Canadian Privacy Decisions

This special report details an investigation into unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency (CRA). The Office of the Privacy Commissioner (OPC) found that the CRA contravened the Privacy Act regarding accuracy and disclosure of personal information. While the CRA has made efforts to improve its security, shortcomings remain in prevention, monitoring, detection, remediation, and governance, particularly concerning the handling of "Unauthorized Use of Taxpayer Information by a Third Party" (UUTP) incidents. The investigation concluded that the CRA contravened subsections 6(2) and 8(2) of the Act.

• Adequacy of safeguards to protect taxpayer personal information from unauthorized disclosure and modification.
• Timeliness and strength of multi-factor authentication implementation.
• Effectiveness of monitoring and detection mechanisms for UUTPs.
• Coordination and proactivity of the CRA's governance for addressing UUTPs.

An inmate alleged that Correctional Service Canada (CSC) failed to retain video footage of use of force incidents involving them, violating the Privacy Act's retention obligations. The OPC found that CSC did dispose of footage that it was obligated to retain for at least two years under the Act. CSC agreed to implement enhanced oversight, including monthly attestations and quarterly audits of use of force footage retention in its Pacific Region.

• Obligation to retain personal information used for administrative purposes under the Privacy Act
• Adequacy of institutional policies for video retention
• Ensuring reasonable access to personal information
• Effectiveness of oversight measures for compliance

The complainant, as executor of a deceased individual's estate, requested personal information from the Department of National Defence (DND). DND refused to disclose most information, citing Privacy Act exemptions and arguing the request didn't meet the criteria for accessing information on behalf of a deceased person. The OPC found that the complainant was entitled to make the request for estate administration purposes and that DND failed to conduct an adequate search. DND agreed to conduct searches and provide a new response, leading to the complaint being conditionally resolved.

• Eligibility of an estate executor to request personal information of a deceased individual.
• Proper application of section 26 of the Privacy Act (disclosure of personal information about others).
• Adequacy of DND's search for requested records.
• DND's obligation to process formal access requests even if informal avenues exist.

The OPC investigated a complaint that the Canada Revenue Agency (CRA) failed to ensure the accuracy of a taxpayer's personal information used for administrative decisions. An imposter used the complainant's compromised CRA My Account to fraudulently receive COVID-19 benefits and Employment Insurance. The investigation found that the CRA's inadequate safeguards allowed unauthorized access and modification, contravening section 6(2) of the Privacy Act. The CRA has since implemented corrective measures.

• Adequacy of safeguards to protect against unauthorized access and modification of personal information.
• Reasonable steps taken by the CRA to ensure the accuracy of personal information used for administrative decisions.
• Timeliness of notification and privacy breach reporting.
• Impact of identity theft on tax reassessments.

This special report details an investigation into cyber attacks that compromised sensitive personal information held by the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC). Attackers used stolen credentials to access online accounts, leading to unauthorized disclosures, modifications, and identity theft. The investigation found that both departments failed to implement adequate authentication, security decision-making, and monitoring practices, contravening sections 8 and 6(2) of the Privacy Act. While both departments accepted recommendations for improvement, some weaknesses persist.

• Inadequate identity and credential assurance measures
• Insufficiently informed and accountable security decision-making
• Lack of effective monitoring and timely breach containment
• Contravention of Privacy Act sections 8 (disclosure) and 6(2) (accuracy)

This Special Report to Parliament details the OPC's investigations into federal government privacy practices during the COVID-19 pandemic. It examined vaccine mandates for travel and employment, the ArriveCAN app, and the use of mobility data. While most government measures complied with the Privacy Act, the OPC identified areas for improvement, including the need for clearer objectives in mandates and better documentation of less privacy-intrusive alternatives. An error in the ArriveCAN app led to incorrect quarantine notifications, and a PIPEDA investigation found a private company misused a traveller's contact information for marketing.

• Compliance of COVID-19 measures with the Privacy Act
• Necessity and proportionality of personal information collection
• Accuracy of personal information used in administrative decisions (ArriveCAN)
• Use of de-identified mobility data and PIPEDA compliance

Twenty federal employees complained after the Treasury Board of Canada Secretariat (TBS) mistakenly disclosed their email addresses and the fact they had filed claims for damages related to the Severe Phoenix Impacts program. The OPC found that TBS contravened the Privacy Act by improperly disclosing personal information. While TBS argued the breach was not material, the OPC disagreed, emphasizing the importance of contextual factors and the potential for harm, even if not all individuals experienced severe injury.

• Was the disclosure of personal information authorized under the Privacy Act?
• Was the privacy breach considered "material" by TBS?
• Did TBS conduct a holistic and context-informed assessment of the breach's materiality and potential harm?

