Decisions

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

3 decisions matching

Jurisdiction

Federal (Canada)Ontario British Columbia Alberta Saskatchewan Manitoba QuebecIn Progress Nova Scotia New Brunswick Prince Edward Island Newfoundland and Labrador

Federal (Canada)Personal Information Protection and Electronic Documents ActWell-founded & resolved

Nov 10, 2015PIPEDA Case Summary #2015-015· Indexed Apr 12, 2026

PIPEDA Case Summary #2015-015: Roofing company takes measures to ensure sub-contractors follow its privacy policy

A roofing company

An individual complained that an estimator, subcontracted by a roofing company, disclosed his personal information to another roofing company without consent. The investigation found that the second roofing company was responsible for its estimator's actions and that there was a disclosure of personal information in contravention of PIPEDA. The second roofing company implemented a recommendation to establish agreements with subcontractors regarding privacy policies and training.

Official ↗

Federal (Canada)Personal Information Protection and Electronic Documents ActWell-founded & resolved

Jul 6, 2015PIPEDA Case Summary #2015-010· Indexed Apr 12, 2026

PIPEDA Case Summary #2015-010: Customer’s emails sent to her acquaintance following a telecom employee’s attempt to fix a problem with the customer’s email service

A telecommunications provider

An individual complained that her telecommunications provider disclosed her personal information without consent when a technical support representative remotely accessed her computer to fix an email issue. The representative inadvertently set up an automatic email forwarding to an acquaintance's address, causing personal emails, including a temporary password, to be sent to the wrong recipient. While the provider implemented corrective measures, the OPC noted the provider initially misrepresented steps taken to address the issue.

Official ↗

Federal (Canada)Personal Information Protection and Electronic Documents ActWell-founded & resolved

Apr 13, 2015PIPEDA Report of Findings #2015-007· Indexed Apr 12, 2026

PIPEDA Report of Findings #2015-007: Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach

Peoples Trust

The Office of the Privacy Commissioner of Canada investigated Peoples Trust after a breach compromised the sensitive personal information of 12,000 customers. The investigation found that the financial institution failed to implement adequate safeguards in its online application portal and retained customer data unnecessarily on a vulnerable, unencrypted web server. These failures contravened PIPEDA's principles regarding safeguards and data retention. Following the breach, Peoples Trust took comprehensive remedial actions, including redesigning its portal, enhancing monitoring, and improving retention practices, which resolved the issues.

Official ↗

Outcome Notes

Federal rulings come from two regulators with different statutory authority — outcome filters cover both.

OIC Order (ATIA s.36.1, binding) — Since June 2019 (Bill C-58) the Information Commissioner can issue binding orders requiring disclosure or reconsideration. Enforceable after 31/41 business days unless reviewed by the Federal Court (s.41).

Well-Founded — finding that the complaint is well-founded. For OIC: ATIA s.37(1)(a) finding (may be paired with a s.36.1 order). For OPC: Privacy Act s.35(1) / PIPEDA s.13(1) advisory finding — recommendations only, no binding order-making power. Includes well-founded, well-founded & resolved, well-founded & conditionally resolved, well-founded & unresolved.

Not Well-Founded — no contravention found.

s.6.1 Application— the OIC's response to a head's application for authorization to refuse a frivolous, vexatious, or bad-faith access request. Granted = institution may refuse; Denied = institution must respond.

Settled / Resolved / Early-resolved — OPC matter resolved during or before formal findings without a contravention finding.

Declined to investigate / No jurisdiction — Procedural close (Privacy Act s.34, PIPEDA discretion, or scope outside the Acts).

References: ATIA s.36.1 · OPC disposition definitions

About This Archive

Breach of Privacy is the one-stop archive for Canadian privacy decisions from federal, provincial, and territorial commissioners. Each decision includes an AI-generated plain-language summary. Always verify against the official source document.

Canadian Privacy Decisions

PIPEDA Case Summary #2015-015: Roofing company takes measures to ensure sub-contractors follow its privacy policy

Quick View

PIPEDA Case Summary #2015-015: Roofing company takes measures to ensure sub-contractors follow its privacy policy

PIPEDA Case Summary #2015-010: Customer’s emails sent to her acquaintance following a telecom employee’s attempt to fix a problem with the customer’s email service

Quick View

PIPEDA Case Summary #2015-010: Customer’s emails sent to her acquaintance following a telecom employee’s attempt to fix a problem with the customer’s email service

PIPEDA Report of Findings #2015-007: Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach

Quick View

PIPEDA Report of Findings #2015-007: Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach

Filters