Canadian Privacy Decisions

This investigation examined the Treasury Board of Canada Secretariat's (TBS) handling of employee personal information related to the administration of the Direction on Prescribed Presence in the Workplace, which mandates minimum on-site workdays. The Office of the Privacy Commissioner of Canada (OPC) found that TBS's practices for both organizational compliance reporting (using aggregated data like turnstile and HR data) and individual compliance monitoring (relying on manager observation and self-reporting) were compliant with the Privacy Act. The OPC concluded that the complaint was not well-founded, noting TBS's effective balance between operational needs and employee privacy.

• Collection of employee personal information for hybrid work model compliance
• Retention and disposal of personal information
• Use and disclosure of personal information
• Transparency and adequacy of Personal Information Banks (PIBs)

The Office of the Privacy Commissioner of Canada (OPC) investigated the Canada Border Services Agency's (CBSA) contracting practices related to the ArriveCAN application following a complaint and a request from a parliamentary committee. The investigation examined whether contractors had inappropriate access to travellers' personal information. While the OPC found no contravention of the Privacy Act, it identified shortcomings in the CBSA's contracting processes, such as issues with the timeliness and accuracy of security assessments and broad task descriptions in contracts. The OPC made recommendations to improve the CBSA's practices, which the agency accepted.

• Whether CBSA authorized contractors to access personal information without required security clearances.
• Accuracy and timeliness of security requirement assessments for contracts.
• Clarity and specificity of task descriptions in contracts and task authorizations.
• CBSA's compliance with security requirements for personnel and organizations involved in ArriveCAN contracts.

The complainant requested his minor child's passport application from Immigration, Refugees and Citizenship Canada (IRCC), citing a court order granting him access to his children's information. IRCC denied the request, stating the child's consent was required. The OPC found that while the complainant had legal authorization to act on his child's behalf, the request was not made for the child's benefit or best interests, a key condition under the Privacy Regulations. Therefore, the OPC concluded that the complainant did not have a right of access to the child's personal information.

• Whether a parent has an automatic right of access to a minor child's personal information under the Privacy Act.
• Interpretation of the Privacy Regulations regarding requests made on behalf of a minor.
• Whether the complainant's request served the child's best interests.
• The decision-making capacity of a minor regarding their personal information.

A representative acting for the executor of an estate requested personal information about a deceased individual from the Department of National Defence (DND). DND determined the representative was not entitled to the information under paragraph 10(b) of the Privacy Regulations because they did not sufficiently demonstrate a connection between the information sought and the administration of the estate. While DND processed the request informally and disclosed some information under another provision of the Act, they did not clearly state the grounds for refusal. The OPC found the complaint not well-founded as the representative failed to adequately articulate and substantiate the estate's purposes and how the records would serve them.

• Whether the representative was authorized to make a request on behalf of the deceased under paragraph 10(b) of the Privacy Regulations for the purpose of administering the estate.
• Whether the representative sufficiently demonstrated a connection between the information sought and the administration of the deceased's estate.
• Whether DND properly notified the representative of the refusal and the basis for it.
• Whether DND properly handled the request informally.

This investigation concerned an individual's complaint that their Permanent Resident Card renewal application, submitted to Immigration, Refugees and Citizenship Canada (IRCC), was inappropriately disclosed to the Canada Border Services Agency (CBSA). The complainant alleged this disclosure was contrary to the purpose for which the information was collected and that it was used in support of a cessation application to terminate refugee protection. The OPC found that the disclosure was consistent with the purpose for which the information was obtained, as both departments share a mandate under the Immigration and Refugee Protection Act and information sharing for immigration legislation enforcement is considered a consistent use. Therefore, the complaints against both departments were found not well-founded.

• Whether IRCC was authorized to disclose the complainant's personal information to the CBSA.
• Whether the disclosure was for a purpose for which the information was obtained or a consistent use.
• The interpretation of "consistent use" under paragraph 8(2)(a) of the Privacy Act.
• The impact of the privacy notice on the PRC renewal application and the relevant Personal Information Bank (PIB).

