BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

170 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Jul 28, 2015 · Discontinued Case Summary #2015-002 · Indexed Apr 12, 2026

Discontinued Case Summary #2015-002: OPC discontinues additional complaints against Globe24h.com following investigation into same privacy issues

Globe24h.com

The OPC discontinued further complaints against Globe24h.com concerning the collection, use, and disclosure of personal information from Canadian court and tribunal decisions. While initial complaints were found to be well-founded, additional complaints were discontinued as the issues had already been investigated and reported on. The matter was further resolved when the Federal Court ordered Globe24h to remove personal information from its website and the website subsequently ceased operations.

Key Issues
  • Collection, use, and disclosure of personal information from public court decisions
  • Consent for republishing personal information
  • Discontinuance of investigation based on prior report
  • Circumvention of privacy laws by republishing sensitive data
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Jul 22, 2015 · PIPEDA findings #2015-019 · Indexed Apr 12, 2026

PIPEDA findings #2015-019: OPC complaint prompts telecom’s fraud investigation

A telecommunications company

A complaint was made against a telecommunications company and a credit-reporting agency after a fraudulent telecommunications account led to a false debt appearing on the complainant's credit report. The telecommunications company initially refused to correct the information or prove the complainant opened the account. Following OPC's involvement, the company's fraud team investigated, confirmed the account was fraudulent, cancelled it, and updated the credit-reporting agency with accurate information.

Key Issues
  • Accuracy and completeness of personal information
  • Correction of inaccurate personal information
  • Adequacy of customer authentication procedures
  • Accountability for information transferred to third parties
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jul 9, 2015 · Early resolved case summary #2015-01 · Indexed Apr 12, 2026

Early resolved case summary #2015-01: Store stops practice of posting pictures of suspected shoplifters - July 2015

A department store

A customer complained that a department store was displaying photographs of individuals on a bulletin board to identify suspected shoplifters. The Office of the Privacy Commissioner of Canada (OPC) advised the store that posting such photographs without consent contravened PIPEDA. The store agreed to remove the pictures and discontinue the practice, opting instead to work with the police.

Key Issues
  • Public display of photographs of suspected shoplifters without consent
  • Application of PIPEDA to photographs taken from video surveillance
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jul 6, 2015 · PIPEDA Case Summary #2015-010 · Indexed Apr 12, 2026

PIPEDA Case Summary #2015-010: Customer’s emails sent to her acquaintance following a telecom employee’s attempt to fix a problem with the customer’s email service

A telecommunications provider

An individual complained that her telecommunications provider disclosed her personal information without consent when a technical support representative remotely accessed her computer to fix an email issue. The representative inadvertently set up an automatic email forwarding to an acquaintance's address, causing personal emails, including a temporary password, to be sent to the wrong recipient. While the provider implemented corrective measures, the OPC noted the provider initially misrepresented steps taken to address the issue.

Key Issues
  • Disclosure of personal information without consent
  • Accuracy of representations made to the OPC
  • Adequacy of internal procedures and training
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jun 28, 2015 · Early resolved case summary #2015-05 · Indexed Apr 12, 2026

Early resolved case summary #2015-05: Anti-virus service provider steps up safeguards after customer personal information fraudulently used by someone posing as an employee

An anti-virus service provider

A couple complained after their personal information was fraudulently used by a marketing company posing as an employee of their anti-virus service provider. The couple suspected the service provider employee disclosed their account number to the marketing company. The OPC investigated and found the service provider had failed to adequately protect customer information. The service provider dismissed the employee responsible and implemented new safeguards, including an auditing system and a streamlined procedure for addressing privacy concerns.

