Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

14 decisions matching

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Dec 21, 2004 · Incident Summary #1 · Indexed Apr 12, 2026

Incident Summary #1: Misdirected faxes containing health information end up in apartment managers' hands

Dynacare

The OPC investigated two separate incidents where health information was sent by facsimile to the wrong recipient. In the first incident, Dynacare sent a misdirected fax containing personal health information. In the second incident, Viewpoint sent a medical evaluation to an incorrect number. Both companies were found to have contravened PIPEDA by disclosing personal information without consent. Recommendations were made to both companies regarding faxing procedures, employee training, and notification of affected individuals.

Adjudicator: Jennifer Stoddart

Key Issues
  • Disclosure of personal health information without consent via misdirected facsimile transmission
  • Responsibility for and accountability of employees in faxing personal information
  • Adequacy of organizational policies and procedures for protecting personal information during transmission
  • Notification of individuals whose personal information has been disclosed

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Nov 16, 2004 · Settled Case summary · Indexed Apr 12, 2026

#12 — A department store

A department store

An individual complained that a department store disclosed his personal information to a third party for a mail solicitation, despite his prior request not to share his data. The investigation found that no personal information was actually disclosed; the mail-out was conducted by the department store on behalf of the third party. The store agreed to clarify its mailings and review its opt-out policies. The complaint was settled.

Adjudicator: Jennifer Stoddart

Key Issues
  • Disclosure of personal information to a third party
  • Clarity of consent and opt-out mechanisms
  • Cross-promotion versus disclosure to non-affiliated third parties

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Nov 15, 2004 · Settled Case summary · Indexed Apr 12, 2026

Settled case summary #10 — A collection agency

A collection agency

The complainant alleged that a collection agency failed to report a paid-off debt to credit bureaux, negatively impacting his ability to secure credit. After the OPC's involvement, the agency investigated, confirmed the debt was paid, and updated the credit bureaux, resolving the issue. The complaint was settled during the investigation.

Adjudicator: Jennifer Stoddart

Key Issues
  • Accuracy of credit reporting
  • Timeliness of information updates to credit bureaux

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Nov 5, 2004 · Settled Case summary · Indexed Apr 12, 2026

Settled case summary #4 — A federally regulated transportation company

A federally regulated transportation company

Employees complained that a list containing their names, identification and seniority numbers, and social insurance numbers (SINs) was shared with their union without their knowledge or consent. The company admitted fault, stating the SIN was inadvertently included on one list and was visible on another shared with the union. The company implemented changes, including no longer requiring SINs for severance applications and amending consent forms for sharing employee information with the union.

Adjudicator: Jennifer Stoddart

Key Issues
  • Disclosure of personal information to a third party (union)
  • Inclusion of SIN on employee lists
  • Lack of employee consent for disclosure

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Nov 1, 2004 · Settled Case summary · Indexed Apr 12, 2026

Settled Case summary: Credit check to open a personal deposit account - November 2004

A bank

An individual complained that a bank inappropriately required him to consent to a credit check when applying online for a no-fee personal deposit account. He was also concerned about other information requested, including his Social Insurance Number. The bank agreed to modify its online application forms to clarify consent requirements for credit checks and to make the SIN optional. The length of employment will only be required for applicants seeking credit.

Adjudicator: Jennifer Stoddart

Key Issues
  • Consent to credit check for deposit account
  • Collection of Social Insurance Number (SIN)
  • Clarity of information exchange with credit bureaus

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Oct 26, 2004 · Settled Case summary · Indexed Apr 12, 2026

Settled case summary #2 — A chain of pharmacies

A chain of pharmacies

An individual complained that a pharmacy required them to sign a consent form authorizing overly broad disclosure practices before providing medication. The complainant was concerned about information being disclosed for marketing purposes and their ability to obtain necessary medication if consent was refused. The OPC clarified with the pharmacy chain that they did not disclose customer information for secondary marketing. The company revised its consent form and implemented a policy allowing verbal consent for privacy practices.

Adjudicator: Jennifer Stoddart

Key Issues
  • Consent to disclosure of personal information
  • Disclosure of personal information for marketing purposes
  • Impact of consent requirements on access to essential services

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Jul 6, 2004 · Settled Case summary · Indexed Apr 12, 2026

Settled Case summary: Windows reveal too much information - July and October 2004

Two banks

The Office investigated two complaints concerning banks revealing excessive personal information through envelope windows. In one case, Social Insurance Numbers were visible. In the other, bankruptcy information was inadvertently displayed on a dormant account notice. Both banks implemented new processes to prevent such disclosures, and the complaints were settled.

