Canadian Privacy Decisions

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against CATSA concerning its practice of notifying police when cannabis was found in a traveller's possession. The OPC found that CATSA's collection and disclosure of personal information for this purpose contravened sections 4 and 8 of the Privacy Act, as its mandate is focused on aviation security, not general law enforcement. While CATSA agreed to cease collecting and disclosing such information when the cannabis possession is not clearly illegal, the record-keeping aspect of the complaint was found not well-founded.

• Whether CATSA's collection of personal information from travellers possessing cannabis was consistent with its mandate under the Privacy Act.
• Whether CATSA's disclosure of personal information to police regarding cannabis possession was consistent with the Privacy Act.
• Whether CATSA's record retention practices for this information complied with the Privacy Act.

This investigation examined a complaint regarding the alleged leak of personal information about a Supreme Court of Canada candidate. The complainant alleged that documents revealed by an anonymous source demonstrated a disagreement between the Prime Minister’s Office and the former Attorney General concerning the candidate's nomination. The Office of the Privacy Commissioner of Canada (OPC) investigated the Privy Council Office (PCO) and the Department of Justice (DOJ) but found no evidence that these institutions were responsible for the unauthorized disclosure. The OPC's investigation was constrained by jurisdictional limitations, as the Privacy Act does not apply to Ministers' offices or the Prime Minister's Office.

• Whether the PCO or DOJ contravened section 8 of the Privacy Act by improperly disclosing personal information.
• Whether the PCO or DOJ had access to the personal information that was leaked to the media.
• The jurisdictional limitations of the Privacy Act concerning Ministers' offices and the Prime Minister's Office.
• The need for legislative reform to extend the Privacy Act's coverage.

The complainant alleged that the Canada Border Services Agency (CBSA) improperly disclosed his personal medical information to a third party by carbon copying them on a letter. The CBSA argued the information was publicly available from court documents. The OPC found that while the CBSA did disclose personal information, this disclosure was not a contravention because the information was indeed publicly available in court records, making section 8 of the Privacy Act inapplicable under subsection 69(2).

• Was the personal information disclosed by the CBSA considered "personal information" under the Privacy Act?
• Was the disclosed personal information "publicly available"?
• Did subsection 69(2) of the Privacy Act apply, rendering section 8 of the Act inapplicable?
• If section 8 applied, would the disclosure have been permitted under subsection 8(2)?

A Canadian returning to Canada complained that the Canada Border Services Agency (CBSA) contravened the Privacy Act by requiring him to provide his cell phone passcode for inspection. The OPC found that while the CBSA has the authority under the Customs Act to require passcodes, it must follow its own policies and only retain personal information when necessary. The CBSA acknowledged policy failures and committed to improved training and policy revisions.

• CBSA's authority to require digital device passcodes under the Customs Act
• Whether the collection of the passcode was necessary
• CBSA's adherence to its internal policies regarding personal information collection and retention
• The sensitivity of digital device passcodes as personal information

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Employment and Social Development Canada (ESDC) improperly used video surveillance footage to monitor an employee's departure times. The OPC found that ESDC's use of the footage for this purpose was not consistent with the stated security collection purpose and that employees were not adequately informed about the camera usage. ESDC agreed to implement a clear policy on video surveillance use and inform individuals about collection purposes.

• Use of personal information collected via video surveillance for purposes other than security.
• Failure to inform employees about the collection and purpose of video surveillance.
• Whether the use of video surveillance was an exceptional measure for a pressing problem.
• Adherence to the institution's Personal Information Bank (PIB) for consistent uses.

A former member of the Canadian Armed Forces complained that the Department of National Defence (DND) wrongfully compelled him to publicly disclose medical information during a military summary trial. The Office of the Privacy Commissioner of Canada (OPC) found the complaint was not well-founded. The OPC determined that the disclosure was made as testimony during a public military trial, consistent with the open courts principle and the National Defence Act. Since confidentiality was not requested, the disclosure was permitted under subsections 8(2)(a) and 8(2)(b) of the Privacy Act.

• Applicability of the Privacy Act to military summary trials
• Whether public disclosure of medical information during a summary trial contravened the Privacy Act
• The principle of open courts in military justice proceedings
• The concept of publicly available information under section 69 of the Privacy Act

The Office of the Privacy Commissioner of Canada investigated two complaints concerning the disclosure of a military officer's personal health information. The Department of National Defence (DND) disclosed the information to the Department of Justice (DOJ) to defend against litigation initiated by the complainant against the government. The OPC found that both the disclosure by DND and the collection by DOJ were permissible under paragraph 8(2)(d) of the Privacy Act, as the information was disclosed to the Attorney General for use in legal proceedings involving the Crown. The OPC concluded that the Privacy Act does not distinguish between types of personal information and that the disclosure was necessary for legal defence, upholding the legal interpretation confirmed by the Federal Court.

• Permissibility of disclosing personal health information for litigation purposes under paragraph 8(2)(d) of the Privacy Act.
• Whether the collection of personal medical information by the Department of Justice was a contravention of the Privacy Act.
• Whether the disclosure of personal medical information by the Department of National Defence was a contravention of the Privacy Act.
• The scope and interpretation of paragraph 8(2)(d) of the Privacy Act regarding disclosures to the Attorney General for legal proceedings.

