Canadian Privacy Decisions

Public Services and Procurement Canada (PSPC) improperly disclosed pay-related information for 69,087 public servants to the wrong government institutions. An investigation found that PSPC contravened the Privacy Act due to this unauthorized disclosure. However, the complaints are considered resolved because PSPC took satisfactory corrective actions to remedy the vulnerabilities that caused the breach and notified affected individuals.

• Unauthorized disclosure of personal information
• Adequacy of PSPC's response to the breach
• Timeliness and completeness of notification to affected individuals
• Implementation of corrective measures to prevent recurrence

Three individuals complained that the RCMP used non-conviction information in vulnerable sector (VS) checks without their informed consent. The OPC found that the RCMP contravened the Privacy Act in two of the three cases because the consent forms did not clearly explain what types of non-conviction information would be reported. The OPC also determined that the RCMP's policy of broadly reporting non-conviction information, including mental health incidents, was not proportional or minimally intrusive. The RCMP agreed to revise its consent forms and policies.

• Adequacy of informed consent for the use of non-conviction information in vulnerable sector checks.
• Proportionality and minimal intrusiveness of reporting non-conviction information, including mental health incidents, in vulnerable sector checks.
• Compliance with record retention requirements under the Privacy Act.
• Consistency of RCMP policies and practices across different provinces.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against CATSA concerning its practice of notifying police when cannabis was found in a traveller's possession. The OPC found that CATSA's collection and disclosure of personal information for this purpose contravened sections 4 and 8 of the Privacy Act, as its mandate is focused on aviation security, not general law enforcement. While CATSA agreed to cease collecting and disclosing such information when the cannabis possession is not clearly illegal, the record-keeping aspect of the complaint was found not well-founded.

• Whether CATSA's collection of personal information from travellers possessing cannabis was consistent with its mandate under the Privacy Act.
• Whether CATSA's disclosure of personal information to police regarding cannabis possession was consistent with the Privacy Act.
• Whether CATSA's record retention practices for this information complied with the Privacy Act.

This investigation examined a complaint regarding the alleged leak of personal information about a Supreme Court of Canada candidate. The complainant alleged that documents revealed by an anonymous source demonstrated a disagreement between the Prime Minister’s Office and the former Attorney General concerning the candidate's nomination. The Office of the Privacy Commissioner of Canada (OPC) investigated the Privy Council Office (PCO) and the Department of Justice (DOJ) but found no evidence that these institutions were responsible for the unauthorized disclosure. The OPC's investigation was constrained by jurisdictional limitations, as the Privacy Act does not apply to Ministers' offices or the Prime Minister's Office.

• Whether the PCO or DOJ contravened section 8 of the Privacy Act by improperly disclosing personal information.
• Whether the PCO or DOJ had access to the personal information that was leaked to the media.
• The jurisdictional limitations of the Privacy Act concerning Ministers' offices and the Prime Minister's Office.
• The need for legislative reform to extend the Privacy Act's coverage.

A former employee of TD Canada Trust (TD) complained that TD had outsourced fraud claims processing to a third-party provider in India without customer consent or an opt-out option. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that TD was not required to obtain additional consent as the personal information was used for the original purpose of fraud claims management. The OPC also found TD was sufficiently open about its outsourcing practices and remained accountable by ensuring comparable protection through contractual and monitoring measures.

• Requirement for consent to transfer personal information to a third-party processor for the same purpose
• Sufficiency of openness regarding outsourcing of personal information to foreign jurisdictions
• Accountability for personal information transferred to a third-party processor and ensuring comparable protection

This report details a systemic investigation into how the Department of National Defence (DND) processed access to information requests between January 1, 2017, and December 21, 2018. The investigation examined six key offices and DND's ATIP Directorate, reviewing their internal processes, training, and statistics. The Commissioner made nine recommendations to the Minister of National Defence to address identified shortcomings, which the Minister accepted and agreed to implement.

• Timeliness of access to information request processing
• Adherence to legislative obligations under the Access to Information Act
• Effectiveness of internal procedures and training for ATIP staff
• Improvement of ATIP compliance metrics

The complainant alleged that the Canada Border Services Agency (CBSA) improperly disclosed his personal medical information to a third party by carbon copying them on a letter. The CBSA argued the information was publicly available from court documents. The OPC found that while the CBSA did disclose personal information, this disclosure was not a contravention because the information was indeed publicly available in court records, making section 8 of the Privacy Act inapplicable under subsection 69(2).

• Was the personal information disclosed by the CBSA considered "personal information" under the Privacy Act?
• Was the disclosed personal information "publicly available"?
• Did subsection 69(2) of the Privacy Act apply, rendering section 8 of the Act inapplicable?
• If section 8 applied, would the disclosure have been permitted under subsection 8(2)?

