations for improvement.

• Legal authority for collecting personal information under the Statistics Act and Privacy Act
• Necessity and proportionality of collecting sensitive personal information
• Adequacy of transparency regarding data collection
• Safeguards for handling collected personal information

This joint investigation by the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia found that AggregateIQ Data Services Ltd. (AIQ) contravened Canadian privacy laws (PIPEDA and PIPA) in its handling of personal information for political campaigns. AIQ failed to ensure adequate consent for the collection, use, and disclosure of personal information, particularly when sharing data with platforms like Facebook for targeted advertising and analytics. Additionally, AIQ's inadequate security measures led to a data breach involving the personal information of millions of individuals.

• AIQ's collection, use, and disclosure of personal information for political campaigns.
• AIQ's compliance with consent requirements for personal information.
• AIQ's implementation of reasonable security measures to protect personal information.
• Cross-jurisdictional data handling and privacy obligations.

The Office of the Privacy Commissioner of Canada (OPC) investigated Equifax Inc. and Equifax Canada Co. following a 2017 data breach that compromised the personal information of approximately 19,000 Canadians. The OPC found that both Equifax Inc. and Equifax Canada contravened PIPEDA concerning inadequate safeguards, data retention, accountability, and consent for the disclosure of personal information. The investigation also found Equifax Canada's post-breach safeguards to be inadequate for protecting affected Canadians. Equifax Canada has committed to corrective measures, and the matters are conditionally resolved.

• Adequacy of security safeguards for Canadian personal information held by Equifax Inc.
• Equifax Inc.'s data retention and destruction practices for Canadian personal information.
• Equifax Canada's accountability for Canadian personal information handled by Equifax Inc.
• Adequacy of consent obtained for the collection and disclosure of Canadian personal information to Equifax Inc.
• Adequacy of safeguards and post-breach measures for Canadian personal information held by Equifax Canada.

This is a systemic investigation report that examined how federal institutions handle access to information requests related to scientists and scientific information. The investigation was initiated by a complaint from the Environmental Law Clinic at the University of Victoria and Democracy Watch. It concluded that while some progress had been made, challenges remained in ensuring timely and complete access to information concerning scientists within federal institutions.

• Timeliness of access to information requests concerning scientists
• Completeness of information provided in response to requests about scientists
• Impact of institutional practices on the right of access to information regarding scientists

This report details three incidents in 2017 where Canadian organizations experienced data breaches due to password reuse by their customers. In each case, attackers used login credentials obtained from unrelated breaches to access customer accounts. The Office of the Privacy Commissioner of Canada found the organizations' responses to be appropriate, including actions like password resets, enhanced security measures, and customer notifications, and encouraged other organizations to adopt similar preventative strategies.

• Impact of password reuse on personal information security
• Adequacy of organizational responses to data breaches
• Effectiveness of safeguards against unauthorized access
• Communication and notification obligations to individuals

This report details a joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Australian Office of the Information Commissioner (OAIC) into Avid Life Media Inc. (ALM), the operator of Ashley Madison. The investigation followed a significant data breach where personal information of millions of users was exposed. The OPC found that ALM contravened PIPEDA regarding information security, indefinite retention of user data, accuracy of email addresses, and transparency with users. ALM has entered into a compliance agreement with the OPC to address these issues.

• Adequacy of information security safeguards
• Indefinite retention of user data
• Accuracy of collected email addresses
• Transparency and user consent regarding data handling practices

This document is a systemic investigation into Parks Canada's approach to processing access requests, completed in 2015-2016. It highlights how cooperation with the Information Commissioner's Office can lead to positive systemic changes in how access rights are managed. The report uses Parks Canada's practices as an example for improvement.

• Effectiveness of Parks Canada's access to information request processing
• Impact of leadership and collaboration on access rights
• Systemic changes in access to information practices

This report details an incident where a fraudster impersonated an unknown individual to trick a financial institution's employees into revealing customer contact information. The fraudster then used this information to extract further personal details from approximately 100 customers, increasing their risk of identity theft. The financial institution took immediate steps to mitigate the breach, including offering credit monitoring and enhancing staff training.

• Effectiveness of internal controls to prevent unauthorized disclosure of personal information
• Adequacy of breach response and mitigation measures
• Risks of identity theft and fraud due to personal information disclosure

The requester sought access to the Firearms Registry database from the RCMP on March 27, 2012. The RCMP provided an incomplete response, which the requester argued was not justified and that the destruction of records obstructed their access rights. The OIC investigated the complaint.

• Incompleteness of the provided information
• Lack of justification for incomplete response
• Destruction of records obstructing right of access under section 67.1 of the ATIA

A woman received the personal information of five strangers along with her daughter's tax documents from the Canada Revenue Agency (CRA). She attempted to return the information to the CRA through various channels but faced difficulties. The OPC launched a Commissioner-initiated investigation, which concluded that the CRA had breached the privacy rights of the individuals whose information was improperly disclosed. The CRA has since implemented remedial measures to improve its procedures for handling misdirected mail and facilitating breach reporting.

• Adequacy of CRA's procedures for handling misdirected personal information.
• Effectiveness of CRA's channels for the public to report privacy breaches.
• Timeliness and appropriateness of CRA's response to the breach.