Canadian Privacy Decisions

A complainant alleged that a financial institution refused to provide access to personal information related to a disputed credit card transaction. The institution initially claimed the information was confidential commercial information under PIPEDA. While the OPC found the institution's initial claim of exemption was unfounded, it later determined that the redacted information was not the complainant's personal information, but related to third parties. The OPC concluded the complaint was well-founded due to the delay and improper initial claim, but resolved as the complainant ultimately received access to his entitled personal information.

• Whether the financial institution properly withheld personal information under the confidential commercial information exemption (PIPEDA s. 9(3)(b)).
• Whether the financial institution responded to the access request within the time limits prescribed by PIPEDA.
• Whether the withheld information constituted the complainant's personal information or third-party information.
• Whether the complainant received appropriate access to personal information concerning a disputed credit card transaction.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against an insurance company that collected and used an individual's credit score during an auto insurance claims assessment. The OPC found that the company did not have a legal basis to use credit scores for fraud detection in this context and did not obtain meaningful consent from the individual because they failed to clearly state that providing consent was optional. The company also lacked openness in its policies regarding credit score usage.

• Appropriateness of using credit scores for fraud detection in auto insurance claims assessment.
• Whether meaningful consent was obtained for the collection and use of credit score.
• Whether the insurance company over-collected personal information.
• The company's openness regarding its credit score collection and use policies.

An individual complained that their former automobile insurance company refused to delete their personal information upon withdrawal of consent. The company initially refused, citing the need to provide insurance history to other insurers. The Office determined that the company should have treated the request as a withdrawal of consent. The company subsequently deleted the information from its records after the individual accepted the implications. However, the company was not required to ensure deletion from third-party records to which the information had been lawfully disclosed. The company was also found to be in contravention for not having clear policies on third-party disclosures.

• Withdrawal of consent for the continued use of personal information
• Deletion of personal information from an organization's records
• Deletion of personal information from third-party records after lawful disclosure
• Accountability for information disclosure policies and procedures

The complainant alleged that a doctor used and disclosed his personal information without consent during an insurance claim evaluation. The investigation focused on whether the complainant's consent, provided through accident benefit application forms (OCF-1 and OCF-19), extended to this specific doctor hired to prepare a summary report. The Office determined that the consent forms explicitly allowed the insurance company and other parties, including health professionals, to collect, use, and disclose personal information for the purposes of investigating and processing the insurance claim, including assessing catastrophic impairment. Therefore, the doctor did not contravene PIPEDA's consent provisions.

• Whether consent provided for an insurance claim extended to a third-party doctor hired to prepare a summary report.
• Whether the specific wording of consent forms (OCF-1 and OCF-19) covered the collection, use, and disclosure of personal information by the doctor.
• Whether the doctor collected, used, or disclosed personal information for purposes beyond those stated in the consent forms.

An individual complained that a sports facilities company disclosed his personal information regarding an outstanding debt to a related sports association on two occasions without his consent. The company argued that PIPEDA did not apply because it answered a direct question and there was an expectation of privacy. The OPC found that disclosing debt information is sensitive and requires consent unless a specific exemption applies. As the disclosures were not for the purpose of collecting the debt, the exemption in subsection 7(3)(b) of PIPEDA did not apply, making the complaint well-founded.

• Was the disclosure of an outstanding debt considered personal information?
• Did the disclosure of debt information fall under the exemption for debt collection purposes?
• Does an 'expectation of privacy' or answering a direct question exempt an organization from obtaining consent for disclosure?
• Did the company obtain the individual's knowledge and consent for the disclosure of his debt information?

A condominium owner complained that a developer failed to provide access to his personal information at minimal or no cost. The owner was initially told that thousands of pages of documents would cost over $200, or he could view them for free at the developer’s lawyer's office. The OPC's early resolution unit helped negotiate a compromise where the owner narrowed his request, and the developer agreed to provide free copies of the specific documents he sought. The owner was ultimately satisfied with this resolution.

• Whether the proposed fees for access to personal information complied with the "minimal or no cost" requirement.
• Whether the offer to view documents for free, but not receive copies, met the organization's access obligations.
• The reasonable accommodation of an individual with a disability in fulfilling an access request.

This report details a joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Australian Office of the Information Commissioner (OAIC) into Avid Life Media Inc. (ALM), the operator of Ashley Madison. The investigation followed a significant data breach where personal information of millions of users was exposed. The OPC found that ALM contravened PIPEDA regarding information security, indefinite retention of user data, accuracy of email addresses, and transparency with users. ALM has entered into a compliance agreement with the OPC to address these issues.

