Canadian Privacy Decisions

A couple complained after their personal information was fraudulently used by a marketing company posing as an employee of their anti-virus service provider. The couple suspected the service provider employee disclosed their account number to the marketing company. The OPC investigated and found the service provider had failed to adequately protect customer information. The service provider dismissed the employee responsible and implemented new safeguards, including an auditing system and a streamlined procedure for addressing privacy concerns.

• Adequacy of security safeguards
• Unauthorized access to personal information
• Complaint handling procedures
• Accountability for employee actions

An individual complained that her manager at a credit union accessed her personal bank account without consent. The manager suspected the employee was not actually sick and used her customer data to check her debit card usage outside the province. The credit union acknowledged the improper access and agreed to apologize and address the manager's conduct. The employee was satisfied, and the matter was resolved.

• Manager accessing employee's personal banking information without valid business purpose
• Use of personal information for a purpose other than that for which it was collected
• Employee's right to privacy while also being a customer of the institution

The complainant alleged that the Canada Border Services Agency (CBSA) improperly disclosed his personal information to his country of origin without consent. The CBSA disclosed a court judgment related to the complainant's criminal history to the High Commission of Canada to Ghana, which then forwarded it to Interpol for verification. The OPC found that while the disclosure was for a consistent purpose under the Privacy Act (enforcing immigration law), the CBSA's procedures for such disclosures were insufficient at the time, and the electronic transmission of information raised concerns.

• Disclosure of personal information to a foreign entity for verification purposes.
• Whether the disclosure constituted a consistent use of information under the Privacy Act.
• Adequacy of CBSA procedures for international disclosure and verification requests.
• Concerns regarding the electronic transmission of personal information.

An individual complained that an investment brokerage collected more personal information than necessary to open a self-directed investment account. The brokerage stated the information was required to comply with regulatory obligations, including "Know Your Client" rules from the Investment Industry Regulatory Organization of Canada (IIROC) and anti-money laundering (AML) requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), as well as provincial securities legislation. The OPC found that the requested information, including net worth, marital status, and spouse's occupation, was necessary for these regulatory purposes.

• Whether the brokerage collected more personal information than necessary for opening a self-directed investment account.
• Whether the collection of information was a condition of service contrary to PIPEDA.
• Whether the brokerage's collection purposes met regulatory requirements.
• The applicability of "Know Your Client" and AML rules to self-directed accounts.

The complainant alleged that Public Services and Procurement Canada (PWGSC) contravened the Privacy Act when a Director disclosed that the complainant had filed a harassment complaint against her during a management meeting. The investigation confirmed the disclosure, and found that the Director had not obtained the complainant's consent and that the attendees did not need to know the information. As a result, the complaint was found to be well-founded.

• Definition of personal information under section 3 of the Privacy Act
• Rules regarding the disclosure of personal information under section 8 of the Privacy Act
• Application of Treasury Board and departmental policies on confidentiality of harassment complaints

The Office of the Privacy Commissioner of Canada investigated Peoples Trust after a breach compromised the sensitive personal information of 12,000 customers. The investigation found that the financial institution failed to implement adequate safeguards in its online application portal and retained customer data unnecessarily on a vulnerable, unencrypted web server. These failures contravened PIPEDA's principles regarding safeguards and data retention. Following the breach, Peoples Trust took comprehensive remedial actions, including redesigning its portal, enhancing monitoring, and improving retention practices, which resolved the issues.

• Adequacy of information security safeguards for sensitive personal data.
• Unnecessary retention of personal information beyond required purposes.
• Vulnerabilities in web application portal development and maintenance.
• Effectiveness of breach response and risk mitigation measures.

A complainant was concerned that a hotel chain linked her IP address to her phone number after she received a promotional phone call. The hotel chain clarified that it does not engage in promotional calls and that the call was a fraudulent telemarketing scam by an unrelated party. The complainant suggested the hotel warn its customers about such scams, which the hotel did, leading to the matter being resolved.

• Unauthorized collection of personal information
• Misrepresentation by a third party
• Complainant's concern about IP address linkage to phone number

This investigation concerned a complaint against Health Canada (HC) regarding the mailing of 41,514 letters using windowed envelopes that revealed the name of the "Marihuana Medical Access Program" (MMAP). The Office of the Privacy Commissioner of Canada (OPC) found that HC contravened the Privacy Act by disclosing sensitive personal information without consent or legitimate purpose. Although HC cited administrative error and argued implicit consent or consistent use, the OPC determined that the sensitive nature of the program name required greater protection. HC has since implemented stricter mail-out procedures and created a new working group.

• Whether the visible program name in the return address constituted a disclosure of personal information.
• Whether implied consent was obtained from recipients.
• Whether the disclosure was a 'consistent use' of information under section 8(2)(a) of the Privacy Act.
• Whether Health Canada took reasonable steps to protect sensitive personal information.

