BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

Federal (Canada) · Privacy Act · Well-founded
Apr 29, 2015 · Indexed Apr 12, 2026

Disclosure to Interpol raises concerns regarding electronic transmission of personal information

Canada Border Services Agency

The complainant alleged that the Canada Border Services Agency (CBSA) improperly disclosed his personal information to his country of origin without consent. The CBSA disclosed a court judgment related to the complainant's criminal history to the High Commission of Canada to Ghana, which then forwarded it to Interpol for verification. The OPC found that while the disclosure was for a consistent purpose under the Privacy Act (enforcing immigration law), the CBSA's procedures for such disclosures were insufficient at the time, and the electronic transmission of information raised concerns.

Adjudicator: Daniel Therrien
Key Issues
  • Disclosure of personal information to a foreign entity for verification purposes.
  • Whether the disclosure constituted a consistent use of information under the Privacy Act.
  • Adequacy of CBSA procedures for international disclosure and verification requests.
  • Concerns regarding the electronic transmission of personal information.

Federal (Canada) · Privacy Act · Well-founded
Apr 16, 2015 · Indexed Apr 12, 2026

Mishandling employees’ personal information – Public Services and Procurement Canada

Public Services and Procurement Canada

The complainant alleged that Public Services and Procurement Canada (PWGSC) contravened the Privacy Act when a Director disclosed that the complainant had filed a harassment complaint against her during a management meeting. The investigation confirmed the disclosure, and found that the Director had not obtained the complainant's consent and that the attendees did not need to know the information. As a result, the complaint was found to be well-founded.

Adjudicator: Daniel Therrien
Key Issues
  • Definition of personal information under section 3 of the Privacy Act
  • Rules regarding the disclosure of personal information under section 8 of the Privacy Act
  • Application of Treasury Board and departmental policies on confidentiality of harassment complaints

Federal (Canada) · Privacy Act · Well-founded
Mar 3, 2015 · Indexed Apr 12, 2026

Accidental disclosure by Health Canada - March 3, 2015

Health Canada

This investigation concerned a complaint against Health Canada (HC) regarding the mailing of 41,514 letters using windowed envelopes that revealed the name of the "Marihuana Medical Access Program" (MMAP). The Office of the Privacy Commissioner of Canada (OPC) found that HC contravened the Privacy Act by disclosing sensitive personal information without consent or legitimate purpose. Although HC cited administrative error and argued implicit consent or consistent use, the OPC determined that the sensitive nature of the program name required greater protection. HC has since implemented stricter mail-out procedures and created a new working group.

Adjudicator: Daniel Therrien
Key Issues
  • Whether the visible program name in the return address constituted a disclosure of personal information.
  • Whether implied consent was obtained from recipients.
  • Whether the disclosure was a 'consistent use' of information under section 8(2)(a) of the Privacy Act.
  • Whether Health Canada took reasonable steps to protect sensitive personal information.

Federal (Canada) · Privacy Act · Well-founded
Feb 10, 2015 · Indexed Apr 12, 2026

Records deemed 'transitory' prematurely destroyed - February 10, 2015

Department of National Defence (DND)

The complainant, a former Canadian Forces member, alleged that the Department of National Defence (DND) contravened the Privacy Act by prematurely destroying an audio recording of his Progress Review Board (PRB) hearing. The OPC found that the recording contained personal information used for an administrative purpose and should have been retained for at least two years, as required by the Act, unless the complainant consented to its destruction. DND's destruction of the recording shortly after the hearing was deemed premature. The OPC recommended that DND develop a policy for retention and disposal of PRB hearing records and, in the interim, retain such recordings or transcriptions for at least two years.

Adjudicator: Daniel Therrien
Key Issues
  • Whether the audio recording of the PRB hearing contained personal information used for an administrative purpose.
  • Whether the complainant consented to the destruction of the audio recording.
  • Whether DND's destruction of the audio recording violated the retention provisions of the Privacy Act.
  • Whether DND provided access to accurate records following the hearing.

Federal (Canada) · Privacy Act · Well-founded
Dec 3, 2014 · Indexed Apr 12, 2026

Canada Revenue Agency and the Canadian Broadcasting Corporation (CRA) - 2015

Canada Revenue Agency

The Office of the Privacy Commissioner of Canada investigated complaints following a privacy breach by the Canada Revenue Agency (CRA), where personal information of approximately 1,000 individuals was inadvertently sent to the Canadian Broadcasting Corporation (CBC). The investigation confirmed that a CRA employee switched cover letters for two different packages, resulting in a consultation package being sent to a CBC journalist instead of the intended recipient. Despite the CRA's efforts to retrieve the information and implement corrective measures, the information was not returned by the CBC, leading to a published article by the CBC.

