Canadian Privacy Decisions

The Office of the Privacy Commissioner of Canada investigated a complaint against Agronomy Company of Canada Ltd. (Agronomy) following a significant data breach. The investigation found that Agronomy lacked appropriate safeguards, including multi-factor authentication, network segregation, and encryption, which contributed to the breach affecting 845 individuals. The OPC also found Agronomy lacked accountability structures. However, the complaint regarding valid consent for credit services was found not well-founded. Agronomy has since made significant improvements to its security measures and accountability practices.

• Adequacy of security safeguards
• Accountability for personal information
• Validity of consent for collection and use of personal information

This Special Report to Parliament details the OPC's investigations into federal government privacy practices during the COVID-19 pandemic. It examined vaccine mandates for travel and employment, the ArriveCAN app, and the use of mobility data. While most government measures complied with the Privacy Act, the OPC identified areas for improvement, including the need for clearer objectives in mandates and better documentation of less privacy-intrusive alternatives. An error in the ArriveCAN app led to incorrect quarantine notifications, and a PIPEDA investigation found a private company misused a traveller's contact information for marketing.

• Compliance of COVID-19 measures with the Privacy Act
• Necessity and proportionality of personal information collection
• Accuracy of personal information used in administrative decisions (ArriveCAN)
• Use of de-identified mobility data and PIPEDA compliance

Twenty federal employees complained after the Treasury Board of Canada Secretariat (TBS) mistakenly disclosed their email addresses and the fact they had filed claims for damages related to the Severe Phoenix Impacts program. The OPC found that TBS contravened the Privacy Act by improperly disclosing personal information. While TBS argued the breach was not material, the OPC disagreed, emphasizing the importance of contextual factors and the potential for harm, even if not all individuals experienced severe injury.

• Was the disclosure of personal information authorized under the Privacy Act?
• Was the privacy breach considered "material" by TBS?
• Did TBS conduct a holistic and context-informed assessment of the breach's materiality and potential harm?