Canadian Privacy Decisions

The Information Commissioner ceased an investigation into a complaint regarding an institution's search for records. The OIC had previously investigated and issued a final report on an identical matter concerning the institution's search for records from the 1990s. As continuing the investigation was deemed unnecessary and the complainant did not respond to an offer to provide further representations, the investigation was discontinued.

• Whether continuing the investigation was unnecessary
• Whether the matter had already been the subject of a previous investigation or final report

The complainant alleged that Library and Archives Canada (LAC) failed to respond to an access request within the statutory time limits. LAC took an extensive extension but still missed the deadline, resulting in a deemed refusal. The delay was partly due to a consultation with CSIS and LAC's lack of infrastructure to process Top Secret records. The Information Commissioner found the complaint well founded, recommending immediate action and a permanent solution for processing classified records.

• Failure to respond within statutory time limits.
• Validity of 425-day time extension.
• LAC's lack of infrastructure to process classified records.
• Deemed refusal under subsection 10(3) ATIA.

The complainant alleged that Employment and Social Development Canada (ESDC) wrongly refused to process an access request for emails containing specific keywords, claiming they were not under its control. The emails were stored on ESDC servers and sent using a government account. However, the OIC found that the emails were entirely personal, had no institutional purpose, and were not integrated with ESDC's records. Therefore, the OIC concluded the emails were not under ESDC's control and not subject to the Access to Information Act, resulting in the complaint being not well founded.

• Whether the requested emails were under the control of Employment and Social Development Canada for the purposes of the Access to Information Act.

The complainant alleged that Public Services and Procurement Canada (PSPC) failed to respond to an access request for COVID-19 related contracts within the statutory time limit. PSPC cited pandemic measures as a reason for the delay. The Information Commissioner found that institutions cannot suspend access request processing due to the pandemic and that PSPC failed to respond within the required timeframe. Therefore, the complaint was deemed well-founded, and PSPC is considered to have refused access.

• Failure to respond within the statutory time limit
• Justification for delay due to pandemic measures
• Application of subsection 10(3) of the ATIA (deemed refusal)

This report details a systemic investigation into Immigration, Refugees and Citizenship Canada's (IRCC) handling of access to information requests, particularly for immigration application files. The investigation found that IRCC's practice of automatically extending response times for frequent requesters violated the Access to Information Act. The Information Commissioner made five recommendations to improve IRCC's processes, including ceasing this practice, developing a work plan for performance improvements, enhancing the availability of client information through other means, and securing adequate resources for the ATIP office.

• Timeliness of response to access to information requests
• Proper application of time extension provisions under the ATIA
• Systemic issues in processing high volumes of access requests
• Accessibility of immigration application information through alternative channels

The complainant alleged that the Privy Council Office (PCO) improperly withheld the names of employees within the Prime Minister's Office. The information was requested in relation to records concerning an announcement about audits of registered charities for political activities. The OIC found that the withheld names constituted personal information and met the requirements for exemption under subsection 19(1) of the Access to Information Act. The OIC was also satisfied that none of the exceptions allowing for disclosure under subsection 19(2) applied. Therefore, the complaint was not well-founded.

• Whether the names of Prime Minister's Office employees constitute personal information under subsection 19(1) of the ATIA.
• Whether the information fell under exceptions to the definition of personal information.
• Whether the institution properly exercised its discretion to disclose the information under subsection 19(2) of the ATIA.

The complainant requested information regarding legal fees for a specific litigation file from the Department of Justice Canada. The Department withheld expense details and disbursements under section 23 (legal advice and litigation privilege), citing solicitor-client privilege and a presumption of privilege for legal bills. The Information Commissioner found that while disbursements are generally presumed privileged, this presumption was rebutted in this case. The Commissioner concluded that the information was not subject to privilege as there was no reasonable possibility that it could be used to deduce protected communications, and recommended its disclosure. The Department of Justice Canada agreed to implement this recommendation.

• Whether section 23 (legal advice and litigation privilege) of the ATIA applied to the withheld expense details and disbursements.
• Whether the presumption of privilege for legal bills, as established in Maranda v. Richer, was rebutted.
• Whether the withheld information could be used by an assiduous inquirer to deduce privileged communications.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a charitable organization's donor list trading program. The OPC found that the charity required express opt-in consent, not opt-out, for sharing donor contact information, as this practice fell outside donors' reasonable expectations. The OPC also determined that the information provided to donors was insufficient to ensure meaningful consent, lacking details about what information would be shared with whom and for what purpose. The charity agreed to implement recommendations to obtain opt-in consent and provide clearer information.

