Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

27 decisions matching
Federal (Canada) · Privacy Act · Well-founded
Sep 5, 2014 · Indexed Apr 12, 2026

Violating principle of 'need-to-know' leads to data breach - September 5, 2014

Aboriginal Affairs and Northern Development Canada (AANDC)

The Office of the Privacy Commissioner of Canada investigated a complaint regarding the improper disclosure of personal information by Aboriginal Affairs and Northern Development Canada (AANDC). The complainant was concerned that AANDC created a document listing individuals who had requested information about a former minister under the Access to Information Act, and that this document was subsequently disclosed to La Presse newspaper. The investigation found that AANDC improperly shared the document with staff who did not need to know the identities of the requesters, and that the document was ultimately disclosed to La Presse, violating the Privacy Act.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the document contained personal information.
  • Whether AANDC officials who accessed the document had a need-to-know.
  • Whether the disclosure of the document to La Presse constituted a contravention of the Privacy Act.

Federal (Canada) · Privacy Act · Well-founded
Jul 9, 2014 · Indexed Apr 12, 2026

Sharing of health information unjustified - July 9, 2014

Public Service Commission of Canada

The complainant alleged that the Public Service Commission of Canada (PSC) contravened the Privacy Act by disclosing her private medical information to multiple witnesses during an investigation into potential fraud. The OPC found that while the PSC's collection and use of the information were justified, the disclosure of the doctor's letter to all witnesses was not a "consistent use" and thus contravened the Act. The PSC has committed to implementing new procedures to ensure future compliance.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the disclosure of medical information to all witnesses in an investigation complied with the Privacy Act's "consistent use" provision.
  • Whether the PSC's disclosure of medical information was necessary for procedural fairness.
  • Whether the PSC's interpretation of "affected person" was overly broad, leading to excessive disclosure.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
May 22, 2014 · PIPEDA findings #2014-020 · Indexed Apr 12, 2026

PIPEDA findings #2014-020: Videographer posts client’s wedding video on social media without consent

A videographer

An individual complained that a videographer hired to record her wedding shared her personal information without consent by posting the wedding video online for business promotion. The OPC found that using the video for promotional purposes was a commercial activity requiring consent, which the videographer had not obtained. Although the videographer initially disputed this, they eventually removed the video and agreed to include consent provisions in future contracts, leading to the complaint being resolved.

Adjudicator: Chantal Bernier

Key Issues
  • Was the use of the wedding video for promotional purposes considered a commercial activity under PIPEDA?
  • Did the videographer obtain the complainant's informed consent for the use of her personal information?
  • Did any exemptions under PIPEDA apply to the videographer's use of the video without consent?

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Apr 22, 2014 · Commissioner’s Findings - PIPEDA Case Summary #2014-007 · Indexed Apr 12, 2026

Commissioner’s Findings - PIPEDA Case Summary #2014-007: Apple called upon to be more open about its collection and use of information for downloads

Apple Canada Inc.

The complainant alleged that Apple Canada Inc. ("Apple") unnecessarily required payment information and date of birth for downloading a free application. The investigation found that while the date of birth collection was acceptable for authentication, Apple's privacy policy did not fully identify the purposes for its collection. The collection of payment information was also found to be an issue, as Apple did not clearly communicate that it was not required for downloading free applications. Apple agreed to revise its privacy policy and implement recommendations to improve clarity and user experience.

Adjudicator: Chantal Bernier

Key Issues
  • Identification of purposes for collection of personal information
  • Limiting collection of personal information to what is necessary
  • Openness about information management policies and practices
  • Requirement of payment information for free application downloads

Federal (Canada) · Access to Information Act
Apr 10, 2014 · Indexed May 4, 2026

Interference with Access to Information: Part 2

Public Works and Government Services Canada

The Information Commissioner initiated an investigation into Public Works and Government Services Canada (PWGSC) regarding the processing of eight access to information requests made between July 2008 and January 2010. The investigation focused on potential interference in how these requests were handled. The Commissioner has reported her findings.

Adjudicator: Suzanne Legault

Key Issues
  • Possibility of interference in the processing of access to information requests
  • Timeliness and completeness of response by PWGSC

Federal (Canada) · Privacy Act · Well-founded
Mar 24, 2014 · Indexed Apr 12, 2026

IP54-56/2014 — Employment and Social Development Canada

Employment and Social Development Canada

This report details an investigation into the loss of an external hard drive at Employment and Social Development Canada (ESDC), which contained the personal information of 583,000 Canada student loan borrowers and 250 employees. The Office of the Privacy Commissioner of Canada (OPC) found that while ESDC had appropriate policies in place, there was a significant gap in their implementation, leading to inadequate physical, technical, administrative, and personnel security controls. Consequently, ESDC was found to be in contravention of sections 6(3), 7, and 8 of the Privacy Act. ESDC accepted all of the OPC's recommendations for improvement.

Adjudicator: Chantal Bernier

Key Issues
  • Adequacy of physical security controls for storing personal information on portable media.
  • Sufficiency of technical safeguards, such as encryption, for personal information on external hard drives.
  • Effectiveness of administrative controls, including asset management and inventory of portable devices.
  • Level of employee awareness and training regarding the risks associated with handling personal information on portable devices.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Mar 21, 2014 · Incident Summary #5 · Indexed Apr 12, 2026

Incident Summary #5: Life insurance company employs best practices in responding to mass mailing error that risked exposing personal information - March 21, 2014

A life insurance company

A life insurance company discovered a potential breach of personal information when a new envelope design exposed sensitive data, including SINs, of 53 pension plan members. The company took prompt action by notifying affected individuals, offering credit monitoring services, and implementing new security measures to prevent recurrence. The OPC noted the company's response demonstrated best practices in handling such incidents.