Adjudicator: Daniel Therrien
Key Issues
  • Unauthorized disclosure of personal information
  • Adequacy of CRA's internal procedures and employee training
  • Compliance with section 8 of the Privacy Act regarding disclosure

Federal (Canada) · Privacy Act · Well-founded
Nov 17, 2014 · Indexed Apr 12, 2026

Collection of RCMP member's health information unnecessary (VAC) - November 17, 2014

Veterans Affairs Canada (VAC)

The complainant alleged that Veterans Affairs Canada (VAC) inappropriately disclosed her health and financial information to the Royal Canadian Mounted Police (RCMP). The investigation found that VAC disclosed the complainant's medical diagnosis and financial information to the RCMP's National Compensation Policy Centre via its pension award letter. This disclosure was found to contravene the Privacy Act because it was not a 'consistent use' of the information, as neither consent nor a clear need-to-know was established for the RCMP's National Compensation Policy Centre to receive this sensitive personal information. The issue was also found to be systemic, affecting numerous RCMP employees.

Adjudicator: Daniel Therrien
Key Issues
  • Was the disclosure of the complainant's medical and financial information by VAC to the RCMP a contravention of the Privacy Act?
  • Did the complainant provide informed consent for the disclosure of her personal information?
  • Was the disclosure of information considered a 'consistent use' under paragraph 8(2)(a) of the Privacy Act?
  • Was the disclosure of personal information systemic in nature?

Federal (Canada) · Privacy Act · Well-founded
Nov 17, 2014 · Indexed Apr 12, 2026

Collection of RCMP member's health information unnecessary (RCMP) - November 17, 2014

Royal Canadian Mounted Police (RCMP)

The Office of the Privacy Commissioner of Canada investigated a complaint concerning the RCMP's collection of a member's medical diagnosis and financial information from Veterans Affairs Canada (VAC). The OPC found that the RCMP's National Compensation Policy Centre collected sensitive personal information that was not necessary for the administration of pension benefits or health care, contravening the Privacy Act. The investigation revealed this practice was systemic and occurred over several years, despite the transfer of responsibility for pension adjudication to VAC.

Adjudicator: Daniel Therrien
Key Issues
  • Necessity of collecting medical and financial information by the RCMP from VAC.
  • Consistency of collection with the purposes for which information was originally collected by VAC.
  • Systemic nature of the inappropriate collection of sensitive personal information.
  • Adequacy of information sharing agreements between federal institutions.

Federal (Canada) · Privacy Act · Well-founded
Oct 30, 2014 · Indexed Apr 12, 2026

Wanted by the CBSA Program

Canada Border Services Agency

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint alleging the improper disclosure of personal information on the Canada Border Services Agency's (CBSA) "Wanted by the CBSA" website. While the disclosure itself was found to be permissible under the Privacy Act for immigration law enforcement, the CBSA failed to ensure the accuracy and completeness of the information. The investigation also found the CBSA failed to conduct a Privacy Impact Assessment before launching the program. The CBSA accepted all five OPC recommendations for improvement.

Adjudicator: Daniel Therrien
Key Issues
  • Whether the CBSA improperly disclosed personal information on its "Wanted by the CBSA" website.
  • Whether the CBSA conducted a Privacy Impact Assessment prior to launching the program.
  • Whether the CBSA took reasonable steps to ensure the accuracy and completeness of the disclosed personal information.
  • Whether the purpose of disclosure was consistent with the Privacy Act.

Federal (Canada) · Privacy Act · Well-founded
Oct 30, 2014 · Indexed Apr 12, 2026

Public Service school called upon to better protect confidentiality

Canada School of Public Service

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from an employee of the Canada School of Public Service (the School) who alleged his personal information was improperly disclosed. The School had received a letter from the Public Sector Integrity Commissioner (PSIC) identifying seven employees and allegations against them. The School hand-delivered this letter to the named employees, including the complainant. The OPC found that the School's actions contravened the Privacy Act by disclosing the complainant's personal information without authority. Following the OPC's recommendations, the School developed new procedures to protect confidentiality.

Adjudicator: Daniel Therrien
Key Issues
  • Disclosure of personal information contrary to the Privacy Act
  • Adequacy of procedures to protect personal information
  • Cooperation with other federal oversight bodies

Federal (Canada) · Privacy Act · Well-founded
Oct 30, 2014 · Indexed Apr 12, 2026

Woman fails in attempt to return personal information to Canada Revenue Agency

Canada Revenue Agency

A woman received the personal information of five strangers along with her daughter's tax documents from the Canada Revenue Agency (CRA). She attempted to return the information to the CRA through various channels but faced difficulties. The OPC launched a Commissioner-initiated investigation, which concluded that the CRA had breached the privacy rights of the individuals whose information was improperly disclosed. The CRA has since implemented remedial measures to improve its procedures for handling misdirected mail and facilitating breach reporting.

