Federal (Canada) Privacy Decisions

This investigation examined complaints concerning Statistics Canada's collection of personal financial and credit information from a credit bureau and financial institutions for two projects. The OPC found Statistics Canada had the legal authority for the Credit Information Project, deeming that aspect not well-founded. However, the OPC had serious concerns that the Financial Transactions Project, as originally designed, would have exceeded Statistics Canada's legal authority. As this project was halted before any data was collected, no finding was made. Despite finding no contravention of the Privacy Act, the OPC identified significant privacy concerns regarding necessity, proportionality, and transparency in both projects as originally designed, and made recommendations for improvement.

• Legal authority for collecting personal information under the Statistics Act and Privacy Act
• Necessity and proportionality of collecting sensitive personal information
• Adequacy of transparency regarding data collection
• Safeguards for handling collected personal information

This joint investigation by the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia found that AggregateIQ Data Services Ltd. (AIQ) contravened Canadian privacy laws (PIPEDA and PIPA) in its handling of personal information for political campaigns. AIQ failed to ensure adequate consent for the collection, use, and disclosure of personal information, particularly when sharing data with platforms like Facebook for targeted advertising and analytics. Additionally, AIQ's inadequate security measures led to a data breach involving the personal information of millions of individuals.

• AIQ's collection, use, and disclosure of personal information for political campaigns.
• AIQ's compliance with consent requirements for personal information.
• AIQ's implementation of reasonable security measures to protect personal information.
• Cross-jurisdictional data handling and privacy obligations.

The Office of the Privacy Commissioner of Canada (OPC) investigated Equifax Inc. and Equifax Canada Co. following a 2017 data breach that compromised the personal information of approximately 19,000 Canadians. The OPC found that both Equifax Inc. and Equifax Canada contravened PIPEDA concerning inadequate safeguards, data retention, accountability, and consent for the disclosure of personal information. The investigation also found Equifax Canada's post-breach safeguards to be inadequate for protecting affected Canadians. Equifax Canada has committed to corrective measures, and the matters are conditionally resolved.

• Adequacy of security safeguards for Canadian personal information held by Equifax Inc.
• Equifax Inc.'s data retention and destruction practices for Canadian personal information.
• Equifax Canada's accountability for Canadian personal information handled by Equifax Inc.
• Adequacy of consent obtained for the collection and disclosure of Canadian personal information to Equifax Inc.
• Adequacy of safeguards and post-breach measures for Canadian personal information held by Equifax Canada.