Canadian Privacy Decisions

A veteran complained that Veterans Affairs Canada (VAC) had inappropriately used and shared his sensitive medical information in briefing notes to the Minister, and had transferred his medical file to a VAC-administered hospital without his consent. The investigation found that the briefing notes contained excessive medical details and that sensitive information was shared widely within VAC without a need-to-know. The transfer of the medical file also occurred without the required consent. The complaint was found to be well-founded.

• Inappropriate use and disclosure of sensitive medical information in briefing notes.
• Transfer of personal medical information to a hospital without consent.
• Failure to limit access to personal information on a need-to-know basis.
• Compliance with section 7 of the Privacy Act regarding use of personal information.

This investigation concerned a data spill involving 11,900 forms mailed to applicants for the Guaranteed Income Supplement. A mechanical malfunction caused some applicants to receive forms destined for other individuals, including names, addresses, and Social Insurance Numbers. Human error by the overseeing technician, who failed to use detection mechanisms and notify management, compounded the issue. The Office found the complaint well-founded and recommended that the department enhance employee awareness of their obligations to protect personal information.

• Adequacy of security safeguards for personal information
• Role of human error in compounding a mechanical defect
• Reporting obligations of employees regarding privacy breaches

A Member of Parliament complained that an employee of the Toronto Port Authority used the organization's e-mail database to invite individuals to a political fundraising event. The investigation found that an employee sent an email using personal and business addresses obtained from business cards, soliciting donations. Although recipient addresses were in the BCC field, the employee's signature block indicated they worked for the Authority, implying institutional sanction.

• Use of institutional database for personal fundraising activities
• Collection and use of personal information for non-business purposes
• Impression of institutional sanction for personal activities

This investigation was initiated following media reports that a Canada Revenue Agency (CRA) employee posted personal tax information of athletes to an Internet chat group. The OPC found that a former employee did post information, and other CRA employees inappropriately accessed the athletes' tax information out of curiosity, which constituted a breach of the Privacy Act. The CRA took corrective measures, including disciplinary action against employees and modernization of its audit trail system.

• Unauthorized access to taxpayer information by CRA employees
• Disclosure of taxpayer information to an external party
• Adequacy of CRA's corrective measures and audit systems

The Office of the Privacy Commissioner of Canada (OPC) received 82 complaints after Human Resources and Skills Development Canada (HRSDC) inadvertently disclosed the personal information of 191 Employment Insurance (EI) claimants. The disclosed information included names, dates of birth, employee identification numbers, and Social Insurance Numbers. HRSDC took immediate steps to retrieve the data, notify affected individuals, and implement preventative measures. The OPC found 79 of the 82 complaints to be well-founded.

• Inadvertent disclosure of personal information
• Adequacy of breach response measures
• Preventing recurrence of similar breaches