The complainant, a former Canadian Forces member, alleged that the Department of National Defence (DND) contravened the Privacy Act by prematurely destroying an audio recording of his Progress Review Board (PRB) hearing. The OPC found that the recording contained personal information used for an administrative purpose and should have been retained for at least two years, as required by the Act, unless the complainant consented to its destruction. DND's destruction of the recording shortly after the hearing was deemed premature. The OPC recommended that DND develop a policy for retention and disposal of PRB hearing records and, in the interim, retain such recordings or transcriptions for at least two years.

• Whether the audio recording of the PRB hearing contained personal information used for an administrative purpose.
• Whether the complainant consented to the destruction of the audio recording.
• Whether DND's destruction of the audio recording violated the retention provisions of the Privacy Act.
• Whether DND provided access to accurate records following the hearing.

A tenant complained about five video surveillance cameras installed in common areas of their office building by another tenant. The complainant was particularly concerned about two cameras that monitored activity near his office door and the elevators, viewing it as an invasion of privacy. Following the OPC's involvement, the cameras of most concern were relocated inside the other tenant's offices, resolving the complainant's privacy concerns.

• Appropriateness of video surveillance in common areas
• Collection of personal information in shared spaces
• Minimum collection principle for video surveillance

This investigation concerned complaints against the CBC for disclosing details of a privacy breach at the Canada Revenue Agency (CRA), where taxpayer information was inadvertently sent to a CBC journalist. The CBC subsequently published an article containing some of this information, including names and photos of affected individuals. However, the OPC found that the Privacy Act does not apply to personal information collected, used, or disclosed by the CBC for journalistic purposes. Therefore, the complaints were deemed not well-founded as the information was excluded from the Act's application.

• Whether the CBC contravened the Privacy Act by disclosing personal information obtained from a privacy breach at the CRA.
• Whether section 69.1 of the Privacy Act, which excludes journalistic purposes from the Act's application, applied to the CBC's actions.
• Whether the CBC's use and disclosure of the personal information was for purely journalistic purposes.

The Office of the Privacy Commissioner of Canada investigated complaints following a privacy breach by the Canada Revenue Agency (CRA), where personal information of approximately 1,000 individuals was inadvertently sent to the Canadian Broadcasting Corporation (CBC). The investigation confirmed that a CRA employee switched cover letters for two different packages, resulting in a consultation package being sent to a CBC journalist instead of the intended recipient. Despite the CRA's efforts to retrieve the information and implement corrective measures, the information was not returned by the CBC, leading to a published article by the CBC.

• Unauthorized disclosure of personal information
• Adequacy of CRA's internal procedures and employee training
• Compliance with section 8 of the Privacy Act regarding disclosure

The complainant alleged that Veterans Affairs Canada (VAC) inappropriately disclosed her health and financial information to the Royal Canadian Mounted Police (RCMP). The investigation found that VAC disclosed the complainant's medical diagnosis and financial information to the RCMP's National Compensation Policy Centre via its pension award letter. This disclosure was found to contravene the Privacy Act because it was not a 'consistent use' of the information, as neither consent nor a clear need-to-know was established for the RCMP's National Compensation Policy Centre to receive this sensitive personal information. The issue was also found to be systemic, affecting numerous RCMP employees.

• Was the disclosure of the complainant's medical and financial information by VAC to the RCMP a contravention of the Privacy Act?
• Did the complainant provide informed consent for the disclosure of her personal information?
• Was the disclosure of information considered a 'consistent use' under paragraph 8(2)(a) of the Privacy Act?
• Was the disclosure of personal information systemic in nature?

The Office of the Privacy Commissioner of Canada investigated a complaint concerning the RCMP's collection of a member's medical diagnosis and financial information from Veterans Affairs Canada (VAC). The OPC found that the RCMP's National Compensation Policy Centre collected sensitive personal information that was not necessary for the administration of pension benefits or health care, contravening the Privacy Act. The investigation revealed this practice was systemic and occurred over several years, despite the transfer of responsibility for pension adjudication to VAC.

• Necessity of collecting medical and financial information by the RCMP from VAC.
• Consistency of collection with the purposes for which information was originally collected by VAC.
• Systemic nature of the inappropriate collection of sensitive personal information.
• Adequacy of information sharing agreements between federal institutions.

A complaint was filed against the Canada Border Services Agency (CBSA) alleging that its use of video surveillance to monitor employees at a border crossing contravened the Privacy Act. The complainant argued that the CBSA was using video technology to collect personal information for monitoring employee conduct and performance, beyond the initial safety and security purposes, and that signage was insufficient. While the CBSA's signage issue was resolved, the investigation focused on the collection of employee information for monitoring. The OPC found that the CBSA's updated policies and rationale for collecting personal information for integrity and quality assurance, including investigating serious misconduct, met the Act's requirements, but awaited confirmation of updated guidelines.

• Use of video surveillance for monitoring employee conduct and performance
• Necessity and proportionality of collecting personal information via video surveillance
• Sufficiency of signage informing employees of video monitoring
• Compliance with the Privacy Act's requirement that personal information collection relates directly to an operating program or activity