Federal (Canada) Privacy Decisions

This special report details an investigation into unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency (CRA). The Office of the Privacy Commissioner (OPC) found that the CRA contravened the Privacy Act regarding accuracy and disclosure of personal information. While the CRA has made efforts to improve its security, shortcomings remain in prevention, monitoring, detection, remediation, and governance, particularly concerning the handling of "Unauthorized Use of Taxpayer Information by a Third Party" (UUTP) incidents. The investigation concluded that the CRA contravened subsections 6(2) and 8(2) of the Act.

• Adequacy of safeguards to protect taxpayer personal information from unauthorized disclosure and modification.
• Timeliness and strength of multi-factor authentication implementation.
• Effectiveness of monitoring and detection mechanisms for UUTPs.
• Coordination and proactivity of the CRA's governance for addressing UUTPs.

This joint investigation by privacy authorities across Canada found that OpenAI contravened privacy laws in its collection, use, and disclosure of personal information through its ChatGPT models GPT-3.5 and GPT-4. Specifically, the investigation found that OpenAI's collection of personal information from publicly accessible websites for training purposes was overbroad and inappropriate. The company also failed to obtain valid consent and be sufficiently transparent about its data practices. While OpenAI has since implemented new mitigation measures and committed to further improvements, some provincial authorities found the new measures insufficient to meet their specific legislative requirements.

• Appropriateness of purpose for data collection and use
• Validity of consent and transparency obligations
• Accuracy of generated information
• Individual rights to access, correction, and deletion

The Office of the Privacy Commissioner of Canada (OPC) investigated the Canada Border Services Agency's (CBSA) contracting practices related to the ArriveCAN application following a complaint and a request from a parliamentary committee. The investigation examined whether contractors had inappropriate access to travellers' personal information. While the OPC found no contravention of the Privacy Act, it identified shortcomings in the CBSA's contracting processes, such as issues with the timeliness and accuracy of security assessments and broad task descriptions in contracts. The OPC made recommendations to improve the CBSA's practices, which the agency accepted.

• Whether CBSA authorized contractors to access personal information without required security clearances.
• Accuracy and timeliness of security requirement assessments for contracts.
• Clarity and specificity of task descriptions in contracts and task authorizations.
• CBSA's compliance with security requirements for personnel and organizations involved in ArriveCAN contracts.

This joint investigation by Canadian privacy authorities found that TikTok's collection and use of personal information, particularly from children, for ad targeting and content personalization was inappropriate and lacked valid consent. TikTok failed to implement adequate age verification measures, leading to the collection of data from underage users without a legitimate purpose. The investigation also found that TikTok's privacy communications were unclear, not easily accessible, and not available in French, failing to provide meaningful consent from adult and youth users for its data practices.

• Appropriate purpose for collecting and using children's personal information.
• Obtaining valid and meaningful consent for tracking, profiling, and targeted advertising.
• Transparency obligations regarding collection and use of personal information for user profiling.
• Adequacy of age assurance measures to prevent underage users from accessing the platform.

This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe, which affected nearly 7 million customers globally. The investigation found that 23andMe failed to implement appropriate safeguards to protect sensitive personal information, including genetic data, from a credential stuffing attack. Furthermore, the company's notifications to both regulatory bodies and affected individuals were found to be inadequate in content and, in some cases, timeliness. Although contraventions were found, the issues were deemed resolved due to significant security improvements made by 23andMe.

• Adequacy of safeguards to protect personal information, particularly genetic data, from credential stuffing attacks.
• Timeliness and completeness of breach notifications to regulators and affected individuals.
• Risk of harm to individuals due to the sensitive nature of compromised personal information.
• 23andMe's assessment of and response to the identified security deficiencies.

This investigation concerned the loss of an unencrypted USB storage device by the Royal Canadian Mounted Police (RCMP), which contained sensitive personal information of 1,741 individuals. The OPC found that the RCMP contravened section 8 of the Privacy Act by disclosing personal information without consent. The investigation also revealed failures in timely breach reporting and inadequate safeguards for personal information on USB devices, leading to the complaint being well-founded and unresolved.

• Contravention of section 8 of the Privacy Act regarding unauthorized disclosure of personal information
• Timeliness and appropriateness of the RCMP's response to the breach
• Sufficiency of RCMP measures to safeguard personal information on USB storage devices
• Adequacy of policies and enforcement regarding USB device usage

This special report from the OPC investigated the RCMP's Project Wide Awake initiative, which uses third-party services to collect open-source information. The investigation found that the RCMP did not conduct adequate due diligence to ensure that the personal information collected via the Babel X service and its data providers was compliant with Canadian privacy laws. Additionally, the RCMP failed to meet its transparency obligations under the Privacy Act by providing inadequate descriptions of its open-source information collection practices and purposes in its Personal Information Banks.

• Compliance with collection provisions of the Privacy Act
• Adequacy of due diligence regarding third-party data collection practices
• Adequacy of transparency obligations under the Privacy Act
• Sufficiency of Personal Information Bank descriptions

This special report details an investigation into cyber attacks that compromised sensitive personal information held by the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC). Attackers used stolen credentials to access online accounts, leading to unauthorized disclosures, modifications, and identity theft. The investigation found that both departments failed to implement adequate authentication, security decision-making, and monitoring practices, contravening sections 8 and 6(2) of the Privacy Act. While both departments accepted recommendations for improvement, some weaknesses persist.

