Federal (Canada) Privacy Decisions

The OPC investigated a complaint that Public Executions Inc. was disclosing debtors' personal information without consent on its website for profit. The OPC found that the website's activities constituted a commercial activity under PIPEDA, and that its primary purpose was not journalistic, but rather to shame debtors into paying. The OPC determined the complaint was well-founded, leading to legal proceedings. Subsequently, the website was taken down, and the OPC discontinued its court application.

• Whether the website's operation constituted a 'commercial activity' under PIPEDA.
• Whether the website's purpose qualified as 'journalistic' and was therefore exempt from PIPEDA's consent requirements.
• Whether the disclosure of personal information for the purpose of shaming debtors into paying was an 'appropriate purpose' under PIPEDA.
• Whether section 7(3)(b) of PIPEDA permitted the broad disclosure of judgment debtor information.

A complainant filed a complaint against a financial technology (FinTech) company after being required to provide personal information to access an investment account management agreement. The company initially cited regulatory requirements for collecting the data before an individual became a client. The OPC advised the company that prospective clients should be able to review agreements and understand privacy implications before providing personal information to ensure meaningful consent.

• Purpose of information collection
• Meaningful consent
• Regulatory requirements for collection

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding the MyDemocracy.ca website, operated by the Privy Council Office (PCO). The complainant alleged that despite promises of anonymity, the website used Facebook Connect tracking, potentially disclosing personal information to Facebook. The OPC found that the website's design led to the automatic disclosure of IP addresses and browser information to Facebook upon visiting the site, even before users chose to share content. While PCO made some changes and no evidence suggested PCO used the data to identify individuals, the OPC concluded that the initial disclosure was not consensual and violated section 8 of the Privacy Act. Consequently, the complaint was found well-founded.

• Disclosure of personal information to third parties (Facebook) without consent.
• Whether IP addresses and browser characteristics constitute 'personal information' under the Privacy Act.
• Adequacy of privacy notices and consent mechanisms for third-party data sharing.
• Failure to conduct a Privacy Impact Assessment (PIA).

An individual complained that a bank performed multiple credit checks on her without her consent, even though she had not been a client for many years. The bank initially stated the inquiries were from its marketing group but later found they originated from an unactivated credit card application. While the bank’s policy suggested it could continue soft credit inquiries after a relationship ended, the OPC expressed concerns about this practice. The bank agreed to end the practice and update its privacy policy, leading to the complaint being early resolved. The OPC confirmed the practice has ceased and the policy has been updated.

• Consent for credit checks after termination of a business relationship
• Continued collection of sensitive personal information without a legal requirement
• Accuracy and completeness of information provided to individuals about data handling practices

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Health Canada was over-collecting personal information, specifically diagnostic details, for medical transportation and specialist services under its Non-Insured Health Benefits (NIHB) Program. The OPC found that while Health Canada's intention was to confirm policy requirements for travel, the form used inadvertently led to the collection of unnecessary diagnostic information. Health Canada has since removed the problematic field from the form.

• Whether Health Canada collected more personal information than necessary for the administration of the NIHB Program.
• Whether the collection of diagnostic information for medical transportation and specialist services contravened the Privacy Act.
• The adequacy of Health Canada's NIHB Medical Transportation and Specialist Referral Form in preventing over-collection of personal information.

The Office of the Privacy Commissioner (OPC) investigated three complaints concerning privacy breaches within the Phoenix pay system. The investigation revealed that Public Services and Procurement Canada (PSPC) had inadequate testing, coding errors, and insufficient controls, leading to multiple breaches of federal public servants' personal information. These breaches exposed names, Personal Record Identifier (PRI) numbers, and salary information, with some vulnerabilities being government-wide and potentially allowing data changes. The OPC found the complaints to be well-founded, citing the system's vulnerabilities and PSPC's initial underreporting of the scope of the breaches.

• Unauthorized access to and disclosure of personal information within the Phoenix pay system.
• Inadequacy of PSPC's testing, coding, and security controls for the Phoenix system.
• Scope and impact of the privacy breaches on federal public servants.
• Timeliness and adequacy of PSPC's notification to affected individuals.

This report details three incidents in 2017 where Canadian organizations experienced data breaches due to password reuse by their customers. In each case, attackers used login credentials obtained from unrelated breaches to access customer accounts. The Office of the Privacy Commissioner of Canada found the organizations' responses to be appropriate, including actions like password resets, enhanced security measures, and customer notifications, and encouraged other organizations to adopt similar preventative strategies.

• Impact of password reuse on personal information security
• Adequacy of organizational responses to data breaches
• Effectiveness of safeguards against unauthorized access
• Communication and notification obligations to individuals

This investigation concerned a complaint that the Royal Canadian Mounted Police (RCMP) inappropriately disclosed the complainant's personal information, including details of a past suicide attempt, to US Customs and Border Protection (CBP) via the Canadian Police Information Centre (CPIC). The complainant alleged this disclosure led to her being deemed inadmissible to the US. The Office of the Privacy Commissioner of Canada (OPC) found the disclosure was not authorized under the Privacy Act, as it did not meet the criteria for law enforcement or criminal justice purposes as defined by the Memorandum of Cooperation (MOC) between the RCMP and the FBI. Although the RCMP implemented some changes to CPIC policies, the OPC concluded they remained unclear and did not sufficiently protect against unauthorized disclosures.

