Canadian Privacy Decisions

The complainant challenged the Department of Justice Canada's decision to withhold a Memorandum of Understanding (MOU) for legal services, citing section 23 (Legal advice and litigation privilege) of the Access to Information Act. The Department could not demonstrate that the entire MOU, including its title and signature blocks, was protected by solicitor-client privilege. Furthermore, the Department had waived privilege over some information within the MOU. The Information Commissioner found the complaint well-founded.

• Applicability of section 23 (Legal advice and litigation privilege)
• Waiver of privilege
• Protection of general identifying information

The complainant filed a complaint after National Defence (DND) did not respond to their access to information request. DND had decided that the request did not meet the requirements of section 6 of the Access to Information Act. The Information Commissioner found that the complaint was not well-founded, indicating that DND's handling of the request was appropriate.

• Whether the institution responded to the request within the time limits prescribed by the Act.

The complainant requested records related to a human rights file from the Canadian Human Rights Commission (CHRC). The CHRC withheld information citing personal information, testing/auditing procedures, and solicitor-client privilege. During the OIC investigation, the CHRC agreed to disclose information withheld under testing/auditing procedures and portions withheld under solicitor-client privilege. The OIC found that some file numbers withheld as personal information did not meet the exemption's requirements, and that certain draft investigation reports withheld under solicitor-client privilege also did not meet the exemption's requirements. The CHRC agreed to disclose these records.

• Applicability of the personal information exemption (section 19(1)) to file numbers
• Applicability of the solicitor-client privilege exemption (section 23) to draft investigation reports
• Reasonable exercise of discretion by the institution
• Disclosure of information withheld under testing/auditing procedures (section 22)

A Canadian returning to Canada complained that the Canada Border Services Agency (CBSA) contravened the Privacy Act by requiring him to provide his cell phone passcode for inspection. The OPC found that while the CBSA has the authority under the Customs Act to require passcodes, it must follow its own policies and only retain personal information when necessary. The CBSA acknowledged policy failures and committed to improved training and policy revisions.

• CBSA's authority to require digital device passcodes under the Customs Act
• Whether the collection of the passcode was necessary
• CBSA's adherence to its internal policies regarding personal information collection and retention
• The sensitivity of digital device passcodes as personal information

The requester filed a complaint after the Royal Canadian Mounted Police (RCMP) failed to respond to an access to information request for over two years. The RCMP provided insufficient information during the investigation regarding the records or the processing of the request. As a result, the Information Commissioner found the complaint to be well-founded and ordered the RCMP to respond to the request within 10 business days.

• Failure to respond to an access to information request within the prescribed time limits.
• Adequacy of information provided by the institution during the investigation.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Employment and Social Development Canada (ESDC) improperly used video surveillance footage to monitor an employee's departure times. The OPC found that ESDC's use of the footage for this purpose was not consistent with the stated security collection purpose and that employees were not adequately informed about the camera usage. ESDC agreed to implement a clear policy on video surveillance use and inform individuals about collection purposes.

• Use of personal information collected via video surveillance for purposes other than security.
• Failure to inform employees about the collection and purpose of video surveillance.
• Whether the use of video surveillance was an exceptional measure for a pressing problem.
• Adherence to the institution's Personal Information Bank (PIB) for consistent uses.

A former member of the Canadian Armed Forces complained that the Department of National Defence (DND) wrongfully compelled him to publicly disclose medical information during a military summary trial. The Office of the Privacy Commissioner of Canada (OPC) found the complaint was not well-founded. The OPC determined that the disclosure was made as testimony during a public military trial, consistent with the open courts principle and the National Defence Act. Since confidentiality was not requested, the disclosure was permitted under subsections 8(2)(a) and 8(2)(b) of the Privacy Act.

• Applicability of the Privacy Act to military summary trials
• Whether public disclosure of medical information during a summary trial contravened the Privacy Act
• The principle of open courts in military justice proceedings
• The concept of publicly available information under section 69 of the Privacy Act

A requester alleged that the Royal Canadian Mounted Police (RCMP) failed to respond to an access to information request within the statutory time limit. The RCMP was deemed to have refused access as they did not respond by the due date. Although the RCMP cited high volume and resource pressures, the Commissioner found these reasons did not justify the delay, especially given the moderate volume of records. The complaint was found to be well-founded. An initial report with an intended order was issued, but the RCMP subsequently responded to the request, rendering the order moot.

