Federal (Canada) Privacy Decisions

The Office of the Privacy Commissioner of Canada investigated the RCMP's collection of personal information from Clearview AI, a company that scraped billions of images from the internet for facial recognition. The OPC found that the RCMP contravened the Privacy Act by collecting this information, as Clearview had collected it unlawfully. While the RCMP disagreed with this finding, it agreed to implement the OPC's recommendations to improve its policies and systems for tracking and assessing novel collections of personal information.

• Whether the RCMP's collection of personal information from Clearview AI related directly to an operating program or activity of the institution.
• Whether the RCMP had adequate controls in place to prevent future contraventions of the Privacy Act.
• The lawfulness of Clearview AI's data collection practices.
• The adequacy of the RCMP's assessment of privacy risks associated with new technologies.

The institution applied for approval to decline acting on an access request for all internal correspondence over seven years, arguing it was an abuse of the right of access. The requester did not make submissions. The Commissioner found the request, due to its overbroad scope in combination with the institution's small size and limited resources, constituted an abuse of the right of access, and granted the institution's application.

• Whether the request constitutes an abuse of the right of access under subsection 6.1(1) of the ATIA.
• Whether the institution fulfilled its duty to assist the requester under subsection 4(2.1) of the ATIA.

The complainant alleged that Transport Canada improperly withheld information related to mediation services provided by the Canadian Institute for Conflict Resolution (CICR) under paragraph 20(1)(b) of the Access to Information Act. The Information Commissioner found that while the third party's hourly rate and hours billed were properly withheld, the description of services, dates, subtotals, taxes, total amount, and amount paid were not. The Commissioner ordered Transport Canada to disclose this latter information, and the Minister agreed to implement the order.

• Applicability of paragraph 20(1)(b) to financial and commercial information.
• Confidentiality of information provided by a third party.
• Discretionary application of exemptions by the institution.
• Requirement for information to be supplied by a third party.

The Information Commissioner ceased an investigation into a complaint regarding an institution's search for records. The OIC had previously investigated and issued a final report on an identical matter concerning the institution's search for records from the 1990s. As continuing the investigation was deemed unnecessary and the complainant did not respond to an offer to provide further representations, the investigation was discontinued.

• Whether continuing the investigation was unnecessary
• Whether the matter had already been the subject of a previous investigation or final report

The complainant requested information from Health Canada regarding problems with implantable medical devices. Health Canada failed to respond within the extended time limit and was deemed to have refused access. The institution faced delays due to third-party objections and a judicial review application, which was later withdrawn. The Information Commissioner recommended that Health Canada provide a final response to the complainant by May 26, 2021, and the Minister agreed to implement this recommendation.

• Failure to respond within statutory time limits
• Deemed refusal of access
• Impact of third-party objections and judicial review on processing
• Timeliness of final response

The complainant alleged that Library and Archives Canada (LAC) failed to respond to an access request within the statutory time limits. LAC took an extensive extension but still missed the deadline, resulting in a deemed refusal. The delay was partly due to a consultation with CSIS and LAC's lack of infrastructure to process Top Secret records. The Information Commissioner found the complaint well founded, recommending immediate action and a permanent solution for processing classified records.

• Failure to respond within statutory time limits.
• Validity of 425-day time extension.
• LAC's lack of infrastructure to process classified records.
• Deemed refusal under subsection 10(3) ATIA.

The complainant alleged that Employment and Social Development Canada (ESDC) wrongly refused to process an access request for emails containing specific keywords, claiming they were not under its control. The emails were stored on ESDC servers and sent using a government account. However, the OIC found that the emails were entirely personal, had no institutional purpose, and were not integrated with ESDC's records. Therefore, the OIC concluded the emails were not under ESDC's control and not subject to the Access to Information Act, resulting in the complaint being not well founded.

• Whether the requested emails were under the control of Employment and Social Development Canada for the purposes of the Access to Information Act.

This report follows up on an earlier investigation into Statistics Canada's Financial Transactions Project and Credit Agency Data Project. While the initial investigation found no contraventions, it raised significant privacy concerns. This compliance monitoring report assesses whether Statistics Canada’s redesigned projects adequately incorporate the principles of necessity and proportionality. Although Statistics Canada has made progress in reducing the scope of data collection and implementing privacy-enhancing measures, the report concludes that the project plans still fall short in adequately describing public goals, demonstrating effectiveness, and analyzing privacy impacts.

