Canadian Privacy Decisions

This investigation concerned the handling of personal information collected by the RCMP's Canadian Firearms Program and used by EKOS Research Associates Inc. to survey firearms licensees. The OPC found that the RCMP was authorized to collect the information for program administration and that its use for a client-satisfaction survey was consistent with the original purpose. The RCMP also complied with the Act in providing data to EKOS, as the contract included strong confidentiality provisions. As a result, the complaint was not well-founded.

• Lawful collection of personal information for program administration
• Use of personal information for client-satisfaction surveys
• Compliance with contractual confidentiality and security provisions
• Adequacy of privacy impact assessments

A public servant complained that Public Works and Government Services Canada (PWGSC) failed to provide her with access to her personal information, collected during an investigation under the Public Servants Disclosure Protection Act. Although the investigation completely exonerated her, she was not informed of this outcome. The Office found that while PWGSC correctly applied section 22.3 of the Privacy Act to refuse disclosure, it urged the department to inform subjects when allegations are unsubstantiated. The Commissioner also asked the Treasury Board Secretariat to develop mechanisms for departments to inform individuals of unsubstantiated allegations.

• Access to personal information collected during a whistleblower investigation
• Application of section 22.3 of the Privacy Act
• Obligation to inform individuals when allegations of wrongdoing are unsubstantiated

This investigation was initiated following media reports that a Canada Revenue Agency (CRA) employee posted personal tax information of athletes to an Internet chat group. The OPC found that a former employee did post information, and other CRA employees inappropriately accessed the athletes' tax information out of curiosity, which constituted a breach of the Privacy Act. The CRA took corrective measures, including disciplinary action against employees and modernization of its audit trail system.

• Unauthorized access to taxpayer information by CRA employees
• Disclosure of taxpayer information to an external party
• Adequacy of CRA's corrective measures and audit systems

An individual complained that the Canada Border Services Agency (CBSA) improperly collected personal information from his blog after his term position ended. The complainant posted information on the internet for public consumption. The investigation found that some CBSA employees had viewed the blog from government computers in a personal capacity, which was deemed to accord with the government's Acceptable Use Policy. The investigation found no evidence that the CBSA had collected personal information in connection with these visits.

• Whether the CBSA collected personal information from an individual's public blog.
• Whether employee access to the blog from government computers was in accordance with policy.

This investigation concerned a data spill involving 11,900 forms mailed to applicants for the Guaranteed Income Supplement. A mechanical malfunction caused some applicants to receive forms destined for other individuals, including names, addresses, and Social Insurance Numbers. Human error by the overseeing technician, who failed to use detection mechanisms and notify management, compounded the issue. The Office found the complaint well-founded and recommended that the department enhance employee awareness of their obligations to protect personal information.

• Adequacy of security safeguards for personal information
• Role of human error in compounding a mechanical defect
• Reporting obligations of employees regarding privacy breaches

A Member of Parliament complained that an employee of the Toronto Port Authority used the organization's e-mail database to invite individuals to a political fundraising event. The investigation found that an employee sent an email using personal and business addresses obtained from business cards, soliciting donations. Although recipient addresses were in the BCC field, the employee's signature block indicated they worked for the Authority, implying institutional sanction.

• Use of institutional database for personal fundraising activities
• Collection and use of personal information for non-business purposes
• Impression of institutional sanction for personal activities

The Office of the Privacy Commissioner of Canada (OPC) received 82 complaints after Human Resources and Skills Development Canada (HRSDC) inadvertently disclosed the personal information of 191 Employment Insurance (EI) claimants. The disclosed information included names, dates of birth, employee identification numbers, and Social Insurance Numbers. HRSDC took immediate steps to retrieve the data, notify affected individuals, and implement preventative measures. The OPC found 79 of the 82 complaints to be well-founded.

• Inadvertent disclosure of personal information
• Adequacy of breach response measures
• Preventing recurrence of similar breaches

Parents complained they could not access their 17-year-old daughter's online dental benefit information, even though they paid for her plan and expenses. The plan administrator's policy required consent from individuals aged 16 or older before their information could be disclosed to other plan members. The parents were satisfied with the administrator's explanation of its policy, which was based in part on Ontario's Health Care Consent Act.

