Canadian Privacy Decisions

This investigation concerned a complaint alleging that Statistics Canada (StatCan) improperly disclosed confidential census data to Shared Services Canada (SSC) when transferring its IT infrastructure. The complainant also raised concerns about the adequacy of safeguards and supervision of SSC employees handling the data. The OPC found that StatCan did not disclose personal information contrary to the Privacy Act, as it was legally required to transfer its IT infrastructure to SSC. Furthermore, StatCan took reasonable measures to define its relationship with SSC and ensure privacy and security considerations were addressed.

• Whether StatCan improperly disclosed confidential census data to SSC.
• Whether StatCan took reasonable measures to safeguard the census data transferred to SSC's IT infrastructure.
• Whether StatCan adequately supervised SSC employees with access to the data.
• Whether the transfer of data was consistent with the Statistics Act and the Privacy Act.

The complainant alleged that a courier company disclosed her personal information without consent by delivering a package addressed to her to her neighbour. The investigation found that the courier company had contravened PIPEDA's consent principle by not obtaining consent directly from the complainant for its practice of delivering packages to neighbours, nor by demonstrating due diligence to ensure the shipper had obtained such consent. In response to the OPC's recommendations, the courier company committed to ending the practice of delivering to neighbours, and this commitment was confirmed.

• Was personal information disclosed without consent by delivering a package to a neighbour?
• Did the courier company exercise due diligence to ensure the shipper obtained consent for the delivery to a neighbour practice?
• Is an unlisted telephone number on a package label sensitive personal information?

The complainant alleged that Health Canada collected more personal information than necessary for adjudicating claims under its Non-Insured Health Benefits (NIHB) Program. Specifically, concerns were raised about the detailed patient information required for the approval of drug benefits. Health Canada demonstrated that the information collected through Limited Use forms for drug benefits was directly related to the administration of the NIHB Program and necessary for determining eligibility based on established clinical criteria.

• Was the personal information collected by Health Canada directly related to an operating program or activity of the institution?
• Was the information collected necessary for the adjudication of claims for limited use drug benefits under the NIHB Program?
• Did Health Canada require more personal information than necessary for the adjudication of claims?

This investigation examined a breach of WADA's Anti-Doping Administration and Management System (ADAMS) database, which resulted in the public disclosure of athletes' personal information, including health details. The OPC found that WADA's security safeguards were insufficient, contravening PIPEDA principles. While WADA committed to implementing recommendations, including enhanced security measures, the matter was resolved conditionally pending compliance.

• Sufficiency of security safeguards for sensitive personal information
• Access controls and authentication mechanisms for the ADAMS database
• Monitoring, logging, and incident response capabilities
• Policies, procedures, and training related to information security

The OPC investigated a complaint against an online marketplace that sent an email to members inviting them to sign a petition without their explicit consent. The OPC found that the marketplace retained information appropriately but failed to obtain adequate consent for sending the petition email, which was beyond the scope of their services. The OPC also found that the marketplace did not handle the complainant's privacy concerns effectively. The matter was conditionally resolved when the marketplace committed to implementing recommendations, including obtaining opt-in consent for such emails and improving complaint handling. The issue was later resolved upon evidence of implementation.

• Adequacy of consent for using personal information for advocacy emails.
• Proper handling and escalation of customer privacy complaints.
• Appropriate retention of personal information.
• Clarity of purposes stated in the privacy policy.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint following a global data breach at VTech Holdings Limited, which potentially compromised the personal information of over 316,000 Canadian children and 237,000 Canadian adults. The investigation found significant deficiencies in VTech's information security safeguards, including a lack of testing, inadequate access controls, cryptographic issues, and absence of security monitoring. Although VTech contravened PIPEDA Principle 4.7, the OPC concluded the matter was resolved because VTech implemented timely and comprehensive measures to address the breach and improve its security.

• Adequacy of information security safeguards for children's data
• Failure to test for and mitigate known vulnerabilities
• Insufficient access controls and cryptographic protection
• Lack of comprehensive security management program

A complainant objected to a retail store retaining records of her credit card transactions after she requested their deletion. The store initially cited contractual obligations to credit card companies, but later informed the OPC that the Excise Tax Act also legally required data retention. The OPC relayed this explanation to the complainant, who found it satisfactory, and the matter was resolved.

• Right to withdraw consent vs. legal and contractual retention obligations
• Adequacy of explanation provided to complainant

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that a financial institution required customers to provide their Social Insurance Number (SIN) for identity verification purposes as a condition of opening a savings account. The OPC found that while the institution collected SINs for legally required income reporting, it could not mandate its use for identity verification. The institution agreed to make the use of SIN for identity verification optional rather than a condition of service.

