Canadian Privacy Decisions

This investigation concerned a complaint that the Canada Border Services Agency (CBSA) violated the Privacy Act by requiring border services officers (BSOs) to wear name tags displaying their surnames. Complainants argued this was an unreasonable invasion of privacy and exposed them to potential harm. The Office of the Privacy Commissioner of Canada (OPC) found that while the names were personal information, they fell under an exception in the Privacy Act relating to information about an individual's position or functions within a government institution. Therefore, the requirement to display surnames on name tags did not violate the Act.

• Whether displaying surnames on name tags constitutes personal information under the Privacy Act.
• Whether displaying surnames on name tags is an unreasonable invasion of privacy.
• Whether the requirement to display surnames on name tags violates the use and disclosure provisions of the Privacy Act.
• Whether the exception for information relating to an individual's position or functions applies to surnames on name tags.

The Office of the Privacy Commissioner of Canada investigated a complaint regarding the improper disclosure of personal information by Aboriginal Affairs and Northern Development Canada (AANDC). The complainant was concerned that AANDC created a document listing individuals who had requested information about a former minister under the Access to Information Act, and that this document was subsequently disclosed to La Presse newspaper. The investigation found that AANDC improperly shared the document with staff who did not have a need-to-know the identities of the requesters, and that the document was ultimately disclosed to La Presse, violating the Privacy Act.

• Whether the document contained personal information.
• Whether AANDC officials who accessed the document had a need-to-know.
• Whether the disclosure of the document to La Presse constituted a contravention of the Privacy Act.

The complainant alleged that the Public Service Commission of Canada (PSC) contravened the Privacy Act by disclosing her private medical information to multiple witnesses during an investigation into potential fraud. The OPC found that while the PSC's collection and use of the information were justified, the disclosure of the doctor's letter to all witnesses was not a "consistent use" and thus contravened the Act. The PSC has committed to implementing new procedures to ensure future compliance.

• Whether the disclosure of medical information to all witnesses in an investigation complied with the Privacy Act's "consistent use" provision.
• Whether the PSC's disclosure of medical information was necessary for procedural fairness.
• Whether the PSC's interpretation of "affected person" was overly broad, leading to excessive disclosure.

This report details an investigation into the loss of an external hard drive at Employment and Social Development Canada (ESDC), which contained the personal information of 583,000 Canada student loan borrowers and 250 employees. The Office of the Privacy Commissioner of Canada (OPC) found that while ESDC had appropriate policies in place, there was a significant gap in their implementation, leading to inadequate physical, technical, administrative, and personnel security controls. Consequently, ESDC was found to be in contravention of sections 6(3), 7, and 8 of the Privacy Act. ESDC accepted all of the OPC's recommendations for improvement.

• Adequacy of physical security controls for storing personal information on portable media.
• Sufficiency of technical safeguards, such as encryption, for personal information on external hard drives.
• Effectiveness of administrative controls, including asset management and inventory of portable devices.
• Level of employee awareness and training regarding the risks associated with handling personal information on portable devices.

A complainant alleged that the RCMP continued to retain and use personal information from the long-gun registry after it was legally required to be destroyed. The investigation focused on whether the RCMP used this information in contravention of section 7 of the Privacy Act. While the RCMP provided evidence that the registry records were destroyed, the complainant pointed to instances suggesting otherwise. However, the OPC could not find evidence to support the allegation that the RCMP used deleted long-gun registry information and noted that subsequent legislation retroactively exempted certain information from the Privacy Act.

• Whether the RCMP retained and used personal information from the long-gun registry after it was legally required to be destroyed.
• Whether the alleged use of this information contravened section 7 of the Privacy Act.
• The impact of retroactive legislative amendments on the investigation and the application of the Privacy Act.

The Office of the Privacy Commissioner investigated a complaint from an individual whose personal health information was accessed by an employee of National Defence. The investigation found that the employee improperly accessed the complainant's health records for personal reasons, not for any professional or authorized purpose. National Defence has since implemented new controls, updated policies, and provided training to its healthcare staff to prevent future breaches.

• Inappropriate access to personal health information
• Use of personal information for personal reasons
• Adequacy of National Defence's privacy training and controls

The complainant alleged that the Canada Revenue Agency (CRA) contravened the Privacy Act by improperly accessing his tax file. The investigation found that a CRA employee accessed the complainant's tax file without authorization and beyond the requirements of their position. The CRA has since confirmed the employee no longer has access to taxpayer information.