• Failure to respond within statutory time limits
• Adequacy of reasons for delay
• Assessment of record volume and complexity

An institution applied to the Information Commissioner for approval to decline to act on an access request, claiming it was vexatious and an abuse of the right to access records. The institution noted the requester had submitted 893 requests over 17 years, many similar to the current one. The Commissioner found that 11 of the requests were duplicative and that the requester had not provided justification for resubmitting them. The Commissioner concluded that the volume and repetitive nature of the requests, combined with the requester's history of complaints, amounted to an abuse of the right of access.

• Whether the access request was vexatious
• Whether the access request constituted an abuse of the right to access records
• Whether the institution met the threshold for declining to act on the request

The Office of the Privacy Commissioner of Canada investigated two complaints concerning the disclosure of a military officer's personal health information. The Department of National Defence (DND) disclosed the information to the Department of Justice (DOJ) to defend against litigation initiated by the complainant against the government. The OPC found that both the disclosure by DND and the collection by DOJ were permissible under paragraph 8(2)(d) of the Privacy Act, as the information was disclosed to the Attorney General for use in legal proceedings involving the Crown. The OPC concluded that the Privacy Act does not distinguish between types of personal information and that the disclosure was necessary for legal defence, upholding the legal interpretation confirmed by the Federal Court.

• Permissibility of disclosing personal health information for litigation purposes under paragraph 8(2)(d) of the Privacy Act.
• Whether the collection of personal medical information by the Department of Justice was a contravention of the Privacy Act.
• Whether the disclosure of personal medical information by the Department of National Defence was a contravention of the Privacy Act.
• The scope and interpretation of paragraph 8(2)(d) of the Privacy Act regarding disclosures to the Attorney General for legal proceedings.

The complainant alleged that Trans Union disclosed his credit file information to Statistics Canada without consent, and that this information was subsequently used to initiate debt collection efforts against him. The Office of the Privacy Commissioner of Canada (OPC) found that Trans Union was authorized to disclose the information under PIPEDA, as Statistics Canada had requested it under the authority of the Statistics Act. The OPC also found no evidence that Statistics Canada disclosed the complainant's information to other institutions for debt collection purposes.

• Whether Trans Union disclosed personal information without consent contrary to PIPEDA.
• Whether Statistics Canada used disclosed information for debt collection.
• Whether the disclosure was authorized by law under PIPEDA.
• Whether Statistics Canada contravened the Privacy Act in its data collection.

This report details the OPC's investigation into six complaints concerning the Canada Border Services Agency's (CBSA) search of travellers' digital devices at the border. The OPC found that the CBSA contravened the Privacy Act by failing to adhere to its own policies and legal authorities regarding these searches, particularly concerning the scope of data accessed and the lack of proper documentation. The CBSA accepted most operational recommendations for improvement but disagreed with recommendations for legislative reform.

• CBSA's authority to examine digital devices at the border under the Customs Act
• Compliance with CBSA's internal policy on digital device examinations
• Collection and retention of personal information from digital devices
• Adequacy of training and oversight for CBSA officers

This investigation examined Loblaw's practices in its gift card program, which was established to compensate customers affected by a bread price-fixing scandal. The complainant argued Loblaw collected more personal information than necessary and was concerned about data transfers to the United States. The OPC found that while Loblaw initially collected more information than needed by requesting full identification documents, they subsequently clarified their requirements, resolving this issue. The OPC also found Loblaw's measures to protect personal information transferred to a third-party administrator in the US were sufficient and that Loblaw was transparent about cross-border data transfers.

• Collection of personal information beyond what is necessary for the stated purpose.
• Adequacy of safeguards for personal information transferred to a third-party processor in the United States.
• Sufficiency of transparency regarding cross-border data transfers.
• Requirement for additional consent for cross-border data transfers.

An institution applied to the Information Commissioner for approval to decline to act on an access request, alleging it was vexatious, an abuse of the right to request records, and made in bad faith. The requester was a former employee who had filed multiple previous access requests. The Commissioner found the institution failed to prove the request was vexatious, an abuse of the right of access, or made in bad faith, and also failed to demonstrate it fulfilled its duty to assist the requester. The Commissioner denied the institution's application.

• Whether the access request was vexatious.
• Whether the access request constituted an abuse of the right to access records.
• Whether the access request was made in bad faith.
• Whether the institution fulfilled its duty to assist the requester.

An institution applied to the Information Commissioner for approval to decline processing an access request from a former employee. The institution argued the request was vexatious, an abuse of the right to access, and made in bad faith due to the requester's previous dismissal and numerous prior requests. The Commissioner found the institution failed to provide sufficient evidence for any of these claims.

• Whether the request was vexatious
• Whether the request constituted an abuse of the right of access
• Whether the request was made in bad faith
• Whether the institution fulfilled its duty to assist