Federal (Canada) Privacy Decisions

This report details a joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Australian Office of the Information Commissioner (OAIC) into Avid Life Media Inc. (ALM), the operator of Ashley Madison. The investigation followed a significant data breach where personal information of millions of users was exposed. The OPC found that ALM contravened PIPEDA regarding information security, indefinite retention of user data, accuracy of email addresses, and transparency with users. ALM has entered into a compliance agreement with the OPC to address these issues.

• Adequacy of information security safeguards
• Indefinite retention of user data
• Accuracy of collected email addresses
• Transparency and user consent regarding data handling practices

This document is a systemic investigation into Parks Canada's approach to processing access requests, completed in 2015-2016. It highlights how cooperation with the Information Commissioner's Office can lead to positive systemic changes in how access rights are managed. The report uses Parks Canada's practices as an example for improvement.

• Effectiveness of Parks Canada's access to information request processing
• Impact of leadership and collaboration on access rights
• Systemic changes in access to information practices

This report details an incident where a fraudster impersonated an unknown individual to trick a financial institution's employees into revealing customer contact information. The fraudster then used this information to extract further personal details from approximately 100 customers, increasing their risk of identity theft. The financial institution took immediate steps to mitigate the breach, including offering credit monitoring and enhancing staff training.

• Effectiveness of internal controls to prevent unauthorized disclosure of personal information
• Adequacy of breach response and mitigation measures
• Risks of identity theft and fraud due to personal information disclosure