Federal (Canada) Privacy Decisions

An individual complained that Veterans Affairs improperly collected his personal information by searching for and disclosing a URL linking to a Google group discussion page containing his email address and personal opinions. The OPC found that while the information was publicly available, its collection by Veterans Affairs did not relate directly to an operating program or activity of the institution, violating the Privacy Act. The complaint was well-founded, and Veterans Affairs apologized and deleted the email.

• Whether the collection of a URL linking to publicly available personal information relates directly to an operating program or activity of a federal institution.
• The distinction between the use/disclosure of publicly available information and its collection under the Privacy Act.

A customer complained that his cell phone service provider disclosed his personal information to an imposter and inadequately responded to his request for access to his data. The Office of the Privacy Commissioner of Canada (OPC) found that the provider contravened PIPEDA by allowing an employee to disclose sensitive account details without proper authentication. The OPC also found that the provider initially failed to meet the 30-day deadline for responding to the customer's access request, but this aspect was later resolved. The OPC recommended the company review its privacy management programs.

• Disclosure of personal information without consent
• Failure to properly authenticate a caller
• Adequacy and timeliness of response to access request
• Effectiveness of employee training and adherence to procedures

A complainant alleged that a telecommunications firm failed to provide her with access to her personal information, specifically notes and transcripts of recorded conversations relating to her account dispute. The investigation found that the firm failed to respond to the access request within the statutory time limits and deleted records that were the subject of the request, contravening PIPEDA. The firm accepted recommendations to amend its policies, procedures, and provide enhanced training to staff, leading to the resolution of the complaint.

• Timeliness of response to access requests
• Retention of personal information subject to an access request
• Adequacy of privacy policies and staff training

The Office of the Privacy Commissioner of Canada investigated a complaint concerning the Public Service Commission of Canada's collection and disclosure of an individual's medical release information from the Canadian Forces. The information was used for a priority hiring program for ex-military staff. The investigation found that the complainant had consented to the collection and disclosure.

• Collection and disclosure of personal information
• Consent to collection and disclosure
• Use of personal information for priority hiring program

A former inmate complained after a psychiatric nurse employed by the Keele Community Correctional Centre left his treatment file on a bus. The OPC confirmed that the inmate's privacy had been breached and upheld the complaint as well-founded. The Centre, which falls under the jurisdiction of the Correctional Service of Canada, took appropriate corrective measures, including reminding the nurse of his duty to safeguard personal information and not to transport files unless encrypted.

• Duty to safeguard personal information
• Appropriate measures to prevent recurrence

A letter carrier complained that his supervisor had opened and read a sealed medical form submitted for a disability insurance claim. The investigation confirmed the supervisor used information from the form to challenge other medical documentation from the employee. The OPC found that the employee's personal information was used for an incompatible purpose without consent, upholding the complaint as well-founded.

• Unauthorized access to personal health information
• Use of personal information for an incompatible purpose
• Failure to ensure personal information was used only for the purpose for which it was collected

Two prisoners complained after a report containing their personal information was found among a fellow inmate's belongings. An investigation determined that a contract worker printed the report, which was then accessible to a welding instructor. While the report was later discovered with another inmate's effects, it could not be determined how it got there. The Office of the Privacy Commissioner confirmed the privacy rights of the complainants had been breached.

• Unauthorized disclosure of personal information
• Safeguarding of personal information by staff and contractors
• Accountability for handling sensitive reports

An inmate at Kent Institution complained after a 10-page National Parole Board decision concerning him was intercepted, photocopied, and circulated among other inmates. The OPC investigated and found that the disclosure violated the Privacy Act. Following the incident, Kent Institution implemented changes to its mail delivery process, including placing confidential documents in sealed envelopes.

• Unauthorized disclosure of personal information
• Adequacy of security measures for sensitive documents
• Compliance with the Privacy Act

The Office of the Privacy Commissioner of Canada investigated a complaint from an individual who was asked to provide his driver's licence number to close his postal box with Canada Post. Canada Post stated this was necessary to prevent fraudulent activity and for investigations into illegal shipments. The OPC found Canada Post's collection of identification numbers to be reasonable and consistent with its mandate to provide secure postal services. The complaint was dismissed as not well-founded.

