Decisions

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

1 decision matching

Jurisdiction

Federal (Canada)Ontario British Columbia Alberta Saskatchewan Manitoba QuebecIn Progress Nova Scotia New Brunswick Prince Edward Island Newfoundland and Labrador

Federal (Canada)Privacy ActWell-founded & resolved

Feb 26, 2026· Indexed Jun 5, 2026

Canada Border Services Agency’s Unauthorized Disclosure of Employee Personal Information Extracted from the Corporate Administrative Software Portal

Canada Border Services Agency

This report details an investigation into the unauthorized disclosure of personal information of over 18,000 Canada Border Services Agency (CBSA) employees due to improperly shared spreadsheets. While the CBSA contravened section 8 of the Privacy Act by disclosing information beyond what was necessary for the stated purposes, the agency took appropriate steps to notify affected individuals, contain the breaches, and implement measures to prevent recurrence. These measures included new data request procedures and the development of a new information management system.

Official ↗

Outcome Notes

Federal rulings come from two regulators with different statutory authority — outcome filters cover both.

OIC Order (ATIA s.36.1, binding) — Since June 2019 (Bill C-58) the Information Commissioner can issue binding orders requiring disclosure or reconsideration. Enforceable after 31/41 business days unless reviewed by the Federal Court (s.41).

Well-Founded — finding that the complaint is well-founded. For OIC: ATIA s.37(1)(a) finding (may be paired with a s.36.1 order). For OPC: Privacy Act s.35(1) / PIPEDA s.13(1) advisory finding — recommendations only, no binding order-making power. Includes well-founded, well-founded & resolved, well-founded & conditionally resolved, well-founded & unresolved.

Not Well-Founded — no contravention found.

s.6.1 Application— the OIC's response to a head's application for authorization to refuse a frivolous, vexatious, or bad-faith access request. Granted = institution may refuse; Denied = institution must respond.

Settled / Resolved / Early-resolved — OPC matter resolved during or before formal findings without a contravention finding.

Declined to investigate / No jurisdiction — Procedural close (Privacy Act s.34, PIPEDA discretion, or scope outside the Acts).

References: ATIA s.36.1 · OPC disposition definitions

About This Archive

Breach of Privacy is the one-stop archive for Canadian privacy decisions from federal, provincial, and territorial commissioners. Each decision includes an AI-generated plain-language summary. Always verify against the official source document.

Canadian Privacy Decisions

Canada Border Services Agency’s Unauthorized Disclosure of Employee Personal Information Extracted from the Corporate Administrative Software Portal

Quick View

Canada Border Services Agency’s Unauthorized Disclosure of Employee Personal Information Extracted from the Corporate Administrative Software Portal

Filters