Federal (Canada) Privacy Decisions

This investigation concerned complaints against the CBC for disclosing details of a privacy breach at the Canada Revenue Agency (CRA), where taxpayer information was inadvertently sent to a CBC journalist. The CBC subsequently published an article containing some of this information, including names and photos of affected individuals. However, the OPC found that the Privacy Act does not apply to personal information collected, used, or disclosed by the CBC for journalistic purposes. Therefore, the complaints were deemed not well-founded as the information was excluded from the Act's application.

• Whether the CBC contravened the Privacy Act by disclosing personal information obtained from a privacy breach at the CRA.
• Whether section 69.1 of the Privacy Act, which excludes journalistic purposes from the Act's application, applied to the CBC's actions.
• Whether the CBC's use and disclosure of the personal information was for purely journalistic purposes.

The Office of the Privacy Commissioner of Canada investigated complaints following a privacy breach by the Canada Revenue Agency (CRA), where personal information of approximately 1,000 individuals was inadvertently sent to the Canadian Broadcasting Corporation (CBC). The investigation confirmed that a CRA employee switched cover letters for two different packages, resulting in a consultation package being sent to a CBC journalist instead of the intended recipient. Despite the CRA's efforts to retrieve the information and implement corrective measures, the information was not returned by the CBC, leading to a published article by the CBC.

• Unauthorized disclosure of personal information
• Adequacy of CRA's internal procedures and employee training
• Compliance with section 8 of the Privacy Act regarding disclosure

The Office of the Privacy Commissioner of Canada investigated a complaint concerning the RCMP's collection of a member's medical diagnosis and financial information from Veterans Affairs Canada (VAC). The OPC found that the RCMP's National Compensation Policy Centre collected sensitive personal information that was not necessary for the administration of pension benefits or health care, contravening the Privacy Act. The investigation revealed this practice was systemic and occurred over several years, despite the transfer of responsibility for pension adjudication to VAC.

• Necessity of collecting medical and financial information by the RCMP from VAC.
• Consistency of collection with the purposes for which information was originally collected by VAC.
• Systemic nature of the inappropriate collection of sensitive personal information.
• Adequacy of information sharing agreements between federal institutions.

The complainant alleged that Veterans Affairs Canada (VAC) inappropriately disclosed her health and financial information to the Royal Canadian Mounted Police (RCMP). The investigation found that VAC disclosed the complainant's medical diagnosis and financial information to the RCMP's National Compensation Policy Centre via its pension award letter. This disclosure was found to contravene the Privacy Act because it was not a 'consistent use' of the information, as neither consent nor a clear need-to-know was established for the RCMP's National Compensation Policy Centre to receive this sensitive personal information. The issue was also found to be systemic, affecting numerous RCMP employees.

• Was the disclosure of the complainant's medical and financial information by VAC to the RCMP a contravention of the Privacy Act?
• Did the complainant provide informed consent for the disclosure of her personal information?
• Was the disclosure of information considered a 'consistent use' under paragraph 8(2)(a) of the Privacy Act?
• Was the disclosure of personal information systemic in nature?

A complaint was filed against the Canada Border Services Agency (CBSA) alleging that its use of video surveillance to monitor employees at a border crossing contravened the Privacy Act. The complainant argued that the CBSA was using video technology to collect personal information for monitoring employee conduct and performance, beyond the initial safety and security purposes, and that signage was insufficient. While the CBSA's signage issue was resolved, the investigation focused on the collection of employee information for monitoring. The OPC found that the CBSA's updated policies and rationale for collecting personal information for integrity and quality assurance, including investigating serious misconduct, met the Act's requirements, but awaited confirmation of updated guidelines.

• Use of video surveillance for monitoring employee conduct and performance
• Necessity and proportionality of collecting personal information via video surveillance
• Sufficiency of signage informing employees of video monitoring
• Compliance with the Privacy Act's requirement that personal information collection relates directly to an operating program or activity

A complainant alleged that his Internet Service Provider (ISP) disclosed his personal information without consent to a newspaper columnist who was assisting him with a service dispute. The ISP argued it had implied consent due to the complainant's actions. The OPC found that the complainant's familiarity with the columnist and his own disclosure of information in his email to the columnist created a reasonable expectation that his information might be shared to resolve the dispute. The disclosed information was also found to be relevant and not sensitive.

• Was there implied consent for the disclosure of personal information to a columnist assisting with a dispute?
• Was the disclosed information relevant to the complaint?
• Was the disclosed information sensitive?

The complainant alleged that his employer disclosed detailed personal information about his absence from the workplace to other employees. The organization used an electronic scheduling program that allowed all employees to view the reasons for colleagues' absences. The OPC found that this disclosure constituted a contravention of PIPEDA, as the organization's purposes were not appropriate and less privacy-intrusive means were available to manage employee schedules and shift exchanges. The organization committed to removing the detailed leave information from its systems.