• Inadequate identity and credential assurance measures
• Insufficiently informed and accountable security decision-making
• Lack of effective monitoring and timely breach containment
• Contravention of Privacy Act sections 8 (disclosure) and 6(2) (accuracy)

This investigation examined whether mobility data collected by the Public Health Agency of Canada (PHAC) during the COVID-19 pandemic contained personal information as defined under the Privacy Act. The investigation found that the de-identification techniques and safeguards against re-identification implemented by PHAC and its data providers reduced the risk of identifying individuals below the "serious possibility" threshold. Consequently, the complaints were deemed not well-founded, as PHAC did not contravene the Privacy Act.

• Whether the mobility data collected constituted personal information under the Privacy Act.
• The adequacy of de-identification and aggregation techniques to prevent re-identification.
• Whether access to data within a provider's system constitutes collection under the Act.
• The need for transparency regarding the use of de-identified data.

This investigation examined the COVID-19 vaccination attestation requirements for federal public servants. The OPC found that the collection of vaccination status was directly related to the employer's health and safety obligations. However, the Treasury Board of Canada Secretariat (TBS) contravened the Act by failing to update its index of personal information banks within the required timeframe. The OPC also assessed the necessity and proportionality of the measures, concluding they were justified given the pandemic context, though TBS's documentation and response during the investigation were found to be lacking.

• Whether the collection of employee vaccination status was directly related to an operating program or activity.
• Whether institutions met transparency requirements under the Act.
• Whether disclosures of personal information were authorized.
• Necessity and proportionality of the vaccination attestation measures.

This Special Report to Parliament details the OPC's investigations into federal government privacy practices during the COVID-19 pandemic. It examined vaccine mandates for travel and employment, the ArriveCAN app, and the use of mobility data. While most government measures complied with the Privacy Act, the OPC identified areas for improvement, including the need for clearer objectives in mandates and better documentation of less privacy-intrusive alternatives. An error in the ArriveCAN app led to incorrect quarantine notifications, and a PIPEDA investigation found a private company misused a traveller's contact information for marketing.

• Compliance of COVID-19 measures with the Privacy Act
• Necessity and proportionality of personal information collection
• Accuracy of personal information used in administrative decisions (ArriveCAN)
• Use of de-identified mobility data and PIPEDA compliance

This investigation examined whether COVID-19 vaccination attestation requirements implemented by several federal separate employers for their employees complied with the Privacy Act. The OPC found that the collection and use of vaccination status information, including for accommodation requests, was authorized under the Act and directly related to the employers' operating programs, specifically workplace health and safety during the pandemic. While not a strict legal requirement of the Act, the OPC also assessed the necessity and proportionality of these measures and found them to be reasonable given the exceptional circumstances of the pandemic.

• Whether the collection of COVID-19 vaccination status information was directly related to an operating program or activity of the institutions.
• Whether the use and disclosure of vaccination status information, including for accommodation requests, was authorized under the Privacy Act.
• The necessity and proportionality of the vaccination attestation measures in the context of the COVID-19 pandemic.

This investigation examined the COVID-19 vaccination attestation requirements established by the Department of National Defence (DND) for members of the Canadian Armed Forces (CAF). The Office of the Privacy Commissioner of Canada (OPC) found that DND/CAF had the authority to collect this information under the National Defence Act and Part II of the Canada Labour Code. The use and disclosure of the information were generally consistent with the purposes for which it was collected. Although DND declined to implement a recommendation to strengthen oversight of access controls in the Monitor MASS system, the OPC found no instances of inappropriate access or disclosure. The OPC also determined that DND took reasonable steps to ensure the accuracy of the vaccination status information collected.

• Whether DND/CAF's collection of COVID-19 vaccination status information directly related to an operating program or activity of the institution.
• Whether the use of collected vaccination status information was authorized under section 7 of the Privacy Act.
• Whether the use of the Monitor MASS system resulted in unauthorized disclosure of information.
• Whether DND/CAF took reasonable steps to ensure the accuracy of vaccination status information.

A joint investigation by the OPC and three provincial privacy authorities found that Tim Hortons collected granular location data from users of its mobile app without an appropriate purpose and without valid consent. The company tracked users' locations even when the app was closed, inferring details like home and work locations, ostensibly for targeted advertising, but ultimately did not use the data for this stated purpose. The investigation also raised concerns about contractual protections with a third-party vendor and Tim Hortons' overall accountability.

• Collection and use of granular location data for an appropriate purpose
• Obtaining valid consent for location data collection
• Adequacy of contractual protections for data processed by third parties
• Tim Hortons' accountability for privacy practices

This investigation examined a privacy breach experienced by a contractor for the Canada Border Services Agency (CBSA), which was targeted by a ransomware attack. Personal information, specifically licence plate images captured at Canadian border crossings, was accessed and some was posted online. The OPC found that the CBSA had contravened the Privacy Act due to inadequate security safeguards in its contract with the contractor and its inconsistent handling of licence plate data as personal information. The investigation concluded the complaint was well-founded but resolved, as the CBSA agreed to implement recommendations to improve its contracting and data protection practices.

• Whether licence plate image files, including metadata, constitute personal information under the Privacy Act.
• Whether the CBSA contravened the disclosure provisions of the Privacy Act.
• Whether the CBSA had adequate security safeguards in its contract with a third-party contractor.
• Whether the CBSA adequately managed the retention of personal information.