Canadian Privacy Decisions

The complainant alleged that the Canada Border Services Agency (CBSA) improperly disclosed his personal medical information to a third party by carbon copying them on a letter. The CBSA argued the information was publicly available from court documents. The OPC found that while the CBSA did disclose personal information, this disclosure was not a contravention because the information was indeed publicly available in court records, making section 8 of the Privacy Act inapplicable under subsection 69(2).

• Was the personal information disclosed by the CBSA considered "personal information" under the Privacy Act?
• Was the disclosed personal information "publicly available"?
• Did subsection 69(2) of the Privacy Act apply, rendering section 8 of the Act inapplicable?
• If section 8 applied, would the disclosure have been permitted under subsection 8(2)?

The complainant filed a complaint after National Defence (DND) did not respond to their access to information request. DND had decided that the request did not meet the requirements of section 6 of the Access to Information Act. The Information Commissioner found that the complaint was not well-founded, indicating that DND's handling of the request was appropriate.

• Whether the institution responded to the request within the time limits prescribed by the Act.

A former member of the Canadian Armed Forces complained that the Department of National Defence (DND) wrongfully compelled him to publicly disclose medical information during a military summary trial. The Office of the Privacy Commissioner of Canada (OPC) found the complaint was not well-founded. The OPC determined that the disclosure was made as testimony during a public military trial, consistent with the open courts principle and the National Defence Act. Since confidentiality was not requested, the disclosure was permitted under subsections 8(2)(a) and 8(2)(b) of the Privacy Act.

• Applicability of the Privacy Act to military summary trials
• Whether public disclosure of medical information during a summary trial contravened the Privacy Act
• The principle of open courts in military justice proceedings
• The concept of publicly available information under section 69 of the Privacy Act

The Office of the Privacy Commissioner of Canada investigated two complaints concerning the disclosure of a military officer's personal health information. The Department of National Defence (DND) disclosed the information to the Department of Justice (DOJ) to defend against litigation initiated by the complainant against the government. The OPC found that both the disclosure by DND and the collection by DOJ were permissible under paragraph 8(2)(d) of the Privacy Act, as the information was disclosed to the Attorney General for use in legal proceedings involving the Crown. The OPC concluded that the Privacy Act does not distinguish between types of personal information and that the disclosure was necessary for legal defence, upholding the legal interpretation confirmed by the Federal Court.

• Permissibility of disclosing personal health information for litigation purposes under paragraph 8(2)(d) of the Privacy Act.
• Whether the collection of personal medical information by the Department of Justice was a contravention of the Privacy Act.
• Whether the disclosure of personal medical information by the Department of National Defence was a contravention of the Privacy Act.
• The scope and interpretation of paragraph 8(2)(d) of the Privacy Act regarding disclosures to the Attorney General for legal proceedings.

The complainant alleged that Trans Union disclosed his credit file information to Statistics Canada without consent, and that this information was subsequently used to initiate debt collection efforts against him. The Office of the Privacy Commissioner of Canada (OPC) found that Trans Union was authorized to disclose the information under PIPEDA, as Statistics Canada had requested it under the authority of the Statistics Act. The OPC also found no evidence that Statistics Canada disclosed the complainant's information to other institutions for debt collection purposes.

• Whether Trans Union disclosed personal information without consent contrary to PIPEDA.
• Whether Statistics Canada used disclosed information for debt collection.
• Whether the disclosure was authorized by law under PIPEDA.
• Whether Statistics Canada contravened the Privacy Act in its data collection.

This investigation examined complaints concerning Statistics Canada's collection of personal financial and credit information from a credit bureau and financial institutions for two projects. The OPC found Statistics Canada had the legal authority for the Credit Information Project, deeming that aspect not well-founded. However, the OPC had serious concerns that the Financial Transactions Project, as originally designed, would have exceeded Statistics Canada's legal authority. As this project was halted before any data was collected, no finding was made. Despite finding no contravention of the Privacy Act, the OPC identified significant privacy concerns regarding necessity, proportionality, and transparency in both projects as originally designed, and made recommendations for improvement.

• Legal authority for collecting personal information under the Statistics Act and Privacy Act
• Necessity and proportionality of collecting sensitive personal information
• Adequacy of transparency regarding data collection
• Safeguards for handling collected personal information

Three complainants alleged that Correctional Service Canada (CSC) was using video footage collected for security purposes to monitor employee performance. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that CSC used the footage to identify systemic deficiencies in patrols following an inmate's death, aiming to improve security and prevent future deaths. The OPC determined this use was consistent with the original purpose of collection (security) and therefore not a contravention of the Privacy Act.

• Was CSC using video footage to monitor employee performance?
• Was the use of video footage for identifying and addressing security deficiencies consistent with the original purpose of collection?
• Did the use of video footage contravene the Privacy Act's use provisions?

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding the Department of National Defence’s (DND) disclosure of deceased Canadian Forces members’ medical records to Military Police investigators for suicide investigations. The OPC found that while DND’s Directorate of Access to Information and Privacy (DAIP) generally acted appropriately in assessing the necessity of the requested information, its record-keeping practices were insufficient, failing to retain all requested disclosure forms as required by the Privacy Act. DND was recommended to improve its policies and procedures to ensure full retention of request forms, verify the statutory authority for investigations, and maintain more comprehensive disclosure records.

• Adequacy of DND's assessment of necessity for disclosing medical records under paragraph 8(2)(e) of the Privacy Act for suicide investigations.
• Sufficiency of DND's record-keeping practices concerning requests and disclosures under paragraph 8(2)(e).
• DND's interpretation of its obligations regarding lawful investigations and adherence to its own policies.
• Whether DND's disclosure of records was consistent with the Privacy Act and TBS Directive.

