Canadian Privacy Decisions

A representative acting for the executor of an estate requested personal information about a deceased individual from the Department of National Defence (DND). DND determined the representative was not entitled to the information under paragraph 10(b) of the Privacy Regulations because they did not sufficiently demonstrate a connection between the information sought and the administration of the estate. While DND processed the request informally and disclosed some information under another provision of the Act, they did not clearly state the grounds for refusal. The OPC found the complaint not well-founded as the representative failed to adequately articulate and substantiate the estate's purposes and how the records would serve them.

• Whether the representative was authorized to make a request on behalf of the deceased under paragraph 10(b) of the Privacy Regulations for the purpose of administering the estate.
• Whether the representative sufficiently demonstrated a connection between the information sought and the administration of the deceased's estate.
• Whether DND properly notified the representative of the refusal and the basis for it.
• Whether DND properly handled the request informally.

This special report from the OPC investigated the RCMP's Project Wide Awake initiative, which uses third-party services to collect open-source information. The investigation found that the RCMP did not conduct adequate due diligence to ensure that the personal information collected via the Babel X service and its data providers was compliant with Canadian privacy laws. Additionally, the RCMP failed to meet its transparency obligations under the Privacy Act by providing inadequate descriptions of its open-source information collection practices and purposes in its Personal Information Banks.

• Compliance with collection provisions of the Privacy Act
• Adequacy of due diligence regarding third-party data collection practices
• Adequacy of transparency obligations under the Privacy Act
• Sufficiency of Personal Information Bank descriptions

This special report details an investigation into cyber attacks that compromised sensitive personal information held by the Canada Revenue Agency (CRA) and Employment and Social Development Canada (ESDC). Attackers used stolen credentials to access online accounts, leading to unauthorized disclosures, modifications, and identity theft. The investigation found that both departments failed to implement adequate authentication, security decision-making, and monitoring practices, contravening sections 8 and 6(2) of the Privacy Act. While both departments accepted recommendations for improvement, some weaknesses persist.

• Inadequate identity and credential assurance measures
• Insufficiently informed and accountable security decision-making
• Lack of effective monitoring and timely breach containment
• Contravention of Privacy Act sections 8 (disclosure) and 6(2) (accuracy)

Immigration, Refugees and Citizenship Canada (IRCC) contravened the Privacy Act when an employee inadvertently sent 497 emails containing personal information to the wrong email addresses. The investigation found that IRCC had insufficient administrative and procedural controls to prevent such errors. While IRCC took steps to notify affected individuals and mitigate harm, the Office of the Privacy Commissioner recommended improvements to prevent future breaches. IRCC accepted these recommendations and implemented enhanced measures, leading the OPC to consider the matter resolved.

• Whether IRCC contravened section 8 of the Privacy Act by disclosing personal information to unintended recipients.
• Adequacy of IRCC's administrative and procedural controls to prevent accidental disclosures.
• Effectiveness of IRCC's measures to mitigate the impact of the breach on affected individuals.
• Sufficiency of IRCC's actions to reduce the risk of recurrence.

The complainant alleged that Immigration, Refugees and Citizenship Canada (IRCC) failed to disclose all records sought under the Privacy Act. The investigation found that IRCC did not initially conduct a reasonable search for records, particularly concerning visa cancellations and reissuing. However, IRCC subsequently expanded its search to include all relevant offices, and although no additional information was found, the OPC was satisfied that its obligations under the Act were met, resolving the complaint.

• Reasonableness of IRCC's search for records.
• Whether IRCC failed to disclose all responsive information.
• Adequacy of IRCC's search scope and tasked offices.

An individual complained that Canada Post was using personal information collected from the outside of delivered mail to create marketing lists rented to private sector companies. The Office of the Privacy Commissioner of Canada (OPC) found that Canada Post's collection and use of this information for marketing purposes contravened section 5 of the Privacy Act because individuals were not authorized to have their information indirectly collected and used this way. While Canada Post disagreed with the findings and did not agree to cease the practice, it committed to improving transparency about its data usage.

