Canadian Privacy Decisions

The complainant alleged that the Privy Council Office (PCO) failed to respond to an access request for minutes of the Joint Intelligence Committee from 1968 within the statutory time limits. PCO claimed an extension for consultations, but when other institutions did not respond, PCO closed the file based on its "no late file" policy. The OIC found that the Act does not permit PCO to fail to respond due to unreceived recommendations and determined PCO was in deemed refusal.

• Timeliness of response to access request
• Proper application of time extension provisions
• PCO's "no late file" policy in relation to the Act

This joint investigation by federal, Alberta, and British Columbia privacy commissioners examined Cadillac Fairview's (CFCL) use of Anonymous Video Analytics (AVA) in mall directories and mobile device geolocation tracking. CFCL collected and used personal biometric information via AVA without valid consent, and improperly retained this data. While CFCL stated it had ceased using AVA, it disagreed with findings and refused to commit to express opt-in consent for future use. Regarding geolocation, CFCL's "Anonymous Shopper Journey" did not collect personal information, and while its "Logged In Shopper Journey" collected personal information, it did not combine it with geolocation data as initially suspected. Therefore, the geolocation aspect was found not well-founded.

• Collection, use, and disclosure of personal information via AVA technology
• Adequacy of consent and notice for AVA technology
• Appropriate retention of personal information collected via AVA
• Collection, use, and disclosure of personal information via geolocation tracking

A complainant alleged that Health Canada failed to identify all records responsive to an Access to Information Act request and should have provided an index of these records. The Information Commissioner of Canada found that Health Canada conducted a reasonable search and did not improperly withhold records. The Commissioner also determined that Health Canada was not obligated to create an index for this request, as it would have been unreasonable.

• Duty to assist
• Reasonableness of search
• Obligation to create an index of records

This report details a systemic investigation into the Royal Canadian Mounted Police's (RCMP) timeliness in responding to access to information requests between 2016 and 2019. The investigation found significant delays and an increasing backlog of requests. The Information Commissioner made 15 recommendations across six areas to improve the RCMP's performance. However, the Minister of Public Safety largely ignored these recommendations, failing to provide adequate explanations or commit to concrete plans for improvement. Consequently, the Commissioner found the situation dire and tabled a special report to Parliament.

• Timeliness of access to information requests
• RCMP's failure to provide representations during delay investigations
• Adequacy of the Minister's response to recommendations
• Impact of resources and systems on access to information performance

The complainant alleged that the Privy Council Office (PCO) failed to respond to an access request for minutes of the Joint Intelligence Committee from 1957 to 1958 within the statutory time limits. PCO claimed an extension and consulted other institutions, but failed to respond when recommendations were not received by the deadline, citing a “no late file” policy. The OIC found that the Act does not permit such a failure to respond and that PCO was in deemed refusal.

• Timeliness of response to access request
• Proper application of time extensions
• Effect of "no late file" policy on ATIA obligations

The complainant alleged that the Privy Council Office (PCO) failed to respond to an access to information request within the statutory time limits. PCO had claimed an extension and then placed the request on hold for consultations, which it conducted over several years. The Commissioner found the complaint well-founded, as PCO's indefinite hold on the request had no provision in the Act. The Commissioner recommended PCO provide a final response by June 1, 2020, but PCO failed to meet this deadline, citing the COVID-19 pandemic's impact on consultations. As the complaint was filed before recent amendments, the Commissioner's jurisdiction was limited to making recommendations.

• Timeliness of response
• Indefinite hold on request for consultations
• Impact of COVID-19 pandemic on processing
• Commissioner's jurisdiction and remedies

The complainant alleged that the Department of Justice Canada missed the deadline to respond to an access to information request. The Information Commissioner previously recommended a response date, which the institution did not accept but committed to a later date. When the institution again failed to respond, the complaint was reopened. The Commissioner found the complaint to be well-founded.

• Timeliness of response under ATIA section 10(3)
• Failure to meet commitment disclosure date

Public Services and Procurement Canada (PSPC) improperly disclosed pay-related information for 69,087 public servants to the wrong government institutions. An investigation found that PSPC contravened the Privacy Act due to this unauthorized disclosure. However, the complaints are considered resolved because PSPC took satisfactory corrective actions to remedy the vulnerabilities that caused the breach and notified affected individuals.

• Unauthorized disclosure of personal information
• Adequacy of PSPC's response to the breach
• Timeliness and completeness of notification to affected individuals
• Implementation of corrective measures to prevent recurrence

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against CATSA concerning its practice of notifying police when cannabis was found in a traveller's possession. The OPC found that CATSA's collection and disclosure of personal information for this purpose contravened sections 4 and 8 of the Privacy Act, as its mandate is focused on aviation security, not general law enforcement. While CATSA agreed to cease collecting and disclosing such information when the cannabis possession is not clearly illegal, the record-keeping aspect of the complaint was found not well-founded.

