Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

49 decisions matching

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2021 · PIPEDA Findings #2021-004 · Indexed Apr 12, 2026

PIPEDA Findings #2021-004: Company’s employees bypassed authentication protocols allowing fraudsters to repeatedly access customer’s account

Fido Solutions Inc.

This investigation concerned a complaint that Fido Solutions Inc. failed to safeguard a customer's personal information, allowing fraudsters to access and alter account details. It was found that Fido's customer service representatives repeatedly failed to follow authentication protocols, leading to unauthorized access. Additionally, the complaint alleged Fido failed to provide a requested transcript in an understandable format. Fido has committed to implementing enhanced safeguards regarding authentication protocols and has since provided the requested transcripts.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards to protect customer personal information from unauthorized access.
  • Effectiveness of authentication protocols and employee adherence.
  • Proper response to customer requests for access to personal information.
  • Provision of personal information in a generally understandable format.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 30, 2021 · PIPEDA Findings #2021-009 · Indexed Apr 12, 2026

PIPEDA Findings #2021-009: Opt-in consent required for a donor list trading program

A charitable organization

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a charitable organization's donor list trading program. The OPC found that the charity needed to obtain express opt-in consent, rather than rely on opt-out consent, for sharing donor contact information, as this practice fell outside donors' reasonable expectations. The OPC also determined that the information provided to donors was insufficient to ensure meaningful consent, lacking details about what information would be shared with whom and for what purpose. The charity agreed to implement recommendations to obtain opt-in consent and provide clearer information.

Adjudicator: Daniel Therrien

Key Issues
  • Requirement for opt-in versus opt-out consent for donor list trading.
  • Sufficiency of information provided to donors for meaningful consent.
  • Application of the 'reasonable expectations' principle under PIPEDA.
  • Compliance with PIPEDA's requirements for consent for information sharing.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 30, 2021 · PIPEDA Findings #2021-003 · Indexed Apr 12, 2026

PIPEDA Findings #2021-003: Security deficiencies at BMO lead to large-scale breach

Bank of Montreal (BMO)

This investigation report concerns a large-scale breach of personal information at the Bank of Montreal (BMO), affecting approximately 113,000 customers. The OPC found that BMO's online banking software had significant vulnerabilities, including issues with developer security testing, vulnerability management, and oversight/monitoring, which allowed attackers to access sensitive data such as financial account numbers and SINs. BMO has since implemented substantial improvements to its security safeguards.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of BMO's technical safeguards to protect personal information.
  • Effectiveness of BMO's developer security testing and evaluation processes.
  • Sufficiency of BMO's vulnerability management protocols.
  • Appropriateness of BMO's oversight and monitoring capabilities for detecting cyberattacks.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 29, 2021 · PIPEDA Findings #2021-002 · Indexed Apr 12, 2026

PIPEDA Findings #2021-002: Investigation into CoreFour Inc.’s compliance with PIPEDA

CoreFour Inc.

The Office of the Privacy Commissioner of Canada (OPC) investigated CoreFour Inc. concerning its compliance with PIPEDA regarding its learning management system, Edsby. The OPC found that CoreFour's safeguards were not adequate due to vulnerabilities in password requirements and protection of student profile pictures, and a lack of an overarching information security framework. The OPC also found that CoreFour lacked a robust accountability framework, including written policies and adequate privacy training. However, the OPC found CoreFour to be in compliance with its breach reporting and notification obligations. CoreFour has accepted the recommendations and is implementing corrective measures.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards for personal information
  • Breach reporting and notification obligations
  • Accountability for privacy compliance
  • Development of privacy management and information security frameworks

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 24, 2021 · PIPEDA Findings #2021-007 · Indexed Apr 12, 2026

PIPEDA Findings #2021-007: Computer services company accesses customer’s laptop remotely during help desk call without seeking customer’s express consent

A computer services company

The complainant alleged that a computer services company remotely accessed his laptop without his express consent during a help desk call. The Office of the Privacy Commissioner of Canada (OPC) found that the company failed to obtain meaningful express consent for remote access and did not have adequate safeguards to protect customer information. The company has since restructured, ceased offering personal help desk services, and no longer uses the remote access software, leading the OPC to find the complaint well-founded and resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Whether meaningful express consent was obtained for remote computer access.
  • Whether adequate safeguards were in place to protect customer data during remote access.
  • The nature of consent required for accessing potentially sensitive personal information on a customer's laptop.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 22, 2021 · PIPEDA Findings #2021-008 · Indexed Apr 12, 2026