• Reasonableness of collecting driver's licence number for postal box closure.
• Consistency of collection with Canada Post's mandate and security requirements.
• Purpose of collecting personal information.

An individual complained after Health Canada refused to provide him access to personal information collected about him during an occupational health and safety evaluation. Health Canada cited section 28 of the Privacy Act, which allows information to be withheld if disclosure would be contrary to the individual's best interests. The OPC found that the information sought was not solely related to the individual's health and therefore section 28 did not apply. The complaint was well-founded, but resolved after Health Canada agreed to release the information.

• Appropriateness of withholding personal health information under section 28 of the Privacy Act
• Scope of "physical or mental health" records for the purpose of section 28
• Requirement for consent when involving a medical professional for assessment under section 28

A woman complained that her Social Insurance Number (SIN) and other personal information were mishandled at a mandatory employment insurance (EI) information session. The attendance sheet containing the SINs of 32 participants went missing. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that HRSDC had not properly safeguarded the personal information, upholding the complaint as well-founded. HRSDC has since implemented new procedures to protect SINs at these sessions.

• Safeguarding of SINs and other personal information
• Adequacy of breach response and mitigation measures
• Preventing future breaches involving SINs

A complainant alleged that Canada Post collected excessive personal information when she applied for special paid leave to care for a relative. While Canada Post argued the extensive collection was necessary to prevent fraud and ensure fair administration of leave, the OPC found that too much personal data was requested, particularly about third parties. Canada Post accepted some recommendations, agreeing to collect only necessary information and update guidelines, but maintained its collection of data on other family members working at Canada Post to prevent abuse, a practice the OPC expressed reservations about.

• Necessity of collecting personal information for special leave applications
• Collection of personal information about third parties
• Balancing fraud prevention with privacy rights

The Minister of Agriculture and Agri-Food Canada filed a privacy complaint against the Canadian Wheat Board (CWB) in November 2009, following media reports about an internal audit on the Permit Book process and concerns about potential improper disclosure of farmers' personal information, including Social Insurance Numbers (SINs), to third parties. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that the CWB had appropriate protocols in place to safeguard personal information and that SINs were not disclosed to third parties. The OPC also found that personal data was only shared with the Canada Revenue Agency when required by law. Consequently, the complaint was dismissed as not well-founded.

• Whether the Canadian Wheat Board improperly disclosed personal information, including Social Insurance Numbers (SINs), of grain producers to third parties.
• Whether the Canadian Wheat Board complied with privacy legislation regarding the collection, use, safeguarding, and sharing of personal information.

A complainant alleged that a market research firm unnecessarily collected her full date of birth and did not adequately inform her that survey responses would be added to her member profile. The Office of the Privacy Commissioner of Canada (OPC) found that collecting the full date of birth was not necessary and recommended collecting only the month and year. The OPC also found that the firm failed to adequately inform participants that their survey responses would be linked to their profiles. While the firm agreed to clarify consent language, it refused to stop collecting or using the day of birth, leading the OPC to find the complaint well-founded but partially unresolved.

• Necessity of collecting full date of birth for market research demographics
• Necessity of confirming full date of birth in profiling surveys
• Adequacy of notice and consent regarding the linking of survey responses to member profiles

A veteran complained that Veterans Affairs Canada (VAC) had inappropriately used and shared his sensitive medical information in briefing notes to the Minister, and had transferred his medical file to a VAC-administered hospital without his consent. The investigation found that the briefing notes contained excessive medical details and that sensitive information was shared widely within VAC without a need-to-know. The transfer of the medical file also occurred without the required consent. The complaint was found to be well-founded.

• Inappropriate use and disclosure of sensitive medical information in briefing notes.
• Transfer of personal medical information to a hospital without consent.
• Failure to limit access to personal information on a need-to-know basis.
• Compliance with section 7 of the Privacy Act regarding use of personal information.