Canadian Privacy Decisions

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from an employee of a federal institution who alleged a breach of privacy. The employee's personal information regarding her transgender identity and the reasons for her transfer were disclosed to her new supervisor and colleagues without her consent, despite assurances of confidentiality. The OPC found this disclosure contravened the Privacy Act.

• Disclosure of personal information without consent
• Confidentiality of transgender status
• Application of the Privacy Act

Three individuals complained that the RCMP used non-conviction information in vulnerable sector (VS) checks without their informed consent. The OPC found that the RCMP contravened the Privacy Act in two of the three cases because the consent forms did not clearly explain what types of non-conviction information would be reported. The OPC also determined that the RCMP's policy of broadly reporting non-conviction information, including mental health incidents, was not proportional or minimally intrusive. The RCMP agreed to revise its consent forms and policies.

• Adequacy of informed consent for the use of non-conviction information in vulnerable sector checks.
• Proportionality and minimal intrusiveness of reporting non-conviction information, including mental health incidents, in vulnerable sector checks.
• Compliance with record retention requirements under the Privacy Act.
• Consistency of RCMP policies and practices across different provinces.

This report details a review of passport protection practices by four federal institutions: IRCC, ESDC, GAC, and CPC. While the institutions generally had reasonable measures to prevent unauthorized passport disclosures, the review identified areas for improvement in incident detection, remediation for affected individuals, and learning from past breaches. The institutions agreed to implement the OPC's recommendations to enhance these processes.

• Adequacy of measures to prevent unauthorized disclosure of passports
• Effectiveness of incident detection mechanisms
• Sufficiency of remediation measures for affected individuals
• Processes for learning from past passport breach incidents

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against CATSA concerning its practice of notifying police when cannabis was found in a traveller's possession. The OPC found that CATSA's collection and disclosure of personal information for this purpose contravened sections 4 and 8 of the Privacy Act, as its mandate is focused on aviation security, not general law enforcement. While CATSA agreed to cease collecting and disclosing such information when the cannabis possession is not clearly illegal, the record-keeping aspect of the complaint was found not well-founded.

• Whether CATSA's collection of personal information from travellers possessing cannabis was consistent with its mandate under the Privacy Act.
• Whether CATSA's disclosure of personal information to police regarding cannabis possession was consistent with the Privacy Act.
• Whether CATSA's record retention practices for this information complied with the Privacy Act.

Public Services and Procurement Canada (PSPC) improperly disclosed pay-related information for 69,087 public servants to the wrong government institutions. An investigation found that PSPC contravened the Privacy Act due to this unauthorized disclosure. However, the complaints are considered resolved because PSPC took satisfactory corrective actions to remedy the vulnerabilities that caused the breach and notified affected individuals.

• Unauthorized disclosure of personal information
• Adequacy of PSPC's response to the breach
• Timeliness and completeness of notification to affected individuals
• Implementation of corrective measures to prevent recurrence

This investigation examined a complaint regarding the alleged leak of personal information about a Supreme Court of Canada candidate. The complainant alleged that documents revealed by an anonymous source demonstrated a disagreement between the Prime Minister’s Office and the former Attorney General concerning the candidate's nomination. The Office of the Privacy Commissioner of Canada (OPC) investigated the Privy Council Office (PCO) and the Department of Justice (DOJ) but found no evidence that these institutions were responsible for the unauthorized disclosure. The OPC's investigation was constrained by jurisdictional limitations, as the Privacy Act does not apply to Ministers' offices or the Prime Minister's Office.

• Whether the PCO or DOJ contravened section 8 of the Privacy Act by improperly disclosing personal information.
• Whether the PCO or DOJ had access to the personal information that was leaked to the media.
• The jurisdictional limitations of the Privacy Act concerning Ministers' offices and the Prime Minister's Office.
• The need for legislative reform to extend the Privacy Act's coverage.

The complainant alleged that the Canada Border Services Agency (CBSA) improperly disclosed his personal medical information to a third party by carbon copying them on a letter. The CBSA argued the information was publicly available from court documents. The OPC found that while the CBSA did disclose personal information, this disclosure was not a contravention because the information was indeed publicly available in court records, making section 8 of the Privacy Act inapplicable under subsection 69(2).

• Was the personal information disclosed by the CBSA considered "personal information" under the Privacy Act?
• Was the disclosed personal information "publicly available"?
• Did subsection 69(2) of the Privacy Act apply, rendering section 8 of the Act inapplicable?
• If section 8 applied, would the disclosure have been permitted under subsection 8(2)?

A Canadian returning to Canada complained that the Canada Border Services Agency (CBSA) contravened the Privacy Act by requiring him to provide his cell phone passcode for inspection. The OPC found that while the CBSA has the authority under the Customs Act to require passcodes, it must follow its own policies and only retain personal information when necessary. The CBSA acknowledged policy failures and committed to improved training and policy revisions.

• CBSA's authority to require digital device passcodes under the Customs Act
• Whether the collection of the passcode was necessary
• CBSA's adherence to its internal policies regarding personal information collection and retention
• The sensitivity of digital device passcodes as personal information

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Employment and Social Development Canada (ESDC) improperly used video surveillance footage to monitor an employee's departure times. The OPC found that ESDC's use of the footage for this purpose was not consistent with the stated security collection purpose and that employees were not adequately informed about the camera usage. ESDC agreed to implement a clear policy on video surveillance use and inform individuals about collection purposes.

• Use of personal information collected via video surveillance for purposes other than security.
• Failure to inform employees about the collection and purpose of video surveillance.
• Whether the use of video surveillance was an exceptional measure for a pressing problem.
• Adherence to the institution's Personal Information Bank (PIB) for consistent uses.

A former member of the Canadian Armed Forces complained that the Department of National Defence (DND) wrongfully compelled him to publicly disclose medical information during a military summary trial. The Office of the Privacy Commissioner of Canada (OPC) found the complaint was not well-founded. The OPC determined that the disclosure was made as testimony during a public military trial, consistent with the open courts principle and the National Defence Act. Since confidentiality was not requested, the disclosure was permitted under subsections 8(2)(a) and 8(2)(b) of the Privacy Act.

• Applicability of the Privacy Act to military summary trials
• Whether public disclosure of medical information during a summary trial contravened the Privacy Act
• The principle of open courts in military justice proceedings
• The concept of publicly available information under section 69 of the Privacy Act