Federal (Canada) Privacy Decisions

This investigation examined a privacy breach experienced by a contractor for the Canada Border Services Agency (CBSA), which was targeted by a ransomware attack. Personal information, specifically licence plate images captured at Canadian border crossings, was accessed and some was posted online. The OPC found that the CBSA had contravened the Privacy Act due to inadequate security safeguards in its contract with the contractor and its inconsistent handling of licence plate data as personal information. The investigation concluded the complaint was well-founded but resolved, as the CBSA agreed to implement recommendations to improve its contracting and data protection practices.

• Whether licence plate image files, including metadata, constitute personal information under the Privacy Act.
• Whether the CBSA contravened the disclosure provisions of the Privacy Act.
• Whether the CBSA had adequate security safeguards in its contract with a third-party contractor.
• Whether the CBSA adequately managed the retention of personal information.

This investigation concerned MGM Resorts International's handling of a 2019 data breach that affected millions of guests, including nearly two million Canadians. The OPC initiated a complaint after media reports indicated a breach and MGM had not reported it. The investigation found that MGM failed to promptly assess the risk of significant harm (RROSH) posed by the breach and did not report it to the OPC or notify affected Canadians as soon as feasible. MGM has committed to updating its privacy breach response framework to ensure timely RROSH assessments and reporting.

• Whether the personal information involved in the breach posed a real risk of significant harm (RROSH) to affected Canadians.
• Whether MGM adequately assessed the RROSH.
• Whether MGM reported the breach to the OPC and notified affected Canadians as soon as feasible.
• Whether MGM's delay in assessing the breach and notifying Canadians contravened PIPEDA's mandatory breach reporting obligations.

The Department of National Defence (DND) disclosed the identity of a workplace violence (WPV) complainant and the investigation report to a second investigator, who was conducting a separate administrative investigation into the complainant's conduct. The OPC found that while disclosing the report to labour relations was a consistent use, disclosing it to the second investigator was not, as it was not a reasonably expected use of the information given the confidentiality assurances provided to the complainant. This disclosure was therefore found to be a contravention of the Privacy Act.

• Was the disclosure of the WPV complainant's identity and report to a second investigator a 'consistent use' under paragraph 8(2)(a) of the Privacy Act?
• Did DND's consent form clearly communicate potential uses and disclosures of the complainant's identity?
• Did the disclosure align with the reasonable expectations of the complainant regarding confidentiality?
• What corrective actions are necessary to ensure future compliance with privacy principles in WPV investigations?

The complainant alleged that Shared Services Canada (SSC) wrongfully refused to process an access request for records related to informal official language complaints. SSC argued that the request, even after narrowing its scope, did not meet the requirements of section 6 of the Access to Information Act because it would require tasking too many employees and would impose an unreasonable administrative burden. The Information Commissioner disagreed, finding the request sufficiently detailed and ordering SSC to process it.

• Whether the access request provided sufficient detail to enable an experienced employee to identify records with reasonable effort.
• Whether administrative burden on an institution is a valid reason to refuse processing a request.
• Whether the scope of the request necessitated tasking all employees of the department.
• Whether section 6.1 of the Act was the appropriate process to address claims of vexatious requests.

Biron Health Group sent promotional emails to travellers who had undergone COVID-19 testing upon arrival in Canada, using their email addresses collected for testing purposes. The complainant alleged this violated PIPEDA. Biron argued they assumed implicit consent due to a business relationship, but the OPC found this assumption unreasonable given the mandatory nature of the testing. Biron has since ceased the practice, deleted affected email addresses, and the complaint was settled.

• Use of personal information for secondary marketing purposes without consent
• Reasonableness of assuming implicit consent in a mandatory service context
• Nature of consent required for collecting and using health-related information

The complainant alleged that Public Services and Procurement Canada (PSPC) failed to provide records regarding a specific contract. PSPC stated they could not identify relevant records, claiming they were not in their possession. The Information Commissioner found that while the records (a subcontract and related documents) were not in PSPC's physical possession, they were under PSPC's control for the purposes of the Access to Information Act. Therefore, PSPC should have retrieved and processed these records.

• Whether records held by a third-party contractor are under the control of a federal institution.
• Whether the institution conducted a reasonable search for the requested records.
• The interpretation of the 'under the control' clause in the Access to Information Act.

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) improperly withheld job creation estimates under paragraph 20(1)(c) of the Access to Information Act. The scope was narrowed to 11 third parties. Only one third party, Toyota, provided representations to support the exemption. The Information Commissioner found that neither ISED nor Toyota sufficiently demonstrated that disclosure would cause material financial harm or prejudice competitive position. The Commissioner recommended disclosure of all information, but ISED stated it would continue to withhold certain information related to Toyota.

• Application of paragraph 20(1)(c) (financial impact on a third party)
• Sufficiency of representations from third parties
• Reasonable expectation of harm
• Necessity of an explanatory note

The Information Commissioner initiated a systemic investigation into Library and Archives Canada (LAC) due to consistently delayed responses to access requests over several years. The investigation found that nearly 80% of requests completed by LAC during the period under review did not meet the timeframes stipulated by the Access to Information Act. The Commissioner made ten recommendations to the Minister of Canadian Heritage, and subsequently tabled a special report in Parliament highlighting issues at LAC and broader challenges within the access to information system.

• Timeliness of access to information requests
• Consultation processes between institutions
• Lack of a government-wide declassification framework

The complainant alleged that the Vancouver Fraser Port Authority (VFPA) improperly withheld records related to $103 million in funding from the National Trade Corridors Fund. The VFPA cited exemptions related to government interests, negotiations, and confidential third-party information. The Information Commissioner found that the VFPA failed to demonstrate that all withheld information met the requirements for exemptions under paragraphs 18(b) and 18(d). Furthermore, the VFPA and the third party, Canadian National Railway, did not demonstrate that the exemptions under paragraphs 20(1)(b) and 20(1)(d) were met. The Commissioner ordered the disclosure of all information withheld under paragraphs 20(1)(b) and 20(1)(d), and specific information withheld under paragraphs 18(b) and 18(d). The VFPA agreed to implement the order.

• Whether the Vancouver Fraser Port Authority properly applied exemptions under paragraphs 18(b), 18(d), 20(1)(b), and 20(1)(d) of the Access to Information Act.
• Whether the Vancouver Fraser Port Authority discharged its burden to demonstrate that the withheld information met the requirements of the cited exemptions.
• Whether the third party, Canadian National Railway, met the requirements for the application of exemptions under paragraphs 20(1)(b) and 20(1)(d).
• Whether the Vancouver Fraser Port Authority reasonably exercised its discretion in withholding information.