Federal (Canada) Privacy Decisions

A complainant objected to a retail store retaining records of her credit card transactions after she requested their deletion. The store initially cited contractual obligations to credit card companies, but later informed the OPC that the Excise Tax Act also legally required data retention. The OPC relayed this explanation to the complainant, who found it satisfactory, and the matter was resolved.

• Right to withdraw consent vs. legal and contractual retention obligations
• Adequacy of explanation provided to complainant

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that a financial institution required customers to provide their Social Insurance Number (SIN) for identity verification purposes as a condition of opening a savings account. The OPC found that while the institution collected SINs for legally required income reporting, it could not mandate its use for identity verification. The institution agreed to make the use of SIN for identity verification optional rather than a condition of service.

• Requirement of SIN for identity verification as a condition of service.
• Appropriate use of SIN by private sector organizations.
• Interpretation of FINTRAC guidelines regarding identity verification.

A traveler complained that an airline did not provide complete access to his personal information, specifically documents and correspondence related to being denied boarding. The airline relied on exemptions under PIPEDA, arguing that the information was collected to investigate a potential breach of agreement or contravention of law and was disclosed to a government institution for law enforcement purposes. The OPC found that both the collection and disclosure were reasonable under the Act's exemptions, and the airline properly followed the process when a government institution objected to disclosure of the information.

• Whether the collection of personal information without consent was justified under PIPEDA's exemptions.
• Whether the disclosure of personal information to a government institution was justified under PIPEDA's exemptions.
• Whether the airline properly handled the access request when a government institution objected to disclosure.

The complainant discovered that his financial institution had disclosed his Registered Education Savings Plan (RESP) account information dating back to 1999 to the police. The OPC found that while production orders allow disclosure of information, the financial institution disclosed documents beyond the scope of the specific production order and did not have valid consent. The institution agreed to review its procedures and provide training to staff regarding disclosures pursuant to production orders.

• Disclosure of personal information beyond the scope of a production order
• Validity of consent based on a general privacy policy for law enforcement disclosures
• Sensitivity of financial information

The complainant alleged that the respondent's property history reports included personal information without adequate consent. The Office of the Privacy Commissioner of Canada (OPC) found that insurance claims data, as described in this case, was not personal information about an individual. However, information about drug activity at a property was deemed personal information. The respondent agreed to cease including drug activity details in its reports, leading the OPC to find the complaint well-founded and resolved.

• Whether drug activity information in property reports constitutes personal information.
• Whether drug activity information is publicly available under PIPEDA Regulations.
• Whether consent was adequately obtained for the collection, use, and disclosure of personal information.

The Office of the Privacy Commissioner of Canada investigated Wajam Internet Technologies Inc. after receiving complaints about its software, which tracked online search queries and displayed ads. The investigation found that Wajam breached multiple provisions of PIPEDA, including failing to obtain meaningful consent, inadequately safeguarding personal information, and having insufficient accountability policies. Although Wajam ceased operations and sold its assets, the OPC concluded the matters examined were well-founded.

• Meaningful consent for software installation and data collection.
• Adequate safeguarding of personal information during transmission and storage.
• Effectiveness of uninstallation processes and withdrawal of consent.
• Lack of a privacy accountability framework and policies.

An individual complained to the OPC after an insurance company denied access to parts of their insurance claim file, including case management notes and a video of an incident. The company claimed the notes were confidential commercial information and the video contained third-party images. Through the early resolution process, the company allowed the individual to view the video and provided a redacted version of the case management notes. The complaint was resolved early.

• Access to personal information, including insurance claim files and videos.
• Application of PIPEDA exemptions for confidential commercial information and third-party personal information.
• Severing or redaction of information to provide access.
• Obligation to provide access to personal information.

A complainant alleged that Jet Airways did not provide complete access to her personal information following an incident where she and her companion were denied boarding. The airline cited solicitor-client privilege, litigation privilege, and formal dispute resolution processes as reasons for withholding certain documents. The OPC found the complaint well-founded regarding the airline's failure to respond within the statutory timeframe and its improper application of the formal dispute resolution exemption. However, the OPC could not make a finding on the privilege claims due to legal precedents limiting its ability to investigate privileged documents.

• Timeliness of response to access request
• Applicability of solicitor-client and litigation privilege exemptions
• Applicability of formal dispute resolution exemption
• Overbroad claims of privilege

This investigation was initiated following a complaint that the RCMP used cell site simulators, also known as "Stingray" devices or "IMSI catchers," without confirming or denying their use. The complainant was concerned these devices could intercept private communications and extract encryption keys. The investigation found that while the RCMP's cell site simulators cannot intercept private communications, there were six instances where they were used without prior judicial authorization or exigent circumstances, which constituted a contravention of the Privacy Act. The RCMP has since implemented a policy requiring prior judicial authorization for all deployments unless exigent circumstances exist.

