Canadian Privacy Decisions

This special report details an investigation into unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency (CRA). The Office of the Privacy Commissioner (OPC) found that the CRA contravened the Privacy Act regarding accuracy and disclosure of personal information. While the CRA has made efforts to improve its security, shortcomings remain in prevention, monitoring, detection, remediation, and governance, particularly concerning the handling of "Unauthorized Use of Taxpayer Information by a Third Party" (UUTP) incidents. The investigation concluded that the CRA contravened subsections 6(2) and 8(2) of the Act.

• Adequacy of safeguards to protect taxpayer personal information from unauthorized disclosure and modification.
• Timeliness and strength of multi-factor authentication implementation.
• Effectiveness of monitoring and detection mechanisms for UUTPs.
• Coordination and proactivity of the CRA's governance for addressing UUTPs.

The OPC investigated a complaint alleging that Immigration, Refugees and Citizenship Canada (IRCC) improperly withheld access to personal information. The complainant requested the "History Section" of their case file, but IRCC only provided a subset of information from other sections, referred to as the "Short Form" report. The OPC found that IRCC's practice of systematically retrieving and processing only the Short Form report contravenes section 12 of the Privacy Act, as it fails to provide individuals with access to all personal information under the government's control. Although the specific file was eventually provided, IRCC refused to update its procedures to address the systemic issue.

• Whether IRCC's practice of only retrieving and processing a "Short Form" subset of records in response to access requests complies with the Privacy Act's access obligations.
• Whether the "History Section" of the Global Case Management System (GCMS) file contains personal information.
• Whether IRCC's assertion that information outside the "Short Form" would always be withheld under exemptions is valid.
• Whether IRCC's failure to commit to updating its procedures constitutes a continuing contravention of the Privacy Act.

An employee of the Canada Border Services Agency (CBSA) complained that their personal information was inadvertently disclosed to colleagues due to improperly set folder permissions in the CBSA's information management system, Apollo. The CBSA confirmed the contravention of section 8 of the Privacy Act. While the CBSA took steps to correct the issue and improve practices, it did not commit to mandatory, trackable training for managing permissions, leading the OPC to find the complaint well-founded but unresolved.

• Whether CBSA contravened section 8 of the Privacy Act by improperly disclosing employee personal information.
• Adequacy of CBSA's response and corrective measures.
• Whether CBSA's training and awareness initiatives for managing information system permissions are sufficient.
• Whether the matter is resolved given CBSA's non-commitment to mandatory, trackable training.

This investigation examined the Treasury Board of Canada Secretariat's (TBS) handling of employee personal information related to the administration of the Direction on Prescribed Presence in the Workplace, which mandates minimum on-site workdays. The Office of the Privacy Commissioner of Canada (OPC) found that TBS's practices for both organizational compliance reporting (using aggregated data like turnstile and HR data) and individual compliance monitoring (relying on manager observation and self-reporting) were compliant with the Privacy Act. The OPC concluded that the complaint was not well-founded, noting TBS's effective balance between operational needs and employee privacy.

• Collection of employee personal information for hybrid work model compliance
• Retention and disposal of personal information
• Use and disclosure of personal information
• Transparency and adequacy of Personal Information Banks (PIBs)

The Office of the Privacy Commissioner of Canada (OPC) investigated the Canada Border Services Agency's (CBSA) contracting practices related to the ArriveCAN application following a complaint and a request from a parliamentary committee. The investigation examined whether contractors had inappropriate access to travellers' personal information. While the OPC found no contravention of the Privacy Act, it identified shortcomings in the CBSA's contracting processes, such as issues with the timeliness and accuracy of security assessments and broad task descriptions in contracts. The OPC made recommendations to improve the CBSA's practices, which the agency accepted.

• Whether CBSA authorized contractors to access personal information without required security clearances.
• Accuracy and timeliness of security requirement assessments for contracts.
• Clarity and specificity of task descriptions in contracts and task authorizations.
• CBSA's compliance with security requirements for personnel and organizations involved in ArriveCAN contracts.

An inmate alleged that Correctional Service Canada (CSC) failed to retain video footage of use of force incidents involving them, violating the Privacy Act's retention obligations. The OPC found that CSC did dispose of footage that it was obligated to retain for at least two years under the Act. CSC agreed to implement enhanced oversight, including monthly attestations and quarterly audits of use of force footage retention in its Pacific Region.

• Obligation to retain personal information used for administrative purposes under the Privacy Act
• Adequacy of institutional policies for video retention
• Ensuring reasonable access to personal information
• Effectiveness of oversight measures for compliance

This report details an investigation into the unauthorized disclosure of personal information of over 18,000 Canada Border Services Agency (CBSA) employees due to improperly shared spreadsheets. While the CBSA contravened section 8 of the Privacy Act by disclosing information beyond what was necessary for the stated purposes, the agency took appropriate steps to notify affected individuals, contain the breaches, and implement measures to prevent recurrence. These measures included new data request procedures and the development of a new information management system.

• Whether the CBSA contravened section 8 of the Privacy Act by disclosing personal information.
• Whether the CBSA took adequate steps to notify affected individuals.
• Whether the CBSA took adequate steps to contain the impact of the breaches.
• Whether the CBSA took adequate steps to reduce the risk of future breaches.

This investigation concerned the loss of an unencrypted USB storage device by the Royal Canadian Mounted Police (RCMP), which contained sensitive personal information of 1,741 individuals. The OPC found that the RCMP contravened section 8 of the Privacy Act by disclosing personal information without consent. The investigation also revealed failures in timely breach reporting and inadequate safeguards for personal information on USB devices, leading to the complaint being well-founded and unresolved.

