Canadian Privacy Decisions

A complainant alleged that a telecommunications firm failed to provide her with access to her personal information, specifically notes and transcripts of recorded conversations relating to her account dispute. The investigation found that the firm failed to respond to the access request within the statutory time limits and deleted records that were the subject of the request, contravening PIPEDA. The firm accepted recommendations to amend its policies, procedures, and provide enhanced training to staff, leading to the resolution of the complaint.

• Timeliness of response to access requests
• Retention of personal information subject to an access request
• Adequacy of privacy policies and staff training

A complainant alleged that a market research firm unnecessarily collected her full date of birth and did not adequately inform her that survey responses would be added to her member profile. The Office of the Privacy Commissioner of Canada (OPC) found that collecting the full date of birth was not necessary and recommended collecting only the month and year. The OPC also found that the firm failed to adequately inform participants that their survey responses would be linked to their profiles. While the firm agreed to clarify consent language, it refused to stop collecting or using the day of birth, leading the OPC to find the complaint well-founded but partially unresolved.

• Necessity of collecting full date of birth for market research demographics
• Necessity of confirming full date of birth in profiling surveys
• Adequacy of notice and consent regarding the linking of survey responses to member profiles

Parents complained they could not access their 17-year-old daughter's online dental benefit information, even though they paid for her plan and expenses. The plan administrator's policy required consent from individuals aged 16 or older before their information could be disclosed to other plan members. The parents were satisfied with the administrator's explanation of its policy, which was based in part on Ontario's Health Care Consent Act.

• Disclosure of dependent's personal information to parents
• Requirement for consent from mature minors
• Application of PIPEDA's consent requirements

A married couple complained that a bank mortgage specialist disclosed the husband's personal financial information to his wife without his consent. The bank argued there was implied consent given the purpose of applying for a joint mortgage. The Assistant Commissioner found the bank did not make a reasonable effort to inform the couple about potential disclosures between them, meaning consent was not meaningful. While a contravention was found, the bank had since adopted reasonable practices.

• Meaningful consent for disclosure of personal information to a spouse
• Reasonable efforts to inform individuals about purposes of disclosure
• Implied consent in the context of joint mortgage applications

This investigation concerned a complaint that Accusearch Inc. (Abika.com), a U.S. company, was collecting, using, and disclosing Canadians' personal information without their knowledge or consent, compiling inaccurate information, and doing so for inappropriate purposes. The OPC found that Abika contravened PIPEDA by collecting, using, and disclosing personal information without knowledge or consent and for inappropriate purposes. However, the complaint regarding inaccurate information was not well-founded due to a lack of objective evidence. The OPC recommended Abika cease these practices.

• Collection, use, and disclosure of personal information without knowledge or consent
• Compilation and disclosure of inaccurate personal information
• Collection, use, and disclosure for inappropriate purposes
• Jurisdiction over U.S. companies and transborder data flows

CIPPIC filed a complaint alleging 24 violations of PIPEDA by Facebook across 12 subjects, focusing on knowledge and consent. The Assistant Privacy Commissioner found Facebook contravened the Act in areas such as default privacy settings, advertising, third-party applications, account deactivation/deletion, deceased users' accounts, and non-users' personal information. While some allegations were resolved through Facebook's proposed corrective measures, others remained unresolved, particularly concerning third-party applications and the safeguarding of user data.

• Adequacy of notice and consent for collection, use, and disclosure of personal information.
• Sufficiency of security safeguards for personal information.
• Transparency regarding new uses of personal information and the implications of privacy settings.
• Handling of personal information of non-users and deceased users.

This investigation concerned a complaint about the Law School Admission Council's (LSAC) requirement that students applying to write the Law School Admission Test (LSAT) in Canada have their fingerprints collected. LSAC, a US-based non-profit, argued that Canadian privacy law did not apply to its activities. The Assistant Privacy Commissioner found that despite LSAC's location, Canada had a sufficient link to LSAC's operations to bring it under the Act. The Commissioner determined that fingerprinting was not demonstrably necessary, likely ineffective, and the loss of privacy outweighed the benefits, particularly since the fingerprints were rarely used.

• Jurisdiction of the Privacy Act over a US-based organization
• Necessity and proportionality of collecting fingerprints for LSAT authentication
• Effectiveness of fingerprinting as a deterrent
• Privacy implications of collecting biometric data

The Office of the Privacy Commissioner of Canada (OPC) investigated Ticketmaster Canada Limited (TM) following a complaint that its practices regarding the collection, disclosure, and use of customer information did not comply with PIPEDA. The investigation found that TM's privacy policy was too long and complex, failing the openness principle. Furthermore, TM was using customer information for marketing purposes without adequately obtaining consent, violating the consent principle. TM has since revised its policies and practices to be more transparent and to provide customers with clear opt-in choices for marketing.