• Use of cell site simulators (mobile device identifiers) by the RCMP
• Capability of cell site simulators to intercept private communications
• Requirement for judicial authorization for the collection of personal information using cell site simulators
• Handling and retention of data collected from third-party devices

The OPC investigated a complaint that Public Executions Inc. was disclosing debtors' personal information without consent on its website for profit. The OPC found that the website's activities constituted a commercial activity under PIPEDA, and that its primary purpose was not journalistic, but rather to shame debtors into paying. The OPC determined the complaint was well-founded, leading to legal proceedings. Subsequently, the website was taken down, and the OPC discontinued its court application.

• Whether the website's operation constituted a 'commercial activity' under PIPEDA.
• Whether the website's purpose qualified as 'journalistic' and was therefore exempt from PIPEDA's consent requirements.
• Whether the disclosure of personal information for the purpose of shaming debtors into paying was an 'appropriate purpose' under PIPEDA.
• Whether section 7(3)(b) of PIPEDA permitted the broad disclosure of judgment debtor information.

A complainant filed a complaint against a financial technology (FinTech) company after being required to provide personal information to access an investment account management agreement. The company initially cited regulatory requirements for collecting the data before an individual became a client. The OPC advised the company that prospective clients should be able to review agreements and understand privacy implications before providing personal information to ensure meaningful consent.

• Purpose of information collection
• Meaningful consent
• Regulatory requirements for collection

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding the MyDemocracy.ca website, operated by the Privy Council Office (PCO). The complainant alleged that despite promises of anonymity, the website used Facebook Connect tracking, potentially disclosing personal information to Facebook. The OPC found that the website's design led to the automatic disclosure of IP addresses and browser information to Facebook upon visiting the site, even before users chose to share content. While PCO made some changes and no evidence suggested PCO used the data to identify individuals, the OPC concluded that the initial disclosure was not consensual and violated section 8 of the Privacy Act. Consequently, the complaint was found well-founded.

• Disclosure of personal information to third parties (Facebook) without consent.
• Whether IP addresses and browser characteristics constitute 'personal information' under the Privacy Act.
• Adequacy of privacy notices and consent mechanisms for third-party data sharing.
• Failure to conduct a Privacy Impact Assessment (PIA).

An individual complained that a bank performed multiple credit checks on her without her consent, even though she had not been a client for many years. The bank initially stated the inquiries were from its marketing group but later found they originated from an unactivated credit card application. While the bank’s policy suggested it could continue soft credit inquiries after a relationship ended, the OPC expressed concerns about this practice. The bank agreed to end the practice and update its privacy policy, leading to the complaint being early resolved. The OPC confirmed the practice has ceased and the policy has been updated.

• Consent for credit checks after termination of a business relationship
• Continued collection of sensitive personal information without a legal requirement
• Accuracy and completeness of information provided to individuals about data handling practices

The Office of the Privacy Commissioner (OPC) investigated three complaints concerning privacy breaches within the Phoenix pay system. The investigation revealed that Public Services and Procurement Canada (PSPC) had inadequate testing, coding errors, and insufficient controls, leading to multiple breaches of federal public servants' personal information. These breaches exposed names, Personal Record Identifier (PRI) numbers, and salary information, with some vulnerabilities being government-wide and potentially allowing data changes. The OPC found the complaints to be well-founded, citing the system's vulnerabilities and PSPC's initial underreporting of the scope of the breaches.

• Unauthorized access to and disclosure of personal information within the Phoenix pay system.
• Inadequacy of PSPC's testing, coding, and security controls for the Phoenix system.
• Scope and impact of the privacy breaches on federal public servants.
• Timeliness and adequacy of PSPC's notification to affected individuals.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Health Canada was over-collecting personal information, specifically diagnostic details, for medical transportation and specialist services under its Non-Insured Health Benefits (NIHB) Program. The OPC found that while Health Canada's intention was to confirm policy requirements for travel, the form used inadvertently led to the collection of unnecessary diagnostic information. Health Canada has since removed the problematic field from the form.

• Whether Health Canada collected more personal information than necessary for the administration of the NIHB Program.
• Whether the collection of diagnostic information for medical transportation and specialist services contravened the Privacy Act.
• The adequacy of Health Canada's NIHB Medical Transportation and Specialist Referral Form in preventing over-collection of personal information.