Adjudicator: Jennifer Stoddart

Key Issues
  • Visibility of SINs through envelope windows
  • Disclosure of bankruptcy status on envelopes
  • Adequate protection of personal information in mailings

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Jun 24, 2004 · Settled Case summary · Indexed Apr 12, 2026

#11 — A trucking company

A trucking company

The complainant alleged his former employer, an interprovincial trucking company, disclosed his personal information to a creditor without his consent. The investigation found no evidence to support the allegation, and determined the complainant had provided some information himself. The company implemented a privacy policy and appointed an Information Officer.

Adjudicator: Jennifer Stoddart

Key Issues
  • Disclosure of personal information without consent

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Jun 24, 2004 · Settled Case summary · Indexed Apr 12, 2026

Settled Case summary: Concerns result in improved language of consent - June 2004

A life insurance company

The complainant alleged that an insurance company required her to consent to overly broad collection, use, and disclosure practices when applying for life insurance. While the company's actual practices were found to be consistent with the Act, it agreed to revise its consent language to be more precise and clear. The complainant was satisfied with these assurances, and the matter was settled.

Adjudicator: Jennifer Stoddart

Key Issues
  • Clarity and precision of consent language
  • Overly broad collection, use, and disclosure practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Jun 23, 2004 · Settled Case summary · Indexed Apr 12, 2026

Settled case summary #1 — A retail store

A retail store

A complainant's original laptop, containing her personal information, was sold by a store after it was returned for repair. The store had failed to wipe the data from the hard drive. The laptop was eventually retrieved and returned to the complainant. The store implemented new policies to ensure customer information is wiped from returned devices, resolving the complaint.

Adjudicator: Jennifer Stoddart

Key Issues
  • Adequacy of safeguards for personal information on returned electronic devices
  • Employee failure to follow data wiping procedures
  • Unauthorized disclosure of personal information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Jun 15, 2004 · Settled Case summary · Indexed Apr 12, 2026

Settled case summary #6 — A trucking company

A trucking company

A former employee complained that his former trucking company employer had disclosed personal information about him to other trucking firms after his employment was terminated. The complaint was settled after discussions between the company, the complainant, and the Office. The trucking company agreed to develop privacy policies and procedures and designated a privacy officer, which were confirmed to the Office.

Adjudicator: Jennifer Stoddart

Key Issues
  • Disclosure of personal information
  • Development of privacy policies and procedures
  • Designation of a privacy officer

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Jun 15, 2004 · Settled Case summary · Indexed Apr 12, 2026

Settled case summary #8 — A lending institution

A lending institution

An individual complained that a lending institution disclosed information about her delinquent account to her uncle without her consent. The investigation found merit to the complaint. The institution agreed to apologize to the complainant, adjust her loan, implement privacy policies and practices, establish a privacy committee, provide employee training, and remind staff to limit disclosure during debt recovery. The complainant and the OPC were satisfied with the actions taken, and the case was settled.

Adjudicator: Jennifer Stoddart

Key Issues
  • Unauthorized disclosure of personal information
  • Lack of privacy policies and practices
  • Compliance with PIPEDA obligations

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jun 5, 2004 · Early resolved case summary #1 · Indexed Apr 12, 2026

Early resolved case summary #1: Access request ignored, but no personal information existed

A professional organization

A doctor complained that his access request to a professional organization for personal information was ignored. The organization confirmed they did not act on the request, but also stated that the presentation the information was to be used for was cancelled, meaning no personal information was collected or held. The complainant accepted this and the file was closed as early resolved.

Adjudicator: Jennifer Stoddart

Key Issues
  • Timeliness of access requests
  • Existence of personal information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Settled
Feb 27, 2004 · Settled Case summary · Indexed Apr 12, 2026

Settled case summary #7 — A national transportation company

A national transportation company

An employee of a national transportation company complained about the security of employee personal information in an automated crew management system. The complainant was concerned that unauthorized personnel, including union representatives, could access sensitive information like date of birth, SIN, and wage rates. The company agreed to modify the system to prevent the display of SIN, birth date, and health information on certain screens. As the complainant's concerns were addressed, the case was settled.

Adjudicator: Jennifer Stoddart

Key Issues
  • Security of employee personal information
  • Access to sensitive personal information (SIN, date of birth, health information) by unauthorized personnel
  • Appropriate use and disclosure of employee data