• Whether Canada Post's collection of personal information from mail for marketing purposes complies with section 4 of the Privacy Act.
• Whether Canada Post's use and disclosure of personal information for marketing purposes complies with sections 7 and 8 of the Privacy Act.
• Whether Canada Post's indirect collection of personal information for marketing purposes, without explicit authorization, contravenes section 5 of the Privacy Act.
• What constitutes valid authorization for indirect collection of personal information under the Privacy Act.

This investigation concerned an individual's complaint that their Permanent Resident Card renewal application, submitted to Immigration, Refugees and Citizenship Canada (IRCC), was inappropriately disclosed to the Canada Border Services Agency (CBSA). The complainant alleged this disclosure was contrary to the purpose for which the information was collected and that it was used in support of a cessation application to terminate refugee protection. The OPC found that the disclosure was consistent with the purpose for which the information was obtained, as both departments share a mandate under the Immigration and Refugee Protection Act and information sharing for immigration legislation enforcement is considered a consistent use. Therefore, the complaints against both departments were found not well-founded.

• Whether IRCC was authorized to disclose the complainant's personal information to the CBSA.
• Whether the disclosure was for a purpose for which the information was obtained or a consistent use.
• The interpretation of "consistent use" under paragraph 8(2)(a) of the Privacy Act.
• The impact of the privacy notice on the PRC renewal application and the relevant Personal Information Bank (PIB).

This investigation examined whether the collection, use, retention, and disclosure of personal information by the Public Health Agency of Canada (PHAC) and the Canada Border Services Agency (CBSA) related to COVID-19 vaccine mandates for travellers entering Canada complied with the Privacy Act. The OPC found that the agencies had the authority to collect this information as it was directly related to their mandate under the Quarantine Act and the Emergency Orders. While the OPC identified some weaknesses in PHAC's documentation regarding the necessity and proportionality of the measures, overall, the collection, use, and disclosure of personal information were deemed compliant with the Act.

• Whether personal information collected was directly related to an operating program or activity of PHAC and CBSA.
• Whether personal information was used or disclosed for the purpose for which it was compiled or in accordance with an Act of Parliament.
• Whether personal information was disposed of in accordance with the Privacy Regulations and the Directive on Privacy Practices.
• Whether the collection of personal information under the Emergency Orders was necessary and proportional.

This investigation examined whether COVID-19 vaccination attestation requirements implemented by several federal separate employers for their employees complied with the Privacy Act. The OPC found that the collection and use of vaccination status information, including for accommodation requests, was authorized under the Act and directly related to the employers' operating programs, specifically workplace health and safety during the pandemic. While not a strict legal requirement of the Act, the OPC also assessed the necessity and proportionality of these measures and found them to be reasonable given the exceptional circumstances of the pandemic.

• Whether the collection of COVID-19 vaccination status information was directly related to an operating program or activity of the institutions.
• Whether the use and disclosure of vaccination status information, including for accommodation requests, was authorized under the Privacy Act.
• The necessity and proportionality of the vaccination attestation measures in the context of the COVID-19 pandemic.

This Special Report to Parliament details the OPC's investigations into federal government privacy practices during the COVID-19 pandemic. It examined vaccine mandates for travel and employment, the ArriveCAN app, and the use of mobility data. While most government measures complied with the Privacy Act, the OPC identified areas for improvement, including the need for clearer objectives in mandates and better documentation of less privacy-intrusive alternatives. An error in the ArriveCAN app led to incorrect quarantine notifications, and a PIPEDA investigation found a private company misused a traveller's contact information for marketing.