• Contravention of section 8 of the Privacy Act regarding unauthorized disclosure of personal information
• Timeliness and appropriateness of the RCMP's response to the breach
• Sufficiency of RCMP measures to safeguard personal information on USB storage devices
• Adequacy of policies and enforcement regarding USB device usage

This investigation examined allegations that the Canada Revenue Agency (CRA) inappropriately disclosed an adopted child's adoptive name, and the adoptive mother's personal information, to the child's biological mother. The OPC found that, on the balance of probabilities, the CRA likely disclosed the child's adoptive name, contravening section 8 of the Privacy Act. Deficiencies were also identified in the CRA's internal procedures for safeguarding adopted children's personal information. The complaint was found to be well-founded but not resolved, as the CRA agreed to implement some, but not all, of the OPC's recommendations.

• Whether the CRA disclosed the child's adoptive name and the adoptive mother's personal information to the biological mother without consent.
• Whether the CRA's internal procedures adequately protected the personal information of adopted children.
• Whether the CRA's actions contravened section 8 of the Privacy Act.
• Whether the complaint was resolved based on the CRA's response to the OPC's recommendations.

The complainant alleged that the Canada Revenue Agency (CRA) improperly denied access to personal information related to five grievances, relying on exceptions under the Privacy Act. The OPC found that while the CRA conducted reasonable searches, it failed to adequately substantiate its use of paragraph 22(1)(b) of the Act to withhold information. Much of the withheld information was transactional and did not demonstrate a clear risk of harm upon disclosure. The complaint was found to be well-founded, but unresolved, as the CRA maintained its position on the withheld information.

• Proper application of paragraph 22(1)(b) of the Privacy Act regarding risk of harm.
• Adequacy of government institution's searches for responsive records.
• Substantiation of claims for withholding information under statutory exemptions.
• Requirement for case-by-case assessment when applying exemptions.

This investigation examined complaints regarding the National Security and Intelligence Review Agency's (NSIRA) Secretariat's request for access to polygraph records as part of a review of the Communications Security Establishment. The OPC found that the anonymization measures significantly reduced re-identification risks, and the polygraph recordings themselves contained no personal information. However, concerns were raised about the timeliness of the Secretariat's requests to Treasury Board Secretariat for approval of Personal Information Banks (PIBs). The collection issue was found not well-founded, but the timeliness of PIB updates was found well-founded and subsequently resolved.

• Whether the NSIRA Secretariat collected personal information without a direct relationship to its operating programs or activities.
• Whether the NSIRA Secretariat complied with its obligations to include all personal information under its control in Personal Information Banks (PIBs).
• Assessment of privacy mitigation measures implemented by CSE to anonymize polygraph records.
• Timeliness of the NSIRA Secretariat's requests for PIB approvals and publication of its Info Source page.

The complainant requested his minor child's passport application from Immigration, Refugees and Citizenship Canada (IRCC), citing a court order granting him access to his children's information. IRCC denied the request, stating the child's consent was required. The OPC found that while the complainant had legal authorization to act on his child's behalf, the request was not made for the child's benefit or best interests, a key condition under the Privacy Regulations. Therefore, the OPC concluded that the complainant did not have a right of access to the child's personal information.

• Whether a parent has an automatic right of access to a minor child's personal information under the Privacy Act.
• Interpretation of the Privacy Regulations regarding requests made on behalf of a minor.
• Whether the complainant's request served the child's best interests.
• The decision-making capacity of a minor regarding their personal information.

The complainant, as executor of a deceased individual's estate, requested personal information from the Department of National Defence (DND). DND refused to disclose most information, citing Privacy Act exemptions and arguing the request didn't meet the criteria for accessing information on behalf of a deceased person. The OPC found that the complainant was entitled to make the request for estate administration purposes and that DND failed to conduct an adequate search. DND agreed to conduct searches and provide a new response, leading to the complaint being conditionally resolved.

• Eligibility of an estate executor to request personal information of a deceased individual.
• Proper application of section 26 of the Privacy Act (disclosure of personal information about others).
• Adequacy of DND's search for requested records.
• DND's obligation to process formal access requests even if informal avenues exist.

The OPC investigated a complaint that the Canada Revenue Agency (CRA) failed to ensure the accuracy of a taxpayer's personal information used for administrative decisions. An imposter used the complainant's compromised CRA My Account to fraudulently receive COVID-19 benefits and Employment Insurance. The investigation found that the CRA's inadequate safeguards allowed unauthorized access and modification, contravening section 6(2) of the Privacy Act. The CRA has since implemented corrective measures.

• Adequacy of safeguards to protect against unauthorized access and modification of personal information.
• Reasonable steps taken by the CRA to ensure the accuracy of personal information used for administrative decisions.
• Timeliness of notification and privacy breach reporting.
• Impact of identity theft on tax reassessments.

The Office of the Privacy Commissioner of Canada investigated a complaint from a federal government employee who alleged that her personal information was repeatedly disclosed to another employee with the same name, and that administrative errors occurred in their files. The OPC found that the institution contravened the Privacy Act by improperly disclosing the complainant's personal information and by failing to ensure the accuracy of information used for administrative purposes. The complaint was found to be well-founded but conditionally resolved after the institution committed to implementing corrective measures.

• Unauthorized disclosure of personal information under section 8 of the Privacy Act.
• Failure to ensure the accuracy and completeness of personal information used for administrative purposes under subsection 6(2) of the Privacy Act.
• Lack of employee awareness regarding privacy breach reporting procedures.
• Systemic nature of errors due to employees having the same name.