BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

Jurisdiction: Federal (Canada)
Legislation: Personal Information Protection and Electronic Documents Act
Outcome: Well-founded & resolved
Date: Jun 20, 2025
Citation: PIPEDA Findings #2025-001
Indexed: Apr 12, 2026

PIPEDA Findings #2025-001: Joint investigation into a data breach at 23andMe by the Privacy Commissioner of Canada and the UK Information Commissioner

23andMe Inc.

This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe, which affected nearly 7 million customers globally. The investigation found that 23andMe failed to implement appropriate safeguards to protect sensitive personal information, including genetic data, from a credential stuffing attack. Furthermore, the company's notifications to both regulatory bodies and affected individuals were found to be inadequate in content and, in some cases, timeliness. Although contraventions were found, the issues were deemed resolved due to significant security improvements made by 23andMe.

Adjudicator: Philippe Dufresne

Key Issues
  • Adequacy of safeguards to protect personal information, particularly genetic data, from credential stuffing attacks.
  • Timeliness and completeness of breach notifications to regulators and affected individuals.
  • Risk of harm to individuals due to the sensitive nature of compromised personal information.
  • 23andMe's assessment of and response to the identified security deficiencies.

Jurisdiction: Federal (Canada)
Legislation: Privacy Act
Outcome: Well-founded & resolved
Date: May 30, 2023
Indexed: Apr 12, 2026

Investigation into COVID-19 vaccination attestation requirements established by the Treasury Board of Canada for employees of the core public administration

Treasury Board of Canada Secretariat

This investigation examined the COVID-19 vaccination attestation requirements for federal public servants. The OPC found that the collection of vaccination status was directly related to the employer's health and safety obligations. However, the Treasury Board of Canada Secretariat (TBS) contravened the Act by failing to update its index of personal information banks within the required timeframe. The OPC also assessed the necessity and proportionality of the measures, concluding they were justified given the pandemic context, though TBS's documentation and response during the investigation were found to be lacking.

Adjudicator: Philippe Dufresne

Key Issues
  • Whether the collection of employee vaccination status was directly related to an operating program or activity.
  • Whether institutions met transparency requirements under the Act.
  • Whether disclosures of personal information were authorized.
  • Necessity and proportionality of the vaccination attestation measures.

Jurisdiction: Federal (Canada)
Legislation: Privacy Act
Outcome: Well-founded & resolved
Date: May 20, 2022
Indexed: Apr 12, 2026

Investigation into a privacy breach at a Canada Border Services Agency contractor

Canada Border Services Agency (CBSA)

This investigation examined a privacy breach experienced by a contractor for the Canada Border Services Agency (CBSA), which was targeted by a ransomware attack. Personal information, specifically licence plate images captured at Canadian border crossings, was accessed and some was posted online. The OPC found that the CBSA had contravened the Privacy Act due to inadequate security safeguards in its contract with the contractor and its inconsistent handling of licence plate data as personal information. The investigation concluded the complaint was well-founded but resolved, as the CBSA agreed to implement recommendations to improve its contracting and data protection practices.

Adjudicator: Daniel Therrien

Key Issues
  • Whether licence plate image files, including metadata, constitute personal information under the Privacy Act.
  • Whether the CBSA contravened the disclosure provisions of the Privacy Act.
  • Whether the CBSA had adequate security safeguards in its contract with a third-party contractor.
  • Whether the CBSA adequately managed the retention of personal information.

Jurisdiction: Federal (Canada)
Legislation: Privacy Act
Outcome: Well-founded & resolved
Date: Oct 30, 2014
Indexed: Apr 12, 2026

Lost USB key from Employment and Social Development Canada reinforces lessons learned

Employment and Social Development Canada (ESDC) and Justice Canada

This report details an investigation into the loss of a USB key containing the personal information of 5,045 Canada Pension Plan Disability appellants. The investigation found that both Employment and Social Development Canada (ESDC) and Justice Canada failed to adequately translate their privacy and security policies into practice, leading to weaknesses in physical, technological, administrative, and personnel controls. Both departments accepted nine recommendations to improve data protection, many of which were similar to those made in a previous investigation involving ESDC.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of physical, technological, administrative, and personnel security controls
  • Failure to translate privacy and security policies into meaningful business practices
  • Protection of sensitive personal information including SIN and medical details
  • Custody and storage of portable electronic devices containing personal information

Jurisdiction: Federal (Canada)
Legislation: Personal Information Protection and Electronic Documents Act
Outcome: Well-founded & resolved
Date: Dec 4, 2006
Citation: Incident Summary #3
Indexed: Apr 12, 2026

Incident Summary #3: Misdirected faxes - December 4, 2006

Bank 1

The Office of the Privacy Commissioner of Canada investigated two separate incidents involving misdirected faxes containing personal information at two banks. In both cases, the banks failed to adequately safeguard personal information, leading to its disclosure to unintended recipients. While both banks took corrective actions, including revising policies and procedures, the OPC recommended further improvements in customer notification and information recovery.

Adjudicator: Jennifer Stoddart

Key Issues
  • Adequacy of safeguards for personal information transmitted by fax
  • Effectiveness of privacy policies and employee awareness
  • Timeliness and scope of customer notification following a privacy breach
  • Procedures for recovering erroneously transmitted personal information

Jurisdiction: Federal (Canada)
Legislation: Personal Information Protection and Electronic Documents Act
Outcome: Well-founded & resolved
Date: Apr 18, 2005
Citation: Incident Summary #2
Indexed: Apr 12, 2026

Incident Summary #2: CIBC's privacy practices failed in cases of misdirected faxes - April 18, 2005

CIBC

This report details an investigation into CIBC's handling of misdirected faxes containing customer personal information, which occurred between 2001 and 2004. The investigation found that CIBC's privacy practices failed to adequately address these incidents, resulting in breaches of customer data and trust. The bank has since implemented significant remedial measures to enhance its privacy safeguards.

Adjudicator: Jennifer Stoddart

Key Issues
  • Adequacy of CIBC's privacy policies and procedures
  • Effectiveness of CIBC's response to misdirected fax incidents
  • Timeliness and appropriateness of customer notification following a privacy breach
  • Organizational awareness and adherence to privacy obligations