• Adequacy of public goal descriptions for necessity and proportionality assessment.
• Demonstration of project effectiveness.
• Sufficiency of privacy impact analysis, including risk of harm.
• Alignment of Statistics Canada's necessity and proportionality framework with OPC criteria.

The complainant alleged that Public Services and Procurement Canada (PSPC) failed to respond to an access request for COVID-19 related contracts within the statutory time limit. PSPC cited pandemic measures as a reason for the delay. The Information Commissioner found that institutions cannot suspend access request processing due to the pandemic and that PSPC failed to respond within the required timeframe. Therefore, the complaint was deemed well-founded, and PSPC is considered to have refused access.

• Failure to respond within the statutory time limit
• Justification for delay due to pandemic measures
• Application of subsection 10(3) of the ATIA (deemed refusal)

This report details a systemic investigation into Immigration, Refugees and Citizenship Canada's (IRCC) handling of access to information requests, particularly for immigration application files. The investigation found that IRCC's practice of automatically extending response times for frequent requesters violated the Access to Information Act. The Information Commissioner made five recommendations to improve IRCC's processes, including ceasing this practice, developing a work plan for performance improvements, enhancing the availability of client information through other means, and securing adequate resources for the ATIP office.

• Timeliness of response to access to information requests
• Proper application of time extension provisions under the ATIA
• Systemic issues in processing high volumes of access requests
• Accessibility of immigration application information through alternative channels

The complainant alleged that the Privy Council Office (PCO) improperly withheld the names of employees within the Prime Minister's Office. The information was requested in relation to records concerning an announcement about audits of registered charities for political activities. The OIC found that the withheld names constituted personal information and met the requirements for exemption under subsection 19(1) of the Access to Information Act. The OIC was also satisfied that none of the exceptions allowing for disclosure under subsection 19(2) applied. Therefore, the complaint was not well-founded.

• Whether the names of Prime Minister's Office employees constitute personal information under subsection 19(1) of the ATIA.
• Whether the information fell under exceptions to the definition of personal information.
• Whether the institution properly exercised its discretion to disclose the information under subsection 19(2) of the ATIA.

The complainant requested information regarding legal fees for a specific litigation file from the Department of Justice Canada. The Department withheld expense details and disbursements under section 23 (legal advice and litigation privilege), citing solicitor-client privilege and a presumption of privilege for legal bills. The Information Commissioner found that while disbursements are generally presumed privileged, this presumption was rebutted in this case. The Commissioner concluded that the information was not subject to privilege as there was no reasonable possibility that it could be used to deduce protected communications, and recommended its disclosure. The Department of Justice Canada agreed to implement this recommendation.

• Whether section 23 (legal advice and litigation privilege) of the ATIA applied to the withheld expense details and disbursements.
• Whether the presumption of privilege for legal bills, as established in Maranda v. Richer, was rebutted.
• Whether the withheld information could be used by an assiduous inquirer to deduce privileged communications.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a charitable organization's donor list trading program. The OPC found that the charity required express opt-in consent, not opt-out, for sharing donor contact information, as this practice fell outside donors' reasonable expectations. The OPC also determined that the information provided to donors was insufficient to ensure meaningful consent, lacking details about what information would be shared with whom and for what purpose. The charity agreed to implement recommendations to obtain opt-in consent and provide clearer information.

• Requirement for opt-in versus opt-out consent for donor list trading.
• Sufficiency of information provided to donors for meaningful consent.
• Application of the 'reasonable expectations' principle under PIPEDA.
• Compliance with PIPEDA's requirements for consent for information sharing.

This investigation report concerns a large-scale breach of personal information at the Bank of Montreal (BMO), affecting approximately 113,000 customers. The OPC found that BMO's online banking software had significant vulnerabilities, including issues with developer security testing, vulnerability management, and oversight/monitoring, which allowed attackers to access sensitive data such as financial account numbers and SINs. BMO has since implemented substantial improvements to its security safeguards.

• Adequacy of BMO's technical safeguards to protect personal information.
• Effectiveness of BMO's developer security testing and evaluation processes.
• Sufficiency of BMO's vulnerability management protocols.
• Appropriateness of BMO's oversight and monitoring capabilities for detecting cyberattacks.