Federal (Canada) Privacy Decisions

The requester sought access to the Firearms Registry database from the RCMP on March 27, 2012. The RCMP provided an incomplete response, which the requester argued was not justified and that the destruction of records obstructed their access rights. The OIC investigated the complaint.

• Incompleteness of the provided information
• Lack of justification for incomplete response
• Destruction of records obstructing right of access under section 67.1 of the ATIA

The complainant alleged that the Canada Border Services Agency (CBSA) improperly disclosed his personal information to his country of origin without consent. The CBSA disclosed a court judgment related to the complainant's criminal history to the High Commission of Canada to Ghana, which then forwarded it to Interpol for verification. The OPC found that while the disclosure was for a consistent purpose under the Privacy Act (enforcing immigration law), the CBSA's procedures for such disclosures were insufficient at the time, and the electronic transmission of information raised concerns.

• Disclosure of personal information to a foreign entity for verification purposes.
• Whether the disclosure constituted a consistent use of information under the Privacy Act.
• Adequacy of CBSA procedures for international disclosure and verification requests.
• Concerns regarding the electronic transmission of personal information.

An individual complained that an investment brokerage collected more personal information than necessary to open a self-directed investment account. The brokerage stated the information was required to comply with regulatory obligations, including "Know Your Client" rules from the Investment Industry Regulatory Organization of Canada (IIROC) and anti-money laundering (AML) requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), as well as provincial securities legislation. The OPC found that the requested information, including net worth, marital status, and spouse's occupation, was necessary for these regulatory purposes.

• Whether the brokerage collected more personal information than necessary for opening a self-directed investment account.
• Whether the collection of information was a condition of service contrary to PIPEDA.
• Whether the brokerage's collection purposes met regulatory requirements.
• The applicability of "Know Your Client" and AML rules to self-directed accounts.

The complainant alleged that Public Services and Procurement Canada (PWGSC) contravened the Privacy Act when a Director disclosed that the complainant had filed a harassment complaint against her during a management meeting. The investigation confirmed the disclosure, and found that the Director had not obtained the complainant's consent and that the attendees did not need to know the information. As a result, the complaint was found to be well-founded.

• Definition of personal information under section 3 of the Privacy Act
• Rules regarding the disclosure of personal information under section 8 of the Privacy Act
• Application of Treasury Board and departmental policies on confidentiality of harassment complaints

The Office of the Privacy Commissioner of Canada investigated Peoples Trust after a breach compromised the sensitive personal information of 12,000 customers. The investigation found that the financial institution failed to implement adequate safeguards in its online application portal and retained customer data unnecessarily on a vulnerable, unencrypted web server. These failures contravened PIPEDA's principles regarding safeguards and data retention. Following the breach, Peoples Trust took comprehensive remedial actions, including redesigning its portal, enhancing monitoring, and improving retention practices, which resolved the issues.

• Adequacy of information security safeguards for sensitive personal data.
• Unnecessary retention of personal information beyond required purposes.
• Vulnerabilities in web application portal development and maintenance.
• Effectiveness of breach response and risk mitigation measures.

A complainant was concerned that a hotel chain linked her IP address to her phone number after she received a promotional phone call. The hotel chain clarified that it does not engage in promotional calls and that the call was a fraudulent telemarketing scam by an unrelated party. The complainant suggested the hotel warn its customers about such scams, which the hotel did, leading to the matter being resolved.

• Unauthorized collection of personal information
• Misrepresentation by a third party
• Complainant's concern about IP address linkage to phone number

This investigation concerned a complaint against Health Canada (HC) regarding the mailing of 41,514 letters using windowed envelopes that revealed the name of the "Marihuana Medical Access Program" (MMAP). The Office of the Privacy Commissioner of Canada (OPC) found that HC contravened the Privacy Act by disclosing sensitive personal information without consent or legitimate purpose. Although HC cited administrative error and argued implicit consent or consistent use, the OPC determined that the sensitive nature of the program name required greater protection. HC has since implemented stricter mail-out procedures and created a new working group.

• Whether the visible program name in the return address constituted a disclosure of personal information.
• Whether implied consent was obtained from recipients.
• Whether the disclosure was a 'consistent use' of information under section 8(2)(a) of the Privacy Act.
• Whether Health Canada took reasonable steps to protect sensitive personal information.

The complainant, a former Canadian Forces member, alleged that the Department of National Defence (DND) contravened the Privacy Act by prematurely destroying an audio recording of his Progress Review Board (PRB) hearing. The OPC found that the recording contained personal information used for an administrative purpose and should have been retained for at least two years, as required by the Act, unless the complainant consented to its destruction. DND's destruction of the recording shortly after the hearing was deemed premature. The OPC recommended that DND develop a policy for retention and disposal of PRB hearing records and, in the interim, retain such recordings or transcriptions for at least two years.

• Whether the audio recording of the PRB hearing contained personal information used for an administrative purpose.
• Whether the complainant consented to the destruction of the audio recording.
• Whether DND's destruction of the audio recording violated the retention provisions of the Privacy Act.
• Whether DND provided access to accurate records following the hearing.

A tenant complained about five video surveillance cameras installed in common areas of their office building by another tenant. The complainant was particularly concerned about two cameras that monitored activity near his office door and the elevators, viewing it as an invasion of privacy. Following the OPC's involvement, the cameras of most concern were relocated inside the other tenant's offices, resolving the complainant's privacy concerns.

• Appropriateness of video surveillance in common areas
• Collection of personal information in shared spaces
• Minimum collection principle for video surveillance