BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

16 decisions matching

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Dec 27, 2017 · PIPEDA findings #2017-010 · Indexed Apr 12, 2026

PIPEDA findings #2017-010: Reasons for retaining customer credit card data explained

A retail store

A complainant objected to a retail store retaining records of her credit card transactions after she requested their deletion. The store initially cited contractual obligations to credit card companies, but later informed the OPC that the Excise Tax Act also legally required data retention. The OPC relayed this explanation to the complainant, who found it satisfactory, and the matter was resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Right to withdraw consent vs. legal and contractual retention obligations
  • Adequacy of explanation provided to complainant

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Dec 20, 2017 · PIPEDA Case Summary #2017-006 · Indexed Apr 12, 2026

PIPEDA Case Summary #2017-006: Using SIN for identity verification cannot be a condition of service

A financial institution

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that a financial institution required customers to provide their Social Insurance Number (SIN) for identity verification purposes as a condition of opening a savings account. The OPC found that while the institution collected SINs for legally required income reporting, it could not mandate its use for identity verification. The institution agreed to make the use of SIN for identity verification optional rather than a condition of service.

Adjudicator: Daniel Therrien

Key Issues
  • Requirement of SIN for identity verification as a condition of service.
  • Appropriate use of SIN by private sector organizations.
  • Interpretation of FINTRAC guidelines regarding identity verification.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Nov 2, 2017 · PIPEDA Report of Findings #2017-009 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-009: Airline relies on access exemption to refuse traveler’s access to their personal information

An airline

A traveler complained that an airline did not provide complete access to his personal information, specifically documents and correspondence related to being denied boarding. The airline relied on exemptions under PIPEDA, arguing that the information was collected to investigate a potential breach of agreement or contravention of law and was disclosed to a government institution for law enforcement purposes. The OPC found that both the collection and disclosure were reasonable under the Act's exemptions, and the airline properly followed the process when a government institution objected to disclosure of the information.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the collection of personal information without consent was justified under PIPEDA's exemptions.
  • Whether the disclosure of personal information to a government institution was justified under PIPEDA's exemptions.
  • Whether the airline properly handled the access request when a government institution objected to disclosure.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Aug 29, 2017 · PIPEDA findings #2017-012 · Indexed Apr 12, 2026

PIPEDA findings #2017-012: Financial institution discloses too much information in response to production order

A financial institution

The complainant discovered that his financial institution had disclosed his Registered Education Savings Plan (RESP) account information dating back to 1999 to the police. The OPC found that while production orders allow disclosure of information, the financial institution disclosed documents beyond the scope of the specific production order and did not have valid consent. The institution agreed to review its procedures and provide training to staff regarding disclosures pursuant to production orders.

Adjudicator: Daniel Therrien

Key Issues
  • Disclosure of personal information beyond the scope of a production order
  • Validity of consent based on a general privacy policy for law enforcement disclosures
  • Sensitivity of financial information

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Aug 28, 2017 · PIPEDA Report of Findings #2017-001 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-001: Drug activity history in property reports deemed not publicly available

A provider of property history reports

The complainant alleged that the respondent's property history reports included personal information without adequate consent. The Office of the Privacy Commissioner of Canada (OPC) found that insurance claims data, as described in this case, was not personal information about an individual. However, information about drug activity at a property was deemed personal information. The respondent agreed to cease including drug activity details in its reports, leading the OPC to find the complaint well-founded and resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Whether drug activity information in property reports constitutes personal information.
  • Whether drug activity information is publicly available under PIPEDA Regulations.
  • Whether consent was adequately obtained for the collection, use, and disclosure of personal information.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Aug 28, 2017 · PIPEDA Report of Findings #2017-002 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-002: Canadian adware developer Wajam Internet Technologies Inc. breaches multiple provisions of PIPEDA

Wajam Internet Technologies Inc.

The Office of the Privacy Commissioner of Canada investigated Wajam Internet Technologies Inc. after receiving complaints about its software, which tracked online search queries and displayed ads. The investigation found that Wajam breached multiple provisions of PIPEDA, including failing to obtain meaningful consent, inadequately safeguarding personal information, and having insufficient accountability policies. Although Wajam ceased operations and sold its assets, the OPC concluded the matters examined were well-founded.

