Canadian Privacy Decisions

This investigation concerned an individual's complaint that their Permanent Resident Card renewal application, submitted to Immigration, Refugees and Citizenship Canada (IRCC), was inappropriately disclosed to the Canada Border Services Agency (CBSA). The complainant alleged this disclosure was contrary to the purpose for which the information was collected and that it was used in support of a cessation application to terminate refugee protection. The OPC found that the disclosure was consistent with the purpose for which the information was obtained, as both departments share a mandate under the Immigration and Refugee Protection Act and information sharing for immigration legislation enforcement is considered a consistent use. Therefore, the complaints against both departments were found not well-founded.

• Whether IRCC was authorized to disclose the complainant's personal information to the CBSA.
• Whether the disclosure was for a purpose for which the information was obtained or a consistent use.
• The interpretation of "consistent use" under paragraph 8(2)(a) of the Privacy Act.
• The impact of the privacy notice on the PRC renewal application and the relevant Personal Information Bank (PIB).

The complainant alleged that Library and Archives Canada (LAC) took an unreasonable amount of time to grant a time extension for an access to information request. The request was for records related to access requests concerning 'Project Anecdote'. LAC claimed a 1,095-day extension under paragraphs 9(1)(a) and (b) of the Act, pushing the response deadline to June 20, 2025. The Information Commissioner found that LAC met all the requirements for this extension, deeming it valid.

• Reasonableness of time extension claimed by institution under subsection 9(1)
• Whether institution met the requirements of paragraphs 9(1)(a) and (b) for the extension

The complainant alleged that the Department of Justice Canada did not conduct a reasonable search for a 2009 workplace report. The Department stated that the record's retention period was five years and it was requested seven years later, meaning it would have been destroyed. While the complainant claimed the consultant still had a copy, the Department argued it was not reasonable to contact the consultant directly given the nature and age of the contract. The OIC agreed that the Department conducted a reasonable search.

• Did the institution conduct a reasonable search for the requested records?
• Whether the institution was required to contact the consultant directly to fulfill the request.

This investigation examined whether mobility data collected by the Public Health Agency of Canada (PHAC) during the COVID-19 pandemic contained personal information as defined under the Privacy Act. The investigation found that the de-identification techniques and safeguards against re-identification implemented by PHAC and its data providers reduced the risk of identifying individuals below the "serious possibility" threshold. Consequently, the complaints were deemed not well-founded, as PHAC did not contravene the Privacy Act.

• Whether the mobility data collected constituted personal information under the Privacy Act.
• The adequacy of de-identification and aggregation techniques to prevent re-identification.
• Whether access to data within a provider's system constitutes collection under the Act.
• The need for transparency regarding the use of de-identified data.

This investigation examined whether the collection, use, retention, and disclosure of personal information by the Public Health Agency of Canada (PHAC) and the Canada Border Services Agency (CBSA) related to COVID-19 vaccine mandates for travellers entering Canada complied with the Privacy Act. The OPC found that the agencies had the authority to collect this information as it was directly related to their mandate under the Quarantine Act and the Emergency Orders. While the OPC identified some weaknesses in PHAC's documentation regarding the necessity and proportionality of the measures, overall, the collection, use, and disclosure of personal information were deemed compliant with the Act.

• Whether personal information collected was directly related to an operating program or activity of PHAC and CBSA.
• Whether personal information was used or disclosed for the purpose for which it was compiled or in accordance with an Act of Parliament.
• Whether personal information was disposed of in accordance with the Privacy Regulations and the Directive on Privacy Practices.
• Whether the collection of personal information under the Emergency Orders was necessary and proportional.

This investigation examined whether COVID-19 vaccination attestation requirements implemented by several federal separate employers for their employees complied with the Privacy Act. The OPC found that the collection and use of vaccination status information, including for accommodation requests, was authorized under the Act and directly related to the employers' operating programs, specifically workplace health and safety during the pandemic. While not a strict legal requirement of the Act, the OPC also assessed the necessity and proportionality of these measures and found them to be reasonable given the exceptional circumstances of the pandemic.

• Whether the collection of COVID-19 vaccination status information was directly related to an operating program or activity of the institutions.
• Whether the use and disclosure of vaccination status information, including for accommodation requests, was authorized under the Privacy Act.
• The necessity and proportionality of the vaccination attestation measures in the context of the COVID-19 pandemic.

This investigation examined the COVID-19 vaccination attestation requirements established by the Department of National Defence (DND) for members of the Canadian Armed Forces (CAF). The Office of the Privacy Commissioner of Canada (OPC) found that DND/CAF had the authority to collect this information under the National Defence Act and Part II of the Canada Labour Code. The use and disclosure of the information were generally consistent with the purposes for which it was collected. Although DND declined to implement a recommendation to strengthen oversight of access controls in the Monitor MASS system, the OPC found no instances of inappropriate access or disclosure. The OPC also determined that DND took reasonable steps to ensure the accuracy of the vaccination status information collected.

• Whether DND/CAF's collection of COVID-19 vaccination status information directly related to an operating program or activity of the institution.
• Whether the use of collected vaccination status information was authorized under section 7 of the Privacy Act.
• Whether the use of the Monitor MASS system resulted in unauthorized disclosure of information.
• Whether DND/CAF took reasonable steps to ensure the accuracy of vaccination status information.

This investigation examined whether the collection, use, and disclosure of traveller vaccination status by Transport Canada, VIA Rail, and CATSA complied with the Privacy Act. The Office of the Privacy Commissioner found that the personal information was collected, used, and disclosed in compliance with the Act's requirements. While the Act does not mandate necessity and proportionality, the OPC also considered these principles and found the measures were generally necessary and proportional, though recommended clearer definition of objectives and documentation of less privacy-invasive alternatives for future initiatives.

• Whether the collection of vaccination information was directly related to the operating programs or activities of CATSA and VIA Rail.
• Whether the use and disclosure of personal information, and the centralized collection by Transport Canada, complied with sections 4, 7, and 8 of the Privacy Act.
• Whether the collection of personal information was necessary and proportional, considering the circumstances and available alternatives.