Federal (Canada) Privacy Decisions

An incident occurred where employees of a financial management firm sent a client's sensitive financial information to her personal email account without proper security measures. This led to a situation where an individual, potentially a hacker, used this information to impersonate the client and attempt to transfer funds from her investment account. Although the client's money was not stolen due to the firm's established procedures, the firm's investigation revealed a breach of security protocols and inadequate employee training. The firm took corrective actions, including disciplinary measures for employees, additional privacy training, and reinforcing account security.

• Adequacy of security safeguards for personal information
• Effectiveness of employee training on privacy and security procedures
• Appropriateness of the organization's response to a data breach

The Office of the Privacy Commissioner of Canada investigated a complaint regarding a property management company maintaining a "bad tenant" list for a landlord association. The complainant alleged improper collection, use, and disclosure of personal information without consent. The OPC found that the list functioned like a credit reporting agency and that consent was not properly obtained, nor was there a mechanism for individuals to challenge the accuracy of the information. The property management company agreed to destroy the list and cease its collection, leading to the matter being resolved.

• Adequacy of consent for collecting and using tenant information.
• Whether the "bad tenant" list functioned as a credit reporting agency.
• Ensuring the accuracy of personal information and the ability for individuals to challenge it.
• Appropriateness of the purpose for collecting, using, and disclosing tenant information.

A financial institution reported a breach to the OPC after a printing error resulted in a few hundred clients receiving incorrect RRSP tax contribution statements. Some statements mistakenly included the personal information of other individuals, including names, addresses, account numbers, and Social Insurance Numbers. The institution promptly investigated, notified affected clients, provided new statements, increased account monitoring, and offered credit alert monitoring. They also reviewed and enhanced internal procedures to prevent future errors.

• Adequacy of safeguards to prevent privacy breaches
• Timeliness and appropriateness of breach response
• Notification of affected individuals
• Review and enhancement of internal policies and procedures

This report details an incident where a fraudster impersonated an unknown individual to trick a financial institution's employees into revealing customer contact information. The fraudster then used this information to extract further personal details from approximately 100 customers, increasing their risk of identity theft. The financial institution took immediate steps to mitigate the breach, including offering credit monitoring and enhancing staff training.

• Effectiveness of internal controls to prevent unauthorized disclosure of personal information
• Adequacy of breach response and mitigation measures
• Risks of identity theft and fraud due to personal information disclosure

The complainant alleged an insurance company refused to provide her with access to her personal information, including a recording of a telephone conversation, and documents related to her complaint to the company's ombudsman office. The company claimed the ombudsman process was a "formal dispute resolution process" exempt from PIPEDA and that the process was not a "commercial activity." The OPC found the company contravened PIPEDA by unduly delaying access to the recorded conversation and by incorrectly withholding documents from the ombudsman process. The OPC determined the ombudsman office was not a "formal dispute resolution process" and its activities were subject to PIPEDA.

• Is an internal ombudsman office a "formal dispute resolution process" under PIPEDA?
• Are the services of an internal ombudsman office considered "commercial activity" under PIPEDA?
• Does an organization need spousal consent to release joint account information when third-party information can be severed?
• What are the obligations of an organization responding to an access to information request under PIPEDA?

An individual complained that a collection agency refused to provide access to their personal information, despite multiple written requests. The agency failed to respond to several of these requests within the timeframes required by PIPEDA. Although the agency eventually sent the information, and the individual refused to sign for it, the agency was deemed to have provided access. The agency acknowledged it did not follow its own procedures for handling access requests and committed to revising them and providing refresher training.

• Timeliness of response to access requests
• Failure to follow internal procedures for handling access requests
• Adequacy of providing access to personal information

Canada Post's collection of electronic signatures for mail tracking was investigated following a complaint. The OPC found that Canada Post's collection, use, and disclosure of signatures for tracking purposes complied with the Privacy Act, as it was consistent with the original purpose of collection and a permitted disclosure under paragraph 8(2)(a) of the Act. However, the OPC identified shortcomings in the security and privacy controls of Canada Post's online tracking website and made recommendations for improvement, which Canada Post accepted.

• Adequacy of notice provided to individuals regarding the collection, use, and disclosure of their electronic signatures.
• Compliance with the Privacy Act regarding the collection, use, and disclosure of personal information.
• Adequacy of security and privacy controls for digitized signatures displayed on Canada Post's online tracking website.

The OPC investigated a complaint concerning a cable provider that posted a list of customers with overdue accounts on a public Facebook page. The provider believed this was permissible, citing municipal practices of publishing names of those in property tax arrears. The OPC clarified that while PIPEDA permits disclosure of information for debt collection purposes to third parties, it does not authorize public dissemination without consent.

• Public dissemination of personal information for debt collection
• Application of PIPEDA's debt collection exemption
• Comparison of debt collection practices with municipal tax arrears publications

A customer complained that a retail store employee disclosed his personal information, including his name and in-store behaviour, to his employer without his knowledge or consent. The Office found that the disclosed information was personal information and that the store could not rely on implied consent for the disclosure, as the information was sensitive and disclosure to an employer was not a reasonable expectation. The matter was resolved after the store implemented recommendations to communicate its PIPEDA obligations.

• Whether information disclosed in a public store is personal information.
• Whether implied consent applied to the disclosure of sensitive personal information to an employer.
• Whether the disclosed information qualified as publicly available information under the regulations.