Four complainants alleged that Transport Canada's requirement for owners of unmanned aircraft to display their personal information on the device contravened the Privacy Act. They argued this obligation to publicly display contact information without consent was a violation of disclosure provisions. The Office of the Privacy Commissioner of Canada (OPC) found that while the information collected is personal, the requirement did not constitute a collection by Transport Canada itself, and therefore, the disclosure provisions of the Act did not apply. The OPC concluded the complaints were not well-founded, acknowledging the measure was an interim safety precaution but noted Transport Canada intended to revise the regulations to address privacy concerns.

• Whether the requirement to display personal information on unmanned aircraft constitutes a collection under the Privacy Act.
• Whether the disclosure of personal information on unmanned aircraft contravenes the disclosure provisions of the Privacy Act.
• The balance between aviation safety and public privacy.
• The authority of the Minister of Transport to issue interim orders for aviation safety.

This investigation concerned a complaint alleging that Statistics Canada (StatCan) improperly disclosed confidential census data to Shared Services Canada (SSC) when transferring its IT infrastructure. The complainant also raised concerns about the adequacy of safeguards and supervision of SSC employees handling the data. The OPC found that StatCan did not disclose personal information contrary to the Privacy Act, as it was legally required to transfer its IT infrastructure to SSC. Furthermore, StatCan took reasonable measures to define its relationship with SSC and ensure privacy and security considerations were addressed.

• Whether StatCan improperly disclosed confidential census data to SSC.
• Whether StatCan took reasonable measures to safeguard the census data transferred to SSC's IT infrastructure.
• Whether StatCan adequately supervised SSC employees with access to the data.
• Whether the transfer of data was consistent with the Statistics Act and the Privacy Act.

A traveler complained that an airline did not provide complete access to his personal information, specifically documents and correspondence related to being denied boarding. The airline relied on exemptions under PIPEDA, arguing that the information was collected to investigate a potential breach of agreement or contravention of law and was disclosed to a government institution for law enforcement purposes. The OPC found that both the collection and disclosure were reasonable under the Act's exemptions, and the airline properly followed the process when a government institution objected to disclosure of the information.

• Whether the collection of personal information without consent was justified under PIPEDA's exemptions.
• Whether the disclosure of personal information to a government institution was justified under PIPEDA's exemptions.
• Whether the airline properly handled the access request when a government institution objected to disclosure.

The complainant alleged that a doctor used and disclosed his personal information without consent during an insurance claim evaluation. The investigation focused on whether the complainant's consent, provided through accident benefit application forms (OCF-1 and OCF-19), extended to this specific doctor hired to prepare a summary report. The Office determined that the consent forms explicitly allowed the insurance company and other parties, including health professionals, to collect, use, and disclose personal information for the purposes of investigating and processing the insurance claim, including assessing catastrophic impairment. Therefore, the doctor did not contravene PIPEDA's consent provisions.

• Whether consent provided for an insurance claim extended to a third-party doctor hired to prepare a summary report.
• Whether the specific wording of consent forms (OCF-1 and OCF-19) covered the collection, use, and disclosure of personal information by the doctor.
• Whether the doctor collected, used, or disclosed personal information for purposes beyond those stated in the consent forms.

A complainant expressed concerns that personal taxpayer information held by Mobilshred Inc. under contract with the Canada Revenue Agency (CRA) could be accessed by US authorities under the USA PATRIOT Act, due to Mobilshred's perceived US affiliation. The OPC investigated whether the CRA had adequately safeguarded this information. The investigation determined that Mobilshred Inc. is a Canadian company, and the contract explicitly requires all stored paper records to remain physically within Canada. Therefore, the CRA took adequate measures to prevent unauthorized disclosure.

• Potential for US authorities to access Canadian taxpayer information stored by a contractor under the USA PATRIOT Act.
• Whether the Canada Revenue Agency adequately safeguarded personal information entrusted to a third-party contractor.
• The corporate structure and operational location of Mobilshred Inc. and its parent company, Recall.

Canada Post's collection of electronic signatures for mail tracking was investigated following a complaint. The OPC found that Canada Post's collection, use, and disclosure of signatures for tracking purposes complied with the Privacy Act, as it was consistent with the original purpose of collection and a permitted disclosure under paragraph 8(2)(a) of the Act. However, the OPC identified shortcomings in the security and privacy controls of Canada Post's online tracking website and made recommendations for improvement, which Canada Post accepted.

• Adequacy of notice provided to individuals regarding the collection, use, and disclosure of their electronic signatures.
• Compliance with the Privacy Act regarding the collection, use, and disclosure of personal information.
• Adequacy of security and privacy controls for digitized signatures displayed on Canada Post's online tracking website.

An individual complained that an investment brokerage collected more personal information than necessary to open a self-directed investment account. The brokerage stated the information was required to comply with regulatory obligations, including "Know Your Client" rules from the Investment Industry Regulatory Organization of Canada (IIROC) and anti-money laundering (AML) requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), as well as provincial securities legislation. The OPC found that the requested information, including net worth, marital status, and spouse's occupation, was necessary for these regulatory purposes.

• Whether the brokerage collected more personal information than necessary for opening a self-directed investment account.
• Whether the collection of information was a condition of service contrary to PIPEDA.
• Whether the brokerage's collection purposes met regulatory requirements.
• The applicability of "Know Your Client" and AML rules to self-directed accounts.