Key Issues
  • Adequacy of security safeguards
  • Unauthorized access to personal information
  • Complaint handling procedures
  • Accountability for employee actions
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
May 22, 2015 · Early resolved case summary #2015-06 · Indexed Apr 12, 2026

Early resolved case summary #2015-06: Manager snoops on employee’s personal bank account after employee calls in sick

A credit union

An individual complained that her manager at a credit union accessed her personal bank account without consent. The manager suspected the employee was not actually sick and used her customer data to check her debit card usage outside the province. The credit union acknowledged the improper access and agreed to apologize and address the manager's conduct. The employee was satisfied, and the matter was resolved.

Adjudicator: Daniel Therrien
Key Issues
  • Manager accessing employee's personal banking information without valid business purpose
  • Use of personal information for a purpose other than that for which it was collected
  • Employee's right to privacy while also being a customer of the institution
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Apr 23, 2015 · PIPEDA Report of Findings #2015-006 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2015-006: Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach

An investment brokerage

An individual complained that an investment brokerage collected more personal information than necessary to open a self-directed investment account. The brokerage stated the information was required to comply with regulatory obligations, including "Know Your Client" rules from the Investment Industry Regulatory Organization of Canada (IIROC) and anti-money laundering (AML) requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), as well as provincial securities legislation. The OPC found that the requested information, including net worth, marital status, and spouse's occupation, was necessary for these regulatory purposes.

Key Issues
  • Whether the brokerage collected more personal information than necessary for opening a self-directed investment account.
  • Whether the collection of information was a condition of service contrary to PIPEDA.
  • Whether the brokerage's collection purposes met regulatory requirements.
  • The applicability of "Know Your Client" and AML rules to self-directed accounts.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Apr 13, 2015 · PIPEDA Report of Findings #2015-007 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2015-007: Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach

Peoples Trust

The Office of the Privacy Commissioner of Canada investigated Peoples Trust after a breach compromised the sensitive personal information of 12,000 customers. The investigation found that the financial institution failed to implement adequate safeguards in its online application portal and retained customer data unnecessarily on a vulnerable, unencrypted web server. These failures contravened PIPEDA's principles regarding safeguards and data retention. Following the breach, Peoples Trust took comprehensive remedial actions, including redesigning its portal, enhancing monitoring, and improving retention practices, which resolved the issues.

Key Issues
  • Adequacy of information security safeguards for sensitive personal data.
  • Unnecessary retention of personal information beyond required purposes.
  • Vulnerabilities in web application portal development and maintenance.
  • Effectiveness of breach response and risk mitigation measures.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Mar 12, 2015 · PIPEDA findings #2015-020 · Indexed Apr 12, 2026

PIPEDA findings #2015-020: Hotel chain alerts its clients about “special offer” telephone scam

A hotel chain

A complainant was concerned that a hotel chain linked her IP address to her phone number after she received a promotional phone call. The hotel chain clarified that it does not engage in promotional calls and that the call was a fraudulent telemarketing scam by an unrelated party. The complainant suggested the hotel warn its customers about such scams, which the hotel did, leading to the matter being resolved.

Key Issues
  • Unauthorized collection of personal information
  • Misrepresentation by a third party
  • Complainant's concern about IP address linkage to phone number
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jan 21, 2015 · Early resolved case summary #2015-03 · Indexed Apr 12, 2026

Early resolved case summary #2015-03: Office building tenant reconsiders placement of video surveillance cameras

An office building management company

A tenant complained about five video surveillance cameras installed in common areas of their office building by another tenant. The complainant was particularly concerned about two cameras that monitored activity near his office door and the elevators, viewing it as an invasion of privacy. Following the OPC's involvement, the cameras of most concern were relocated inside the other tenant's offices, resolving the complainant's privacy concerns.

Key Issues
  • Appropriateness of video surveillance in common areas
  • Collection of personal information in shared spaces
  • Minimum collection principle for video surveillance
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Oct 31, 2014 · Commissioner’s Findings - PIPEDA Case Summary #2014-014 · Indexed Apr 12, 2026

Commissioner’s Findings - PIPEDA Case Summary #2014-014: Organization required to mask detailed personal-leave information available to other employees

The organization

The complainant alleged that his employer disclosed detailed personal information about his absence from the workplace to other employees. The organization used an electronic scheduling program that allowed all employees to view the reasons for colleagues' absences. The OPC found that this disclosure constituted a contravention of PIPEDA, as the organization's purposes were not appropriate and less privacy-intrusive means were available to manage employee schedules and shift exchanges. The organization committed to removing the detailed leave information from its systems.

