The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.
The OIC ordered Privy Council Office to provide a complete response to the access request no later than 36 business days following the date of the final report..
The OIC ordered Health Canada to provide a complete response to the access request no later than 36 business days following the date of the final report..
The OIC ordered Health Canada to provide a complete response to the access request no later than 36 business days following the date of the final report..
The OIC ordered Health Canada to provide a complete response to the access request no later than 36 business days following the date of the final report..
The OIC ordered Health Canada to provide a complete response to the access request no later than 36 business days following the date of the final report..
The OIC ordered Health Canada to provide a complete response to the access request no later than 60 business days following the date of the final report..
The OIC ordered Privy Council Office to provide a complete response to the access request no later than 60 days following the date of the final report..
The OIC ordered Privy Council Office to provide a complete response to the access request no later than 36 business days following the date of the final report..
The OIC ordered Privy Council Office to provide a complete response to the access request no later than 60 business days following the date of the final report..
The OIC ordered Privy Council Office to provide a complete response to the access request no later than 60 day days following the date of the final report..
The OIC ordered Privy Council Office to provide a complete response to the access request no later than May 22..
This compliance letter concerns a privacy breach at Nova Scotia Power that began around March 19, 2025. A malware attack allowed a threat actor to access and exfiltrate sensitive customer information, including names, contact details, financial information, and SINs, affecting approximately 375,000 current and 540,000 former customers. Nova Scotia Power has committed to specific actions, including deleting customer SINs and undergoing an external security assessment, to address the breach. Upon the Commissioner's satisfaction with these commitments, the investigation will be discontinued.
An employee of the Canada Border Services Agency (CBSA) complained that their personal information was inadvertently disclosed to colleagues due to improperly set folder permissions in the CBSA's information management system, Apollo. The CBSA confirmed the contravention of section 8 of the Privacy Act. While the CBSA took steps to correct the issue and improve practices, it did not commit to mandatory, trackable training for managing permissions, leading the OPC to find the complaint well-founded but unresolved.
The OIC ordered National Defence to provide a complete response to the access request no later than 36 business days after the date of the final report..
The complainant alleged that Transport Canada failed to respond to an access to information request within the legislated 30-day timeframe. The request, for correspondence regarding the Greater Toronto Airports Authority, was significantly delayed due to the slow retrieval of records by a key office within Transport Canada, further exacerbated by a building fire. The Information Commissioner found the complaint to be well-founded, ordering Transport Canada to provide a complete response within 120 business days.
Federal (Canada)
Ontario
British Columbia
Alberta
Saskatchewan
Manitoba
Quebec
Nova Scotia
New Brunswick
Prince Edward Island
Newfoundland and Labrador