Following complaints from two customers who were victims of tech support scams, the OPC investigated Dell's security safeguards and complaint handling practices. Dell discovered that two employees of its service provider in India had sold customer information on two separate occasions, leading to personal information breaches affecting thousands of Canadians. The OPC found that Dell's safeguards, including access controls and breach investigation procedures, were insufficient given the sensitivity of the data and the risk environment.

• Adequacy of security safeguards for personal information transferred to a service provider
• Effectiveness of access controls and monitoring for preventing insider theft of data
• Sufficiency of investigation into customer complaints alleging privacy breaches
• Appropriateness of breach notification and response

A dentist complained that RateMDs.com, a health practitioner rating website, used her personal information without consent and for lucrative purposes. The Office of the Privacy Commissioner of Canada (OPC) found that the dentist's business contact information was publicly available and did not require consent. However, the OPC found that RateMDs.com engaged in an inappropriate practice by charging a subscription fee for a service that allowed users to hide certain reviews, contravening PIPEDA's purpose provisions. RateMDs.com agreed to cease this practice, leading to a conditionally resolved outcome for that issue. The OPC also found RateMDs.com resolved issues related to openness regarding its policies on correcting inaccurate information.

• Consent for the collection, use, and disclosure of personal information.
• The appropriateness of using personal information for a business model.
• Transparency and openness regarding policies for correcting inaccurate information.
• The balance between privacy rights and public interest in online reviews.

The complainant challenged the Department of Justice Canada's decision to withhold a Memorandum of Understanding (MOU) for legal services, citing section 23 (Legal advice and litigation privilege) of the Access to Information Act. The Department could not demonstrate that the entire MOU, including its title and signature blocks, was protected by solicitor-client privilege. Furthermore, the Department had waived privilege over some information within the MOU. The Information Commissioner found the complaint well-founded.

• Applicability of section 23 (Legal advice and litigation privilege)
• Waiver of privilege
• Protection of general identifying information

The complainant filed a complaint after National Defence (DND) did not respond to their access to information request. DND had decided that the request did not meet the requirements of section 6 of the Access to Information Act. The Information Commissioner found that the complaint was not well-founded, indicating that DND's handling of the request was appropriate.

• Whether the institution responded to the request within the time limits prescribed by the Act.

The complainant requested records related to a human rights file from the Canadian Human Rights Commission (CHRC). The CHRC withheld information citing personal information, testing/auditing procedures, and solicitor-client privilege. During the OIC investigation, the CHRC agreed to disclose information withheld under testing/auditing procedures and portions withheld under solicitor-client privilege. The OIC found that some file numbers withheld as personal information did not meet the exemption's requirements, and that certain draft investigation reports withheld under solicitor-client privilege also did not meet the exemption's requirements. The CHRC agreed to disclose these records.

• Applicability of the personal information exemption (section 19(1)) to file numbers
• Applicability of the solicitor-client privilege exemption (section 23) to draft investigation reports
• Reasonable exercise of discretion by the institution
• Disclosure of information withheld under testing/auditing procedures (section 22)

A Canadian returning to Canada complained that the Canada Border Services Agency (CBSA) contravened the Privacy Act by requiring him to provide his cell phone passcode for inspection. The OPC found that while the CBSA has the authority under the Customs Act to require passcodes, it must follow its own policies and only retain personal information when necessary. The CBSA acknowledged policy failures and committed to improved training and policy revisions.

• CBSA's authority to require digital device passcodes under the Customs Act
• Whether the collection of the passcode was necessary
• CBSA's adherence to its internal policies regarding personal information collection and retention
• The sensitivity of digital device passcodes as personal information

The requester filed a complaint after the Royal Canadian Mounted Police (RCMP) failed to respond to an access to information request for over two years. The RCMP provided insufficient information during the investigation regarding the records or the processing of the request. As a result, the Information Commissioner found the complaint to be well-founded and ordered the RCMP to respond to the request within 10 business days.

• Failure to respond to an access to information request within the prescribed time limits.
• Adequacy of information provided by the institution during the investigation.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Employment and Social Development Canada (ESDC) improperly used video surveillance footage to monitor an employee's departure times. The OPC found that ESDC's use of the footage for this purpose was not consistent with the stated security collection purpose and that employees were not adequately informed about the camera usage. ESDC agreed to implement a clear policy on video surveillance use and inform individuals about collection purposes.

• Use of personal information collected via video surveillance for purposes other than security.
• Failure to inform employees about the collection and purpose of video surveillance.
• Whether the use of video surveillance was an exceptional measure for a pressing problem.
• Adherence to the institution's Personal Information Bank (PIB) for consistent uses.