BreachOfPrivacy

Federal (Canada) Privacy Decisions

Browse privacy decisions from Federal (Canada) — with AI-generated plain-language summaries for every ruling.

17 decisions matching

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Dec 18, 2013 · Commissioner’s Findings - PIPEDA Case Summary # 2013-014 · Indexed Apr 12, 2026

PIPEDA Case Summary #2013-014 — An online dating service and The new owner of the online dating service

An online dating service

An individual complained that an online dating service used his personal information without consent and failed to provide him access to his information after he cancelled his membership. The Office of the Privacy Commissioner of Canada (OPC) found that the original owner violated PIPEDA by denying the complainant access to his personal information and by continuing to send him marketing emails after consent was withdrawn. The OPC also found the service failed to have a privacy policy and safeguard information. While issues were found to be well-founded, they were resolved by the new owner who purged the data and implemented a privacy policy.

Adjudicator: Chantal Bernier

Key Issues
  • Access to personal information
  • Withdrawal of consent for marketing emails
  • Retention of personal information
  • Safeguarding of personal information

Federal (Canada) · Access to Information Act
Nov 28, 2013 · Indexed May 4, 2026

Access to information at risk from instant messaging

A federal institution

This systemic investigation examined the use and preservation of instant messages, such as BlackBerry PIN messages, on government devices. The investigation was prompted by complaints of missing records, including a case where devices were destroyed before an access request could be fulfilled. The OIC found that the use of instant messaging posed a risk to the right of access to information.

Adjudicator: Suzanne Legault

Key Issues
  • Use and preservation of instant messaging on government devices
  • Impact of instant messaging on the right of access to information
  • Destruction of devices containing potential records
  • Timeliness of access to information

Federal (Canada) · Privacy Act · Well-founded
Oct 29, 2013 · Indexed Apr 12, 2026

Criminal background check on tenant

Royal Canadian Mounted Police

The OPC investigated a complaint about an RCMP officer who accessed the CPIC database to conduct a criminal background check on a prospective tenant for a private rental. The investigation found the officer used the database for personal reasons, not for a legitimate law enforcement purpose. The RCMP took remedial actions, including an apology and a reminder to employees about database use policies, which satisfied the OPC.

Adjudicator: Jennifer Stoddart

Key Issues
  • Unauthorized access to the CPIC database
  • Use of personal information for non-law enforcement purposes
  • Compliance with RCMP policies on database access

Federal (Canada) · Privacy Act · Well-founded
Oct 29, 2013 · Indexed Apr 12, 2026

Denial was the starting point for Correctional Service of Canada

Correctional Service of Canada

An inmate at a maximum-security penitentiary requested video recordings of incidents involving officers. The Correctional Service of Canada (CSC) denied access, citing third-party information and security concerns. The OPC found complaints regarding 16 destroyed videos to be well-founded, as CSC had not even reviewed them before denial. For two other videos, which CSC claimed contained third-party information and posed security risks, the OPC found CSC correctly applied exemptions, thus resolving those complaints.

Adjudicator: Jennifer Stoddart

Key Issues
  • Timeliness of responding to access to information requests
  • Destruction of records prior to fulfilling requests
  • Application of exemptions for security of penal institutions
  • Proper review of records before withholding information

Federal (Canada) · Privacy Act · Well-founded
Oct 29, 2013 · Indexed Apr 12, 2026

Estranged wife accessed husband’s medical records

Department of National Defence (DND)

An estranged wife, employed as a civilian at a Canadian Forces Base, accessed her husband's medical records without authorization. She also deleted a physiotherapy appointment and accessed a paper file. The Department of National Defence (DND) determined this was a willful breach of rules and implemented restrictions on her access. The OPC found the complaint to be well-founded, as the access was inconsistent with the original purpose of the information and not a permissible use under the Privacy Act.

Adjudicator: Jennifer Stoddart

Key Issues
  • Unauthorized access to medical records
  • Access and use inconsistent with original purpose
  • Willful breach of departmental rules

Federal (Canada) · Privacy Act · Well-founded
Oct 29, 2013 · Indexed Apr 12, 2026

Royal Canadian Mounted Police revealed absolute discharge

Royal Canadian Mounted Police

Transport Canada denied a man's security clearance based on information from the RCMP. The man complained that the RCMP improperly disclosed his personal information, specifically details of an absolute discharge from a 2009 incident. The RCMP disclosed this information without the required ministerial approval, which contravened the Criminal Records Act.