• Requirement for opt-in versus opt-out consent for donor list trading.
• Sufficiency of information provided to donors for meaningful consent.
• Application of the 'reasonable expectations' principle under PIPEDA.
• Compliance with PIPEDA's requirements for consent for information sharing.

This investigation report concerns a large-scale breach of personal information at the Bank of Montreal (BMO), affecting approximately 113,000 customers. The OPC found that BMO's online banking software had significant vulnerabilities, including issues with developer security testing, vulnerability management, and oversight/monitoring, which allowed attackers to access sensitive data such as financial account numbers and SINs. BMO has since implemented substantial improvements to its security safeguards.

• Adequacy of BMO's technical safeguards to protect personal information.
• Effectiveness of BMO's developer security testing and evaluation processes.
• Sufficiency of BMO's vulnerability management protocols.
• Appropriateness of BMO's oversight and monitoring capabilities for detecting cyberattacks.

This investigation concerned a complaint that Fido Solutions Inc. failed to safeguard a customer's personal information, allowing fraudsters to access and alter account details. It was found that Fido's customer service representatives repeatedly failed to follow authentication protocols, leading to unauthorized access. Additionally, the complaint alleged Fido failed to provide a requested transcript in an understandable format. Fido has committed to implementing enhanced safeguards regarding authentication protocols and has since provided the requested transcripts.

• Adequacy of safeguards to protect customer personal information from unauthorized access.
• Effectiveness of authentication protocols and employee adherence.
• Proper response to customer requests for access to personal information.
• Provision of personal information in a generally understandable format.

The Office of the Privacy Commissioner of Canada (OPC) investigated CoreFour Inc. concerning its compliance with PIPEDA regarding its learning management system, Edsby. The OPC found that CoreFour's safeguards were not adequate due to vulnerabilities in password requirements and protection of student profile pictures, and a lack of an overarching information security framework. The OPC also found that CoreFour lacked a robust accountability framework, including written policies and adequate privacy training. However, the OPC found CoreFour to be in compliance with its breach reporting and notification obligations. CoreFour has accepted the recommendations and is implementing corrective measures.

• Adequacy of safeguards for personal information
• Breach reporting and notification obligations
• Accountability for privacy compliance
• Development of privacy management and information security frameworks

The complainant alleged that a computer services company remotely accessed his laptop without his express consent during a help desk call. The Office of the Privacy Commissioner of Canada (OPC) found that the company failed to obtain meaningful express consent for remote access and did not have adequate safeguards to protect customer information. The company has since restructured, ceased offering personal help desk services, and no longer uses the remote access software, leading the OPC to find the complaint well-founded and resolved.

• Whether meaningful express consent was obtained for remote computer access.
• Whether adequate safeguards were in place to protect customer data during remote access.
• The nature of consent required for accessing potentially sensitive personal information on a customer's laptop.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from a truck driver alleging that his employer, Oculus Transport Ltd., collected personal information through audio surveillance in the truck cab for inappropriate purposes. The OPC found that while Oculus had a legitimate business need for some surveillance, the continuous audio recording, even when drivers were off-duty, was excessively intrusive and disproportionate to the benefits. Oculus has since stopped using audio surveillance.

• Whether the purposes for which Oculus collected audio recordings were appropriate under PIPEDA's section 5(3).
• Whether less privacy-invasive means were available to Oculus to achieve its stated purposes.
• Whether the intrusion on drivers' privacy was proportionate to the benefits gained by Oculus.

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) took an unreasonable extension of time to respond to an access request for information related to the Competition Bureau's bread price-fixing investigation. The request involved over 75 million pages of records. ISED calculated the extension by considering the volume of records, the time needed for the program area to gather records, and the time needed by the Access to Information and Privacy Office to analyze exemptions. The Information Commissioner found the complaint not well founded, agreeing that the extension was reasonable and that ISED followed the proper procedures.

• Whether the extension of time taken by the institution was reasonable under paragraph 9(1)(a) of the Access to Information Act.
• Whether the request involved a large number of records or required searching through a large number of records.
• Whether meeting the 30-day deadline would unreasonably interfere with the institution's operations.
• Whether the duration of the extension was reasonable given the circumstances.

The complainant alleged that Public Safety Canada refused to process an access request for records related to various keywords. Public Safety argued parts of the request did not meet the Act's requirements and processing it would be overly burdensome. The Commissioner found the complaint well-founded, agreeing that some parts of the request were too vague but that Public Safety improperly refused to process the parts that did meet the criteria. Public Safety Canada committed to processing 5,000 pages per year of the relevant records.

• Adequacy of the request details under section 6 of the ATIA
• Institution's obligation to process requests in parts
• Institution's duty to assist requesters
• Timely processing of large volumes of records