Federal (Canada) Privacy Decisions

Three individuals complained after discovering their sensitive dating profiles, posted on PositiveSingles.com, appeared on nearly 60 other affiliated dating websites without their knowledge or consent. The Office of the Privacy Commissioner of Canada found that while the profiles remained within the company's controlled network, users were not adequately informed about this practice. Furthermore, inadequate safeguards allowed some personal information to be accessed by non-members. The organization revamped its website to provide clearer disclosures about profile sharing and its network structure, and improved its security measures.

• Adequacy of consent for the use and disclosure of personal information across affiliated websites.
• Whether users were adequately informed about the company's network structure and profile sharing practices.
• Sufficiency of security safeguards to prevent unauthorized access to personal information.
• Transparency of privacy policies and practices regarding data management.

The OPC investigated a complaint alleging Apple used and shared a user's unique device identifier (UDID) without knowledge or consent for tracking and targeted advertising. While Apple initially argued UDID was not personal information, the OPC found it was, especially given Apple's ability to link it to account details. The OPC determined Apple's privacy policy lacked clarity on UDID use for advertising, though its administrative uses were acceptable. Apple has since ceased using UDID for advertising, replacing it with Ad ID, and enhanced opt-out mechanisms for Ad ID, leading the OPC to find the complaint well-founded and resolved.

• Whether UDID and Ad ID constitute personal information under PIPEDA.
• Whether Apple obtained meaningful consent for the collection, use, and disclosure of UDID and Ad ID for advertising purposes.
• Adequacy of notice provided by Apple regarding its use of UDID and Ad ID.
• Apple's responsibility for disclosures of UDID and Ad ID to third-party app developers.

An individual complained that a property management company was over-collecting personal information, including Social Insurance Number (SIN), driver's licence information, and banking information, on its rental application forms. The Office of the Privacy Commissioner of Canada (OPC) also investigated the company's lack of a privacy policy. The company committed to making it clear that the request for SIN, driver's licence, and banking information was optional and to posting a privacy policy on its website. The complainant was satisfied with these changes.

• Collection of SIN, driver's licence, and banking information on rental applications
• Requirement for a privacy policy on the company website
• Responsibility for third-party practices

A bank customer complained that the bank improperly demanded to record information from his driver's license when picking up a replacement credit card. The bank initially claimed this was for anti-money laundering purposes, but later admitted this explanation was incorrect. The Office found the demand for information was not well-founded as no information was actually collected. However, the bank contravened PIPEDA by misinforming the customer about the purpose of the collection, a contravention that was resolved by revised bank procedures and staff training.

• Whether the bank limited the collection of personal information to what was necessary.
• Whether the bank's employees could explain the purposes for collecting personal information.

An individual complained to the OPC after a telecommunications firm disclosed his personal account and debt information to his tenant without his consent. The firm had merged the landlord's account with the new tenant's account when the tenant opened his own account. The firm accepted responsibility, corrected the accounts, and made amends with the landlord, leading to the early resolution of the complaint.

• Disclosure of personal information without consent
• Merging of accounts belonging to different individuals
• Collection of debt without proper verification

A Canadian woman complained that her personal information, including her Social Insurance Number and tax assessment, was disclosed to a foreign national without her consent when he applied for a work permit. The information was sent by her MP to the Canadian High Commission in Dhaka. The High Commission returned all documents, including the woman's, to the applicant, who then allegedly shared them with others. The Office of the Privacy Commissioner of Canada found the complaint well-founded, noting that Citizenship and Immigration Canada acknowledged the lack of consent and that the disclosure should not have occurred.

• Disclosure of personal information without consent
• Adequacy of safeguards to prevent unauthorized disclosure
• Jurisdiction over foreign missions

An inmate at a federal penitentiary complained that the Correctional Service of Canada contravened the Privacy Act by openly posting his and other inmates' medical appointment details, including names and offender numbers, to the general penitentiary population. The institution acknowledged the breach and agreed to cease posting lists, opting instead for individual notifications. However, they did not accept the recommendation to use only partial offender numbers for individual notifications.

• Disclosure of personal information (medical appointment details)
• Adequacy of corrective measures

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a woman who alleged her personal information regarding a drug scan during a prison visit was inappropriately disclosed. The OPC found that the Correctional Service of Canada (CSC) failed to adequately investigate the disclosure, which resulted in the woman's ex-husband restricting access to their children. The OPC determined that CSC employees had disclosed the information, but could not identify the source or specific individuals involved. The complaint was upheld as well-founded due to the improper disclosure and CSC's inadequate handling of the issue.

