Federal (Canada) Privacy Decisions

An individual complained that a lending institution disclosed information about her delinquent account to her uncle without her consent. The investigation found merit to the complaint. The institution agreed to apologize to the complainant, adjust her loan, implement privacy policies and practices, establish a privacy committee, provide employee training, and remind staff to limit disclosure during debt recovery. The complainant and the OPC were satisfied with the actions taken, and the case was settled.

• Unauthorized disclosure of personal information
• Lack of privacy policies and practices
• Compliance with PIPEDA obligations

A former employee complained that his former trucking company employer had disclosed personal information about him to other trucking firms after his employment was terminated. The complaint was settled after discussions between the company, the complainant, and the Office. The trucking company agreed to develop privacy policies and procedures and designated a privacy officer, which were confirmed to the Office.

• Disclosure of personal information
• Development of privacy policies and procedures
• Designation of a privacy officer

A doctor complained that his access request to a professional organization for personal information was ignored. The organization confirmed they did not act on the request, but also stated that the presentation the information was to be used for was cancelled, meaning no personal information was collected or held. The complainant accepted this and the file was closed as early resolved.

• Timeliness of access requests
• Existence of personal information

An employee of a national transportation company complained about the security of employee personal information in an automated crew management system. The complainant was concerned that unauthorized personnel, including union representatives, could access sensitive information like date of birth, SIN, and wage rates. The company agreed to modify the system to prevent the display of SIN, birth date, and health information on certain screens. As the complainant's concerns were addressed, the case was settled.

• Security of employee personal information
• Access to sensitive personal information (SIN, date of birth, health information) by unauthorized personnel
• Appropriate use and disclosure of employee data

An individual complained that a telecommunications company failed to obtain adequate consent for the secondary marketing use and disclosure of customer data. The investigation found that the company's privacy code, policy, and customer activation process sufficiently informed customers of its marketing practices and their right to opt-out. The company also complied with CRTC restrictions on disclosing customer information. As a result, the Assistant Privacy Commissioner concluded that the company was in compliance with PIPEDA.

• Adequacy of consent for secondary marketing purposes
• Clarity and accessibility of privacy policies
• Company's process for informing customers of data use and opt-out options

An individual complained that a telecommunications company failed to obtain proper consent for using and sharing customer data with affiliates for secondary marketing purposes. The company made its privacy policy available online and in distributed documents, but did not actively draw customers' attention to it during the sign-up process, making the information difficult to find. The Assistant Privacy Commissioner found that the company did not make reasonable efforts to inform customers about how their data would be used, leading to a contravention of PIPEDA principles regarding knowledge and consent for secondary uses of personal information.

• Adequacy of consent for secondary marketing purposes
• Company's efforts to inform customers of privacy practices
• Accessibility and clarity of privacy policy information
• Reasonable expectations of customers regarding data use

An individual complained that a bank failed to obtain adequate consent for using and sharing customer data with affiliates for secondary marketing purposes, arguing the bank did not clearly inform customers or provide an easy opt-out mechanism. The Office of the Privacy Commissioner of Canada (OPC) investigated and found the bank's practices and materials, including informing customers of privacy policies and providing an opt-out process, constituted a reasonable effort to ensure customer knowledge and consent. The OPC concluded the bank was in compliance with PIPEDA principles regarding secondary marketing.

• Adequacy of consent for secondary marketing purposes
• Clarity of information provided to customers about data use and sharing
• Availability and ease of the opt-out process
• Bank's compliance with PIPEDA principles on knowledge and consent

The Office of the Privacy Commissioner investigated a website that was broadcasting live audio from cellular telephones onto the internet. The investigation was discontinued after the Internet Service Provider shut down the Ottawa-based website due to bandwidth issues. The website had moved to a server in New York under new management.

• Unauthorized interception and broadcasting of private cell phone conversations
• Privacy implications of using scanners to capture cellular traffic
• Responsibility of Internet Service Providers for content hosted on their networks

The OPC investigated a complaint concerning a transportation company's practice of collecting passengers' dates of birth and citizenship for the Toronto-to-New York route and disclosing this information to U.S. Customs. The company confirmed this practice, which began in 2000, was an agreement with U.S. border agencies to minimize delays. The OPC determined that sales agents misrepresented the collection of this information as mandatory.

• Collection of personal information without adequate notice or consent
• Disclosure of personal information to a third party (U.S. Customs)
• Misrepresentation of information collection as mandatory

The complainant alleged that a federal institution had failed to respond to an access request within the prescribed time limit, resulting in a deemed refusal. The Information Commissioner found the complaint inadmissible because it was not submitted within the 60-day time limit required by section 31 of the Access to Information Act. The Commissioner determined that the complainant's awareness of the deemed refusal began when the institution first failed to meet the statutory deadline, not on the date the complaint was filed.

• Timeliness of complaint submission under section 31 of the ATIA
• Definition of 'day on which the requester becomes aware' for deemed refusals
• Interpretation of 'ongoing' or 'continuing' deemed refusals
• Applicability of Federal Court and OIC precedent on complaint timeliness

An institution applied to the Information Commissioner for approval to decline processing part of an access request, arguing it was duplicative of information previously released informally. The Commissioner found the institution failed to demonstrate the request was vexatious, made in bad faith, or an abuse of the right to access. The Commissioner also noted the institution did not provide sufficient evidence or explanation to support its claim of duplication. Therefore, the institution was ordered to process the access request.

• Whether the institution provided sufficient evidence to justify declining to act on part of an access request under section 6.1(1) of the ATIA.
• Whether the information sought in the formal request was duplicative of information previously released informally.
• Whether the Commissioner can make an informed decision based on the information provided by the institution.

The Information Commissioner of Canada gave notice that she ceased investigating seventeen complaints. The complainant alleged that an institution's time extensions on seventeen access requests were unreasonable. However, the Commissioner found the requests were vexatious and substantively duplicative of a previous request where the institution's time extension was deemed reasonable. The Commissioner also noted the institution was providing interim responses as committed, and the complainant's actions suggested an attempt to circumvent previous findings.

• Whether the complaints were vexatious
• Whether further investigation was unnecessary
• Whether the requests were duplicative of a previous request
• Whether the complainant was attempting to circumvent previous findings

The complainant filed a complaint with the Information Commissioner's office regarding an access to information request. The institution provided its response in October 2021, including a notice that the complainant had sixty days to file a complaint. The complainant submitted their complaint in January 2022, which was outside the mandated timeframe. The Information Commissioner rejected the complaint because it was filed after the statutory deadline.

• Timeliness of complaint submission under section 31 of the ATIA
• Mandatory nature of statutory timeframes under the ATIA
• Commissioner's authority to extend statutory timeframes