BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

11 decisions matching

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Aug 4, 2020 · PIPEDA Findings #2020-001 · Indexed Apr 12, 2026

PIPEDA Findings #2020-001: Bank ensures openness and comparable protection for personal information transferred to third party

TD Canada Trust

A former employee of TD Canada Trust (TD) complained that TD had outsourced fraud claims processing to a third-party provider in India without customer consent or an opt-out option. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that TD was not required to obtain additional consent as the personal information was used for the original purpose of fraud claims management. The OPC also found TD was sufficiently open about its outsourcing practices and remained accountable by ensuring comparable protection through contractual and monitoring measures.

Adjudicator: Daniel Therrien

Key Issues
  • Requirement for consent to transfer personal information to a third-party processor for the same purpose
  • Sufficiency of openness regarding outsourcing of personal information to foreign jurisdictions
  • Accountability for personal information transferred to a third-party processor and ensuring comparable protection

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Dec 9, 2019 · PIPEDA Findings #2019-007 · Indexed Apr 12, 2026

PIPEDA Findings #2019-007: Credit reporting agency is authorized to rely on exemption to consent in disclosing credit information to Statistics Canada

Trans Union of Canada, Inc.

The complainant alleged that Trans Union disclosed his credit file information to Statistics Canada without consent, and that this information was subsequently used to initiate debt collection efforts against him. The Office of the Privacy Commissioner of Canada (OPC) found that Trans Union was authorized to disclose the information under PIPEDA, as Statistics Canada had requested it under the authority of the Statistics Act. The OPC also found no evidence that Statistics Canada disclosed the complainant's information to other institutions for debt collection purposes.

Adjudicator: Daniel Therrien

Key Issues
  • Whether Trans Union disclosed personal information without consent contrary to PIPEDA.
  • Whether Statistics Canada used disclosed information for debt collection.
  • Whether the disclosure was authorized by law under PIPEDA.
  • Whether Statistics Canada contravened the Privacy Act in its data collection.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Nov 2, 2017 · PIPEDA Report of Findings #2017-009 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-009: Airline relies on access exemption to refuse traveler’s access to their personal information

An airline

A traveler complained that an airline did not provide complete access to his personal information, specifically documents and correspondence related to being denied boarding. The airline relied on exemptions under PIPEDA, arguing that the information was collected to investigate a potential breach of agreement or contravention of law and was disclosed to a government institution for law enforcement purposes. The OPC found that both the collection and disclosure were reasonable under the Act's exemptions, and the airline properly followed the process when a government institution objected to disclosure of the information.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the collection of personal information without consent was justified under PIPEDA's exemptions.
  • Whether the disclosure of personal information to a government institution was justified under PIPEDA's exemptions.
  • Whether the airline properly handled the access request when a government institution objected to disclosure.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Jan 11, 2017 · PIPEDA Case Summary #2017-004 · Indexed Apr 12, 2026

PIPEDA Case Summary #2017-004: Consent provided extends to third-party doctor hired to evaluate accident insurance claim

A medical doctor

The complainant alleged that a doctor used and disclosed his personal information without consent during an insurance claim evaluation. The investigation focused on whether the complainant's consent, provided through accident benefit application forms (OCF-1 and OCF-19), extended to this specific doctor hired to prepare a summary report. The Office determined that the consent forms explicitly allowed the insurance company and other parties, including health professionals, to collect, use, and disclose personal information for the purposes of investigating and processing the insurance claim, including assessing catastrophic impairment. Therefore, the doctor did not contravene PIPEDA's consent provisions.

Adjudicator: Daniel Therrien

Key Issues
  • Whether consent provided for an insurance claim extended to a third-party doctor hired to prepare a summary report.
  • Whether the specific wording of consent forms (OCF-1 and OCF-19) covered the collection, use, and disclosure of personal information by the doctor.
  • Whether the doctor collected, used, or disclosed personal information for purposes beyond those stated in the consent forms.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Apr 23, 2015 · PIPEDA Report of Findings #2015-006 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2015-006: Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach

An investment brokerage

An individual complained that an investment brokerage collected more personal information than necessary to open a self-directed investment account. The brokerage stated the information was required to comply with regulatory obligations, including "Know Your Client" rules from the Investment Industry Regulatory Organization of Canada (IIROC) and anti-money laundering (AML) requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), as well as provincial securities legislation. The OPC found that the requested information, including net worth, marital status, and spouse's occupation, was necessary for these regulatory purposes.

Key Issues
  • Whether the brokerage collected more personal information than necessary for opening a self-directed investment account.
  • Whether the collection of information was a condition of service contrary to PIPEDA.
  • Whether the brokerage's collection purposes met regulatory requirements.
  • The applicability of "Know Your Client" and AML rules to self-directed accounts.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Oct 31, 2014 · Commissioner’s Findings - PIPEDA Report of Findings #2014-013 · Indexed Apr 12, 2026

Commissioner’s Findings - PIPEDA Report of Findings #2014-013: Organization could reasonably assume customer's implied consent for disclosure in dispute resolution situation

An Internet Service Provider (ISP)

A complainant alleged that his Internet Service Provider (ISP) disclosed his personal information without consent to a newspaper columnist who was assisting him with a service dispute. The ISP argued it had implied consent due to the complainant's actions. The OPC found that the complainant's familiarity with the columnist and his own disclosure of information in his email to the columnist created a reasonable expectation that his information might be shared to resolve the dispute. The disclosed information was also found to be relevant and not sensitive.