• Compliance of COVID-19 measures with the Privacy Act
• Necessity and proportionality of personal information collection
• Accuracy of personal information used in administrative decisions (ArriveCAN)
• Use of de-identified mobility data and PIPEDA compliance

This investigation examined whether mobility data collected by the Public Health Agency of Canada (PHAC) during the COVID-19 pandemic contained personal information as defined under the Privacy Act. The investigation found that the de-identification techniques and safeguards against re-identification implemented by PHAC and its data providers reduced the risk of identifying individuals below the "serious possibility" threshold. Consequently, the complaints were deemed not well-founded, as PHAC did not contravene the Privacy Act.

• Whether the mobility data collected constituted personal information under the Privacy Act.
• The adequacy of de-identification and aggregation techniques to prevent re-identification.
• Whether access to data within a provider's system constitutes collection under the Act.
• The need for transparency regarding the use of de-identified data.

This investigation examined the COVID-19 vaccination attestation requirements for federal public servants. The OPC found that the collection of vaccination status was directly related to the employer's health and safety obligations. However, the Treasury Board of Canada Secretariat (TBS) contravened the Act by failing to update its index of personal information banks within the required timeframe. The OPC also assessed the necessity and proportionality of the measures, concluding they were justified given the pandemic context, though TBS's documentation and response during the investigation were found to be lacking.

• Whether the collection of employee vaccination status was directly related to an operating program or activity.
• Whether institutions met transparency requirements under the Act.
• Whether disclosures of personal information were authorized.
• Necessity and proportionality of the vaccination attestation measures.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding erroneous quarantine notifications sent by the ArriveCAN application to approximately 10,200 Apple device users. The OPC found that the Canada Border Services Agency (CBSA) did not take all reasonable steps to ensure the accuracy of the personal information used for administrative decisions, contravening subsection 6(2) of the Privacy Act. The CBSA disagreed with this finding and refused to correct the inaccurate information, although they later informed the OPC that the defect had been fixed and affected individuals notified.

• Whether the CBSA took all reasonable steps to ensure the accuracy of personal information used for administrative decisions.
• Whether the 'quarantine_exempted' data field constituted personal information used for an administrative purpose.
• Whether the CBSA's pre-release testing, human intervention, and correction mechanisms were adequate.
• Whether the CBSA should correct the erroneous information it holds despite the measures taken.

This investigation examined the COVID-19 vaccination attestation requirements established by the Department of National Defence (DND) for members of the Canadian Armed Forces (CAF). The Office of the Privacy Commissioner of Canada (OPC) found that DND/CAF had the authority to collect this information under the National Defence Act and Part II of the Canada Labour Code. The use and disclosure of the information were generally consistent with the purposes for which it was collected. Although DND declined to implement a recommendation to strengthen oversight of access controls in the Monitor MASS system, the OPC found no instances of inappropriate access or disclosure. The OPC also determined that DND took reasonable steps to ensure the accuracy of the vaccination status information collected.

• Whether DND/CAF's collection of COVID-19 vaccination status information directly related to an operating program or activity of the institution.
• Whether the use of collected vaccination status information was authorized under section 7 of the Privacy Act.
• Whether the use of the Monitor MASS system resulted in unauthorized disclosure of information.
• Whether DND/CAF took reasonable steps to ensure the accuracy of vaccination status information.

This investigation examined whether the collection, use, and disclosure of traveller vaccination status by Transport Canada, VIA Rail, and CATSA complied with the Privacy Act. The Office of the Privacy Commissioner found that the personal information was collected, used, and disclosed in compliance with the Act's requirements. While the Act does not mandate necessity and proportionality, the OPC also considered these principles and found the measures were generally necessary and proportional, though recommended clearer definition of objectives and documentation of less privacy-invasive alternatives for future initiatives.

• Whether the collection of vaccination information was directly related to the operating programs or activities of CATSA and VIA Rail.
• Whether the use and disclosure of personal information, and the centralized collection by Transport Canada, complied with sections 4, 7, and 8 of the Privacy Act.
• Whether the collection of personal information was necessary and proportional, considering the circumstances and available alternatives.