Federal (Canada) Privacy Decisions

The Office of the Privacy Commissioner of Canada (OPC) investigated Ticketmaster Canada Limited (TM) following a complaint that its practices regarding the collection, disclosure, and use of customer information did not comply with PIPEDA. The investigation found that TM's privacy policy was too long and complex, failing the openness principle. Furthermore, TM was using customer information for marketing purposes without adequately obtaining consent, violating the consent principle. TM has since revised its policies and practices to be more transparent and to provide customers with clear opt-in choices for marketing.

• Adequacy of TM's privacy policy in terms of openness and transparency.
• Lawfulness of using customer personal information for marketing purposes without explicit consent.
• Requirement for opt-in/opt-out mechanisms for secondary uses of personal information.
• Responsibility of TM for ensuring third-party compliance with customer consent preferences.

A former client complained that her lawyer refused to grant her access to her personal information, citing an outstanding account and a solicitor's lien. The OPC found that a solicitor's lien is not a valid reason to deny access under PIPEDA. The lawyer eventually provided the client with her full file, and the matter was settled.

• Can a solicitor's lien be used to deny a client access to their personal information?
• What are the grounds for refusing access to personal information under PIPEDA?

This investigation concerned allegations that SWIFT inappropriately disclosed personal information from Canadian financial institutions to the US Department of the Treasury (UST) via administrative subpoenas. The Privacy Commissioner of Canada determined that SWIFT was subject to PIPEDA due to its operations in Canada and its commercial activities involving Canadian banks. While SWIFT disclosed data held in the US to the UST in response to a subpoena, the Commissioner found this disclosure was permissible under the Act's exceptions to consent.

• Whether SWIFT is subject to PIPEDA
• Whether SWIFT inappropriately disclosed personal information to the UST
• Applicability of PIPEDA exceptions to disclosure in response to a subpoena

An individual complained that a department store's method for collecting provincial tax exemption information exposed customers' personal data to other customers. The store used a petition-style form where multiple customers' information was visible. Following the complaint, the store revised its process by implementing a new form and reconfiguring cash registers to generate individual receipts that were then secured. The complainant was satisfied with the changes, and the matter was settled.

• Visibility of personal information to other customers
• Safeguarding of personal information during collection
• Adequacy of corrective measures to protect privacy

A complainant was required to provide his driver's licence details to rent DVDs from a store. He objected to the store entering these details into its database, believing it unnecessary. The store initially defended the practice but later revised its membership application process after realizing it did not use the driver's licence data to trace members. The revised process allows for alternative forms of identification, and only a general confirmation of verification is entered into the database.

• Necessity of collecting driver's licence details
• Use of personal information for membership verification
• Revision of data collection practices

The complainant alleged that a counselling firm, which provided services through her employer's employee assistance program, improperly disclosed sensitive information about her to her employer. The firm revealed that the complainant was using their services and believed she was a danger to herself, which led to her supervisor and coworkers becoming aware of her EAP use. The matter was settled when the firm revised its disclosure policies and counsellors were advised to take more detailed notes and disclose only essential information when a client is believed to be in danger.

• Confidentiality of employee assistance program services
• Disclosure of sensitive information to employer
• Accurate assessment of client risk
• Misinterpretation of client statements

An individual complained that a loyalty program had provided his children's names and addresses to its partner credit card companies, resulting in the children receiving unsolicited marketing materials. The issue arose because the loyalty program did not record the dates of birth for its minor members, meaning they were not identified as minors in its system. Although the program updated the children's profiles and removed their information from the system, ongoing marketing mailings persisted for a period due to advance list generation.

• Disclosure of children's personal information to third parties for marketing purposes.
• Failure to identify and protect the personal information of minors.
• Unreasonable delay in resolving the issue and stopping marketing mailings.

An individual complained that a web-based company retained his personal information for too long after cancelling his free trial membership. The complainant also alleged the company lacked accountability as it did not answer all his privacy questions and had no designated privacy officer. As a result of the complaint, the company revised its privacy policy to clarify retention periods and purposes, and designated a privacy officer. The complainant was satisfied with these changes, and the complaint was settled.

• Excessive retention of personal information
• Lack of accountability and designated privacy officer

A tenant complained that the caretaker of his apartment building disclosed to other tenants that his rent cheque had bounced. The caretaker's wife confirmed the disclosure and also shared other tenants' confidential rental information. The building management firm apologized to the tenant and reminded the caretaker and his wife of their privacy obligations. The firm was also advised to create a privacy policy.

• Disclosure of tenant's rent cheque status
• Disclosure of other tenants' financial information
• Adequacy of management firm's response
• Need for a privacy policy

An individual complained that her dental clinic disclosed information about her overdue account to a person who had referred her to the clinic. The clinic contacted the referral source to inquire about the complainant’s whereabouts and disclosed that her bill was overdue, the amount owing, and that it would be sent to collections. The clinic acknowledged this was against its privacy policy. The parties reached a monetary settlement, including an apology, and the OPC agreed the matter was settled.

• Disclosure of personal information to a third party
• Disclosure of account status and amount owing

An individual complained about receiving promotional material and telemarketing calls after applying for a department store credit card, believing she had not consented to this use of her information. The store explained that its application form provided opt-out information below the signature line, which the complainant had signed. The OPC confirmed this opt-out mechanism was permissible under the Act. The complainant was satisfied with the explanation and requested removal from marketing lists, which the store fulfilled, settling the complaint.

• Consent for marketing purposes
• Clarity of opt-out mechanisms on application forms

An individual complained that her condominium corporation disclosed information about a dispute she was involved in to all condominium owners. The corporation initially believed the disclosed information was only publicly available contact details. The OPC clarified that the information about the dispute itself was personal information that had been disclosed without consent. The corporation apologized, and the matter was considered settled.

• Definition of personal information
• Disclosure of sensitive personal information without consent
• Disclosure of information about disputes

An individual complained that a business failed to provide him with his personal information and its privacy policy. The business initially refused access to information predating its PIPEDA obligations and did not have a privacy policy. After the OPC intervened, the business provided the remaining information and drafted a privacy policy, which was given to the complainant, settling the matter.

• Access to personal information
• Availability of privacy policy

A student complained about being required to provide his Social Insurance Number (SIN) to rent an apartment. The property management firm initially required the SIN for identity verification, credit checks, and collections. Following the OPC's guidance and federal policy against the SIN becoming a universal identifier, the firm revised its lease agreement to only require a driver's license for identification, making SIN provision optional.

• Necessity of collecting SIN for identity verification and credit checks
• Requirement of SIN as a condition of service for renting an apartment
• Overtly indicating to the customer that SIN provision is optional

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from an individual concerned that her credit card receipt contained her name, credit card number, and expiry date. The OPC found that while the restaurant's equipment did not mask this information, it was collected, used, and stored in a manner consistent with privacy principles, and there was no unauthorized disclosure. The matter was settled when the complainant was informed that industry-wide masking of credit card receipts was expected by 2007.

• Collection, use, and storage of credit card information on receipts
• Adequacy of credit card receipt masking technology
• Compliance with privacy principles despite lack of masking