Canadian Privacy Decisions

This investigation examined a breach of WADA's Anti-Doping Administration and Management System (ADAMS) database, which resulted in the public disclosure of athletes' personal information, including health details. The OPC found that WADA's security safeguards were insufficient, contravening PIPEDA principles. While WADA committed to implementing recommendations, including enhanced security measures, the matter was resolved conditionally pending compliance.

• Sufficiency of security safeguards for sensitive personal information
• Access controls and authentication mechanisms for the ADAMS database
• Monitoring, logging, and incident response capabilities
• Policies, procedures, and training related to information security

The OPC investigated a complaint against an online marketplace that sent an email to members inviting them to sign a petition without their explicit consent. The OPC found that the marketplace retained information appropriately but failed to obtain adequate consent for sending the petition email, which was beyond the scope of their services. The OPC also found that the marketplace did not handle the complainant's privacy concerns effectively. The matter was conditionally resolved when the marketplace committed to implementing recommendations, including obtaining opt-in consent for such emails and improving complaint handling. The issue was later resolved upon evidence of implementation.

• Adequacy of consent for using personal information for advocacy emails.
• Proper handling and escalation of customer privacy complaints.
• Appropriate retention of personal information.
• Clarity of purposes stated in the privacy policy.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint following a global data breach at VTech Holdings Limited, which potentially compromised the personal information of over 316,000 Canadian children and 237,000 Canadian adults. The investigation found significant deficiencies in VTech's information security safeguards, including a lack of testing, inadequate access controls, cryptographic issues, and absence of security monitoring. Although VTech contravened PIPEDA Principle 4.7, the OPC concluded the matter was resolved because VTech implemented timely and comprehensive measures to address the breach and improve its security.

• Adequacy of information security safeguards for children's data
• Failure to test for and mitigate known vulnerabilities
• Insufficient access controls and cryptographic protection
• Lack of comprehensive security management program

A complainant objected to a retail store retaining records of her credit card transactions after she requested their deletion. The store initially cited contractual obligations to credit card companies, but later informed the OPC that the Excise Tax Act also legally required data retention. The OPC relayed this explanation to the complainant, who found it satisfactory, and the matter was resolved.

• Right to withdraw consent vs. legal and contractual retention obligations
• Adequacy of explanation provided to complainant

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that a financial institution required customers to provide their Social Insurance Number (SIN) for identity verification purposes as a condition of opening a savings account. The OPC found that while the institution collected SINs for legally required income reporting, it could not mandate its use for identity verification. The institution agreed to make the use of SIN for identity verification optional rather than a condition of service.

• Requirement of SIN for identity verification as a condition of service.
• Appropriate use of SIN by private sector organizations.
• Interpretation of FINTRAC guidelines regarding identity verification.

A traveler complained that an airline did not provide complete access to his personal information, specifically documents and correspondence related to being denied boarding. The airline relied on exemptions under PIPEDA, arguing that the information was collected to investigate a potential breach of agreement or contravention of law and was disclosed to a government institution for law enforcement purposes. The OPC found that both the collection and disclosure were reasonable under the Act's exemptions, and the airline properly followed the process when a government institution objected to disclosure of the information.

• Whether the collection of personal information without consent was justified under PIPEDA's exemptions.
• Whether the disclosure of personal information to a government institution was justified under PIPEDA's exemptions.
• Whether the airline properly handled the access request when a government institution objected to disclosure.

The complainant discovered that his financial institution had disclosed his Registered Education Savings Plan (RESP) account information dating back to 1999 to the police. The OPC found that while production orders allow disclosure of information, the financial institution disclosed documents beyond the scope of the specific production order and did not have valid consent. The institution agreed to review its procedures and provide training to staff regarding disclosures pursuant to production orders.

• Disclosure of personal information beyond the scope of a production order
• Validity of consent based on a general privacy policy for law enforcement disclosures
• Sensitivity of financial information

The complainant alleged that the respondent's property history reports included personal information without adequate consent. The Office of the Privacy Commissioner of Canada (OPC) found that insurance claims data, as described in this case, was not personal information about an individual. However, information about drug activity at a property was deemed personal information. The respondent agreed to cease including drug activity details in its reports, leading the OPC to find the complaint well-founded and resolved.