This investigation examined whether COVID-19 vaccination attestation requirements implemented by several federal separate employers for their employees complied with the Privacy Act. The OPC found that the collection and use of vaccination status information, including for accommodation requests, was authorized under the Act and directly related to the employers' operating programs, specifically workplace health and safety during the pandemic. While not a strict legal requirement of the Act, the OPC also assessed the necessity and proportionality of these measures and found them to be reasonable given the exceptional circumstances of the pandemic.

• Whether the collection of COVID-19 vaccination status information was directly related to an operating program or activity of the institutions.
• Whether the use and disclosure of vaccination status information, including for accommodation requests, was authorized under the Privacy Act.
• The necessity and proportionality of the vaccination attestation measures in the context of the COVID-19 pandemic.

This investigation examined the COVID-19 vaccination attestation requirements established by the Department of National Defence (DND) for members of the Canadian Armed Forces (CAF). The Office of the Privacy Commissioner of Canada (OPC) found that DND/CAF had the authority to collect this information under the National Defence Act and Part II of the Canada Labour Code. The use and disclosure of the information were generally consistent with the purposes for which it was collected. Although DND declined to implement a recommendation to strengthen oversight of access controls in the Monitor MASS system, the OPC found no instances of inappropriate access or disclosure. The OPC also determined that DND took reasonable steps to ensure the accuracy of the vaccination status information collected.

• Whether DND/CAF's collection of COVID-19 vaccination status information directly related to an operating program or activity of the institution.
• Whether the use of collected vaccination status information was authorized under section 7 of the Privacy Act.
• Whether the use of the Monitor MASS system resulted in unauthorized disclosure of information.
• Whether DND/CAF took reasonable steps to ensure the accuracy of vaccination status information.

This investigation examined whether the collection, use, and disclosure of traveller vaccination status by Transport Canada, VIA Rail, and CATSA complied with the Privacy Act. The Office of the Privacy Commissioner found that the personal information was collected, used, and disclosed in compliance with the Act's requirements. While the Act does not mandate necessity and proportionality, the OPC also considered these principles and found the measures were generally necessary and proportional, though recommended clearer definition of objectives and documentation of less privacy-invasive alternatives for future initiatives.

• Whether the collection of vaccination information was directly related to the operating programs or activities of CATSA and VIA Rail.
• Whether the use and disclosure of personal information, and the centralized collection by Transport Canada, complied with sections 4, 7, and 8 of the Privacy Act.
• Whether the collection of personal information was necessary and proportional, considering the circumstances and available alternatives.

This investigation examined whether the collection, use, retention, and disclosure of personal information by the Public Health Agency of Canada (PHAC) and the Canada Border Services Agency (CBSA) related to COVID-19 vaccine mandates for travellers entering Canada complied with the Privacy Act. The OPC found that the agencies had the authority to collect this information as it was directly related to their mandate under the Quarantine Act and the Emergency Orders. While the OPC identified some weaknesses in PHAC's documentation regarding the necessity and proportionality of the measures, overall, the collection, use, and disclosure of personal information were deemed compliant with the Act.

• Whether personal information collected was directly related to an operating program or activity of PHAC and CBSA.
• Whether personal information was used or disclosed for the purpose for which it was compiled or in accordance with an Act of Parliament.
• Whether personal information was disposed of in accordance with the Privacy Regulations and the Directive on Privacy Practices.
• Whether the collection of personal information under the Emergency Orders was necessary and proportional.

This investigation examined whether mobility data collected by the Public Health Agency of Canada (PHAC) during the COVID-19 pandemic contained personal information as defined under the Privacy Act. The investigation found that the de-identification techniques and safeguards against re-identification implemented by PHAC and its data providers reduced the risk of identifying individuals below the "serious possibility" threshold. Consequently, the complaints were deemed not well-founded, as PHAC did not contravene the Privacy Act.

• Whether the mobility data collected constituted personal information under the Privacy Act.
• The adequacy of de-identification and aggregation techniques to prevent re-identification.
• Whether access to data within a provider's system constitutes collection under the Act.
• The need for transparency regarding the use of de-identified data.