• Adequacy of information security safeguards
• Indefinite retention of user data
• Accuracy of collected email addresses
• Transparency and user consent regarding data handling practices

An individual complained that an online service company was not addressing an issue where another client's personal information was appearing on his account. The company, after intervention from the OPC, investigated and found the problem was a technical glitch involving another organization's software interface. The glitch was corrected, and the company updated its internal policies and established contractual agreements with the other organization to prevent future breaches.

• Adequate training of front-line staff on privacy policies and procedures.
• Need for contractual agreements to mitigate data breaches when integrating online services.
• Effectiveness of escalation processes for client privacy concerns.
• Resolution of technical glitches leading to inadvertent disclosure of personal information.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a psychiatrist's handling of a patient's personal information. The patient had requested access to his information following a medical assessment conducted as part of a civil lawsuit defence. However, the OPC determined that the psychiatrist's activities were not commercial in nature but were for the purpose of defending a lawsuit. As PIPEDA only applies to commercial activities, the OPC concluded it lacked jurisdiction to investigate the complaint.

• Whether the collection and use of personal information for the purpose of defending a civil lawsuit constitutes a commercial activity under PIPEDA.
• Whether the OPC has jurisdiction to investigate complaints falling outside the scope of PIPEDA.
• The application of the 'commercial activity' exemption in PIPEDA.

The complainant alleged that a telecommunications company's response to her access request was incomplete, specifically regarding disclosures of her personal information to third parties, including law enforcement. The Office of the Privacy Commissioner found that the company's standard response did not meet its obligations under Principle 4.9 of PIPEDA. The company has since provided a direct response to the complainant and has amended its policy to ensure compliance with access to information requests.

• Adequacy of response to an access request concerning disclosure of personal information.
• Compliance with PIPEDA Principle 4.9 regarding informing individuals of disclosures.
• Application of PIPEDA subsections 9(2.1) to 9(2.4) concerning disclosures to government institutions.
• Obligations regarding disclosures to third parties beyond government institutions.

An individual complained to the OPC after receiving a credit report containing unrecognized inquiries and a notation of an "AUTOMATIC COMBINE" of accounts, which merged his file with that of another individual. The OPC found that while there was no unauthorized use or disclosure of personal information, the credit reporting agency failed to maintain the accuracy of the complainant's information when it merged the files. The agency took corrective actions, including separating the files and notifying creditors of the corrections.

• Accuracy of personal information when merging files
• Unauthorized use or disclosure of personal information

A First Nation band council developed a privacy policy after an employee complained about lost doctor's notes required to approve his leave. While the band council did not confirm losing the notes, it worked with the OPC to create a privacy policy and adopt best practices. The employee considered his complaint resolved, recognizing the issue would be addressed under the Canada Labour Code, and was pleased the band council was implementing a privacy policy.

• Responsibility of a First Nation band council under PIPEDA
• Disposition of medical documentation
• Development of a privacy policy

This report details an investigation into Compu-Finder's practices of collecting and using email addresses for marketing its training courses without adequate consent. The Office of the Privacy Commissioner of Canada (OPC) found that Compu-Finder contravened PIPEDA by failing to obtain meaningful consent, lacking accountability frameworks, and not being transparent about its privacy practices. While Compu-Finder agreed to implement recommendations, the complaint was found to be well-founded and resolved in part, and well-founded and conditionally resolved in part, with a compliance agreement entered into.

• Collection and use of email addresses without consent
• Lack of accountability and transparency in privacy practices
• Use of address harvesting software
• Validity of implied and express consent claims

An individual complained that a retailer's salesperson signed him up for a credit card without his knowledge or consent, and that a bank subsequently conducted a credit check using inaccurate information. The Office of the Privacy Commissioner of Canada (OPC) found that the bank failed to demonstrate it obtained the complainant's consent for the credit check and that the collected information was sufficiently accurate. The bank apologized, cancelled the credit card, and removed the inquiry from the complainant's file. The bank also discontinued its pilot program for in-store credit applications.

• Adequacy of consent for a credit card application and credit check
• Accuracy of personal information collected
• Adequacy of procedures for collecting personal information and obtaining consent

An individual complained that his employer, an international trucking company, disclosed his positive drug test results to a provincial workers' compensation board (WCB) without his consent. The company claimed it was legally obligated to do so. The OPC found the disclosure was a contravention of PIPEDA as the company's belief of a legal obligation was inaccurate, and the WCB did not require the information. The complaint regarding disclosure to co-workers was not substantiated. The company implemented the OPC's recommendations, leading to the complaint being resolved.

• Whether disclosure of drug test results to WCB required consent
• Whether disclosure to WCB was a legal obligation under PIPEDA s. 7(3)(i)
• Whether drug test results were disclosed to co-workers
• Whether the company's random drug testing program violated PIPEDA