• Adequacy of TM's privacy policy in terms of openness and transparency.
• Lawfulness of using customer personal information for marketing purposes without explicit consent.
• Requirement for opt-in/opt-out mechanisms for secondary uses of personal information.
• Responsibility of TM for ensuring third-party compliance with customer consent preferences.

A former client complained that her lawyer refused to grant her access to her personal information, citing an outstanding account and a solicitor's lien. The OPC found that a solicitor's lien is not a valid reason to deny access under PIPEDA. The lawyer eventually provided the client with her full file, and the matter was settled.

• Can a solicitor's lien be used to deny a client access to their personal information?
• What are the grounds for refusing access to personal information under PIPEDA?

This investigation concerned SWIFT's disclosure of personal information originating from Canadian financial institutions to the US Department of the Treasury in response to administrative subpoenas. The OPC found that PIPEDA applied to SWIFT's commercial activities in Canada. However, the Commissioner concluded that SWIFT's disclosure of information to comply with valid US subpoenas was permissible under PIPEDA, interpreting subsection 7(3)(c) to allow compliance with lawful orders from foreign jurisdictions where the organization operates. The Commissioner recommended that US authorities use existing information-sharing mechanisms rather than subpoenas to obtain Canadian financial data.

• Does PIPEDA apply to SWIFT's collection, use, and disclosure of personal information in its Canadian operations?
• Was personal information disclosed to US authorities in accordance with PIPEDA?
• Interpretation of subsection 7(3)(c) regarding compliance with foreign subpoenas.
• Balancing privacy protection with counter-terrorism financing efforts.

This investigation concerned allegations that SWIFT inappropriately disclosed personal information from Canadian financial institutions to the US Department of the Treasury (UST) via administrative subpoenas. The Privacy Commissioner of Canada determined that SWIFT was subject to PIPEDA due to its operations in Canada and its commercial activities involving Canadian banks. While SWIFT disclosed data held in the US to the UST in response to a subpoena, the Commissioner found this disclosure was permissible under the Act's exceptions to consent.

• Whether SWIFT is subject to PIPEDA
• Whether SWIFT inappropriately disclosed personal information to the UST
• Applicability of PIPEDA exceptions to disclosure in response to a subpoena

An individual complained that a department store's method for collecting provincial tax exemption information exposed customers' personal data to other customers. The store used a petition-style form where multiple customers' information was visible. Following the complaint, the store revised its process by implementing a new form and reconfiguring cash registers to generate individual receipts that were then secured. The complainant was satisfied with the changes, and the matter was settled.

• Visibility of personal information to other customers
• Safeguarding of personal information during collection
• Adequacy of corrective measures to protect privacy

A complainant was required to provide his driver's licence details to rent DVDs from a store. He objected to the store entering these details into its database, believing it unnecessary. The store initially defended the practice but later revised its membership application process after realizing it did not use the driver's licence data to trace members. The revised process allows for alternative forms of identification, and only a general confirmation of verification is entered into the database.

• Necessity of collecting driver's licence details
• Use of personal information for membership verification
• Revision of data collection practices

The Office of the Privacy Commissioner of Canada investigated two separate incidents involving misdirected faxes containing personal information at two banks. In both cases, the banks failed to adequately safeguard personal information, leading to its disclosure to unintended recipients. While both banks took corrective actions, including revising policies and procedures, the OPC recommended further improvements in customer notification and information recovery.

• Adequacy of safeguards for personal information transmitted by fax
• Effectiveness of privacy policies and employee awareness
• Timeliness and scope of customer notification following a privacy breach
• Procedures for recovering erroneously transmitted personal information

The complainant alleged that a counselling firm, which provided services through her employer's employee assistance program, improperly disclosed sensitive information about her to her employer. The firm revealed that the complainant was using their services and believed she was a danger to herself, which led to her supervisor and coworkers becoming aware of her EAP use. The matter was settled when the firm revised its disclosure policies and counsellors were advised to take more detailed notes and disclose only essential information when a client is believed to be in danger.

• Confidentiality of employee assistance program services
• Disclosure of sensitive information to employer
• Accurate assessment of client risk
• Misinterpretation of client statements