Canadian Privacy Decisions

This report details an investigation into the unauthorized disclosure of personal information of over 18,000 Canada Border Services Agency (CBSA) employees due to improperly shared spreadsheets. While the CBSA contravened section 8 of the Privacy Act by disclosing information beyond what was necessary for the stated purposes, the agency took appropriate steps to notify affected individuals, contain the breaches, and implement measures to prevent recurrence. These measures included new data request procedures and the development of a new information management system.

• Whether the CBSA contravened section 8 of the Privacy Act by disclosing personal information.
• Whether the CBSA took adequate steps to notify affected individuals.
• Whether the CBSA took adequate steps to contain the impact of the breaches.
• Whether the CBSA took adequate steps to reduce the risk of future breaches.

This investigation concerned a privately owned swimming pool's policy requiring parents to consent to the use of photos and videos of their children for promotional purposes as a condition of enrolling them in swimming lessons. The OPC found that this requirement contravened PIPEDA principles regarding consent for the collection, use, and disclosure of personal information. The swimming pool has agreed to implement an opt-in photo policy, resolving the complaint.

• Whether requiring consent for promotional photos/videos as a condition of service violates PIPEDA.
• Whether photos/videos of children in swim attire are sensitive personal information.
• Whether the swimming pool's stated business needs justified the mandatory consent policy.
• Whether consent was sought appropriately for staff training purposes.

This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe, which affected nearly 7 million customers globally. The investigation found that 23andMe failed to implement appropriate safeguards to protect sensitive personal information, including genetic data, from a credential stuffing attack. Furthermore, the company's notifications to both regulatory bodies and affected individuals were found to be inadequate in content and, in some cases, timeliness. Although contraventions were found, the issues were deemed resolved due to significant security improvements made by 23andMe.

• Adequacy of safeguards to protect personal information, particularly genetic data, from credential stuffing attacks.
• Timeliness and completeness of breach notifications to regulators and affected individuals.
• Risk of harm to individuals due to the sensitive nature of compromised personal information.
• 23andMe's assessment of and response to the identified security deficiencies.

The OPC investigated a complaint that Brinks Home failed to implement adequate safeguards, leading to the compromise of customer personal information via its online portal. While the OPC found Brinks Home had failed to adequately protect customer information, the issue was resolved through corrective actions and the subsequent sale of customer accounts. The OPC also determined that Brinks Home was not required to report the breach to the OPC or notify affected individuals because it did not present a real risk of significant harm.

• Adequacy of safeguards for personal information
• Compliance with mandatory breach reporting requirements
• Assessment of real risk of significant harm (RROSH)
• Employee error leading to unauthorized access

This investigation examined the COVID-19 vaccination attestation requirements for federal public servants. The OPC found that the collection of vaccination status was directly related to the employer's health and safety obligations. However, the Treasury Board of Canada Secretariat (TBS) contravened the Act by failing to update its index of personal information banks within the required timeframe. The OPC also assessed the necessity and proportionality of the measures, concluding they were justified given the pandemic context, though TBS's documentation and response during the investigation were found to be lacking.

• Whether the collection of employee vaccination status was directly related to an operating program or activity.
• Whether institutions met transparency requirements under the Act.
• Whether disclosures of personal information were authorized.
• Necessity and proportionality of the vaccination attestation measures.

The spouse of a Correctional Services Canada (CSC) employee complained that the employee's manager inappropriately collected personal information about them from their public Facebook page in relation to the employee's use of "Other leave with pay (699)". The OPC found that CSC contravened section 4 of the Privacy Act by collecting information that was not related directly to an operating program or activity of CSC. The OPC also noted that CSC's ATIP office incorrectly advised the complainant on how to raise a privacy concern.

• Whether the collection of personal information from a public Facebook page was related directly to an operating program or activity of CSC.
• Whether information collected from a public source is exempt from the collection provisions of the Privacy Act.
• Whether CSC's ATIP office provided appropriate guidance to a member of the public wishing to raise a privacy concern.

An individual complained that Transport Canada failed to publish a description of the Personal Information Bank (PIB) for its Incentives for Zero-Emission Vehicles Program. The investigation found that Transport Canada did not submit the PIB description for approval until 19 months after the program launched, and it was still not approved by the Treasury Board Secretariat (TBS) by the time the OPC's report was issued. Transport Canada has since confirmed the PIB has been approved and published.

• Failure to publish a Personal Information Bank (PIB) description for a program
• Timeliness of PIB approval and publication by government institutions and TBS
• Adequate notification to individuals about the collection and use of their personal information

The Office of the Privacy Commissioner of Canada investigated Home Depot for disclosing customer email addresses and purchase details to Meta (Facebook) through Meta's "Offline Conversions" tool without valid consent. Home Depot used this tool to measure the effectiveness of its Facebook ads. The OPC found that Home Depot's privacy statement and Meta's policy were insufficient to obtain implied consent for this disclosure, as customers were not reasonably expected to understand that their data would be shared for these secondary purposes. Home Depot has since discontinued the use of the tool and agreed to implement recommendations for obtaining express consent should they restart the practice.