• Inappropriate disclosure of personal information
• Adequacy of investigation into the disclosure
• Responsibility of the institution for unauthorized access and disclosure

The Canada Revenue Agency (CRA) disclosed personal information to a third party without consent, a contravention of the Privacy Act. An employee mistakenly sent a letter containing the complainant's Social Insurance Number and details about her husband to her niece, who shares a similar name. While the CRA corrected the error and implemented measures to prevent recurrence, the Office found the complaint to be well-founded due to the failure to follow established procedures.

• Disclosure of personal information without consent
• Failure to follow internal procedures for information disclosure
• Adequacy of corrective measures

A complainant challenged Canada Post's practice of checking credit information during an online change of address request, alleging a violation of the Privacy Act. The OPC investigated and found that while Canada Post uses Equifax for identity verification, it does not conduct a credit check. Although no contravention of the Act was found regarding the information sharing itself, the OPC recommended and Canada Post implemented clearer notifications to individuals about the sharing of their personal information with Equifax for identity verification purposes.

• Whether Canada Post contravened the Privacy Act by sharing personal information with Equifax for identity verification.
• Adequacy of notice provided to individuals regarding the disclosure of personal information to Equifax.
• Canada Post's statutory authority to collect personal information for the online change of address process.

A woman complained to the Office of the Privacy Commissioner of Canada (OPC) after her tax information was inappropriately accessed by a Canada Revenue Agency (CRA) employee, who was the common-law spouse of her ex-husband. The OPC's investigation found the complaint to be well-founded, noting that while the CRA had a disciplinary policy, the investigation into the misconduct took too long. The OPC recommended enhanced privacy training and stressed the importance of timely investigations.

• Inappropriate access to taxpayer information by a CRA employee.
• Delay in investigating employee misconduct.
• Need for enhanced privacy training for employees.

The RCMP was investigated after a complainant alleged that a staff sergeant inappropriately disclosed that he was a suspect in a murder investigation at a community meeting. The Sergeant identified the man as a "person of interest" and stated he declined a polygraph test. While the RCMP believed the complainant had consented to the discussion due to his attendance at the meeting and assurances from group representatives, the OPC found the RCMP had erred in presuming consent. The onus was on the RCMP to actively obtain consent.

• Did the RCMP staff sergeant inappropriately disclose the complainant's status as a "person of interest" in a murder investigation at a community meeting?
• Did the complainant consent to the disclosure of his personal information by the RCMP staff sergeant?
• Was the disclosure of personal information reasonable and for a purpose authorized by the Privacy Act?

The adult children of a deceased veteran complained to the OPC after Veterans Affairs Canada refused to release their father's pension file. The Department argued the Pension Act required it to withhold the information for 20 years after death and that the children were not beneficiaries. The OPC found that the children, acting for the estate, were entitled to access the file under the Privacy Act's Regulations to administer the estate, and that the Department's reasoning was not reasonable. Veterans Affairs subsequently released the file.

• Right of access to personal information in a deceased individual's file by the estate administrator.
• Interpretation of the Privacy Act's Regulations regarding access to files for estate administration.
• Whether the Pension Act superseded the Privacy Act's access provisions in this context.

A complainant alleged that personal information about a "boat refugee" who was a wanted fugitive was disclosed by a federal institution to a National Post reporter. The OPC investigated and found that the information in question was publicly available on the INTERPOL website. Due to journalistic confidentiality, the OPC could not confirm how the reporter obtained the information, but found no evidence that any of the named federal institutions had disclosed it. The complaint was therefore not well-founded, though the OPC reminded departments of the sensitivity of refugee information.

• Whether personal information of a refugee was disclosed by a federal institution to a reporter
• The source of information published by the National Post
• The sensitivity of personal information of refugees

This investigation concerned a complaint that Veterans Affairs Canada (VAC) improperly disclosed the severity of a serving member of the Canadian Forces' disability pension to the Department of National Defence (DND). This disclosure, which included the exact percentage of the disability pension, was made without the veteran's consent and was not necessary for his medical treatment. The investigation found that the disclosure was not deliberate and did not meet the criteria for the "public interest" exemption under the Privacy Act. The complaint was upheld as well-founded, and VAC implemented recommendations to improve its policies and training on information sharing.

• Unauthorized disclosure of personal information (disability pension percentage)
• Applicability of the "public interest" exemption under the Privacy Act
• Compliance with internal policies and agreements for information sharing between government departments