Federal (Canada) Privacy Decisions

A customer complained that his investment firm's Know Your Client (KYC) form required an unreasonable amount of personal information, contrary to PIPEDA. The firm argued the information was necessary to comply with regulatory obligations set by the Investment Industry Regulatory Organization of Canada (IIROC). The OPC investigated whether the firm collected more information than necessary for legitimate purposes. Ultimately, the OPC found that the firm's collection of detailed financial and personal information, including spousal income and investment experience, was justified to meet IIROC's KYC and suitability requirements.

• Whether the investment firm explicitly specified the purposes for collecting personal information.
• Whether the stated purposes for collection were legitimate.
• Whether the firm collected more personal information than necessary to fulfill those purposes.
• Whether the collection was a condition of service that violated PIPEDA.

An individual complained to the OPC after an internet search engine continued to display her résumé and personal information, even after she had it removed from the original job posting site. The search engine initially did not comply with her requests to remove the information. The OPC intervened, and the search engine subsequently removed the cached copy of the information using its URL removal tool.

• Right to withdraw consent for use/disclosure of personal information
• Search engine's obligation to de-index personal information
• Effectiveness of search engine URL removal tools

An investigation was launched after a complaint that Google's AdSense service delivered targeted advertisements for CPAP devices based on the complainant's online search for medical devices. The OPC found that Google used online behavioural advertising (OBA) to deliver these ads, which involved sensitive health information, without express consent. Google argued the ads were contextual, but the OPC determined they constituted OBA and contravened PIPEDA Principles 4.3 and 4.3.6 regarding consent for the use of sensitive information. Following recommendations, Google implemented remedial measures, leading to the complaint being conditionally resolved.

• Was sensitive health information used for online behavioural advertising without express consent?
• Did Google's practices comply with PIPEDA Principles 4.3 and 4.3.6 regarding knowledge and consent for the use of personal information?
• Did Google's privacy policy accurately reflect its practices regarding the use of sensitive health information for targeted advertising?
• Were Google's monitoring and compliance mechanisms adequate to prevent policy violations?

An individual complained that an online dating service used his personal information without consent and failed to provide him access to his information after he cancelled his membership. The Office of the Privacy Commissioner of Canada (OPC) found that the original owner violated PIPEDA by denying the complainant access to his personal information and by continuing to send him marketing emails after consent was withdrawn. The OPC also found the service failed to have a privacy policy and safeguard information. While issues were found to be well-founded, they were resolved by the new owner who purged the data and implemented a privacy policy.

• Access to personal information
• Withdrawal of consent for marketing emails
• Retention of personal information
• Safeguarding of personal information

A complainant expressed concern that the online publication of her full name and date of birth in the Canada Gazette, as required by the agreement establishing the Qalipu Mi’kmaq First Nation Band, put her at risk of identity theft. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that the disclosure was consistent with the Privacy Act, as the information was published for the purpose for which it was originally collected: the identification and recognition of Band members. Therefore, the complaint was not well-founded.

• Disclosure of personal information without consent
• Purpose of collection and disclosure
• Risk of identity theft

The Office of the Privacy Commissioner investigated a complaint from an individual whose personal health information was accessed by an employee of National Defence. The investigation found that the employee improperly accessed the complainant's health records for personal reasons, not for any professional or authorized purpose. National Defence has since implemented new controls, updated policies, and provided training to its healthcare staff to prevent future breaches.

• Inappropriate access to personal health information
• Use of personal information for personal reasons
• Adequacy of National Defence's privacy training and controls

A complainant alleged that Correctional Service of Canada (CSC) denied him access to the full version of a report concerning his treatment and supervision. CSC initially provided a condensed version, which the OPC found to be a misrepresentation of the information and contrary to CSC's obligations under the Privacy Act. Following the OPC's investigation, CSC provided the complainant with the full report, with some personal information of other parties withheld, and committed to reviewing its access request handling procedures and communicating staff obligations under the Privacy Act.

• Was the respondent in compliance with its obligations to identify and provide all relevant information in response to an access request?
• Whether the respondent's provision of an abbreviated report was a misrepresentation of the information.