• Unauthorized access to personal information
• Contravention of use and disclosure provisions of the Privacy Act

A complainant expressed concern that the online publication of her full name and date of birth in the Canada Gazette, as required by the agreement establishing the Qalipu Mi’kmaq First Nation Band, put her at risk of identity theft. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that the disclosure was consistent with the Privacy Act, as the information was published for the purpose for which it was originally collected: the identification and recognition of Band members. Therefore, the complaint was not well-founded.

• Disclosure of personal information without consent
• Purpose of collection and disclosure
• Risk of identity theft

A complainant alleged that Correctional Service of Canada (CSC) denied him access to the full version of a report concerning his treatment and supervision. CSC initially provided a condensed version, which the OPC found to be a misrepresentation of the information and contrary to CSC's obligations under the Privacy Act. Following the OPC's investigation, CSC provided the complainant with the full report, with some personal information of other parties withheld, and committed to reviewing its access request handling procedures and communicating staff obligations under the Privacy Act.

• Was the respondent in compliance with its obligations to identify and provide all relevant information in response to an access request?
• Whether the respondent's provision of an abbreviated report was a misrepresentation of the information.

Transport Canada denied a man's security clearance based on information from the RCMP. The man complained that the RCMP improperly disclosed his personal information, specifically details of an absolute discharge from a 2009 incident. The RCMP disclosed this information without the required ministerial approval, which contravened the Criminal Records Act.

• Disclosure of personal information by the RCMP.
• Compliance with the Criminal Records Act regarding absolute discharges.
• Authorization for disclosure of information for security clearances.

An estranged wife, employed as a civilian at a Canadian Forces Base, accessed her husband's medical records without authorization. She also deleted a physiotherapy appointment and accessed a paper file. The Department of National Defence (DND) determined this was a willful breach of rules and implemented restrictions on her access. The OPC found the complaint to be well-founded, as the access was inconsistent with the original purpose of the information and not a permissible use under the Privacy Act.

• Unauthorized access to medical records
• Access and use inconsistent with original purpose
• Willful breach of departmental rules

An inmate at a maximum-security penitentiary requested video recordings of incidents involving officers. The Correctional Service of Canada (CSC) denied access, citing third-party information and security concerns. The OPC found complaints regarding 16 destroyed videos to be well-founded, as CSC had not even reviewed them before denial. For two other videos, which CSC claimed contained third-party information and posed security risks, the OPC found CSC correctly applied exemptions, thus resolving those complaints.

• Timeliness of responding to access to information requests
• Destruction of records prior to fulfilling requests
• Application of exemptions for security of penal institutions
• Proper review of records before withholding information

The OPC investigated a complaint about an RCMP officer who accessed the CPIC database to conduct a criminal background check on a prospective tenant for a private rental. The investigation found the officer used the database for personal reasons, not for a legitimate law enforcement purpose. The RCMP took remedial actions, including an apology and a reminder to employees about database use policies, which satisfied the OPC.

• Unauthorized access to the CPIC database
• Use of personal information for non-law enforcement purposes
• Compliance with RCMP policies on database access

A formal investigation by the Office of the Privacy Commissioner of Canada concluded that Aboriginal Affairs and Northern Development Canada (AANDC) and the Department of Justice Canada wrongly collected personal information from activist Cindy Blackstock's personal Facebook page. The departments argued that information posted publicly on social media was not private, but the OPC rejected this argument, stating that public availability does not make information non-personal. The OPC recommended that both departments cease accessing personal information on social media without a direct link to government business and destroy improperly collected information, with both departments accepting the recommendations.

• Whether personal information posted on a public Facebook page is still considered private under the Privacy Act.
• Whether the collection of personal information from social media feeds was directly related to a government operating program or activity.
• Whether the departments' accessing of Indian status records was justified.

A woman complained to the Office of the Privacy Commissioner of Canada (OPC) after her tax information was inappropriately accessed by a Canada Revenue Agency (CRA) employee, who was the common-law spouse of her ex-husband. The OPC's investigation found the complaint to be well-founded, noting that while the CRA had a disciplinary policy, the investigation into the misconduct took too long. The OPC recommended enhanced privacy training and stressed the importance of timely investigations.

• Inappropriate access to taxpayer information by a CRA employee.
• Delay in investigating employee misconduct.
• Need for enhanced privacy training for employees.