Key Issues
  • Appropriate purposes for disclosure of personal information
  • Balancing employee privacy with operational needs
  • Necessity of disclosing reasons for absence
  • Interpretation of collective agreement obligations
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Oct 31, 2014 · Commissioner’s Findings - PIPEDA Report of Findings #2014-013 · Indexed Apr 12, 2026

Commissioner’s Findings - PIPEDA Report of Findings #2014-013: Organization could reasonably assume customer's implied consent for disclosure in dispute resolution situation

An Internet Service Provider (ISP)

A complainant alleged that his Internet Service Provider (ISP) disclosed his personal information without consent to a newspaper columnist who was assisting him with a service dispute. The ISP argued it had implied consent due to the complainant's actions. The OPC found that the complainant's familiarity with the columnist and his own disclosure of information in his email to the columnist created a reasonable expectation that his information might be shared to resolve the dispute. The disclosed information was also found to be relevant and not sensitive.

Key Issues
  • Was there implied consent for the disclosure of personal information to a columnist assisting with a dispute?
  • Was the disclosed information relevant to the complaint?
  • Was the disclosed information sensitive?
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Oct 30, 2014 · Early resolved case summary #9 · Indexed Apr 12, 2026

Early resolved case summary #9: Equipment store ends practice of photocopying driver’s licences as a condition of renting equipment - October 30, 2014

An equipment store

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding an equipment store's policy of photocopying customers' driver's licences as a condition of renting equipment. The OPC advised the store that driver's licences contain excessive personal information and have minimal value in theft investigations. As a result of the OPC's involvement, the store discontinued the practice and implemented a less privacy-invasive solution, resolving the complaint to the complainant's satisfaction.

Adjudicator: Daniel Therrien
Key Issues
  • Appropriateness of collecting driver's licence information for theft prevention.
  • Necessity of photocopying driver's licences for equipment rentals.
  • Compliance with principles of minimal information collection.
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Discontinued
Oct 21, 2014 · Discontinued Case Summary #2014-004 · Indexed Apr 12, 2026

Discontinued Case Summary #2014-004: Complaint discontinued on the basis of bad faith as complainant had released the retailer from liability

A retailer

The complainant settled a legal dispute with a retailer by signing a mutual release, which included releasing the retailer from all past, present, and future claims and complaints. Subsequently, the complainant filed a privacy complaint alleging the retailer failed to provide access to her personal information. The Office of the Privacy Commissioner of Canada (OPC) discontinued the investigation, finding the complaint was made in bad faith because the complainant had already released the retailer from such claims.

Adjudicator: Daniel Therrien
Key Issues
  • Whether the complaint was made in bad faith
  • The effect of a mutual release on a privacy complaint
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
May 22, 2014 · PIPEDA findings #2014-020 · Indexed Apr 12, 2026

PIPEDA findings #2014-020: Videographer posts client’s wedding video on social media without consent

A videographer

An individual complained that a videographer hired to record her wedding shared her personal information without consent by posting the wedding video online for business promotion. The OPC found that using the video for promotional purposes was a commercial activity requiring consent, which the videographer had not obtained. Although the videographer initially disputed this, they eventually removed the video and agreed to include consent provisions in future contracts, leading to the complaint being resolved.

Adjudicator: Chantal Bernier
Key Issues
  • Was the use of the wedding video for promotional purposes considered a commercial activity under PIPEDA?
  • Did the videographer obtain the complainant's informed consent for the use of her personal information?
  • Did any exemptions under PIPEDA apply to the videographer's use of the video without consent?