• Whether Home Depot obtained valid consent for disclosing customer purchase data to Meta.
• Whether the information disclosed was sensitive.
• Whether Home Depot's privacy statement and Meta's policies provided sufficient notice and clarity.
• Whether express opt-in consent should have been obtained.

This investigation examined a privacy breach experienced by a contractor for the Canada Border Services Agency (CBSA), which was targeted by a ransomware attack. Personal information, specifically licence plate images captured at Canadian border crossings, was accessed and some was posted online. The OPC found that the CBSA had contravened the Privacy Act due to inadequate security safeguards in its contract with the contractor and its inconsistent handling of licence plate data as personal information. The investigation concluded the complaint was well-founded but resolved, as the CBSA agreed to implement recommendations to improve its contracting and data protection practices.

• Whether licence plate image files, including metadata, constitute personal information under the Privacy Act.
• Whether the CBSA contravened the disclosure provisions of the Privacy Act.
• Whether the CBSA had adequate security safeguards in its contract with a third-party contractor.
• Whether the CBSA adequately managed the retention of personal information.

This investigation report concerns a large-scale breach of personal information at the Bank of Montreal (BMO), affecting approximately 113,000 customers. The OPC found that BMO's online banking software had significant vulnerabilities, including issues with developer security testing, vulnerability management, and oversight/monitoring, which allowed attackers to access sensitive data such as financial account numbers and SINs. BMO has since implemented substantial improvements to its security safeguards.

• Adequacy of BMO's technical safeguards to protect personal information.
• Effectiveness of BMO's developer security testing and evaluation processes.
• Sufficiency of BMO's vulnerability management protocols.
• Appropriateness of BMO's oversight and monitoring capabilities for detecting cyberattacks.

The complainant alleged that a computer services company remotely accessed his laptop without his express consent during a help desk call. The Office of the Privacy Commissioner of Canada (OPC) found that the company failed to obtain meaningful express consent for remote access and did not have adequate safeguards to protect customer information. The company has since restructured, ceased offering personal help desk services, and no longer uses the remote access software, leading the OPC to find the complaint well-founded and resolved.

• Whether meaningful express consent was obtained for remote computer access.
• Whether adequate safeguards were in place to protect customer data during remote access.
• The nature of consent required for accessing potentially sensitive personal information on a customer's laptop.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a truck driver alleging that his employer, Oculus Transport Ltd., collected personal information through audio surveillance in the truck cab for inappropriate purposes. The OPC found that while Oculus had a legitimate business need for some surveillance, the continuous audio recording, even when drivers were off-duty, was excessively intrusive and disproportionate to the benefits. Oculus has since stopped using audio surveillance.

• Whether the purposes for which Oculus collected audio recordings were appropriate under PIPEDA's section 5(3).
• Whether less privacy-invasive means were available to Oculus to achieve its stated purposes.
• Whether the intrusion on drivers' privacy was proportionate to the benefits gained by Oculus.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from an employee of a federal institution who alleged a breach of privacy. The employee's personal information regarding her transgender identity and the reasons for her transfer were disclosed to her new supervisor and colleagues without her consent, despite assurances of confidentiality. The OPC found this disclosure contravened the Privacy Act.

• Disclosure of personal information without consent
• Confidentiality of transgender status
• Application of the Privacy Act

This joint investigation by federal, Alberta, and British Columbia privacy commissioners examined Cadillac Fairview's (CFCL) use of Anonymous Video Analytics (AVA) in mall directories and mobile device geolocation tracking. CFCL collected and used personal biometric information via AVA without valid consent, and improperly retained this data. While CFCL stated it had ceased using AVA, it disagreed with findings and refused to commit to express opt-in consent for future use. Regarding geolocation, CFCL's "Anonymous Shopper Journey" did not collect personal information, and while its "Logged In Shopper Journey" collected personal information, it did not combine it with geolocation data as initially suspected. Therefore, the geolocation aspect was found not well-founded.

• Collection, use, and disclosure of personal information via AVA technology
• Adequacy of consent and notice for AVA technology
• Appropriate retention of personal information collected via AVA
• Collection, use, and disclosure of personal information via geolocation tracking

Public Services and Procurement Canada (PSPC) improperly disclosed pay-related information for 69,087 public servants to the wrong government institutions. An investigation found that PSPC contravened the Privacy Act due to this unauthorized disclosure. However, the complaints are considered resolved because PSPC took satisfactory corrective actions to remedy the vulnerabilities that caused the breach and notified affected individuals.

• Unauthorized disclosure of personal information
• Adequacy of PSPC's response to the breach
• Timeliness and completeness of notification to affected individuals
• Implementation of corrective measures to prevent recurrence