The complainant alleged that the Canada Revenue Agency (CRA) contravened the Privacy Act by improperly accessing his tax file. The investigation found that a CRA employee accessed the complainant's tax file without authorization and beyond the requirements of their position. The CRA has since confirmed the employee no longer has access to taxpayer information.

• Unauthorized access to personal information
• Contravention of use and disclosure provisions of the Privacy Act

Transport Canada denied a man's security clearance based on information from the RCMP. The man complained that the RCMP improperly disclosed his personal information, specifically details of an absolute discharge from a 2009 incident. The RCMP disclosed this information without the required ministerial approval, which contravened the Criminal Records Act.

• Disclosure of personal information by the RCMP.
• Compliance with the Criminal Records Act regarding absolute discharges.
• Authorization for disclosure of information for security clearances.

An estranged wife, employed as a civilian at a Canadian Forces Base, accessed her husband's medical records without authorization. She also deleted a physiotherapy appointment and accessed a paper file. The Department of National Defence (DND) determined this was a willful breach of rules and implemented restrictions on her access. The OPC found the complaint to be well-founded, as the access was inconsistent with the original purpose of the information and not a permissible use under the Privacy Act.

• Unauthorized access to medical records
• Access and use inconsistent with original purpose
• Willful breach of departmental rules

An inmate at a maximum-security penitentiary requested video recordings of incidents involving officers. The Correctional Service of Canada (CSC) denied access, citing third-party information and security concerns. The OPC found complaints regarding 16 destroyed videos to be well-founded, as CSC had not even reviewed them before denial. For two other videos, which CSC claimed contained third-party information and posed security risks, the OPC found CSC correctly applied exemptions, thus resolving those complaints.

• Timeliness of responding to access to information requests
• Destruction of records prior to fulfilling requests
• Application of exemptions for security of penal institutions
• Proper review of records before withholding information

The OPC investigated a complaint about an RCMP officer who accessed the CPIC database to conduct a criminal background check on a prospective tenant for a private rental. The investigation found the officer used the database for personal reasons, not for a legitimate law enforcement purpose. The RCMP took remedial actions, including an apology and a reminder to employees about database use policies, which satisfied the OPC.

• Unauthorized access to the CPIC database
• Use of personal information for non-law enforcement purposes
• Compliance with RCMP policies on database access

A formal investigation by the Office of the Privacy Commissioner of Canada concluded that Aboriginal Affairs and Northern Development Canada (AANDC) and the Department of Justice Canada wrongly collected personal information from activist Cindy Blackstock's personal Facebook page. The departments argued that information posted publicly on social media was not private, but the OPC rejected this argument, stating that public availability does not make information non-personal. The OPC recommended that both departments cease accessing personal information on social media without a direct link to government business and destroy improperly collected information, with both departments accepting the recommendations.

• Whether personal information posted on a public Facebook page is still considered private under the Privacy Act.
• Whether the collection of personal information from social media feeds was directly related to a government operating program or activity.
• Whether the departments' accessing of Indian status records was justified.

An individual complained that a legal firm failed to respond to his requests for estate information, in which he claimed beneficiary status. The Office of the Privacy Commissioner of Canada (OPC) found that the firm contravened PIPEDA by not responding within the 30-day time limit. However, the OPC also determined that the individual was only entitled to access his own personal information, not general estate information, and that the firm had conducted a reasonable search for any such information. The complaint was ultimately found to be well-founded and resolved.

• Individual's right to access general estate information as a beneficiary versus personal information.
• Organization's obligation to respond to an access request within 30 days, even if no responsive information is held.
• Determining what constitutes an individual's 'personal information' under PIPEDA in the context of estate administration.

An individual complained that a retailer withheld access to her personal information, which she stated was necessary for ongoing litigation between them. The Office of the Privacy Commissioner of Canada (OPC) declined to investigate, finding that court procedures offered a more appropriate means for the complainant to address her access issues. The OPC noted that a provincial court judge had indicated the complainant could seek further disclosure through cross-examination. Therefore, the OPC determined that the complaint could be more appropriately dealt with by the court.

• Whether court procedures provide a more appropriate means to address access issues related to ongoing litigation.
• Whether the retailer contravened PIPEDA by refusing access to personal information based on litigation privilege.
• Whether the OPC should decline to investigate when court procedures can address the access issues.