PIPEDA Findings #2021-008: Transportation company's constant surveillance of drivers is more intrusive than necessary

Oculus Transport Ltd.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a truck driver alleging that his employer, Oculus Transport Ltd., collected personal information through audio surveillance in the truck cab for inappropriate purposes. The OPC found that while Oculus had a legitimate business need for some surveillance, the continuous audio recording, even when drivers were off-duty, was excessively intrusive and disproportionate to the benefits. Oculus has since stopped using audio surveillance.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the purposes for which Oculus collected audio recordings were appropriate under PIPEDA's section 5(3).
  • Whether less privacy-invasive means were available to Oculus to achieve its stated purposes.
  • Whether the intrusion on drivers' privacy was proportionate to the benefits gained by Oculus.

Federal (Canada) · Access to Information Act · Not well-founded
Mar 18, 2021 · 5819-00626 · Indexed Apr 21, 2026

Innovation, Science and Economic Development Canada (Re), 2021 OIC 8

Innovation, Science and Economic Development Canada

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) took an unreasonable extension of time to respond to an access request for information related to the Competition Bureau's bread price-fixing investigation. The request involved over 75 million pages of records. ISED calculated the extension by considering the volume of records, the time needed for the program area to gather records, and the time needed by the Access to Information and Privacy Office to analyze exemptions. The Information Commissioner found the complaint not well founded, agreeing that the extension was reasonable and that ISED followed the proper procedures.

Adjudicator: Caroline Maynard

Key Issues
  • Whether the extension of time taken by the institution was reasonable under paragraph 9(1)(a) of the Access to Information Act.
  • Whether the request involved a large number of records or required searching through a large number of records.
  • Whether meeting the 30-day deadline would unreasonably interfere with the institution's operations.
  • Whether the duration of the extension was reasonable given the circumstances.

Federal (Canada) · Access to Information Act · Well-founded
Mar 16, 2021 · 3217-01373 · Indexed Apr 21, 2026

3217-01373 — Public Safety Canada and Royal Canadian Mounted Police

Public Safety Canada

The complainant alleged that Public Safety Canada refused to process an access request for records related to various keywords. Public Safety argued parts of the request did not meet the Act's requirements and processing it would be overly burdensome. The Commissioner found the complaint well-founded, agreeing that some parts of the request were too vague but that Public Safety improperly refused to process the parts that did meet the criteria. Public Safety Canada committed to processing 5,000 pages per year of the relevant records.

Adjudicator: Caroline Maynard

Key Issues
  • Adequacy of the request details under section 6 of the ATIA
  • Institution's obligation to process requests in parts
  • Institution's duty to assist requesters
  • Timely processing of large volumes of records

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 15, 2021 · PIPEDA Findings #2021-005 · Indexed Apr 12, 2026

PIPEDA Findings #2021-005: Staying signed in by default to email services poses serious privacy concerns for users accessing their email on a public or shared computer

Yahoo! Canada

This investigation concerned Yahoo! Canada's "Stay signed in" feature for its email service, which defaulted to keeping users logged in. The OPC found this practice posed significant privacy risks, especially on public or shared computers, as emails can contain highly sensitive personal information. Yahoo was found to have inadequate safeguards and failed to obtain meaningful consent for the disclosure of personal information that could result from this default setting. Yahoo committed to changing the feature to an opt-in basis and providing clearer warnings to users.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards against unauthorized access to sensitive email content.
  • Whether "Stay signed in" default setting constitutes meaningful consent for disclosure of personal information.
  • Clarity and prominence of privacy warnings associated with the "Stay signed in" feature.

Federal (Canada) · Access to Information Act · Well-founded
Mar 12, 2021 · 5820-00869 · Indexed Apr 21, 2026

Royal Canadian Mounted Police (Re), 2021 OIC 6

Royal Canadian Mounted Police

The complainant alleged that the Royal Canadian Mounted Police (RCMP) improperly withheld information under subsection 19(1) of the Access to Information Act related to a follow-up investigation concerning a Code of Conduct decision against the complainant. The RCMP initially withheld information, but later released some of it, conceding it was not personal information. However, they continued to withhold other information under subsection 19(1). The OIC concluded that the remaining withheld information was indeed personal information concerning another individual and did not meet the exceptions in subsection 19(2), therefore the complaint was well founded.

