BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Apr 26, 2017 · Incident case summary #2017-001 · Indexed Apr 12, 2026

Incident case summary #2017-001: Multiple breach incidents as a result of password reuse

Office of the Privacy Commissioner of Canada

This report details three incidents in 2017 where Canadian organizations experienced data breaches due to password reuse by their customers. In each case, attackers used login credentials obtained from unrelated breaches to access customer accounts. The Office of the Privacy Commissioner of Canada found the organizations' responses to be appropriate, including actions like password resets, enhanced security measures, and customer notifications, and encouraged other organizations to adopt similar preventative strategies.

Adjudicator: Daniel Therrien

Key Issues
  • Impact of password reuse on personal information security
  • Adequacy of organizational responses to data breaches
  • Effectiveness of safeguards against unauthorized access
  • Communication and notification obligations to individuals

Federal (Canada) · Privacy Act · Well-founded
Apr 19, 2017 · Indexed Apr 12, 2026

Disclosure of information about complainant's attempted suicide to US Customs and Border Protection not authorized under the Privacy Act

Royal Canadian Mounted Police (RCMP)

This investigation concerned a complaint that the Royal Canadian Mounted Police (RCMP) inappropriately disclosed the complainant's personal information, including details of a past suicide attempt, to US Customs and Border Protection (CBP) via the Canadian Police Information Centre (CPIC). The complainant alleged this disclosure led to her being deemed inadmissible to the US. The Office of the Privacy Commissioner of Canada (OPC) found the disclosure was not authorized under the Privacy Act, as it did not meet the criteria for law enforcement or criminal justice purposes as defined by the Memorandum of Cooperation (MOC) between the RCMP and the FBI. Although the RCMP implemented some changes to CPIC policies, the OPC concluded they remained unclear and did not sufficiently protect against unauthorized disclosures.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the disclosure of personal information related to a suicide attempt to US border officials via CPIC was authorized under subsection 8(2)(f) of the Privacy Act.
  • Whether the disclosure was authorized under subsection 8(2)(a) of the Privacy Act as a use consistent with the original purpose of information collection.
  • Whether CPIC policies adequately protected against unauthorized disclosure of sensitive personal information.
  • The interpretation of 'law enforcement' and 'criminal justice purposes' in the context of border security assessments.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Mar 31, 2017 · PIPEDA findings #2017-011 · Indexed Apr 12, 2026

PIPEDA findings #2017-011: Financial institution originally misuses confidential commercial information exemption to withhold personal information

A financial institution

A complainant alleged that a financial institution refused to provide access to personal information related to a disputed credit card transaction. The institution initially claimed the information was confidential commercial information under PIPEDA. While the OPC found the institution's initial claim of exemption was unfounded, it later determined that the redacted information was not the complainant's personal information, but related to third parties. The OPC concluded the complaint was well-founded due to the delay and improper initial claim, but resolved as the complainant ultimately received access to his entitled personal information.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the financial institution properly withheld personal information under the confidential commercial information exemption (PIPEDA s. 9(3)(b)).
  • Whether the financial institution responded to the access request within the time limits prescribed by PIPEDA.
  • Whether the withheld information constituted the complainant's personal information or third-party information.
  • Whether the complainant received appropriate access to personal information concerning a disputed credit card transaction.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 14, 2017 · PIPEDA Report of Findings #2017-003 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-003: Insurance company collected and used credit score for inappropriate purpose during auto insurance claims assessment process

An insurance company

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against an insurance company that collected and used an individual's credit score during an auto insurance claims assessment. The OPC found that the company did not have a legal basis to use credit scores for fraud detection in this context and did not obtain meaningful consent from the individual because they failed to clearly state that providing consent was optional. The company also lacked openness in its policies regarding credit score usage.

Adjudicator: Daniel Therrien

Key Issues
  • Appropriateness of using credit scores for fraud detection in auto insurance claims assessment.
  • Whether meaningful consent was obtained for the collection and use of credit score.
  • Whether the insurance company over-collected personal information.
  • The company's openness regarding its credit score collection and use policies.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Feb 10, 2017 · PIPEDA Case Summary #2017-005 · Indexed Apr 12, 2026

PIPEDA Case Summary #2017-005: Insurance company required to delete individual’s personal information after individual withdraws consent

A former automobile insurance company

An individual complained that their former automobile insurance company refused to delete their personal information upon withdrawal of consent. The company initially refused, citing the need to provide insurance history to other insurers. The Office determined that the company should have treated the request as a withdrawal of consent. The company subsequently deleted the information from its records after the individual accepted the implications. However, the company was not required to ensure deletion from third-party records to which the information had been lawfully disclosed. The company was also found to be in contravention for not having clear policies on third-party disclosures.

Adjudicator: Daniel Therrien

Key Issues
  • Withdrawal of consent for the continued use of personal information
  • Deletion of personal information from an organization's records
  • Deletion of personal information from third-party records after lawful disclosure
  • Accountability for information disclosure policies and procedures

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Jan 11, 2017 · PIPEDA Case Summary #2017-004 · Indexed Apr 12, 2026

PIPEDA Case Summary #2017-004: Consent provided extends to third-party doctor hired to evaluate accident insurance claim

A medical doctor

The complainant alleged that a doctor used and disclosed his personal information without consent during an insurance claim evaluation. The investigation focused on whether the complainant's consent, provided through accident benefit application forms (OCF-1 and OCF-19), extended to this specific doctor hired to prepare a summary report. The Office determined that the consent forms explicitly allowed the insurance company and other parties, including health professionals, to collect, use, and disclose personal information for the purposes of investigating and processing the insurance claim, including assessing catastrophic impairment. Therefore, the doctor did not contravene PIPEDA's consent provisions.

Adjudicator: Daniel Therrien

Key Issues
  • Whether consent provided for an insurance claim extended to a third-party doctor hired to prepare a summary report.
  • Whether the specific wording of consent forms (OCF-1 and OCF-19) covered the collection, use, and disclosure of personal information by the doctor.
  • Whether the doctor collected, used, or disclosed personal information for purposes beyond those stated in the consent forms.