• Disclosure of dependent's personal information to parents
• Requirement for consent from mature minors
• Application of PIPEDA's consent requirements

A married couple complained that a bank mortgage specialist disclosed the husband's personal financial information to his wife without his consent. The bank argued there was implied consent given the purpose of applying for a joint mortgage. The Assistant Commissioner found the bank did not make a reasonable effort to inform the couple about potential disclosures between them, meaning consent was not meaningful. While a contravention was found, the bank had since adopted reasonable practices.

• Meaningful consent for disclosure of personal information to a spouse
• Reasonable efforts to inform individuals about purposes of disclosure
• Implied consent in the context of joint mortgage applications

This investigation examined a complaint regarding the Royal Canadian Mounted Police's (RCMP) use and disclosure of personal information from the Canadian Firearms Program (CFP) database to a public opinion research firm, EKOS Research Associates Inc. The RCMP contracted EKOS to conduct a survey of firearms licensees to improve program administration and service delivery. The investigation reviewed the contract, security measures, and the survey process.

• Appropriateness of using personal information for a client-satisfaction survey.
• Compliance with contractual confidentiality and security provisions when disclosing information to a third-party contractor.
• Whether the use of information for the survey was consistent with the purpose for which it was originally collected.

The Office of the Privacy Commissioner of Canada (OPC) investigated a Privacy Act complaint after media reported on the leak of a Canadian citizen's personal information from a Department of Foreign Affairs and International Trade (DFAIT) database. The investigation found that DFAIT lacked adequate controls, such as audit trails, to prevent or track unauthorized access and disclosure of the information. DFAIT agreed to implement better guidance and explore system changes to enhance security.

• Adequacy of security measures for personal information held in departmental computer systems.
• Lack of audit trail capability to track access to personal information.
• Responsibility of government institutions to protect personal information under the Privacy Act.

A woman complained that the Canadian Human Rights Commission (CHRC) improperly collected and used her personal information by accessing her wireless Internet connection to post messages to a website during an investigation. The Office found no evidence that the CHRC accessed the complainant's connection or collected any of her personal information. Technological experts suggested the association of the complainant's IP address to the CHRC was likely a mismatch by a third party.

• Whether the CHRC improperly collected and used the complainant's personal information by accessing her Internet connection.
• Whether an IP address constitutes personal information.
• Evidence of unauthorized access to personal information.

This investigation concerned a complaint that Accusearch Inc. (Abika.com), a U.S. company, was collecting, using, and disclosing Canadians' personal information without their knowledge or consent, compiling inaccurate information, and doing so for inappropriate purposes. The OPC found that Abika contravened PIPEDA by collecting, using, and disclosing personal information without knowledge or consent and for inappropriate purposes. However, the complaint regarding inaccurate information was not well-founded due to a lack of objective evidence. The OPC recommended Abika cease these practices.

• Collection, use, and disclosure of personal information without knowledge or consent
• Compilation and disclosure of inaccurate personal information
• Collection, use, and disclosure for inappropriate purposes
• Jurisdiction over U.S. companies and transborder data flows

An individual complained that the Canadian Human Rights Commission (CHRC) improperly collected and used her personal information, alleging the CHRC accessed her wireless internet connection to post messages on a website. The investigation examined whether the CHRC contravened sections 4 to 8 of the Privacy Act. Ultimately, the OPC found no evidence that the CHRC collected or used the complainant's personal information, concluding the complaint was not well-founded.

• Whether the IP address constitutes personal information under the Privacy Act.
• Whether the CHRC collected and used the complainant's personal information during its investigations.
• Whether the CHRC improperly disclosed or retained the complainant's personal information.

This investigation concerned a complaint about the Law School Admission Council's (LSAC) requirement that students applying to write the Law School Admission Test (LSAT) in Canada have their fingerprints collected. LSAC, a US-based non-profit, argued that Canadian privacy law did not apply to its activities. The Assistant Privacy Commissioner found that despite LSAC's location, Canada had a sufficient link to LSAC's operations to bring it under the Act. The Commissioner determined that fingerprinting was not demonstrably necessary, likely ineffective, and the loss of privacy outweighed the benefits, particularly since the fingerprints were rarely used.

• Jurisdiction of the Privacy Act over a US-based organization
• Necessity and proportionality of collecting fingerprints for LSAT authentication
• Effectiveness of fingerprinting as a deterrent
• Privacy implications of collecting biometric data