Key Issues
  • Was there implied consent for the disclosure of personal information to a columnist assisting with a dispute?
  • Was the disclosed information relevant to the complaint?
  • Was the disclosed information sensitive?

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Feb 10, 2014 · Commissioner’s Findings - PIPEDA Report of Findings #2014-012 · Indexed Apr 12, 2026

Commissioner’s Findings - PIPEDA Report of Findings #2014-012: Investment Firm Justified in its Collection of "Know Your Client" Information

A Canadian investment firm

A customer complained that his investment firm's Know Your Client (KYC) form required an unreasonable amount of personal information, contrary to PIPEDA. The firm argued the information was necessary to comply with regulatory obligations set by the Investment Industry Regulatory Organization of Canada (IIROC). The OPC investigated whether the firm collected more information than necessary for legitimate purposes. Ultimately, the OPC found that the firm's collection of detailed financial and personal information, including spousal income and investment experience, was justified to meet IIROC's KYC and suitability requirements.

Adjudicator: Chantal Bernier

Key Issues
  • Whether the investment firm explicitly specified the purposes for collecting personal information.
  • Whether the stated purposes for collection were legitimate.
  • Whether the firm collected more personal information than necessary to fulfill those purposes.
  • Whether the collection was a condition of service that violated PIPEDA.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Apr 2, 2007 · Report of Findings · Indexed Apr 12, 2026

Report of Findings: Privacy Commissioner of Canada v. SWIFT

SWIFT

This investigation concerned SWIFT's disclosure of personal information originating from Canadian financial institutions to the US Department of the Treasury in response to administrative subpoenas. The OPC found that PIPEDA applied to SWIFT's commercial activities in Canada. However, the Commissioner concluded that SWIFT's disclosure of information to comply with valid US subpoenas was permissible under PIPEDA, interpreting subsection 7(3)(c) to allow compliance with lawful orders from foreign jurisdictions where the organization operates. The Commissioner recommended that US authorities use existing information-sharing mechanisms rather than subpoenas to obtain Canadian financial data.

Adjudicator: Jennifer Stoddart

Key Issues
  • Does PIPEDA apply to SWIFT's collection, use, and disclosure of personal information in its Canadian operations?
  • Was personal information disclosed to US authorities in accordance with PIPEDA?
  • Interpretation of subsection 7(3)(c) regarding compliance with foreign subpoenas.
  • Balancing privacy protection with counter-terrorism financing efforts.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Apr 2, 2007 · Executive Summary · Indexed Apr 12, 2026

Executive Summary: Privacy Commissioner of Canada v. SWIFT

SWIFT SCRL (Society for Worldwide Interbank Financial Telecommunication)

This investigation concerned allegations that SWIFT inappropriately disclosed personal information from Canadian financial institutions to the US Department of the Treasury (UST) via administrative subpoenas. The Privacy Commissioner of Canada determined that SWIFT was subject to PIPEDA due to its operations in Canada and its commercial activities involving Canadian banks. While SWIFT disclosed data held in the US to the UST in response to a subpoena, the Commissioner found this disclosure was permissible under the Act's exceptions to consent.

Adjudicator: Jennifer Stoddart

Key Issues
  • Whether SWIFT is subject to PIPEDA
  • Whether SWIFT inappropriately disclosed personal information to the UST
  • Applicability of PIPEDA exceptions to disclosure in response to a subpoena

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Nov 7, 2003 · PIPEDA Case Summary #2003-243 · Indexed Apr 12, 2026

PIPEDA Case Summary #2003-243 — telecommunications company "B"

A telecommunications company

An individual complained that a telecommunications company failed to obtain adequate consent for the secondary marketing use and disclosure of customer data. The investigation found that the company's privacy code, policy, and customer activation process sufficiently informed customers of its marketing practices and their right to opt-out. The company also complied with CRTC restrictions on disclosing customer information. As a result, the Assistant Privacy Commissioner concluded that the company was in compliance with PIPEDA.

Adjudicator: Robert Marleau

Key Issues
  • Adequacy of consent for secondary marketing purposes
  • Clarity and accessibility of privacy policies
  • Company's process for informing customers of data use and opt-out options

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Oct 16, 2002 · PIPEDA Case Summary #2002-82 · Indexed Apr 12, 2026

PIPEDA Case Summary #2002-82: Alleged disclosure of personal information without consent for secondary marketing purposes by a bank

A bank

An individual complained that a bank failed to obtain adequate consent for using and sharing customer data with affiliates for secondary marketing purposes, arguing the bank did not clearly inform customers or provide an easy opt-out mechanism. The Office of the Privacy Commissioner of Canada (OPC) investigated and found the bank's practices and materials, including informing customers of privacy policies and providing an opt-out process, constituted a reasonable effort to ensure customer knowledge and consent. The OPC concluded the bank was in compliance with PIPEDA principles regarding secondary marketing.

Adjudicator: George Radwanski

Key Issues
  • Adequacy of consent for secondary marketing purposes
  • Clarity of information provided to customers about data use and sharing
  • Availability and ease of the opt-out process
  • Bank's compliance with PIPEDA principles on knowledge and consent