Adjudicator: Chantal Bernier

Key Issues
  • Potential exposure of sensitive personal information (SIN, date of birth, beneficiary information) due to envelope design.
  • Adequacy of the company's response to the potential breach.
  • Measures taken to prevent future incidents.

Federal (Canada) · Privacy Act · No jurisdiction
Mar 4, 2014 · Indexed Apr 12, 2026

Retroactive removal of Privacy Act provisions leaves gun registry complainant with no recourse - 2015

Royal Canadian Mounted Police (RCMP)

A complainant alleged that the RCMP continued to retain and use personal information from the long-gun registry after it was legally required to be destroyed. The investigation focused on whether the RCMP used this information in contravention of section 7 of the Privacy Act. While the RCMP provided evidence that the registry records were destroyed, the complainant pointed to instances suggesting otherwise. However, the OPC could not find evidence to support the allegation that the RCMP used deleted long-gun registry information and noted that subsequent legislation retroactively exempted certain information from the Privacy Act.

Adjudicator: Chantal Bernier

Key Issues
  • Whether the RCMP retained and used personal information from the long-gun registry after it was legally required to be destroyed.
  • Whether the alleged use of this information contravened section 7 of the Privacy Act.
  • The impact of retroactive legislative amendments on the investigation and the application of the Privacy Act.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Feb 20, 2014 · Early resolved case summary #10 · Indexed Apr 12, 2026

Early resolved case summary #10: Bank improves its credit card account verification practices after challenge from customer - February 20, 2014

A bank

An individual complained that her bank required her to provide the last six digits of her Social Insurance Number (SIN) to set up a verified credit account for online purchases. The complainant believed this collection was unnecessary and sought an alternative. The bank initially maintained its practice but, after being informed of a similar OPC finding regarding transparency, discontinued the practice and updated its website to remove this authentication method. The complaint was resolved.

Adjudicator: Chantal Bernier

Key Issues
  • Bank's collection of partial SIN for account verification
  • Transparency of alternative authentication methods
  • Adequacy of information provided on the bank's website

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Feb 10, 2014 · Commissioner’s Findings - PIPEDA Report of Findings #2014-012 · Indexed Apr 12, 2026

Commissioner’s Findings - PIPEDA Report of Findings #2014-012: Investment Firm Justified in its Collection of "Know Your Client" Information

A Canadian investment firm

A customer complained that his investment firm's Know Your Client (KYC) form required an unreasonable amount of personal information, contrary to PIPEDA. The firm argued the information was necessary to comply with regulatory obligations set by the Investment Industry Regulatory Organization of Canada (IIROC). The OPC investigated whether the firm collected more information than necessary for legitimate purposes. Ultimately, the OPC found that the firm's collection of detailed financial and personal information, including spousal income and investment experience, was justified to meet IIROC's KYC and suitability requirements.

Adjudicator: Chantal Bernier

Key Issues
  • Whether the investment firm explicitly specified the purposes for collecting personal information.
  • Whether the stated purposes for collection were legitimate.
  • Whether the firm collected more personal information than necessary to fulfill those purposes.
  • Whether the collection was a condition of service that violated PIPEDA.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jan 23, 2014 · Early resolved case summary #5 · Indexed Apr 12, 2026

Early resolved case summary #5: Web posting that was removed by individual retained by Internet search engine - January 23, 2014

An Internet search engine

An individual complained to the OPC after an internet search engine continued to display her résumé and personal information, even after she had it removed from the original job posting site. The search engine initially did not comply with her requests to remove the information. The OPC intervened, and the search engine subsequently removed the cached copy of the information using its URL removal tool.

Adjudicator: Chantal Bernier

Key Issues
  • Right to withdraw consent for use/disclosure of personal information
  • Search engine's obligation to de-index personal information
  • Effectiveness of search engine URL removal tools

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jan 14, 2014 · Commissioner’s Findings - PIPEDA Report of Findings #2014-001 · Indexed Apr 12, 2026

Commissioner’s Findings - PIPEDA Report of Findings #2014-001: Use of sensitive health information for targeting of Google ads raises privacy concerns

Google Inc.

An investigation was launched after a complaint that Google's AdSense service delivered targeted advertisements for CPAP devices based on the complainant's online search for medical devices. The OPC found that Google used online behavioural advertising (OBA) to deliver these ads, which involved sensitive health information, without express consent. Google argued the ads were contextual, but the OPC determined they constituted OBA and contravened PIPEDA Principles 4.3 and 4.3.6 regarding consent for the use of sensitive information. Following recommendations, Google implemented remedial measures, leading to the complaint being conditionally resolved.

Adjudicator: Chantal Bernier

Key Issues
  • Was sensitive health information used for online behavioural advertising without express consent?
  • Did Google's practices comply with PIPEDA Principles 4.3 and 4.3.6 regarding knowledge and consent for the use of personal information?
  • Did Google's privacy policy accurately reflect its practices regarding the use of sensitive health information for targeted advertising?
  • Were Google's monitoring and compliance mechanisms adequate to prevent policy violations?