Immigration, Refugees and Citizenship Canada (IRCC) inadvertently disclosed the email addresses of 636 individuals seeking emergency assistance related to the situation in Afghanistan. These individuals were included in the "TO" field of mass emails, rather than the "BCC" field, exposing their contact information to other recipients. The Office of the Privacy Commissioner of Canada (OPC) found that IRCC contravened section 8 of the Privacy Act due to insufficient controls to prevent such disclosures and that the complaint was well-founded. While IRCC took immediate steps to mitigate the breach, the OPC emphasized the need for robust preventative measures.

• Disclosure of personal information without consent
• Adequacy of preventative measures for mass emails
• Mitigation of harm to affected individuals
• Risk of recurrence of similar breaches

The Department of National Defence (DND) disclosed the identity of a workplace violence (WPV) complainant and the investigation report to a second investigator, who was conducting a separate administrative investigation into the complainant's conduct. The OPC found that while disclosing the report to labour relations was a consistent use, disclosing it to the second investigator was not, as it was not a reasonably expected use of the information given the confidentiality assurances provided to the complainant. This disclosure was therefore found to be a contravention of the Privacy Act.

• Was the disclosure of the WPV complainant's identity and report to a second investigator a 'consistent use' under paragraph 8(2)(a) of the Privacy Act?
• Did DND's consent form clearly communicate potential uses and disclosures of the complainant's identity?
• Did the disclosure align with the reasonable expectations of the complainant regarding confidentiality?
• What corrective actions are necessary to ensure future compliance with privacy principles in WPV investigations?

The Office of the Privacy Commissioner of Canada investigated the RCMP's collection of personal information from Clearview AI, a company that scraped billions of images from the internet for facial recognition. The OPC found that the RCMP contravened the Privacy Act by collecting this information, as Clearview had collected it unlawfully. While the RCMP disagreed with this finding, it agreed to implement the OPC's recommendations to improve its policies and systems for tracking and assessing novel collections of personal information.

• Whether the RCMP's collection of personal information from Clearview AI related directly to an operating program or activity of the institution.
• Whether the RCMP had adequate controls in place to prevent future contraventions of the Privacy Act.
• The lawfulness of Clearview AI's data collection practices.
• The adequacy of the RCMP's assessment of privacy risks associated with new technologies.

This report follows up on an earlier investigation into Statistics Canada's Financial Transactions Project and Credit Agency Data Project. While the initial investigation found no contraventions, it raised significant privacy concerns. This compliance monitoring report assesses whether Statistics Canada’s redesigned projects adequately incorporate the principles of necessity and proportionality. Although Statistics Canada has made progress in reducing the scope of data collection and implementing privacy-enhancing measures, the report concludes that the project plans still fall short in adequately describing public goals, demonstrating effectiveness, and analyzing privacy impacts.

• Adequacy of public goal descriptions for necessity and proportionality assessment.
• Demonstration of project effectiveness.
• Sufficiency of privacy impact analysis, including risk of harm.
• Alignment of Statistics Canada's necessity and proportionality framework with OPC criteria.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against CATSA concerning its practice of notifying police when cannabis was found in a traveller's possession. The OPC found that CATSA's collection and disclosure of personal information for this purpose contravened sections 4 and 8 of the Privacy Act, as its mandate is focused on aviation security, not general law enforcement. While CATSA agreed to cease collecting and disclosing such information when the cannabis possession is not clearly illegal, the record-keeping aspect of the complaint was found not well-founded.

• Whether CATSA's collection of personal information from travellers possessing cannabis was consistent with its mandate under the Privacy Act.
• Whether CATSA's disclosure of personal information to police regarding cannabis possession was consistent with the Privacy Act.
• Whether CATSA's record retention practices for this information complied with the Privacy Act.

This report details a review of passport protection practices by four federal institutions: IRCC, ESDC, GAC, and CPC. While the institutions generally had reasonable measures to prevent unauthorized passport disclosures, the review identified areas for improvement in incident detection, remediation for affected individuals, and learning from past breaches. The institutions agreed to implement the OPC's recommendations to enhance these processes.

• Adequacy of measures to prevent unauthorized disclosure of passports
• Effectiveness of incident detection mechanisms
• Sufficiency of remediation measures for affected individuals
• Processes for learning from past passport breach incidents

Three individuals complained that the RCMP used non-conviction information in vulnerable sector (VS) checks without their informed consent. The OPC found that the RCMP contravened the Privacy Act in two of the three cases because the consent forms did not clearly explain what types of non-conviction information would be reported. The OPC also determined that the RCMP's policy of broadly reporting non-conviction information, including mental health incidents, was not proportional or minimally intrusive. The RCMP agreed to revise its consent forms and policies.

• Adequacy of informed consent for the use of non-conviction information in vulnerable sector checks.
• Proportionality and minimal intrusiveness of reporting non-conviction information, including mental health incidents, in vulnerable sector checks.
• Compliance with record retention requirements under the Privacy Act.
• Consistency of RCMP policies and practices across different provinces.