Adjudicator: Daniel Therrien

Key Issues
  • Meaningful consent for software installation and data collection.
  • Adequate safeguarding of personal information during transmission and storage.
  • Effectiveness of uninstallation processes and withdrawal of consent.
  • Lack of a privacy accountability framework and policies.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Aug 27, 2017 · Early resolved case summary #2017-002 · Indexed Apr 12, 2026

Early resolved case summary #2017-002: Access to personal information held by insurance company facilitated through the early resolution process

An insurance company

An individual complained to the OPC after an insurance company denied access to parts of their insurance claim file, including case management notes and a video of an incident. The company claimed the notes were confidential commercial information and the video contained third-party images. Through the early resolution process, the company allowed the individual to view the video and provided a redacted version of the case management notes. The complaint was resolved early.

Adjudicator: Daniel Therrien

Key Issues
  • Access to personal information, including insurance claim files and videos.
  • Application of PIPEDA exemptions for confidential commercial information and third-party personal information.
  • Severing or redaction of information to provide access.
  • Obligation to provide access to personal information.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Aug 17, 2017 · PIPEDA Report of Findings #2017-008 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-008: Jet Airways says possibility of litigation allows it to refuse access to personal information

Jet Airways

A complainant alleged that Jet Airways did not provide complete access to her personal information following an incident where she and her companion were denied boarding. The airline cited solicitor-client privilege, litigation privilege, and formal dispute resolution processes as reasons for withholding certain documents. The OPC found the complaint well-founded regarding the airline's failure to respond within the statutory timeframe and its improper application of the formal dispute resolution exemption. However, the OPC could not make a finding on the privilege claims due to legal precedents limiting its ability to investigate privileged documents.

Adjudicator: Daniel Therrien

Key Issues
  • Timeliness of response to access request
  • Applicability of solicitor-client and litigation privilege exemptions
  • Applicability of formal dispute resolution exemption
  • Overbroad claims of privilege

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Aug 8, 2017 · PIPEDA Report of Findings #2017-007 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-007: Operator of website that shamed debtors for profit takes down website after OPC takes the matter to Federal Court

Public Executions Inc.

The OPC investigated a complaint that Public Executions Inc. was disclosing debtors' personal information without consent on its website for profit. The OPC found that the website's activities constituted a commercial activity under PIPEDA, and that its primary purpose was not journalistic, but rather to shame debtors into paying. The OPC determined the complaint was well-founded, leading to legal proceedings. Subsequently, the website was taken down, and the OPC discontinued its court application.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the website's operation constituted a 'commercial activity' under PIPEDA.
  • Whether the website's purpose qualified as 'journalistic' and was therefore exempt from PIPEDA's consent requirements.
  • Whether the disclosure of personal information for the purpose of shaming debtors into paying was an 'appropriate purpose' under PIPEDA.
  • Whether section 7(3)(b) of PIPEDA permitted the broad disclosure of judgment debtor information.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jul 25, 2017 · Early resolved case summary #2017-001 · Indexed Apr 12, 2026

Early resolved case summary #2017-001: Privacy obligations under PIPEDA apply to financial technology sector

A financial technology company

A complainant filed a complaint against a financial technology (FinTech) company after being required to provide personal information to access an investment account management agreement. The company initially cited regulatory requirements for collecting the data before an individual became a client. The OPC advised the company that prospective clients should be able to review agreements and understand privacy implications before providing personal information to ensure meaningful consent.

Adjudicator: Daniel Therrien

Key Issues
  • Purpose of information collection
  • Meaningful consent
  • Regulatory requirements for collection

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Early-resolved
Jul 5, 2017 · Early resolved case summary #2017-003 · Indexed Apr 12, 2026

Early resolved case summary #2017-003: Bank agrees to cease performing credit checks on individuals who are no longer clients

A bank

An individual complained that a bank performed multiple credit checks on her without her consent, even though she had not been a client for many years. The bank initially stated the inquiries were from its marketing group but later found they originated from an unactivated credit card application. While the bank’s policy suggested it could continue soft credit inquiries after a relationship ended, the OPC expressed concerns about this practice. The bank agreed to end the practice and update its privacy policy, leading to the complaint being early resolved. The OPC confirmed the practice has ceased and the policy has been updated.