• Whether the disclosure of personal information related to a suicide attempt to US border officials via CPIC was authorized under subsection 8(2)(f) of the Privacy Act.
• Whether the disclosure was authorized under subsection 8(2)(a) of the Privacy Act as a use consistent with the original purpose of information collection.
• Whether CPIC policies adequately protected against unauthorized disclosure of sensitive personal information.
• The interpretation of 'law enforcement' and 'criminal justice purposes' in the context of border security assessments.

A complainant alleged that a financial institution refused to provide access to personal information related to a disputed credit card transaction. The institution initially claimed the information was confidential commercial information under PIPEDA. While the OPC found the institution's initial claim of exemption was unfounded, it later determined that the redacted information was not the complainant's personal information, but related to third parties. The OPC concluded the complaint was well-founded due to the delay and improper initial claim, but resolved as the complainant ultimately received access to his entitled personal information.

• Whether the financial institution properly withheld personal information under the confidential commercial information exemption (PIPEDA s. 9(3)(b)).
• Whether the financial institution responded to the access request within the time limits prescribed by PIPEDA.
• Whether the withheld information constituted the complainant's personal information or third-party information.
• Whether the complainant received appropriate access to personal information concerning a disputed credit card transaction.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against an insurance company that collected and used an individual's credit score during an auto insurance claims assessment. The OPC found that the company did not have a legal basis to use credit scores for fraud detection in this context and did not obtain meaningful consent from the individual because they failed to clearly state that providing consent was optional. The company also lacked openness in its policies regarding credit score usage.

• Appropriateness of using credit scores for fraud detection in auto insurance claims assessment.
• Whether meaningful consent was obtained for the collection and use of credit score.
• Whether the insurance company over-collected personal information.
• The company's openness regarding its credit score collection and use policies.

An individual complained that their former automobile insurance company refused to delete their personal information upon withdrawal of consent. The company initially refused, citing the need to provide insurance history to other insurers. The Office determined that the company should have treated the request as a withdrawal of consent. The company subsequently deleted the information from its records after the individual accepted the implications. However, the company was not required to ensure deletion from third-party records to which the information had been lawfully disclosed. The company was also found to be in contravention for not having clear policies on third-party disclosures.

• Withdrawal of consent for the continued use of personal information
• Deletion of personal information from an organization's records
• Deletion of personal information from third-party records after lawful disclosure
• Accountability for information disclosure policies and procedures

The complainant alleged that a doctor used and disclosed his personal information without consent during an insurance claim evaluation. The investigation focused on whether the complainant's consent, provided through accident benefit application forms (OCF-1 and OCF-19), extended to this specific doctor hired to prepare a summary report. The Office determined that the consent forms explicitly allowed the insurance company and other parties, including health professionals, to collect, use, and disclose personal information for the purposes of investigating and processing the insurance claim, including assessing catastrophic impairment. Therefore, the doctor did not contravene PIPEDA's consent provisions.

• Whether consent provided for an insurance claim extended to a third-party doctor hired to prepare a summary report.
• Whether the specific wording of consent forms (OCF-1 and OCF-19) covered the collection, use, and disclosure of personal information by the doctor.
• Whether the doctor collected, used, or disclosed personal information for purposes beyond those stated in the consent forms.

An individual complained that a sports facilities company disclosed his personal information regarding an outstanding debt to a related sports association on two occasions without his consent. The company argued that PIPEDA did not apply because it answered a direct question and there was an expectation of privacy. The OPC found that disclosing debt information is sensitive and requires consent unless a specific exemption applies. As the disclosures were not for the purpose of collecting the debt, the exemption in subsection 7(3)(b) of PIPEDA did not apply, making the complaint well-founded.

• Was the disclosure of an outstanding debt considered personal information?
• Did the disclosure of debt information fall under the exemption for debt collection purposes?
• Does an 'expectation of privacy' or answering a direct question exempt an organization from obtaining consent for disclosure?
• Did the company obtain the individual's knowledge and consent for the disclosure of his debt information?

The Office of the Privacy Commissioner (OPC) investigated two complaints against the Parole Board of Canada (PBC) concerning access to record suspension information. The OPC found that the PBC improperly refused to process access requests submitted by a third-party screening company and also improperly required requesters to provide excessive identification information. The OPC concluded that the PBC's reliance on paragraph 22(1)(b) of the Privacy Act was not justified in most cases, and its identification requirements went beyond what was necessary.

• Can a requester ask to confirm that no personal information exists?
• Is paragraph 22(1)(b) of the Privacy Act properly applied to refuse access requests for record suspension information?
• Are the PBC's identification requirements for processing requests excessive?

A condominium owner complained that a developer failed to provide access to his personal information at minimal or no cost. The owner was initially told that thousands of pages of documents would cost over $200, or he could view them for free at the developer’s lawyer's office. The OPC's early resolution unit helped negotiate a compromise where the owner narrowed his request, and the developer agreed to provide free copies of the specific documents he sought. The owner was ultimately satisfied with this resolution.

• Whether the proposed fees for access to personal information complied with the "minimal or no cost" requirement.
• Whether the offer to view documents for free, but not receive copies, met the organization's access obligations.
• The reasonable accommodation of an individual with a disability in fulfilling an access request.