Federal (Canada) Privacy Decisions

The complainant alleged that Health Canada improperly withheld records related to a COVID-19 vaccine safety update report, citing exemptions for confidential government information, personal information, and third-party commercial information. The Information Commissioner found that while some information was properly withheld under exemptions for confidential government information (section 13(1)) and personal information (section 19(1)), Health Canada failed to properly exercise its discretion regarding publicly available information under section 13(1). The Commissioner also found that exemptions for third-party commercial or financial information (section 20(1)(b) and (c)) were not met. The Commissioner ordered Health Canada to disclose the information withheld under third-party exemptions and reconsider the disclosure of publicly available information under section 13(1).

• Proper application of section 13(1) (confidential information from government bodies)
• Proper application of section 19(1) (personal information)
• Proper application of section 20(1)(b) (confidential third-party financial, commercial, scientific or technical information)
• Proper application of section 20(1)(c) (financial impact on a third party)

The OPC investigated a complaint alleging that Immigration, Refugees and Citizenship Canada (IRCC) improperly withheld access to personal information. The complainant requested the "History Section" of their case file, but IRCC only provided a subset of information from other sections, referred to as the "Short Form" report. The OPC found that IRCC's practice of systematically retrieving and processing only the Short Form report contravenes section 12 of the Privacy Act, as it fails to provide individuals with access to all personal information under the government's control. Although the specific file was eventually provided, IRCC refused to update its procedures to address the systemic issue.

• Whether IRCC's practice of only retrieving and processing a "Short Form" subset of records in response to access requests complies with the Privacy Act's access obligations.
• Whether the "History Section" of the Global Case Management System (GCMS) file contains personal information.
• Whether IRCC's assertion that information outside the "Short Form" would always be withheld under exemptions is valid.
• Whether IRCC's failure to commit to updating its procedures constitutes a continuing contravention of the Privacy Act.

This compliance letter concerns a privacy breach at Nova Scotia Power that began around March 19, 2025. A malware attack allowed a threat actor to access and exfiltrate sensitive customer information, including names, contact details, financial information, and SINs, affecting approximately 375,000 current and 540,000 former customers. Nova Scotia Power has committed to specific actions, including deleting customer SINs and undergoing an external security assessment, to address the breach. Upon the Commissioner's satisfaction with these commitments, the investigation will be discontinued.

• Adequacy of security safeguards following a significant data breach.
• Timeliness and method of notification to affected individuals.
• Collection and retention of Social Insurance Numbers (SINs).
• Breach response and remediation efforts.

An employee of the Canada Border Services Agency (CBSA) complained that their personal information was inadvertently disclosed to colleagues due to improperly set folder permissions in the CBSA's information management system, Apollo. The CBSA confirmed the contravention of section 8 of the Privacy Act. While the CBSA took steps to correct the issue and improve practices, it did not commit to mandatory, trackable training for managing permissions, leading the OPC to find the complaint well-founded but unresolved.

• Whether CBSA contravened section 8 of the Privacy Act by improperly disclosing employee personal information.
• Adequacy of CBSA's response and corrective measures.
• Whether CBSA's training and awareness initiatives for managing information system permissions are sufficient.
• Whether the matter is resolved given CBSA's non-commitment to mandatory, trackable training.

The complainant alleged that Transport Canada failed to respond to an access to information request within the legislated 30-day timeframe. The request, for correspondence regarding the Greater Toronto Airports Authority, was significantly delayed due to the slow retrieval of records by a key office within Transport Canada, further exacerbated by a building fire. The Information Commissioner found the complaint to be well-founded, ordering Transport Canada to provide a complete response within 120 business days.

• Timeliness of response to access request
• Institution's duty to assist requesters
• Impact of building fire on record retrieval
• Processing of electronic vs. paper records

The complainant alleged that the Privy Council Office (PCO) did not conduct a reasonable search for records related to a previous access request and a "Lessons Learned" document. The OIC found that PCO did not provide sufficient evidence to demonstrate a reasonable search was conducted. The Information Commissioner ordered PCO to conduct a new search and provide a supplementary response to the complainant.

• Reasonableness of the search conducted by the institution
• Sufficiency of documentation provided by the institution regarding its search efforts
• Burden of proof on institutions to demonstrate a reasonable search

This investigation examined the Treasury Board of Canada Secretariat's (TBS) handling of employee personal information related to the administration of the Direction on Prescribed Presence in the Workplace, which mandates minimum on-site workdays. The Office of the Privacy Commissioner of Canada (OPC) found that TBS's practices for both organizational compliance reporting (using aggregated data like turnstile and HR data) and individual compliance monitoring (relying on manager observation and self-reporting) were compliant with the Privacy Act. The OPC concluded that the complaint was not well-founded, noting TBS's effective balance between operational needs and employee privacy.

• Collection of employee personal information for hybrid work model compliance
• Retention and disposal of personal information
• Use and disclosure of personal information
• Transparency and adequacy of Personal Information Banks (PIBs)

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) unreasonably extended the time to respond to an access request for Microsoft Teams messages and related policies. The investigation found that ISED's justification for a 390-day extension was inadequate, as it failed to demonstrate a link between the reasons for the extension and its length, or that a serious attempt was made to assess this length. The OIC also noted significant delays in processing. The Commissioner ordered ISED to provide a complete response within 60 business days.

