Canadian Privacy Decisions

The complainant alleged that the Immigration and Refugee Board of Canada (IRB) failed to conduct a reasonable search for records containing all final decisions made between January 2018 and June 2020. The IRB's ATIP office mistakenly narrowed the request to only written decisions, excluding responsive audio recordings without the complainant's consent. The Information Commissioner found the complaint well-founded and ordered the IRB to process all responsive audio recordings.

• Reasonableness of search
• Definition of 'record' under ATIA
• Scope of access request
• Assistance to requesters

The complainant alleged that the Public Health Agency of Canada (PHAC) unreasonably extended the time to respond to an access request for correspondence sent and received by its president during a specific week. PHAC cited a large volume of records (estimated at 30,000 pages) and the need for consultations as justification for the extensive extension. The Information Commissioner found that PHAC provided sufficient justification for the time extension under paragraphs 9(1)(a) and 9(1)(b) of the Access to Information Act, making the complaint not well-founded.

• Reasonableness of time extension due to volume of records (ATIA s. 9(1)(a))
• Reasonableness of time extension due to consultations (ATIA s. 9(1)(b))
• Impact of request scope on institution's operations
• Complainant's willingness to narrow the scope of the request

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) improperly withheld Total Repayment figures related to the Technology Partnerships Canada (TPC) program, citing exemptions concerning financial impact on third parties (s. 20(1)(c)) and other provisions. The scope was narrowed to 21 third parties. The Information Commissioner found that neither ISED nor the third parties provided sufficient evidence to meet the requirements for these exemptions. Consequently, the Commissioner ordered ISED to disclose all the withheld information.

• Whether the Total Repayments figures meet the criteria for exemption under paragraph 20(1)(b) (confidential third-party information).
• Whether the Total Repayments figures meet the criteria for exemption under paragraph 20(1)(c) (financial impact on a third party).
• Whether the Total Repayments figures meet the criteria for exemption under paragraph 20(1)(d) (interference with third-party negotiations).
• The burden of proof on the institution and third parties to demonstrate that exemptions apply.

An institution applied to the Information Commissioner for permission to ignore two access requests, claiming they were vexatious and an abuse of the access to information process. The institution also argued it had fulfilled its duty to assist the requester. The Commissioner found the institution failed in its duty to assist and did not prove the requests were vexatious or an abuse of the process. Consequently, the Commissioner denied the institution's applications, requiring it to process the requests.

• Whether the access requests were vexatious
• Whether the access requests constituted an abuse of the right to access information
• Whether the institution fulfilled its duty to assist the requester

A joint investigation by the OPC and three provincial privacy authorities found that Tim Hortons collected granular location data from users of its mobile app without an appropriate purpose and without valid consent. The company tracked users' locations even when the app was closed, inferring details like home and work locations, ostensibly for targeted advertising, but ultimately did not use the data for this stated purpose. The investigation also raised concerns about contractual protections with a third-party vendor and Tim Hortons' overall accountability.

• Collection and use of granular location data for an appropriate purpose
• Obtaining valid consent for location data collection
• Adequacy of contractual protections for data processed by third parties
• Tim Hortons' accountability for privacy practices

This investigation examined a privacy breach experienced by a contractor for the Canada Border Services Agency (CBSA), which was targeted by a ransomware attack. Personal information, specifically licence plate images captured at Canadian border crossings, was accessed and some was posted online. The OPC found that the CBSA had contravened the Privacy Act due to inadequate security safeguards in its contract with the contractor and its inconsistent handling of licence plate data as personal information. The investigation concluded the complaint was well-founded but resolved, as the CBSA agreed to implement recommendations to improve its contracting and data protection practices.

• Whether licence plate image files, including metadata, constitute personal information under the Privacy Act.
• Whether the CBSA contravened the disclosure provisions of the Privacy Act.
• Whether the CBSA had adequate security safeguards in its contract with a third-party contractor.
• Whether the CBSA adequately managed the retention of personal information.