Adjudicator: Daniel Therrien
Key Issues
  • Adequacy of CRA's procedures for handling misdirected personal information.
  • Effectiveness of CRA's channels for the public to report privacy breaches.
  • Timeliness and appropriateness of CRA's response to the breach.

Federal (Canada) · Privacy Act · Well-founded
Sep 5, 2014 · Indexed Apr 12, 2026

Violating principle of 'need-to-know' leads to data breach - September 5, 2014

Aboriginal Affairs and Northern Development Canada (AANDC)

The Office of the Privacy Commissioner of Canada investigated a complaint regarding the improper disclosure of personal information by Aboriginal Affairs and Northern Development Canada (AANDC). The complainant was concerned that AANDC created a document listing individuals who had requested information about a former minister under the Access to Information Act, and that this document was subsequently disclosed to La Presse newspaper. The investigation found that AANDC improperly shared the document with staff who did not need to know the identities of the requesters, and that the document was ultimately disclosed to La Presse, violating the Privacy Act.

Adjudicator: Daniel Therrien
Key Issues
  • Whether the document contained personal information.
  • Whether AANDC officials who accessed the document had a need-to-know.
  • Whether the disclosure of the document to La Presse constituted a contravention of the Privacy Act.

Federal (Canada) · Privacy Act · Well-founded
Jul 9, 2014 · Indexed Apr 12, 2026

Sharing of health information unjustified - July 9, 2014

Public Service Commission of Canada

The complainant alleged that the Public Service Commission of Canada (PSC) contravened the Privacy Act by disclosing her private medical information to multiple witnesses during an investigation into potential fraud. The OPC found that while the PSC's collection and use of the information were justified, the disclosure of the doctor's letter to all witnesses was not a "consistent use" and thus contravened the Act. The PSC has committed to implementing new procedures to ensure future compliance.

Adjudicator: Daniel Therrien
Key Issues
  • Whether the disclosure of medical information to all witnesses in an investigation complied with the Privacy Act's "consistent use" provision.
  • Whether the PSC's disclosure of medical information was necessary for procedural fairness.
  • Whether the PSC's interpretation of "affected person" was overly broad, leading to excessive disclosure.

Federal (Canada) · Privacy Act · Well-founded
Mar 24, 2014 · Indexed Apr 12, 2026

IP54-56/2014 — Employment and Social Development Canada

Employment and Social Development Canada

This report details an investigation into the loss of an external hard drive at Employment and Social Development Canada (ESDC), which contained the personal information of 583,000 Canada student loan borrowers and 250 employees. The Office of the Privacy Commissioner of Canada (OPC) found that while ESDC had appropriate policies in place, there was a significant gap in their implementation, leading to inadequate physical, technical, administrative, and personnel security controls. Consequently, ESDC was found to be in contravention of sections 6(3), 7, and 8 of the Privacy Act. ESDC accepted all of the OPC's recommendations for improvement.

Adjudicator: Chantal Bernier
Key Issues
  • Adequacy of physical security controls for storing personal information on portable media.
  • Sufficiency of technical safeguards, such as encryption, for personal information on external hard drives.
  • Effectiveness of administrative controls, including asset management and inventory of portable devices.
  • Level of employee awareness and training regarding the risks associated with handling personal information on portable devices.

Federal (Canada) · Privacy Act · Well-founded
Oct 29, 2013 · Indexed Apr 12, 2026

Estranged wife accessed husband’s medical records

Department of National Defence (DND)

An estranged wife, employed as a civilian at a Canadian Forces Base, accessed her husband's medical records without authorization. She also deleted a physiotherapy appointment and accessed a paper file. The Department of National Defence (DND) determined this was a willful breach of rules and implemented restrictions on her access. The OPC found the complaint to be well-founded, as the access was inconsistent with the original purpose of the information and not a permissible use under the Privacy Act.

Adjudicator: Jennifer Stoddart
Key Issues
  • Unauthorized access to medical records
  • Access and use inconsistent with original purpose
  • Willful breach of departmental rules

Federal (Canada) · Privacy Act · Well-founded
Oct 29, 2013 · Indexed Apr 12, 2026

National Defence employee accesses someone’s personal health records for her own personal reasons

National Defence

The Office of the Privacy Commissioner investigated a complaint from an individual whose personal health information was accessed by an employee of National Defence. The investigation found that the employee improperly accessed the complainant's health records for personal reasons, not for any professional or authorized purpose. National Defence has since implemented new controls, updated policies, and provided training to its healthcare staff to prevent future breaches.

Adjudicator: Jennifer Stoddart
Key Issues
  • Inappropriate access to personal health information
  • Use of personal information for personal reasons
  • Adequacy of National Defence's privacy training and controls