Federal (Canada) Privacy Decisions

A married couple complained that a bank mortgage specialist disclosed the husband's personal financial information to his wife without his consent. The bank argued there was implied consent given the purpose of applying for a joint mortgage. The Assistant Commissioner found the bank did not make a reasonable effort to inform the couple about potential disclosures between them, meaning consent was not meaningful. While a contravention was found, the bank had since adopted reasonable practices.

• Meaningful consent for disclosure of personal information to a spouse
• Reasonable efforts to inform individuals about purposes of disclosure
• Implied consent in the context of joint mortgage applications

This investigation examined a complaint regarding the Royal Canadian Mounted Police's (RCMP) use and disclosure of personal information from the Canadian Firearms Program (CFP) database to a public opinion research firm, EKOS Research Associates Inc. The RCMP contracted EKOS to conduct a survey of firearms licensees to improve program administration and service delivery. The investigation reviewed the contract, security measures, and the survey process.

• Appropriateness of using personal information for a client-satisfaction survey.
• Compliance with contractual confidentiality and security provisions when disclosing information to a third-party contractor.
• Whether the use of information for the survey was consistent with the purpose for which it was originally collected.

A woman complained that the Canadian Human Rights Commission (CHRC) improperly collected and used her personal information by accessing her wireless Internet connection to post messages to a website during an investigation. The Office found no evidence that the CHRC accessed the complainant's connection or collected any of her personal information. Technological experts suggested the association of the complainant's IP address to the CHRC was likely a mismatch by a third party.

• Whether the CHRC improperly collected and used the complainant's personal information by accessing her Internet connection.
• Whether an IP address constitutes personal information.
• Evidence of unauthorized access to personal information.

The Office of the Privacy Commissioner of Canada (OPC) investigated a Privacy Act complaint after media reported on the leak of a Canadian citizen's personal information from a Department of Foreign Affairs and International Trade (DFAIT) database. The investigation found that DFAIT lacked adequate controls, such as audit trails, to prevent or track unauthorized access and disclosure of the information. DFAIT agreed to implement better guidance and explore system changes to enhance security.

• Adequacy of security measures for personal information held in departmental computer systems.
• Lack of audit trail capability to track access to personal information.
• Responsibility of government institutions to protect personal information under the Privacy Act.

This investigation concerned a complaint that Accusearch Inc. (Abika.com), a U.S. company, was collecting, using, and disclosing Canadians' personal information without their knowledge or consent, compiling inaccurate information, and doing so for inappropriate purposes. The OPC found that Abika contravened PIPEDA by collecting, using, and disclosing personal information without knowledge or consent and for inappropriate purposes. However, the complaint regarding inaccurate information was not well-founded due to a lack of objective evidence. The OPC recommended Abika cease these practices.

• Collection, use, and disclosure of personal information without knowledge or consent
• Compilation and disclosure of inaccurate personal information
• Collection, use, and disclosure for inappropriate purposes
• Jurisdiction over U.S. companies and transborder data flows

CIPPIC filed a complaint alleging 24 violations of PIPEDA by Facebook across 12 subjects, focusing on knowledge and consent. The Assistant Privacy Commissioner found Facebook contravened the Act in areas such as default privacy settings, advertising, third-party applications, account deactivation/deletion, deceased users' accounts, and non-users' personal information. While some allegations were resolved through Facebook's proposed corrective measures, others remained unresolved, particularly concerning third-party applications and the safeguarding of user data.

• Adequacy of notice and consent for collection, use, and disclosure of personal information.
• Sufficiency of security safeguards for personal information.
• Transparency regarding new uses of personal information and the implications of privacy settings.
• Handling of personal information of non-users and deceased users.

An individual complained that the Canadian Human Rights Commission (CHRC) improperly collected and used her personal information, alleging the CHRC accessed her wireless internet connection to post messages on a website. The investigation examined whether the CHRC contravened sections 4 to 8 of the Privacy Act. Ultimately, the OPC found no evidence that the CHRC collected or used the complainant's personal information, concluding the complaint was not well-founded.

• Whether the IP address constitutes personal information under the Privacy Act.
• Whether the CHRC collected and used the complainant's personal information during its investigations.
• Whether the CHRC improperly disclosed or retained the complainant's personal information.