• Whether drug activity information in property reports constitutes personal information.
• Whether drug activity information is publicly available under PIPEDA Regulations.
• Whether consent was adequately obtained for the collection, use, and disclosure of personal information.

The Office of the Privacy Commissioner of Canada investigated Wajam Internet Technologies Inc. after receiving complaints about its software, which tracked online search queries and displayed ads. The investigation found that Wajam breached multiple provisions of PIPEDA, including failing to obtain meaningful consent, inadequately safeguarding personal information, and having insufficient accountability policies. Although Wajam ceased operations and sold its assets, the OPC concluded the matters examined were well-founded.

• Meaningful consent for software installation and data collection.
• Adequate safeguarding of personal information during transmission and storage.
• Effectiveness of uninstallation processes and withdrawal of consent.
• Lack of a privacy accountability framework and policies.

An individual complained to the OPC after an insurance company denied access to parts of their insurance claim file, including case management notes and a video of an incident. The company claimed the notes were confidential commercial information and the video contained third-party images. Through the early resolution process, the company allowed the individual to view the video and provided a redacted version of the case management notes. The complaint was resolved early.

• Access to personal information, including insurance claim files and videos.
• Application of PIPEDA exemptions for confidential commercial information and third-party personal information.
• Severing or redaction of information to provide access.
• Obligation to provide access to personal information.

A complainant alleged that Jet Airways did not provide complete access to her personal information following an incident where she and her companion were denied boarding. The airline cited solicitor-client privilege, litigation privilege, and formal dispute resolution processes as reasons for withholding certain documents. The OPC found the complaint well-founded regarding the airline's failure to respond within the statutory timeframe and its improper application of the formal dispute resolution exemption. However, the OPC could not make a finding on the privilege claims due to legal precedents limiting its ability to investigate privileged documents.

• Timeliness of response to access request
• Applicability of solicitor-client and litigation privilege exemptions
• Applicability of formal dispute resolution exemption
• Overbroad claims of privilege

The OPC investigated a complaint that Public Executions Inc. was disclosing debtors' personal information without consent on its website for profit. The OPC found that the website's activities constituted a commercial activity under PIPEDA, and that its primary purpose was not journalistic, but rather to shame debtors into paying. The OPC determined the complaint was well-founded, leading to legal proceedings. Subsequently, the website was taken down, and the OPC discontinued its court application.

• Whether the website's operation constituted a 'commercial activity' under PIPEDA.
• Whether the website's purpose qualified as 'journalistic' and was therefore exempt from PIPEDA's consent requirements.
• Whether the disclosure of personal information for the purpose of shaming debtors into paying was an 'appropriate purpose' under PIPEDA.
• Whether section 7(3)(b) of PIPEDA permitted the broad disclosure of judgment debtor information.

A complainant filed a complaint against a financial technology (FinTech) company after being required to provide personal information to access an investment account management agreement. The company initially cited regulatory requirements for collecting the data before an individual became a client. The OPC advised the company that prospective clients should be able to review agreements and understand privacy implications before providing personal information to ensure meaningful consent.

• Purpose of information collection
• Meaningful consent
• Regulatory requirements for collection

An individual complained that a bank performed multiple credit checks on her without her consent, even though she had not been a client for many years. The bank initially stated the inquiries were from its marketing group but later found they originated from an unactivated credit card application. While the bank’s policy suggested it could continue soft credit inquiries after a relationship ended, the OPC expressed concerns about this practice. The bank agreed to end the practice and update its privacy policy, leading to the complaint being early resolved. The OPC confirmed the practice has ceased and the policy has been updated.

• Consent for credit checks after termination of a business relationship
• Continued collection of sensitive personal information without a legal requirement
• Accuracy and completeness of information provided to individuals about data handling practices

This report details three incidents in 2017 where Canadian organizations experienced data breaches due to password reuse by their customers. In each case, attackers used login credentials obtained from unrelated breaches to access customer accounts. The Office of the Privacy Commissioner of Canada found the organizations' responses to be appropriate, including actions like password resets, enhanced security measures, and customer notifications, and encouraged other organizations to adopt similar preventative strategies.

• Impact of password reuse on personal information security
• Adequacy of organizational responses to data breaches
• Effectiveness of safeguards against unauthorized access
• Communication and notification obligations to individuals