Adjudicator: Caroline Maynard

Key Issues
  • Application of subsection 19(1) (personal information) of the ATIA
  • Whether withheld information constituted personal information of another individual
  • Whether the exceptions in subsection 19(2) of the ATIA applied

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Mar 12, 2021 · PIPEDA Findings #2021-006 · Indexed Apr 12, 2026

PIPEDA Findings #2021-006: A short-term lender collects online banking credentials in the course of payday loan applications

CashHere

The Office of the Privacy Commissioner of Canada (OPC) investigated a short-term lender, CashHere, after receiving an alert that it was collecting clients' online banking credentials (usernames, passwords, security questions and answers) as part of its payday loan application process. The OPC found that while the lender had a legitimate need to verify identity and income, collecting these highly sensitive credentials was not a purpose that a reasonable person would consider appropriate due to the significant privacy risks and the availability of less invasive alternatives. The investigation also uncovered a related entity, MoneyHome, engaging in similar practices.

Adjudicator: Daniel Therrien

Key Issues
  • Appropriateness of collecting online banking credentials for loan applications
  • Proportionality of privacy harms versus lender benefits
  • Availability of less privacy-invasive means to verify identity and income
  • Potential link between CashHere and MoneyHome

Federal (Canada) · Access to Information Act · Not well-founded
Mar 5, 2021 · 2021 OIC 5 · Indexed Apr 21, 2026

Canadian Security Intelligence Service (Re), 2021 OIC 5

Canadian Security Intelligence Service

The complainant alleged that the Canadian Security Intelligence Service (CSIS) took an unreasonable amount of time to respond to an access to information request, specifically concerning a time extension for consultations. CSIS argued that the extension was necessary due to the sensitivity of the records, the need for on-site review, and limited workplace access, all exacerbated by the pandemic. The OIC found that CSIS made a reasonable effort to assess the extension period and concluded that the time taken was justified given the circumstances.

Adjudicator: Caroline Maynard

Key Issues
  • Reasonableness of time extension for consultations under paragraph 9(1)(b) of the ATIA.
  • Impact of the pandemic on the ability of institutions to complete consultations within the standard timeframes.
  • Whether CSIS adequately demonstrated the necessity and duration of the time extension.

Federal (Canada) · Access to Information Act · Well-founded
Feb 24, 2021 · 2021 OIC 26 · Indexed Apr 21, 2026

Global Affairs Canada (Re), 2021 OIC 26

Global Affairs Canada

The Office of the Information Commissioner (OIC) received nine complaints concerning Global Affairs Canada's failure to meet deadlines, or its taking of unreasonable time extensions, in responding to access requests. In four cases, the institution cited the COVID-19 pandemic as a significant factor. Global Affairs committed to finalizing all nine requests by October 15, 2021. The OIC found all nine complaints to be well founded.

Adjudicator: Caroline Maynard

Key Issues
  • Timeliness of response to access to information requests
  • Impact of COVID-19 on institution's ability to process requests
  • Reasonableness of time extensions

Federal (Canada) · Access to Information Act · Not well-founded
Feb 9, 2021 · 5820-00879 · Indexed Apr 21, 2026

5820-00879 — Royal Canadian Mounted Police

Royal Canadian Mounted Police

The complainant alleged that the Royal Canadian Mounted Police (RCMP) improperly withheld information under paragraph 16(1)(a) of the Access to Information Act. The OIC found that the withheld information was obtained by the RCMP during a lawful investigation related to the suppression of crime and was created less than 20 years before the request. The OIC was also satisfied that the RCMP reasonably exercised its discretion in deciding to withhold the information.

Adjudicator: Caroline Maynard

Key Issues
  • Whether the information was obtained or prepared by an investigative body in the course of a lawful investigation pertaining to the detection, prevention or suppression of crime.
  • Whether the information came into existence less than twenty years prior to the request.
  • Whether the RCMP reasonably exercised its discretion to withhold the information.

Federal (Canada) · Access to Information Act · Not well-founded
Feb 3, 2021 · 5819-01344 · Indexed Apr 21, 2026

5819-01344 — Canada Revenue Agency

Canada Revenue Agency

The complainant alleged that the Canada Revenue Agency (CRA) improperly withheld information concerning a specific individual's business ownership under subsection 24(1) of the Access to Information Act. The OIC found that the requested information was about an identifiable taxpayer (not the complainant) and was obtained by the CRA for the purposes of administering the Income Tax Act. As section 241 of the Income Tax Act restricts the disclosure of such information, the OIC concluded the CRA properly withheld the records.

Adjudicator: Caroline Maynard

Key Issues
  • Whether the information requested was properly withheld under subsection 24(1) of the ATIA (disclosure restricted by another law).
  • Whether the information constituted taxpayer information as defined by the Income Tax Act.
  • Whether section 241 of the Income Tax Act restricted the disclosure of the requested information.