• Reasonableness of time extension under subsection 9(1)
• Justification for length of extension for record volume and operational interference
• Justification for length of extension for consultations
• Deemed refusal under subsection 10(3) due to invalid time extension

The complainant alleged that Employment and Social Development Canada (ESDC) improperly withheld records related to the Canada Student Service Grant. The complainant also alleged that ESDC did not conduct a reasonable search. The Information Commissioner found that ESDC improperly withheld information under exemptions related to third-party commercial information, advice and deliberations, and solicitor-client privilege. The Commissioner also found that ESDC did not reasonably exercise its discretion for some of these exemptions. The Commissioner ordered ESDC to disclose certain information and re-exercise its discretion on others. The complaint was found to be well founded.

• Improperly withheld third-party commercial information
• Improperly withheld advice or recommendations and accounts of deliberations
• Improperly withheld information under solicitor-client privilege
• Failure to reasonably exercise discretion

The complainant alleged that Public Services and Procurement Canada (PSPC) improperly withheld information regarding leases valued over $500,000 annually. The complainant sought records for leases signed between 2018-2022 in specific cities. PSPC invoked exemptions under paragraphs 18(b) and 20(1)(b) of the Access to Information Act, claiming harm to its competitive position and the confidentiality of third-party financial information. The Information Commissioner found that neither PSPC nor the third parties established the requirements for these exemptions, noting that rent amounts were negotiated terms and the claims of harm were speculative. The Commissioner ordered PSPC to disclose the records in full.

• Whether the annual rent figures for leases were properly withheld under paragraph 18(b) (competitive position of government institutions).
• Whether the annual rent figures were properly withheld under paragraph 20(1)(b) (confidential third-party financial or commercial information).
• Whether the annual rent figures were properly withheld under paragraph 20(1)(c) (material financial impact on a third party).
• Whether the annual rent figures were properly withheld under paragraph 20(1)(d) (interference with third-party negotiations).

The complainant alleged that Indigenous Services Canada (ISC) failed to conduct a reasonable search for records concerning a specific video posted on Facebook. During the investigation, it was found that ISC had initially excluded records interpreted as drafts, leading to the retrieval of 1,087 additional pages. The Information Commissioner found the original search unreasonable but concluded that ISC had since conducted a reasonable search. The Commissioner ordered ISC to process and respond to the additional records within 36 business days.

• Reasonableness of the search conducted by the institution
• Interpretation and application of exclusion criteria for records

The OPC investigated Loblaw Companies Ltd. regarding complaints about the deletion of PC Optimum Loyalty Program accounts. The investigation found Loblaw contravened PIPEDA by taking an unreasonable amount of time to address deletion requests and by failing to ensure that retained purchase history data was sufficiently anonymized after account closures. Loblaw has agreed to take corrective actions, including a third-party assessment of its anonymization processes.

• Adequacy of Loblaw's processes for addressing individual privacy challenges regarding account deletion.
• Compliance with PIPEDA's retention principle regarding anonymization of purchase history data.
• Timeliness of Loblaw's response to customer deletion requests.
• Sufficiency of Loblaw's anonymization techniques for retained data.

An inmate alleged that Correctional Service Canada (CSC) failed to retain video footage of use of force incidents involving them, violating the Privacy Act's retention obligations. The OPC found that CSC did dispose of footage that it was obligated to retain for at least two years under the Act. CSC agreed to implement enhanced oversight, including monthly attestations and quarterly audits of use of force footage retention in its Pacific Region.

• Obligation to retain personal information used for administrative purposes under the Privacy Act
• Adequacy of institutional policies for video retention
• Ensuring reasonable access to personal information
• Effectiveness of oversight measures for compliance

The complainant alleged that the Privy Council Office (PCO) improperly withheld information related to a meeting, citing exemptions under subsection 16(2) (facilitating the commission of an offence) and subsection 19(1) (personal information) of the Access to Information Act. The OIC found that PCO failed to demonstrate that a signature and two initials, withheld under subsection 19(1), met the requirements of the exemption, particularly considering they related to official duties and transparency. Although PCO initially applied subsection 16(2) to a phone number, the OIC concluded this exemption was met. However, the OIC ordered PCO to disclose the information withheld under subsection 19(1).

• Application of subsection 16(2) to a phone number
• Application of subsection 19(1) to signatures and initials
• Whether signatures/initials used for official duties are excluded from the definition of personal information under paragraph 3(j) of the Privacy Act
• Reasonableness of the institution's exercise of discretion to withhold information

The complainant alleged that Transport Canada improperly withheld information related to a workplace fatality under several exemptions, including personal information and third-party commercial/technical information. The complainant also alleged that Transport Canada had not conducted a reasonable search. The OIC found that while the initial search was not reasonable, it was resolved during the investigation. The Commissioner ordered Transport Canada to disclose certain information that did not meet the criteria for third-party exemptions, and re-exercise discretion on other withheld information.

• Proper application of the personal information exemption (s.19(1) ATIA).
• Proper application of third-party information exemptions (s.20(1)(b) and (c) ATIA).
• Proper application of investigation conduct exemption (s.16(1)(c) ATIA).
• Reasonableness of the search for records.