Federal (Canada) Privacy Decisions

This special report from the OPC investigated the RCMP's Project Wide Awake initiative, which uses third-party services to collect open-source information. The investigation found that the RCMP did not conduct adequate due diligence to ensure that the personal information collected via the Babel X service and its data providers was compliant with Canadian privacy laws. Additionally, the RCMP failed to meet its transparency obligations under the Privacy Act by providing inadequate descriptions of its open-source information collection practices and purposes in its Personal Information Banks.

• Compliance with collection provisions of the Privacy Act
• Adequacy of due diligence regarding third-party data collection practices
• Adequacy of transparency obligations under the Privacy Act
• Sufficiency of Personal Information Bank descriptions

This special report details an investigation into cyber attacks that compromised sensitive personal information held by the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC). Attackers used stolen credentials to access online accounts, leading to unauthorized disclosures, modifications, and identity theft. The investigation found that both departments failed to implement adequate authentication, security decision-making, and monitoring practices, contravening sections 8 and 6(2) of the Privacy Act. While both departments accepted recommendations for improvement, some weaknesses persist.

• Inadequate identity and credential assurance measures
• Insufficiently informed and accountable security decision-making
• Lack of effective monitoring and timely breach containment
• Contravention of Privacy Act sections 8 (disclosure) and 6(2) (accuracy)