This investigation examined complaints concerning Statistics Canada's collection of personal financial and credit information from a credit bureau and financial institutions for two projects. The OPC found Statistics Canada had the legal authority for the Credit Information Project, deeming that aspect not well-founded. However, the OPC had serious concerns that the Financial Transactions Project, as originally designed, would have exceeded Statistics Canada's legal authority. As this project was halted before any data was collected, no finding was made. Despite finding no contravention of the Privacy Act, the OPC identified significant privacy concerns regarding necessity, proportionality, and transparency in both projects as originally designed, and made recommendations for improvement.

• Legal authority for collecting personal information under the Statistics Act and Privacy Act
• Necessity and proportionality of collecting sensitive personal information
• Adequacy of transparency regarding data collection
• Safeguards for handling collected personal information

This report details the OPC's investigation into six complaints concerning the Canada Border Services Agency's (CBSA) search of travellers' digital devices at the border. The OPC found that the CBSA contravened the Privacy Act by failing to adhere to its own policies and legal authorities regarding these searches, particularly concerning the scope of data accessed and the lack of proper documentation. The CBSA accepted most operational recommendations for improvement but disagreed with recommendations for legislative reform.

• CBSA's authority to examine digital devices at the border under the Customs Act
• Compliance with CBSA's internal policy on digital device examinations
• Collection and retention of personal information from digital devices
• Adequacy of training and oversight for CBSA officers

Three complainants alleged that Correctional Service Canada (CSC) was using video footage collected for security purposes to monitor employee performance. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that CSC used the footage to identify systemic deficiencies in patrols following an inmate's death, aiming to improve security and prevent future deaths. The OPC determined this use was consistent with the original purpose of collection (security) and therefore not a contravention of the Privacy Act.

• Was CSC using video footage to monitor employee performance?
• Was the use of video footage for identifying and addressing security deficiencies consistent with the original purpose of collection?
• Did the use of video footage contravene the Privacy Act's use provisions?

The complainant alleged that Global Affairs Canada (GAC) improperly collected personal information from his diplomatic passport for an administrative investigation. The complainant had used his diplomatic passport for personal travel, and GAC requested the original passport as evidence. GAC did not demonstrate how the personal travel information collected related to its operating programs or activities, nor did it provide sufficient cooperation to confirm its authority to collect this information.

• Whether GAC had the authority to collect personal travel information from a diplomatic passport.
• Whether the collection of personal travel information related directly to GAC's operating programs or activities.
• Whether GAC provided sufficient information regarding the administrative investigation and its authority to collect the passport.

The complainant alleged that Employment and Social Development Canada (ESDC) contravened the Privacy Act by collecting his personal information for a second time, despite his previous objection, through a third-party company. The OPC found that while ESDC's collection was not for an administrative purpose directly affecting the complainant, it failed to comply with section 4 of the Act because the information was not collected in accordance with the terms of its program, as the third party had obtained the information without consent. ESDC also continued to use the complainant's information despite his request to be removed from the list.

• Collection of personal information without consent
• Collection of personal information from a third party
• ESDC's responsibility to ensure third-party compliance with contractual obligations
• ESDC's continued collection of information after a request for removal

The complainant, an air passenger rights advocate, requested access to records about himself from the Canadian Transportation Agency (CTA). The CTA denied access to most records, arguing the information was not personal information, or that it was exempt under various provisions of the Privacy Act. The OPC found that the CTA had erred in withholding information and improperly invoked exemptions under section 70(1). However, most information withheld under sections 26 and 27 was found to be properly exempted, with specific exceptions.

• Whether records containing the complainant's name and discussions about his advocacy activities constituted personal information under the Privacy Act.
• Whether information withheld under paragraph 12(1)(b) was properly excluded from the scope of accessible personal information.
• Whether information was correctly exempted under sections 26 (third-party personal information), 27 (solicitor-client privilege), and subsection 70(1) (cabinet confidences).

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) contravened the accuracy provisions of the Privacy Act by using inaccurate information about him when staffing a position. ISED confirmed that it failed to ensure the accuracy of the information used, which was linked to the complainant’s profile in the MyGCHR human resources system. The investigation found the complaint to be well-founded.

• Whether ISED contravened the accuracy provisions of the Privacy Act.
• Whether ISED took reasonable steps to ensure the accuracy of personal information used for staffing.
• The role of the MyGCHR system in the accuracy of personal information.

The Office of the Privacy Commissioner of Canada investigated a complaint from a federal inmate who alleged that Correctional Service Canada (CSC) contravened the Privacy Act by denying him access to personal information, specifically video and audio recordings. This was a repeat issue, as similar allegations were found to be well-founded in a previous investigation. While CSC properly exempted some recordings, it failed to respond to some requests entirely and, critically, failed to retrieve and retain requested video recordings before they were overwritten in two instances, despite previous recommendations to improve processes for short-retention period records. The complaint was found well-founded due to these failures to provide timely access.

• Timeliness of responding to access to information requests.
• Retention and destruction of personal information, particularly video recordings.
• Appropriate application of exemptions to disclosure.
• Failure to implement previous recommendations regarding record retrieval.