• Appropriate purposes for disclosure of personal information
• Balancing employee privacy with operational needs
• Necessity of disclosing reasons for absence
• Interpretation of collective agreement obligations

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding an equipment store's policy of photocopying customers' driver's licences as a condition of renting equipment. The OPC advised the store that driver's licences contain excessive personal information and have minimal value in theft investigations. As a result of the OPC's involvement, the store discontinued the practice and implemented a less privacy-invasive solution, resolving the complaint to the complainant's satisfaction.

• Appropriateness of collecting driver's licence information for theft prevention.
• Necessity of photocopying driver's licences for equipment rentals.
• Compliance with principles of minimal information collection.

A woman received the personal information of five strangers along with her daughter's tax documents from the Canada Revenue Agency (CRA). She attempted to return the information to the CRA through various channels but faced difficulties. The OPC launched a Commissioner-initiated investigation, which concluded that the CRA had breached the privacy rights of the individuals whose information was improperly disclosed. The CRA has since implemented remedial measures to improve its procedures for handling misdirected mail and facilitating breach reporting.

• Adequacy of CRA's procedures for handling misdirected personal information.
• Effectiveness of CRA's channels for the public to report privacy breaches.
• Timeliness and appropriateness of CRA's response to the breach.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint alleging the improper disclosure of personal information on the Canada Border Service Agency's (CBSA) "Wanted by the CBSA" website. While the disclosure itself was found to be permissible under the Privacy Act for immigration law enforcement, the CBSA failed to ensure the accuracy and completeness of the information. The investigation also found the CBSA failed to conduct a Privacy Impact Assessment before launching the program. The CBSA accepted all five OPC recommendations for improvement.

• Whether the CBSA improperly disclosed personal information on its "Wanted by the CBSA" website.
• Whether the CBSA conducted a Privacy Impact Assessment prior to launching the program.
• Whether the CBSA took reasonable steps to ensure the accuracy and completeness of the disclosed personal information.
• Whether the purpose of disclosure was consistent with the Privacy Act.

This report details an investigation into the loss of a USB key containing the personal information of 5,045 Canada Pension Plan Disability appellants. The investigation found that both Employment and Social Development Canada (ESDC) and Justice Canada failed to adequately translate their privacy and security policies into practice, leading to weaknesses in physical, technological, administrative, and personnel controls. Both departments accepted nine recommendations to improve data protection, many of which were similar to those made in a previous investigation involving ESDC.

• Adequacy of physical, technological, administrative, and personnel security controls
• Failure to translate privacy and security policies into meaningful business practices
• Protection of sensitive personal information including SIN and medical details
• Custody and storage of portable electronic devices containing personal information

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from an employee of the Canada School of Public Service (the School) who alleged his personal information was improperly disclosed. The School had received a letter from the Public Sector Integrity Commissioner (PSIC) identifying seven employees and allegations against them. The School hand-delivered this letter to the named employees, including the complainant. The OPC found that the School's actions contravened the Privacy Act by disclosing the complainant's personal information without authority. Following the OPC's recommendations, the School developed new procedures to protect confidentiality.

• Disclosure of personal information contrary to the Privacy Act
• Adequacy of procedures to protect personal information
• Cooperation with other federal oversight bodies

A staff relations representative complained that the RCMP's disclosure of informal disciplinary records to the Crown was inconsistent with the Supreme Court’s McNeil decision. The complainant argued that only records from formal disciplinary hearings should be disclosed. The OPC agreed with the RCMP that all disciplinary records, informal or formal, may need to be disclosed if relevant to court proceedings. While the complaint was found not well-founded, the OPC recommended the RCMP reconsider its policy of retaining disciplinary records until members reach 100 years of age, which is significantly longer than other police services.

• Disclosure of informal disciplinary records to the Crown in light of the McNeil decision
• Relevance determination for disclosure of disciplinary records
• Retention period for RCMP disciplinary records

The complainant settled a legal dispute with a retailer by signing a mutual release, which included releasing the retailer from all past, present, and future claims and complaints. Subsequently, the complainant filed a privacy complaint alleging the retailer failed to provide access to her personal information. The Office of the Privacy Commissioner of Canada (OPC) discontinued the investigation, finding the complaint was made in bad faith because the complainant had already released the retailer from such claims.

• Whether the complaint was made in bad faith
• The effect of a mutual release on a privacy complaint

This investigation concerned a complaint that the Canada Border Services Agency (CBSA) violated the Privacy Act by requiring border services officers (BSOs) to wear name tags displaying their surnames. Complainants argued this was an unreasonable invasion of privacy and exposed them to potential harm. The Office of the Privacy Commissioner of Canada (OPC) found that while the names were personal information, they fell under an exception in the Privacy Act relating to information about an individual's position or functions within a government institution. Therefore, the requirement to display surnames on name tags did not violate the Act.

• Whether displaying surnames on name tags constitutes personal information under the Privacy Act.
• Whether displaying surnames on name tags is an unreasonable invasion of privacy.
• Whether the requirement to display surnames on name tags violates the use and disclosure provisions of the Privacy Act.
• Whether the exception for information relating to an individual's position or functions applies to surnames on name tags.