Canadian Privacy Decisions

The complainant alleged that the Department of Justice Canada missed the deadline to respond to an access to information request. The Information Commissioner previously recommended a response date, which the institution did not accept but committed to a later date. When the institution again failed to respond, the complaint was reopened. The Commissioner found the complaint to be well-founded.

• Timeliness of response under ATIA section 10(3)
• Failure to meet commitment disclosure date

The complainant challenged the Department of Justice Canada's decision to withhold a Memorandum of Understanding (MOU) for legal services, citing section 23 (Legal advice and litigation privilege) of the Access to Information Act. The Department could not demonstrate that the entire MOU, including its title and signature blocks, was protected by solicitor-client privilege. Furthermore, the Department had waived privilege over some information within the MOU. The Information Commissioner found the complaint well-founded.

• Applicability of section 23 (Legal advice and litigation privilege)
• Waiver of privilege
• Protection of general identifying information

The complainant requested records related to a human rights file from the Canadian Human Rights Commission (CHRC). The CHRC withheld information citing personal information, testing/auditing procedures, and solicitor-client privilege. During the OIC investigation, the CHRC agreed to disclose information withheld under testing/auditing procedures and portions withheld under solicitor-client privilege. The OIC found that some file numbers withheld as personal information did not meet the exemption's requirements, and that certain draft investigation reports withheld under solicitor-client privilege also did not meet the exemption's requirements. The CHRC agreed to disclose these records.

• Applicability of the personal information exemption (section 19(1)) to file numbers
• Applicability of the solicitor-client privilege exemption (section 23) to draft investigation reports
• Reasonable exercise of discretion by the institution
• Disclosure of information withheld under testing/auditing procedures (section 22)

The requester filed a complaint after the Royal Canadian Mounted Police (RCMP) failed to respond to an access to information request for over two years. The RCMP provided insufficient information during the investigation regarding the records or the processing of the request. As a result, the Information Commissioner found the complaint to be well-founded and ordered the RCMP to respond to the request within 10 business days.

• Failure to respond to an access to information request within the prescribed time limits.
• Adequacy of information provided by the institution during the investigation.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Employment and Social Development Canada (ESDC) improperly used video surveillance footage to monitor an employee's departure times. The OPC found that ESDC's use of the footage for this purpose was not consistent with the stated security collection purpose and that employees were not adequately informed about the camera usage. ESDC agreed to implement a clear policy on video surveillance use and inform individuals about collection purposes.

• Use of personal information collected via video surveillance for purposes other than security.
• Failure to inform employees about the collection and purpose of video surveillance.
• Whether the use of video surveillance was an exceptional measure for a pressing problem.
• Adherence to the institution's Personal Information Bank (PIB) for consistent uses.

A requester alleged that the Royal Canadian Mounted Police (RCMP) failed to respond to an access to information request within the statutory time limit. The RCMP was deemed to have refused access as they did not respond by the due date. Although the RCMP cited high volume and resource pressures, the Commissioner found these reasons did not justify the delay, especially given the moderate volume of records. The complaint was found to be well-founded. An initial report with an intended order was issued, but the RCMP subsequently responded to the request, rendering the order moot.

• Failure to respond within statutory time limits
• Adequacy of reasons for delay
• Assessment of record volume and complexity

This report details the OPC's investigation into six complaints concerning the Canada Border Services Agency's (CBSA) search of travellers' digital devices at the border. The OPC found that the CBSA contravened the Privacy Act by failing to adhere to its own policies and legal authorities regarding these searches, particularly concerning the scope of data accessed and the lack of proper documentation. The CBSA accepted most operational recommendations for improvement but disagreed with recommendations for legislative reform.

• CBSA's authority to examine digital devices at the border under the Customs Act
• Compliance with CBSA's internal policy on digital device examinations
• Collection and retention of personal information from digital devices
• Adequacy of training and oversight for CBSA officers

This joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) examined Facebook's compliance with privacy laws concerning the disclosure of user data to third-party apps, specifically the "thisisyourdigitallife" (TYDL) app. The investigation found that Facebook failed to obtain valid and meaningful consent from users whose information was disclosed, had inadequate safeguards to protect user data, and lacked accountability for the information under its control. These failures are particularly concerning given similar findings by the OPC in a 2009 investigation, indicating a lack of substantive improvement in Facebook's privacy practices.

• Meaningful consent from installing users
• Meaningful consent from affected users (friends of installing users)
• Adequacy of safeguards to protect user data from third-party apps
• Facebook's accountability for user data

The complainant alleged that Global Affairs Canada (GAC) improperly collected personal information from his diplomatic passport for an administrative investigation. The complainant had used his diplomatic passport for personal travel, and GAC requested the original passport as evidence. GAC did not demonstrate how the personal travel information collected related to its operating programs or activities, nor did it provide sufficient cooperation to confirm its authority to collect this information.

