BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

46 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jul 9, 2020 · PIPEDA Findings #2020-003 · Indexed Apr 12, 2026

PIPEDA Findings #2020-003: Dell improves security and complaint handling practices following breaches and OPC Investigation

Dell Inc.

Following complaints from two customers who were victims of tech support scams, the OPC investigated Dell's security safeguards and complaint handling practices. Dell discovered that two employees of its service provider in India had sold customer information on two separate occasions, leading to personal information breaches affecting thousands of Canadians. The OPC found that Dell's safeguards, including access controls and breach investigation procedures, were insufficient given the sensitivity of the data and the risk environment.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of security safeguards for personal information transferred to a service provider
  • Effectiveness of access controls and monitoring for preventing insider theft of data
  • Sufficiency of investigation into customer complaints alleging privacy breaches
  • Appropriateness of breach notification and response
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Oct 16, 2019 · PIPEDA Findings #2019-003 · Indexed Apr 12, 2026

PIPEDA Findings #2019-003: Investigation into authentication and transfer practices used during Loblaw gift card offering

Loblaw Companies Ltd.

This investigation examined Loblaw's practices in its gift card program, which was established to compensate customers affected by a bread price-fixing scandal. The complainant argued Loblaw collected more personal information than necessary and was concerned about data transfers to the United States. The OPC found that while Loblaw initially collected more information than needed by requesting full identification documents, they subsequently clarified their requirements, resolving this issue. The OPC also found Loblaw's measures to protect personal information transferred to a third-party administrator in the US were sufficient and that Loblaw was transparent about cross-border data transfers.

Adjudicator: Daniel Therrien

Key Issues
  • Collection of personal information beyond what is necessary for the stated purpose.
  • Adequacy of safeguards for personal information transferred to a third-party processor in the United States.
  • Sufficiency of transparency regarding cross-border data transfers.
  • Requirement for additional consent for cross-border data transfers.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jan 8, 2018 · PIPEDA Report of Findings #2018-001 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-001: Connected toy manufacturer improves safeguards to adequately protect children’s information

VTech Holdings Limited

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint following a global data breach at VTech Holdings Limited, which potentially compromised the personal information of over 316,000 Canadian children and 237,000 Canadian adults. The investigation found significant deficiencies in VTech's information security safeguards, including a lack of testing, inadequate access controls, cryptographic issues, and absence of security monitoring. Although VTech contravened PIPEDA Principle 4.7, the OPC concluded the matter was resolved because VTech implemented timely and comprehensive measures to address the breach and improve its security.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of information security safeguards for children's data
  • Failure to test for and mitigate known vulnerabilities
  • Insufficient access controls and cryptographic protection
  • Lack of comprehensive security management program
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Aug 29, 2017 · PIPEDA findings #2017-012 · Indexed Apr 12, 2026

PIPEDA findings #2017-012: Financial institution discloses too much information in response to production order

A financial institution

The complainant discovered that his financial institution had disclosed his Registered Education Savings Plan (RESP) account information dating back to 1999 to the police. The OPC found that while production orders allow disclosure of information, the financial institution disclosed documents beyond the scope of the specific production order and did not have valid consent. The institution agreed to review its procedures and provide training to staff regarding disclosures pursuant to production orders.

Adjudicator: Daniel Therrien

Key Issues
  • Disclosure of personal information beyond the scope of a production order
  • Validity of consent based on a general privacy policy for law enforcement disclosures
  • Sensitivity of financial information
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Aug 28, 2017 · PIPEDA Report of Findings #2017-001 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-001: Drug activity history in property reports deemed not publicly available

A provider of property history reports

The complainant alleged that the respondent's property history reports included personal information without adequate consent. The Office of the Privacy Commissioner of Canada (OPC) found that insurance claims data, as described in this case, was not personal information about an individual. However, information about drug activity at a property was deemed personal information. The respondent agreed to cease including drug activity details in its reports, leading the OPC to find the complaint well-founded and resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Whether drug activity information in property reports constitutes personal information.
  • Whether drug activity information is publicly available under PIPEDA Regulations.
  • Whether consent was adequately obtained for the collection, use, and disclosure of personal information.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 31, 2017 · PIPEDA findings #2017-011 · Indexed Apr 12, 2026

