Federal (Canada) Privacy Decisions

A telecommunications company erroneously continued to report a debt to a credit-reporting agency after the complainant was discharged from bankruptcy. This impacted the complainant's credit score and led to unwanted debt collection calls. The company investigated, corrected its records, notified the credit-reporting agency, and ensured the debt collection calls would cease.

• Accuracy and up-to-dateness of personal information
• Disclosure of personal information to third parties
• Appropriate use of personal information in decision-making

An employee complained that her pension and benefit provider improperly disclosed her unique identifier, failed to keep her address accurate, and did not implement adequate safeguards. An individual with the same name was mistakenly given the complainant's ID number, leading to her address being changed. Consequently, five mailings containing sensitive information were sent to the wrong address, and the complainant lost her life insurance coverage due to missed forms. The provider corrected the error and reinstated coverage.

• Disclosure of unique identifier to a third party without consent.
• Failure to maintain accurate client address information.
• Inadequate safeguards against unauthorized disclosure and modification of personal information.
• Improper authentication of caller identity.

An individual complained that a real estate management company failed to obtain consent for the collection of his personal information through video surveillance at a shopping mall. The complainant alleged inadequate signage and over-collection of his information when a camera was focused on him. The company responded by posting new signage and providing additional training to staff. The Office of the Privacy Commissioner discontinued the investigation, finding the company’s response to be fair and reasonable.

• Adequacy of signage for video surveillance
• Over-collection of personal information
• Consent to collection of personal information

An individual complained that an estimator, subcontracted by a roofing company, disclosed his personal information to another roofing company without consent. The investigation found that the second roofing company was responsible for its estimator's actions and that there was a disclosure of personal information in contravention of PIPEDA. The second roofing company implemented a recommendation to establish agreements with subcontractors regarding privacy policies and training.

• Whether the subcontractor's actions were attributable to the organization.
• Whether personal information was disclosed without consent.
• Whether the disclosure exceeded the purposes for which the information was collected.

An individual complained to the OPC after a retailer's delivery person texted her inappropriate comments after obtaining her number from a work phone and transferring it to a personal device. The complainant also felt the retailer mishandled her initial complaint. The OPC's involvement led the retailer to implement new procedures for faulty work phones, retrain employees on its privacy policy, and take disciplinary action against the delivery person. The complainant was satisfied with the resolution.

• Unauthorized use of customer personal information
• Handling of customer complaints
• Employee training on privacy policies

An individual complained that a car dealership could not provide details about its personal information handling practices when asked. The dealership employee copied the complainant's driver's license and credit card without adequately explaining why or what safeguards were in place. The dealership agreed to hold an employee review session to ensure staff are knowledgeable about privacy policies and practices.

• Adequacy of employee training on privacy policies
• Transparency regarding collection and use of personal information
• Responding to individual inquiries about personal information handling practices

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from an individual who alleged that a collection agency was pursuing him for a debt he did not owe and that inaccurate information was appearing on his credit report. The individual was unable to obtain validation of the debt from the agency. Following the OPC's intervention, the agency investigated, found discrepancies on the original credit application, ceased collection efforts, and agreed to correct the individual's credit report. The individual was satisfied with this resolution.

• Accuracy of personal information
• Access to personal information
• Debt collection practices
• Correction of credit reports

The complainant alleged that the RCMP inappropriately used employees' personal information during a training course. The RCMP used real personal information from 91 employees for a data entry exercise without their consent and without advising participants of the data's sensitive nature. The RCMP acknowledged the contravention of section 7 of the Privacy Act and notified the affected employees.

• Use of personal information for training purposes without consent
• Adequacy of notification to affected individuals
• Consistency of use with the original purpose of collection

The OPC discontinued further complaints against Globe24h.com concerning the collection, use, and disclosure of personal information from Canadian court and tribunal decisions. While initial complaints were found to be well-founded, additional complaints were discontinued as the issues had already been investigated and reported on. The matter was further resolved when the Federal Court ordered Globe24h to remove personal information from its website and the website subsequently ceased operations.

• Collection, use, and disclosure of personal information from public court decisions
• Consent for republishing personal information
• Discontinuance of investigation based on prior report
• Circumvention of privacy laws by republishing sensitive data

The complainant alleged that the Parole Board of Canada (PBC) contravened the Privacy Act by disclosing her medical information to external parties involved in a Public Service Staffing Tribunal (PSST) hearing. The PBC acknowledged that a human resources employee inadvertently emailed documents containing the complainant's medical information, which was outside the scope of the PSST's order. The PBC apologized to the complainant, ensured the recipients disposed of the information, and reported the breach internally.

• Was the complainant's medical information disclosed without consent or lawful authority?
• Did the disclosure contravene the Privacy Act's provisions on disclosure of personal information?
• Were the corrective actions taken by the PBC satisfactory?

A complaint was made against a telecommunications company and a credit-reporting agency after a fraudulent telecommunications account led to a false debt appearing on the complainant's credit report. The telecommunications company initially refused to correct the information or prove the complainant opened the account. Following OPC's involvement, the company's fraud team investigated, confirmed the account was fraudulent, cancelled it, and updated the credit-reporting agency with accurate information.

• Accuracy and completeness of personal information
• Correction of inaccurate personal information
• Adequacy of customer authentication procedures
• Accountability for information transferred to third parties

A customer complained that a department store was displaying photographs of individuals on a bulletin board to identify suspected shoplifters. The Office of the Privacy Commissioner of Canada (OPC) advised the store that posting such photographs without consent contravened PIPEDA. The store agreed to remove the pictures and discontinue the practice, opting instead to work with the police.

• Public display of photographs of suspected shoplifters without consent
• Application of PIPEDA to photographs taken from video surveillance

An individual complained that her telecommunications provider disclosed her personal information without consent when a technical support representative remotely accessed her computer to fix an email issue. The representative inadvertently set up an automatic email forwarding to an acquaintance's address, causing personal emails, including a temporary password, to be sent to the wrong recipient. While the provider implemented corrective measures, the OPC noted the provider initially misrepresented steps taken to address the issue.

• Disclosure of personal information without consent
• Accuracy of representations made to the OPC
• Adequacy of internal procedures and training

A couple complained after their personal information was fraudulently used by a marketing company posing as an employee of their anti-virus service provider. The couple suspected the service provider employee disclosed their account number to the marketing company. The OPC investigated and found the service provider had failed to adequately protect customer information. The service provider dismissed the employee responsible and implemented new safeguards, including an auditing system and a streamlined procedure for addressing privacy concerns.

• Adequacy of security safeguards
• Unauthorized access to personal information
• Complaint handling procedures
• Accountability for employee actions

An individual complained that her manager at a credit union accessed her personal bank account without consent. The manager suspected the employee was not actually sick and used her customer data to check her debit card usage outside the province. The credit union acknowledged the improper access and agreed to apologize and address the manager's conduct. The employee was satisfied, and the matter was resolved.

• Manager accessing employee's personal banking information without valid business purpose
• Use of personal information for a purpose other than that for which it was collected
• Employee's right to privacy while also being a customer of the institution