Canadian Privacy Decisions

Three complainants alleged that Correctional Service Canada (CSC) was using video footage collected for security purposes to monitor employee performance. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that CSC used the footage to identify systemic deficiencies in patrols following an inmate's death, aiming to improve security and prevent future deaths. The OPC determined this use was consistent with the original purpose of collection (security) and therefore not a contravention of the Privacy Act.

• Was CSC using video footage to monitor employee performance?
• Was the use of video footage for identifying and addressing security deficiencies consistent with the original purpose of collection?
• Did the use of video footage contravene the Privacy Act's use provisions?

This joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) examined Facebook's compliance with privacy laws concerning the disclosure of user data to third-party apps, specifically the "thisisyourdigitallife" (TYDL) app. The investigation found that Facebook failed to obtain valid and meaningful consent from users whose information was disclosed, had inadequate safeguards to protect user data, and lacked accountability for the information under its control. These failures are particularly concerning given similar findings by the OPC in a 2009 investigation, indicating a lack of substantive improvement in Facebook's privacy practices.

• Meaningful consent from installing users
• Meaningful consent from affected users (friends of installing users)
• Adequacy of safeguards to protect user data from third-party apps
• Facebook's accountability for user data

The complainant alleged that Global Affairs Canada (GAC) improperly collected personal information from his diplomatic passport for an administrative investigation. The complainant had used his diplomatic passport for personal travel, and GAC requested the original passport as evidence. GAC did not demonstrate how the personal travel information collected related to its operating programs or activities, nor did it provide sufficient cooperation to confirm its authority to collect this information.

• Whether GAC had the authority to collect personal travel information from a diplomatic passport.
• Whether the collection of personal travel information related directly to GAC's operating programs or activities.
• Whether GAC provided sufficient information regarding the administrative investigation and its authority to collect the passport.

The complainant alleged that Employment and Social Development Canada (ESDC) contravened the Privacy Act by collecting his personal information for a second time, despite his previous objection, through a third-party company. The OPC found that while ESDC's collection was not for an administrative purpose directly affecting the complainant, it failed to comply with section 4 of the Act because the information was not collected in accordance with the terms of its program, as the third party had obtained the information without consent. ESDC also continued to use the complainant's information despite his request to be removed from the list.

• Collection of personal information without consent
• Collection of personal information from a third party
• ESDC's responsibility to ensure third-party compliance with contractual obligations
• ESDC's continued collection of information after a request for removal

The complainant alleged that Grey House Publishing Canada (Grey House) collected, used, and disclosed his personal information without his knowledge or consent. Grey House collected the complainant's contact information from a non-profit association's webpage and included it in its print directory and database. Grey House then sold an email distribution list containing this information to Economic and Social Development Canada (ESDC), which used it to send emails promoting a federal program. The OPC found that Grey House contravened PIPEDA by collecting and using the complainant's personal information without adequate consent, as the information was not considered business contact information and did not fall under the exceptions for publicly available information. The OPC also found that Grey House contravened PIPEDA's openness principle by having an inadequate privacy statement.

• Whether the complainant's contact information constituted personal information or business contact information under PIPEDA
• Whether Grey House was conducting commercial activity under PIPEDA
• Whether Grey House obtained adequate consent to collect and use the complainant's personal information
• Whether Grey House's privacy statement adequately reflected its practices

The Office of the Privacy Commissioner of Canada (OPC) investigated 411Numbers, a website operator that provided free access to telephone numbers and associated information. A complainant alleged that 411Numbers collected, used, and disclosed his personal information without consent, used it for an inappropriate purpose (paid removal service), over-collected information for removal services, and was unresponsive to privacy concerns. The OPC found that 411Numbers contravened PIPEDA by publishing unlisted telephone numbers without consent, and that its previous practice of requiring extensive identification for removal services was an over-collection. The paid removal service was also deemed inappropriate. However, 411Numbers has since ceased its paid removal service and implemented new practices for information removal and data collection.

• Jurisdiction over a non-Canadian company with a real and substantial connection to Canada
• Collection, use, and disclosure of unlisted telephone numbers without consent
• Appropriateness of using personal information for a paid removal service
• Over-collection of personal information for identity verification during removal requests

The complainant, an air passenger rights advocate, requested access to records about himself from the Canadian Transportation Agency (CTA). The CTA denied access to most records, arguing the information was not personal information, or that it was exempt under various provisions of the Privacy Act. The OPC found that the CTA had erred in withholding information and improperly invoked exemptions under section 70(1). However, most information withheld under sections 26 and 27 was found to be properly exempted, with specific exceptions.

• Whether records containing the complainant's name and discussions about his advocacy activities constituted personal information under the Privacy Act.
• Whether information withheld under paragraph 12(1)(b) was properly excluded from the scope of accessible personal information.
• Whether information was correctly exempted under sections 26 (third-party personal information), 27 (solicitor-client privilege), and subsection 70(1) (cabinet confidences).

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) contravened the accuracy provisions of the Privacy Act by using inaccurate information about him when staffing a position. ISED confirmed that it failed to ensure the accuracy of the information used, which was linked to the complainant’s profile in the MyGCHR human resources system. The investigation found the complaint to be well-founded.

• Whether ISED contravened the accuracy provisions of the Privacy Act.
• Whether ISED took reasonable steps to ensure the accuracy of personal information used for staffing.
• The role of the MyGCHR system in the accuracy of personal information.