PIPEDA findings #2017-011: Financial institution originally misuses confidential commercial information exemption to withhold personal information

A financial institution

A complainant alleged that a financial institution refused to provide access to personal information related to a disputed credit card transaction. The institution initially claimed the information was confidential commercial information under PIPEDA. While the OPC found the institution's initial claim of exemption was unfounded, it later determined that the redacted information was not the complainant's personal information, but related to third parties. The OPC concluded the complaint was well-founded due to the delay and improper initial claim, but resolved as the complainant ultimately received access to his entitled personal information.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the financial institution properly withheld personal information under the confidential commercial information exemption (PIPEDA s. 9(3)(b)).
  • Whether the financial institution responded to the access request within the time limits prescribed by PIPEDA.
  • Whether the withheld information constituted the complainant's personal information or third-party information.
  • Whether the complainant received appropriate access to personal information concerning a disputed credit card transaction.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jul 14, 2016 · PIPEDA Case Summary #2016-008 · Indexed Apr 12, 2026

PIPEDA Case Summary #2016-008: Investigation into a telecommunications company’s response to an individual’s request for access to information about disclosures of her personal information to other parties

A telecommunications company

The complainant alleged that a telecommunications company's response to her access request was incomplete, specifically regarding disclosures of her personal information to third parties, including law enforcement. The Office of the Privacy Commissioner found that the company's standard response did not meet its obligations under Principle 4.9 of PIPEDA. The company has since provided a direct response to the complainant and has amended its policy to ensure compliance with access to information requests.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of response to an access request concerning disclosure of personal information.
  • Compliance with PIPEDA Principle 4.9 regarding informing individuals of disclosures.
  • Application of PIPEDA subsections 9(2.1) to 9(2.4) concerning disclosures to government institutions.
  • Obligations regarding disclosures to third parties beyond government institutions.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jul 7, 2016 · PIPEDA Case Summary #2016-010 · Indexed Apr 12, 2026

PIPEDA Case Summary #2016-010: Credit reporting agency takes remedial action after failing to maintain accurate records

A credit reporting agency

An individual complained to the OPC after receiving a credit report containing unrecognized inquiries and a notation of an "AUTOMATIC COMBINE" of accounts, which merged his file with that of another individual. The OPC found that while there was no unauthorized use or disclosure of personal information, the credit reporting agency failed to maintain the accuracy of the complainant's information when it merged the files. The agency took corrective actions, including separating the files and notifying creditors of the corrections.

Adjudicator: Daniel Therrien

Key Issues
  • Accuracy of personal information when merging files
  • Unauthorized use or disclosure of personal information
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 31, 2016 · PIPEDA Case Summary #2016-012 · Indexed Apr 12, 2026

PIPEDA Case Summary #2016-012: Customer gets signed up for retailer credit card without his consent

A retail bank

An individual complained that a retailer's salesperson signed him up for a credit card without his knowledge or consent, and that a bank subsequently conducted a credit check using inaccurate information. The Office of the Privacy Commissioner of Canada (OPC) found that the bank failed to demonstrate it obtained the complainant's consent for the credit check and that the collected information was sufficiently accurate. The bank apologized, cancelled the credit card, and removed the inquiry from the complainant's file. The bank also discontinued its pilot program for in-store credit applications.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of consent for a credit card application and credit check
  • Accuracy of personal information collected
  • Adequacy of procedures for collecting personal information and obtaining consent
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 10, 2016 · PIPEDA Case Summary #2016-009 · Indexed Apr 12, 2026

PIPEDA Case Summary #2016-009: Trucking company inappropriately disclosed employee’s drug test results to workers’ compensation board

An international trucking company

An individual complained that his employer, an international trucking company, disclosed his positive drug test results to a provincial workers' compensation board (WCB) without his consent. The company claimed it was legally obligated to do so. The OPC found the disclosure was a contravention of PIPEDA as the company's belief of a legal obligation was inaccurate, and the WCB did not require the information. The complaint regarding disclosure to co-workers was not substantiated. The company implemented the OPC's recommendations, leading to the complaint being resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Whether disclosure of drug test results to WCB required consent
  • Whether disclosure to WCB was a legal obligation under PIPEDA s. 7(3)(i)
  • Whether drug test results were disclosed to co-workers
  • Whether the company's random drug testing program violated PIPEDA
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Feb 19, 2016 · PIPEDA Report of Findings #2016-002 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2016-002: Property management company agrees to scrap "bad tenant list"