Adjudicator: Jennifer Stoddart

Key Issues
  • Disclosure of personal information by the RCMP.
  • Compliance with the Criminal Records Act regarding absolute discharges.
  • Authorization for disclosure of information for security clearances.

Federal (Canada) · Privacy Act · Not well-founded
Oct 29, 2013 · Indexed Apr 12, 2026

Concern raised over online disclosure - The Qalipu Mi’kmaq First Nation Band

Aboriginal Affairs and Northern Development Canada

A complainant expressed concern that the online publication of her full name and date of birth in the Canada Gazette, as required by the agreement establishing the Qalipu Mi’kmaq First Nation Band, put her at risk of identity theft. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that the disclosure was consistent with the Privacy Act, as the information was published for the purpose for which it was originally collected: the identification and recognition of Band members. Therefore, the complaint was not well-founded.

Adjudicator: Jennifer Stoddart

Key Issues
  • Disclosure of personal information without consent
  • Purpose of collection and disclosure
  • Risk of identity theft

Federal (Canada) · Privacy Act · Well-founded
Oct 29, 2013 · Indexed Apr 12, 2026

Aboriginal Affairs and Northern Development Canada wrongly collects information from First Nations activist’s personal Facebook page

Aboriginal Affairs and Northern Development Canada

A formal investigation by the Office of the Privacy Commissioner of Canada concluded that Aboriginal Affairs and Northern Development Canada (AANDC) and the Department of Justice Canada wrongly collected personal information from activist Cindy Blackstock's personal Facebook page. The departments argued that information posted publicly on social media was not private, but the OPC rejected this argument, stating that public availability does not make information non-personal. The OPC recommended that both departments cease accessing personal information on social media without a direct link to government business and destroy improperly collected information, with both departments accepting the recommendations.

Adjudicator: Jennifer Stoddart

Key Issues
  • Whether personal information posted on a public Facebook page is still considered private under the Privacy Act.
  • Whether the collection of personal information from social media feeds was directly related to a government operating program or activity.
  • Whether the departments' accessing of Indian status records was justified.

Federal (Canada) · Privacy Act · Resolved
Oct 29, 2013 · Indexed Apr 12, 2026

Correctional Service of Canada initially denies access to full report in favour of giving the “gist”

Correctional Service of Canada

A complainant alleged that Correctional Service of Canada (CSC) denied him access to the full version of a report concerning his treatment and supervision. CSC initially provided a condensed version, which the OPC found to be a misrepresentation of the information and contrary to CSC's obligations under the Privacy Act. Following the OPC's investigation, CSC provided the complainant with the full report, with some personal information of other parties withheld, and committed to reviewing its access request handling procedures and communicating staff obligations under the Privacy Act.

Adjudicator: Jennifer Stoddart

Key Issues
  • Was the respondent in compliance with its obligations to identify and provide all relevant information in response to an access request?
  • Whether the respondent's provision of an abbreviated report was a misrepresentation of the information.

Federal (Canada) · Privacy Act · Well-founded
Oct 29, 2013 · Indexed Apr 12, 2026

National Defence employee accesses someone’s personal health records for her own personal reasons

National Defence

The Office of the Privacy Commissioner investigated a complaint from an individual whose personal health information was accessed by an employee of National Defence. The investigation found that the employee improperly accessed the complainant's health records for personal reasons, not for any professional or authorized purpose. National Defence has since implemented new controls, updated policies, and provided training to its healthcare staff to prevent future breaches.

Adjudicator: Jennifer Stoddart

Key Issues
  • Inappropriate access to personal health information
  • Use of personal information for personal reasons
  • Adequacy of National Defence's privacy training and controls

Federal (Canada) · Privacy Act · Well-founded
Oct 29, 2013 · Indexed Apr 12, 2026

Canada Revenue Agency employee accesses tax file without authorization

Canada Revenue Agency

The complainant alleged that the Canada Revenue Agency (CRA) contravened the Privacy Act by improperly accessing his tax file. The investigation found that a CRA employee accessed the complainant's tax file without authorization and beyond the requirements of their position. The CRA has since confirmed the employee no longer has access to taxpayer information.

