Canadian Privacy Decisions

This joint investigation by the Privacy Commissioner of Canada (OPC) and the UK Information Commissioner (ICO) examined a significant data breach at 23andMe, which affected nearly 7 million customers globally. The investigation found that 23andMe failed to implement appropriate safeguards to protect sensitive personal information, including genetic data, from a credential stuffing attack. Furthermore, the company's notifications to both regulatory bodies and affected individuals were found to be inadequate in content and, in some cases, timeliness. Although contraventions were found, the issues were deemed resolved due to significant security improvements made by 23andMe.

• Adequacy of safeguards to protect personal information, particularly genetic data, from credential stuffing attacks.
• Timeliness and completeness of breach notifications to regulators and affected individuals.
• Risk of harm to individuals due to the sensitive nature of compromised personal information.
• 23andMe's assessment of and response to the identified security deficiencies.

The complainant alleged that Canada Post improperly withheld records related to a health and safety strategy report and invoicing, citing personal information, trade secrets, and confidential third-party information. The Information Commissioner found that Canada Post failed to demonstrate that certain information met the requirements for exemption under subsections 18.1(1) and paragraph 20(1)(b) of the Access to Information Act. Specifically, Canada Post could not prove the information was a trade secret, had a reasonable expectation of confidentiality, or was exclusively supplied by the third party. The Commissioner ordered Canada Post to disclose certain withheld information, and Canada Post agreed to comply.

• Whether information on an invoice is confidential third-party commercial information (s. 20(1)(b))
• Whether information constitutes a trade secret or confidential commercial information belonging to Canada Post (s. 18.1(1))
• Whether withheld information is publicly available
• Whether information was supplied by a third party

The complainant alleged that Health Canada failed to respond to an access request within the statutory time limit. The request concerned documents related to the Public Health Agency of Canada and the National Microbiology Laboratory. Although Health Canada completed processing and consultations, it placed the response on hold pending ongoing investigations. The Information Commissioner found this delay unjustifiable under the Access to Information Act, as concerns about sensitive information should be addressed through exemptions, not by pausing the response. Health Canada subsequently provided a response, making a formal order unnecessary.

• Failure to respond within statutory time limits
• Justification for placing an access request on hold
• Timely access to information
• Application of exemptions versus delaying disclosure