Adjudicator: Daniel Therrien

Key Issues
  • Consent for credit checks after termination of a business relationship
  • Continued collection of sensitive personal information without a legal requirement
  • Accuracy and completeness of information provided to individuals about data handling practices

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Apr 26, 2017 · Incident case summary #2017-001 · Indexed Apr 12, 2026

Incident case summary #2017-001: Multiple breach incidents as a result of password reuse

Office of the Privacy Commissioner of Canada

This report details three incidents in 2017 where Canadian organizations experienced data breaches due to password reuse by their customers. In each case, attackers used login credentials obtained from unrelated breaches to access customer accounts. The Office of the Privacy Commissioner of Canada found the organizations' responses to be appropriate, including actions like password resets, enhanced security measures, and customer notifications, and encouraged other organizations to adopt similar preventative strategies.

Adjudicator: Daniel Therrien

Key Issues
  • Impact of password reuse on personal information security
  • Adequacy of organizational responses to data breaches
  • Effectiveness of safeguards against unauthorized access
  • Communication and notification obligations to individuals

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 31, 2017 · PIPEDA findings #2017-011 · Indexed Apr 12, 2026

PIPEDA findings #2017-011: Financial institution originally misuses confidential commercial information exemption to withhold personal information

A financial institution

A complainant alleged that a financial institution refused to provide access to personal information related to a disputed credit card transaction. The institution initially claimed the information was confidential commercial information under PIPEDA. While the OPC found the institution's initial claim of exemption was unfounded, it later determined that the redacted information was not the complainant's personal information, but related to third parties. The OPC concluded the complaint was well-founded due to the delay and improper initial claim, but resolved as the complainant ultimately received access to his entitled personal information.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the financial institution properly withheld personal information under the confidential commercial information exemption (PIPEDA s. 9(3)(b)).
  • Whether the financial institution responded to the access request within the time limits prescribed by PIPEDA.
  • Whether the withheld information constituted the complainant's personal information or third-party information.
  • Whether the complainant received appropriate access to personal information concerning a disputed credit card transaction.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 14, 2017 · PIPEDA Report of Findings #2017-003 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-003: Insurance company collected and used credit score for inappropriate purpose during auto insurance claims assessment process

An insurance company

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against an insurance company that collected and used an individual's credit score during an auto insurance claims assessment. The OPC found that the company did not have a legal basis to use credit scores for fraud detection in this context and did not obtain meaningful consent from the individual because they failed to clearly state that providing consent was optional. The company also lacked openness in its policies regarding credit score usage.

Adjudicator: Daniel Therrien

Key Issues
  • Appropriateness of using credit scores for fraud detection in auto insurance claims assessment.
  • Whether meaningful consent was obtained for the collection and use of credit score.
  • Whether the insurance company over-collected personal information.
  • The company's openness regarding its credit score collection and use policies.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Feb 10, 2017 · PIPEDA Case Summary #2017-005 · Indexed Apr 12, 2026

PIPEDA Case Summary #2017-005: Insurance company required to delete individual’s personal information after individual withdraws consent

A former automobile insurance company

An individual complained that their former automobile insurance company refused to delete their personal information upon withdrawal of consent. The company initially refused, citing the need to provide insurance history to other insurers. The Office determined that the company should have treated the request as a withdrawal of consent. The company subsequently deleted the information from its records after the individual accepted the implications. However, the company was not required to ensure deletion from third-party records to which the information had been lawfully disclosed. The company was also found to be in contravention for not having clear policies on third-party disclosures.

Adjudicator: Daniel Therrien

Key Issues
  • Withdrawal of consent for the continued use of personal information
  • Deletion of personal information from an organization's records
  • Deletion of personal information from third-party records after lawful disclosure
  • Accountability for information disclosure policies and procedures