Adjudicator: Jennifer Stoddart

Key Issues
  • Unauthorized access to personal information
  • Contravention of use and disclosure provisions of the Privacy Act

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Oct 2, 2013 · Commissioner’s Findings - PIPEDA Report of Findings #2013-005 · Indexed Apr 12, 2026

Commissioner’s Findings - PIPEDA Report of Findings #2013-005: Beneficiary’s access to estate information is limited to his own personal information under PIPEDA

A legal firm

An individual complained that a legal firm failed to respond to his requests for estate information, in which he claimed beneficiary status. The Office of the Privacy Commissioner of Canada (OPC) found that the firm contravened PIPEDA by not responding within the 30-day time limit. However, the OPC also determined that the individual was only entitled to access his own personal information, not general estate information, and that the firm had conducted a reasonable search for any such information. The complaint was ultimately found to be well-founded and resolved.

Adjudicator: Jennifer Stoddart

Key Issues
  • Individual's right to access general estate information as a beneficiary versus personal information.
  • Organization's obligation to respond to an access request within 30 days, even if no responsive information is held.
  • Determining what constitutes an individual's 'personal information' under PIPEDA in the context of estate administration.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Declined to investigate
Sep 11, 2013 · Declined to Investigate Case Summary #2013-001 · Indexed Apr 12, 2026

Declined to Investigate Case Summary #2013-001: Court procedures provided a more appropriate means to address access issues in ongoing litigation between complainant and retailer

A retailer

An individual complained that a retailer withheld access to her personal information, which she stated was necessary for ongoing litigation between them. The Office of the Privacy Commissioner of Canada (OPC) declined to investigate, finding that court procedures offered a more appropriate means for the complainant to address her access issues. The OPC noted that a provincial court judge had indicated the complainant could seek further disclosure through cross-examination. Therefore, the OPC determined that the complaint could be more appropriately dealt with by the court.

Adjudicator: Jennifer Stoddart

Key Issues
  • Whether court procedures provide a more appropriate means to address access issues related to ongoing litigation.
  • Whether the retailer contravened PIPEDA by refusing access to personal information based on litigation privilege.
  • Whether the OPC should decline to investigate when court procedures can address the access issues.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jul 11, 2013 · Commissioner’s Findings - PIPEDA Report of Findings #2013-003 · Indexed Apr 12, 2026

Commissioner’s Findings - PIPEDA Report of Findings #2013-003: Profiles on PositiveSingles.com dating website turn up on other affiliated dating websites

PositiveSingles.com

Three individuals complained after discovering their sensitive dating profiles, posted on PositiveSingles.com, appeared on nearly 60 other affiliated dating websites without their knowledge or consent. The Office of the Privacy Commissioner of Canada found that while the profiles remained within the company's controlled network, users were not adequately informed about this practice. Furthermore, inadequate safeguards allowed some personal information to be accessed by non-members. The organization revamped its website to provide clearer disclosures about profile sharing and its network structure, and improved its security measures.

Adjudicator: Jennifer Stoddart

Key Issues
  • Adequacy of consent for the use and disclosure of personal information across affiliated websites.
  • Whether users were adequately informed about the company's network structure and profile sharing practices.
  • Sufficiency of security safeguards to prevent unauthorized access to personal information.
  • Transparency of privacy policies and practices regarding data management.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jun 28, 2013 · Commissioner’s Findings - PIPEDA Report of Findings #2013-017 · Indexed Apr 12, 2026

Commissioner’s Findings - PIPEDA Report of Findings #2013-017: Apple called upon to provide greater clarity on its use and disclosure of unique device identifiers for targeted advertising

Apple

The OPC investigated a complaint alleging Apple used and shared a user's unique device identifier (UDID) without knowledge or consent for tracking and targeted advertising. While Apple initially argued UDID was not personal information, the OPC found it was, especially given Apple's ability to link it to account details. The OPC determined Apple's privacy policy lacked clarity on UDID use for advertising, though its administrative uses were acceptable. Apple has since ceased using UDID for advertising, replacing it with Ad ID, and enhanced opt-out mechanisms for Ad ID, leading the OPC to find the complaint well-founded and resolved.

Adjudicator: Jennifer Stoddart

Key Issues
  • Whether UDID and Ad ID constitute personal information under PIPEDA.
  • Whether Apple obtained meaningful consent for the collection, use, and disclosure of UDID and Ad ID for advertising purposes.
  • Adequacy of notice provided by Apple regarding its use of UDID and Ad ID.
  • Apple's responsibility for disclosures of UDID and Ad ID to third-party app developers.