• Whether GAC had the authority to collect personal travel information from a diplomatic passport.
• Whether the collection of personal travel information related directly to GAC's operating programs or activities.
• Whether GAC provided sufficient information regarding the administrative investigation and its authority to collect the passport.

The complainant alleged that Employment and Social Development Canada (ESDC) contravened the Privacy Act by collecting his personal information for a second time, despite his previous objection, through a third-party company. The OPC found that while ESDC's collection was not for an administrative purpose directly affecting the complainant, it failed to comply with section 4 of the Act because the information was not collected in accordance with the terms of its program, as the third party had obtained the information without consent. ESDC also continued to use the complainant's information despite his request to be removed from the list.

• Collection of personal information without consent
• Collection of personal information from a third party
• ESDC's responsibility to ensure third-party compliance with contractual obligations
• ESDC's continued collection of information after a request for removal

The complainant, an air passenger rights advocate, requested access to records about himself from the Canadian Transportation Agency (CTA). The CTA denied access to most records, arguing the information was not personal information, or that it was exempt under various provisions of the Privacy Act. The OPC found that the CTA had erred in withholding information and improperly invoked exemptions under section 70(1). However, most information withheld under sections 26 and 27 was found to be properly exempted, with specific exceptions.

• Whether records containing the complainant's name and discussions about his advocacy activities constituted personal information under the Privacy Act.
• Whether information withheld under paragraph 12(1)(b) was properly excluded from the scope of accessible personal information.
• Whether information was correctly exempted under sections 26 (third-party personal information), 27 (solicitor-client privilege), and subsection 70(1) (cabinet confidences).

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) contravened the accuracy provisions of the Privacy Act by using inaccurate information about him when staffing a position. ISED confirmed that it failed to ensure the accuracy of the information used, which was linked to the complainant’s profile in the MyGCHR human resources system. The investigation found the complaint to be well-founded.

• Whether ISED contravened the accuracy provisions of the Privacy Act.
• Whether ISED took reasonable steps to ensure the accuracy of personal information used for staffing.
• The role of the MyGCHR system in the accuracy of personal information.

The Office of the Privacy Commissioner of Canada investigated a complaint from a federal inmate who alleged that Correctional Service Canada (CSC) contravened the Privacy Act by denying him access to personal information, specifically video and audio recordings. This was a repeat issue, as similar allegations were found to be well-founded in a previous investigation. While CSC properly exempted some recordings, it failed to respond to some requests entirely and, critically, failed to retrieve and retain requested video recordings before they were overwritten in two instances, despite previous recommendations to improve processes for short-retention period records. The complaint was found well-founded due to these failures to provide timely access.

• Timeliness of responding to access to information requests.
• Retention and destruction of personal information, particularly video recordings.
• Appropriate application of exemptions to disclosure.
• Failure to implement previous recommendations regarding record retrieval.

The Office of the Privacy Commissioner of Canada (OPC) investigated complaints against Profile Technology Ltd. (Profile Technology), a New Zealand-based company, for copying and using personal information from Facebook profiles without consent. The OPC found that Profile Technology's website was not merely a search engine but a social networking site, and that the information was not "publicly available" under PIPEDA. The company's practice of repurposing outdated Facebook data without consent or consideration for privacy settings was deemed inappropriate. Additionally, Profile Technology was found to be retaining help desk ticket information longer than necessary. The OPC concluded that Profile Technology contravened PIPEDA by using and disclosing personal information for purposes not appropriate in the circumstances and without consent.

• Jurisdiction over a foreign-based organization
• Definition of "publicly available" information under PIPEDA
• Requirement for consent for collection and use of personal information
• Appropriateness of purposes for using personal information

Several complainants alleged that the Correctional Service Canada (CSC) unlawfully collected personal information through the use of a cell-site simulator near the Warkworth Institution. While CSC confirmed collecting six text messages, it denied intercepting conversations and stated the collection was not authorized. The Office of the Privacy Commissioner of Canada (OPC) found that while the collection of metadata was consistent with the Privacy Act given security concerns, the interception and collection of text message content was not authorized and therefore contravened the Act.

• Whether the collection of cell phone metadata and text messages by CSC constituted personal information under the Privacy Act.
• Whether the collection of cell phone metadata was directly related to CSC's operating programs or activities.
• Whether the interception and collection of text message content was authorized under the Privacy Act.