• Whether CATSA's collection of personal information from travellers possessing cannabis was consistent with its mandate under the Privacy Act.
• Whether CATSA's disclosure of personal information to police regarding cannabis possession was consistent with the Privacy Act.
• Whether CATSA's record retention practices for this information complied with the Privacy Act.

Three individuals complained that the RCMP used non-conviction information in vulnerable sector (VS) checks without their informed consent. The OPC found that the RCMP contravened the Privacy Act in two of the three cases because the consent forms did not clearly explain what types of non-conviction information would be reported. The OPC also determined that the RCMP's policy of broadly reporting non-conviction information, including mental health incidents, was not proportional or minimally intrusive. The RCMP agreed to revise its consent forms and policies.

• Adequacy of informed consent for the use of non-conviction information in vulnerable sector checks.
• Proportionality and minimal intrusiveness of reporting non-conviction information, including mental health incidents, in vulnerable sector checks.
• Compliance with record retention requirements under the Privacy Act.
• Consistency of RCMP policies and practices across different provinces.

This investigation examined a complaint regarding the alleged leak of personal information about a Supreme Court of Canada candidate. The complainant alleged that documents revealed by an anonymous source demonstrated a disagreement between the Prime Minister’s Office and the former Attorney General concerning the candidate's nomination. The Office of the Privacy Commissioner of Canada (OPC) investigated the Privy Council Office (PCO) and the Department of Justice (DOJ) but found no evidence that these institutions were responsible for the unauthorized disclosure. The OPC's investigation was constrained by jurisdictional limitations, as the Privacy Act does not apply to Ministers' offices or the Prime Minister's Office.

• Whether the PCO or DOJ contravened section 8 of the Privacy Act by improperly disclosing personal information.
• Whether the PCO or DOJ had access to the personal information that was leaked to the media.
• The jurisdictional limitations of the Privacy Act concerning Ministers' offices and the Prime Minister's Office.
• The need for legislative reform to extend the Privacy Act's coverage.

A former employee of TD Canada Trust (TD) complained that TD had outsourced fraud claims processing to a third-party provider in India without customer consent or an opt-out option. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that TD was not required to obtain additional consent as the personal information was used for the original purpose of fraud claims management. The OPC also found TD was sufficiently open about its outsourcing practices and remained accountable by ensuring comparable protection through contractual and monitoring measures.

• Requirement for consent to transfer personal information to a third-party processor for the same purpose
• Sufficiency of openness regarding outsourcing of personal information to foreign jurisdictions
• Accountability for personal information transferred to a third-party processor and ensuring comparable protection

The complainant alleged that the Canada Border Services Agency (CBSA) improperly disclosed his personal medical information to a third party by carbon copying them on a letter. The CBSA argued the information was publicly available from court documents. The OPC found that while the CBSA did disclose personal information, this disclosure was not a contravention because the information was indeed publicly available in court records, making section 8 of the Privacy Act inapplicable under subsection 69(2).

• Was the personal information disclosed by the CBSA considered "personal information" under the Privacy Act?
• Was the disclosed personal information "publicly available"?
• Did subsection 69(2) of the Privacy Act apply, rendering section 8 of the Act inapplicable?
• If section 8 applied, would the disclosure have been permitted under subsection 8(2)?

Following complaints from two customers who were victims of tech support scams, the OPC investigated Dell's security safeguards and complaint handling practices. Dell discovered that two employees of its service provider in India had sold customer information on two separate occasions, leading to personal information breaches affecting thousands of Canadians. The OPC found that Dell's safeguards, including access controls and breach investigation procedures, were insufficient given the sensitivity of the data and the risk environment.

• Adequacy of security safeguards for personal information transferred to a service provider
• Effectiveness of access controls and monitoring for preventing insider theft of data
• Sufficiency of investigation into customer complaints alleging privacy breaches
• Appropriateness of breach notification and response

A dentist complained that RateMDs.com, a health practitioner rating website, used her personal information without consent and for lucrative purposes. The Office of the Privacy Commissioner of Canada (OPC) found that the dentist's business contact information was publicly available and did not require consent. However, the OPC found that RateMDs.com engaged in an inappropriate practice by charging a subscription fee for a service that allowed users to hide certain reviews, contravening PIPEDA's purpose provisions. RateMDs.com agreed to cease this practice, leading to a conditionally resolved outcome for that issue. The OPC also found RateMDs.com resolved issues related to openness regarding its policies on correcting inaccurate information.

• Consent for the collection, use, and disclosure of personal information.
• The appropriateness of using personal information for a business model.
• Transparency and openness regarding policies for correcting inaccurate information.
• The balance between privacy rights and public interest in online reviews.