A property management company

The Office of the Privacy Commissioner of Canada investigated a complaint regarding a property management company maintaining a "bad tenant" list for a landlord association. The complainant alleged improper collection, use, and disclosure of personal information without consent. The OPC found that the list functioned like a credit reporting agency and that consent was not properly obtained, nor was there a mechanism for individuals to challenge the accuracy of the information. The property management company agreed to destroy the list and cease its collection, leading to the matter being resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of consent for collecting and using tenant information.
  • Whether the "bad tenant" list functioned as a credit reporting agency.
  • Ensuring the accuracy of personal information and the ability for individuals to challenge it.
  • Appropriateness of the purpose for collecting, using, and disclosing tenant information.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Feb 12, 2016 · PIPEDA Report of Findings #2016-006 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2016-006: An insurance company’s internal ombudsman office is not a “formal dispute resolution process” under PIPEDA

An insurance company

The complainant alleged an insurance company refused to provide her with access to her personal information, including a recording of a telephone conversation, and documents related to her complaint to the company's ombudsman office. The company claimed the ombudsman process was a "formal dispute resolution process" exempt from PIPEDA and that the process was not a "commercial activity." The OPC found the company contravened PIPEDA by unduly delaying access to the recorded conversation and by incorrectly withholding documents from the ombudsman process. The OPC determined the ombudsman office was not a "formal dispute resolution process" and its activities were subject to PIPEDA.

Adjudicator: Daniel Therrien

Key Issues
  • Is an internal ombudsman office a "formal dispute resolution process" under PIPEDA?
  • Are the services of an internal ombudsman office considered "commercial activity" under PIPEDA?
  • Does an organization need spousal consent to release joint account information when third-party information can be severed?
  • What are the obligations of an organization responding to an access to information request under PIPEDA?
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Feb 9, 2016 · PIPEDA Case Summary #2016-007 · Indexed Apr 12, 2026

PIPEDA Case Summary #2016-007: An organization's privacy policy and procedures must be implemented effectively

A collection agency

An individual complained that a collection agency refused to provide access to their personal information, despite multiple written requests. The agency failed to respond to several of these requests within the timeframes required by PIPEDA. Although the agency eventually sent the information, and the individual refused to sign for it, the agency was deemed to have provided access. The agency acknowledged it did not follow its own procedures for handling access requests and committed to revising them and providing refresher training.

Adjudicator: Daniel Therrien

Key Issues
  • Timeliness of response to access requests
  • Failure to follow internal procedures for handling access requests
  • Adequacy of providing access to personal information
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jan 9, 2016 · PIPEDA Case Summary #2016-004 · Indexed Apr 12, 2026

PIPEDA Case Summary #2016-004: Retailer shares customer’s in-store behaviour with the customer’s employer

A retail store

A customer complained that a retail store employee disclosed his personal information, including his name and in-store behaviour, to his employer without his knowledge or consent. The Office found that the disclosed information was personal information and that the store could not rely on implied consent for the disclosure, as the information was sensitive and disclosure to an employer was not a reasonable expectation. The matter was resolved after the store implemented recommendations to communicate its PIPEDA obligations.

Adjudicator: Daniel Therrien

Key Issues
  • Whether information disclosed in a public store is personal information.
  • Whether implied consent applied to the disclosure of sensitive personal information to an employer.
  • Whether the disclosed information qualified as publicly available information under the regulations.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Nov 10, 2015 · PIPEDA Case Summary #2015-015 · Indexed Apr 12, 2026

PIPEDA Case Summary #2015-015: Roofing company takes measures to ensure sub-contractors follow its privacy policy

A roofing company

An individual complained that an estimator, subcontracted by a roofing company, disclosed his personal information to another roofing company without consent. The investigation found that the second roofing company was responsible for its estimator's actions and that there was a disclosure of personal information in contravention of PIPEDA. The second roofing company implemented a recommendation to establish agreements with subcontractors regarding privacy policies and training.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the subcontractor's actions were attributable to the organization.
  • Whether personal information was disclosed without consent.
  • Whether the disclosure exceeded the purposes for which the information was collected.