This investigation concerned Microsoft's Windows 10 privacy settings, which were initially set to 'on' by default during installation. The Office of the Privacy Commissioner of Canada (OPC) investigated whether Microsoft obtained valid consent for the collection, use, and disclosure of users' personal information. While Microsoft made several updates to improve clarity and consent mechanisms, the OPC identified ongoing concerns regarding the meaningfulness of consent for certain settings, particularly regarding diagnostics, tailored experiences, and speech recognition. Microsoft committed to implementing further changes, including obtaining opt-in consent for all installation privacy settings, enhancing transparency, and improving data protection measures.

• Validity of consent for default privacy settings during Windows 10 installation.
• Clarity and completeness of privacy communications provided to users.
• Adequacy of measures to protect sensitive diagnostic data from being used for targeted marketing.
• Ensuring meaningful consent for cloud-based speech recognition services.

The Office of the Privacy Commissioner of Canada (OPC) investigated complaints against Profile Technology Ltd. (Profile Technology), a New Zealand-based company, for copying and using personal information from Facebook profiles without consent. The OPC found that Profile Technology's website was not merely a search engine but a social networking site, and that the information was not "publicly available" under PIPEDA. The company's practice of repurposing outdated Facebook data without consent or consideration for privacy settings was deemed inappropriate. Additionally, Profile Technology was found to be retaining help desk ticket information longer than necessary. The OPC concluded that Profile Technology contravened PIPEDA by using and disclosing personal information for purposes not appropriate in the circumstances and without consent.

• Jurisdiction over a foreign-based organization
• Definition of "publicly available" information under PIPEDA
• Requirement for consent for collection and use of personal information
• Appropriateness of purposes for using personal information

The Office of the Privacy Commissioner of Canada investigated a complaint from a federal inmate who alleged that Correctional Service Canada (CSC) contravened the Privacy Act by denying him access to personal information, specifically video and audio recordings. This was a repeat issue, as similar allegations were found to be well-founded in a previous investigation. While CSC properly exempted some recordings, it failed to respond to some requests entirely and, critically, failed to retrieve and retain requested video recordings before they were overwritten in two instances, despite previous recommendations to improve processes for short-retention period records. The complaint was found well-founded due to these failures to provide timely access.

• Timeliness of responding to access to information requests.
• Retention and destruction of personal information, particularly video recordings.
• Appropriate application of exemptions to disclosure.
• Failure to implement previous recommendations regarding record retrieval.

Several complainants alleged that the Correctional Service Canada (CSC) unlawfully collected personal information through the use of a cell-site simulator near the Warkworth Institution. While CSC confirmed collecting six text messages, it denied intercepting conversations and stated the collection was not authorized. The Office of the Privacy Commissioner of Canada (OPC) found that while the collection of metadata was consistent with the Privacy Act given security concerns, the interception and collection of text message content was not authorized and therefore contravened the Act.

• Whether the collection of cell phone metadata and text messages by CSC constituted personal information under the Privacy Act.
• Whether the collection of cell phone metadata was directly related to CSC's operating programs or activities.
• Whether the interception and collection of text message content was authorized under the Privacy Act.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding the Department of National Defence’s (DND) disclosure of deceased Canadian Forces members’ medical records to Military Police investigators for suicide investigations. The OPC found that while DND’s Directorate of Access to Information and Privacy (DAIP) generally acted appropriately in assessing the necessity of the requested information, its record-keeping practices were insufficient, failing to retain all requested disclosure forms as required by the Privacy Act. DND was recommended to improve its policies and procedures to ensure full retention of request forms, verify the statutory authority for investigations, and maintain more comprehensive disclosure records.

• Adequacy of DND's assessment of necessity for disclosing medical records under paragraph 8(2)(e) of the Privacy Act for suicide investigations.
• Sufficiency of DND's record-keeping practices concerning requests and disclosures under paragraph 8(2)(e).
• DND's interpretation of its obligations regarding lawful investigations and adherence to its own policies.
• Whether DND's disclosure of records was consistent with the Privacy Act and TBS Directive.

The Office of the Privacy Commissioner of Canada investigated a complaint against Facebook Inc. regarding a privacy breach where personal information of users and non-users was inadvertently disclosed through the 'Download Your Information' tool. The investigation found that while Facebook had safeguards in place, they were not adequate prior to the breach, leading to the unauthorized disclosure of contact information. Additionally, Facebook was not sufficiently open about its practice of matching contact information across address books. Facebook has since implemented corrective measures, including a new Privacy Framework and revised notices, resolving the issues.

• Adequacy of safeguards for personal information.
• Facebook's practice of matching contact information across address books and consent requirements.
• Openness and transparency of Facebook's policies and practices regarding contact information.
• Facebook's provision of access to and correction of personal information.

Four complainants alleged that Transport Canada's requirement for owners of unmanned aircraft to display their personal information on the device contravened the Privacy Act. They argued this obligation to publicly display contact information without consent was a violation of disclosure provisions. The Office of the Privacy Commissioner of Canada (OPC) found that while the information collected is personal, the requirement did not constitute a collection by Transport Canada itself, and therefore, the disclosure provisions of the Act did not apply. The OPC concluded the complaints were not well-founded, acknowledging the measure was an interim safety precaution but noted Transport Canada intended to revise the regulations to address privacy concerns.

• Whether the requirement to display personal information on unmanned aircraft constitutes a collection under the Privacy Act.
• Whether the disclosure of personal information on unmanned aircraft contravenes the disclosure provisions of the Privacy Act.
• The balance between aviation safety and public privacy.
• The authority of the Minister of Transport to issue interim orders for aviation safety.