This investigation examined a complaint regarding the alleged leak of personal information about a Supreme Court of Canada candidate. The complainant alleged that documents revealed by an anonymous source demonstrated a disagreement between the Prime Minister’s Office and the former Attorney General concerning the candidate's nomination. The Office of the Privacy Commissioner of Canada (OPC) investigated the Privy Council Office (PCO) and the Department of Justice (DOJ) but found no evidence that these institutions were responsible for the unauthorized disclosure. The OPC's investigation was constrained by jurisdictional limitations, as the Privacy Act does not apply to Ministers' offices or the Prime Minister's Office.

• Whether the PCO or DOJ contravened section 8 of the Privacy Act by improperly disclosing personal information.
• Whether the PCO or DOJ had access to the personal information that was leaked to the media.
• The jurisdictional limitations of the Privacy Act concerning Ministers' offices and the Prime Minister's Office.
• The need for legislative reform to extend the Privacy Act's coverage.

The complainant alleged that the Canada Border Services Agency (CBSA) improperly disclosed his personal medical information to a third party by carbon copying them on a letter. The CBSA argued the information was publicly available from court documents. The OPC found that while the CBSA did disclose personal information, this disclosure was not a contravention because the information was indeed publicly available in court records, making section 8 of the Privacy Act inapplicable under subsection 69(2).

• Was the personal information disclosed by the CBSA considered "personal information" under the Privacy Act?
• Was the disclosed personal information "publicly available"?
• Did subsection 69(2) of the Privacy Act apply, rendering section 8 of the Act inapplicable?
• If section 8 applied, would the disclosure have been permitted under subsection 8(2)?

A former member of the Canadian Armed Forces complained that the Department of National Defence (DND) wrongfully compelled him to publicly disclose medical information during a military summary trial. The Office of the Privacy Commissioner of Canada (OPC) found the complaint was not well-founded. The OPC determined that the disclosure was made as testimony during a public military trial, consistent with the open courts principle and the National Defence Act. Since confidentiality was not requested, the disclosure was permitted under subsections 8(2)(a) and 8(2)(b) of the Privacy Act.

• Applicability of the Privacy Act to military summary trials
• Whether public disclosure of medical information during a summary trial contravened the Privacy Act
• The principle of open courts in military justice proceedings
• The concept of publicly available information under section 69 of the Privacy Act

The Office of the Privacy Commissioner of Canada investigated two complaints concerning the disclosure of a military officer's personal health information. The Department of National Defence (DND) disclosed the information to the Department of Justice (DOJ) to defend against litigation initiated by the complainant against the government. The OPC found that both the disclosure by DND and the collection by DOJ were permissible under paragraph 8(2)(d) of the Privacy Act, as the information was disclosed to the Attorney General for use in legal proceedings involving the Crown. The OPC concluded that the Privacy Act does not distinguish between types of personal information and that the disclosure was necessary for legal defence, upholding the legal interpretation confirmed by the Federal Court.

• Permissibility of disclosing personal health information for litigation purposes under paragraph 8(2)(d) of the Privacy Act.
• Whether the collection of personal medical information by the Department of Justice was a contravention of the Privacy Act.
• Whether the disclosure of personal medical information by the Department of National Defence was a contravention of the Privacy Act.
• The scope and interpretation of paragraph 8(2)(d) of the Privacy Act regarding disclosures to the Attorney General for legal proceedings.

This investigation examined complaints concerning Statistics Canada's collection of personal financial and credit information from a credit bureau and financial institutions for two projects. The OPC found Statistics Canada had the legal authority for the Credit Information Project, deeming that aspect not well-founded. However, the OPC had serious concerns that the Financial Transactions Project, as originally designed, would have exceeded Statistics Canada's legal authority. As this project was halted before any data was collected, no finding was made. Despite finding no contravention of the Privacy Act, the OPC identified significant privacy concerns regarding necessity, proportionality, and transparency in both projects as originally designed, and made recommendations for improvement.

• Legal authority for collecting personal information under the Statistics Act and Privacy Act
• Necessity and proportionality of collecting sensitive personal information
• Adequacy of transparency regarding data collection
• Safeguards for handling collected personal information