• Requirement of SIN for identity verification as a condition of service.
• Appropriate use of SIN by private sector organizations.
• Interpretation of FINTRAC guidelines regarding identity verification.

A traveler complained that an airline did not provide complete access to his personal information, specifically documents and correspondence related to being denied boarding. The airline relied on exemptions under PIPEDA, arguing that the information was collected to investigate a potential breach of agreement or contravention of law and was disclosed to a government institution for law enforcement purposes. The OPC found that both the collection and disclosure were reasonable under the Act's exemptions, and the airline properly followed the process when a government institution objected to disclosure of the information.

• Whether the collection of personal information without consent was justified under PIPEDA's exemptions.
• Whether the disclosure of personal information to a government institution was justified under PIPEDA's exemptions.
• Whether the airline properly handled the access request when a government institution objected to disclosure.

The complainant discovered that his financial institution had disclosed his Registered Education Savings Plan (RESP) account information dating back to 1999 to the police. The OPC found that while production orders allow disclosure of information, the financial institution disclosed documents beyond the scope of the specific production order and did not have valid consent. The institution agreed to review its procedures and provide training to staff regarding disclosures pursuant to production orders.

• Disclosure of personal information beyond the scope of a production order
• Validity of consent based on a general privacy policy for law enforcement disclosures
• Sensitivity of financial information

The complainant alleged that the respondent's property history reports included personal information without adequate consent. The Office of the Privacy Commissioner of Canada (OPC) found that insurance claims data, as described in this case, was not personal information about an individual. However, information about drug activity at a property was deemed personal information. The respondent agreed to cease including drug activity details in its reports, leading the OPC to find the complaint well-founded and resolved.

• Whether drug activity information in property reports constitutes personal information.
• Whether drug activity information is publicly available under PIPEDA Regulations.
• Whether consent was adequately obtained for the collection, use, and disclosure of personal information.

The Office of the Privacy Commissioner of Canada investigated Wajam Internet Technologies Inc. after receiving complaints about its software, which tracked online search queries and displayed ads. The investigation found that Wajam breached multiple provisions of PIPEDA, including failing to obtain meaningful consent, inadequately safeguarding personal information, and having insufficient accountability policies. Although Wajam ceased operations and sold its assets, the OPC concluded the matters examined were well-founded.

• Meaningful consent for software installation and data collection.
• Adequate safeguarding of personal information during transmission and storage.
• Effectiveness of uninstallation processes and withdrawal of consent.
• Lack of a privacy accountability framework and policies.

An individual complained to the OPC after an insurance company denied access to parts of their insurance claim file, including case management notes and a video of an incident. The company claimed the notes were confidential commercial information and the video contained third-party images. Through the early resolution process, the company allowed the individual to view the video and provided a redacted version of the case management notes. The complaint was resolved early.

• Access to personal information, including insurance claim files and videos.
• Application of PIPEDA exemptions for confidential commercial information and third-party personal information.
• Severing or redaction of information to provide access.
• Obligation to provide access to personal information.

A complainant alleged that Jet Airways did not provide complete access to her personal information following an incident where she and her companion were denied boarding. The airline cited solicitor-client privilege, litigation privilege, and formal dispute resolution processes as reasons for withholding certain documents. The OPC found the complaint well-founded regarding the airline's failure to respond within the statutory timeframe and its improper application of the formal dispute resolution exemption. However, the OPC could not make a finding on the privilege claims due to legal precedents limiting its ability to investigate privileged documents.

• Timeliness of response to access request
• Applicability of solicitor-client and litigation privilege exemptions
• Applicability of formal dispute resolution exemption
• Overbroad claims of privilege

This investigation was initiated following a complaint that the RCMP used cell site simulators, also known as "Stingray" devices or "IMSI catchers," without confirming or denying their use. The complainant was concerned these devices could intercept private communications and extract encryption keys. The investigation found that while the RCMP's cell site simulators cannot intercept private communications, there were six instances where they were used without prior judicial authorization or exigent circumstances, which constituted a contravention of the Privacy Act. The RCMP has since implemented a policy requiring prior judicial authorization for all deployments unless exigent circumstances exist.

• Use of cell site simulators (mobile device identifiers) by the RCMP
• Capability of cell site simulators to intercept private communications
• Requirement for judicial authorization for the collection of personal information using cell site simulators
• Handling and retention of data collected from third-party devices