Canadian Privacy Decisions

This investigation concerned MGM Resorts International's handling of a 2019 data breach that affected millions of guests, including nearly two million Canadians. The OPC initiated a complaint after media reports indicated a breach and MGM had not reported it. The investigation found that MGM failed to promptly assess the risk of significant harm (RROSH) posed by the breach and did not report it to the OPC or notify affected Canadians as soon as feasible. MGM has committed to updating its privacy breach response framework to ensure timely RROSH assessments and reporting.

• Whether the personal information involved in the breach posed a real risk of significant harm (RROSH) to affected Canadians.
• Whether MGM adequately assessed the RROSH.
• Whether MGM reported the breach to the OPC and notified affected Canadians as soon as feasible.
• Whether MGM's delay in assessing the breach and notifying Canadians contravened PIPEDA's mandatory breach reporting obligations.

The Department of National Defence (DND) disclosed the identity of a workplace violence (WPV) complainant and the investigation report to a second investigator, who was conducting a separate administrative investigation into the complainant's conduct. The OPC found that while disclosing the report to labour relations was a consistent use, disclosing it to the second investigator was not, as it was not a reasonably expected use of the information given the confidentiality assurances provided to the complainant. This disclosure was therefore found to be a contravention of the Privacy Act.

• Was the disclosure of the WPV complainant's identity and report to a second investigator a 'consistent use' under paragraph 8(2)(a) of the Privacy Act?
• Did DND's consent form clearly communicate potential uses and disclosures of the complainant's identity?
• Did the disclosure align with the reasonable expectations of the complainant regarding confidentiality?
• What corrective actions are necessary to ensure future compliance with privacy principles in WPV investigations?

The complainant alleged that Shared Services Canada (SSC) wrongfully refused to process an access request for records related to informal official language complaints. SSC argued that the request, even after narrowing its scope, did not meet the requirements of section 6 of the Access to Information Act because it would require tasking too many employees and would impose an unreasonable administrative burden. The Information Commissioner disagreed, finding the request sufficiently detailed and ordering SSC to process it.

• Whether the access request provided sufficient detail to enable an experienced employee to identify records with reasonable effort.
• Whether administrative burden on an institution is a valid reason to refuse processing a request.
• Whether the scope of the request necessitated tasking all employees of the department.
• Whether section 6.1 of the Act was the appropriate process to address claims of vexatious requests.

Biron Health Group sent promotional emails to travellers who had undergone COVID-19 testing upon arrival in Canada, using their email addresses collected for testing purposes. The complainant alleged this violated PIPEDA. Biron argued they assumed implicit consent due to a business relationship, but the OPC found this assumption unreasonable given the mandatory nature of the testing. Biron has since ceased the practice, deleted affected email addresses, and the complaint was settled.

• Use of personal information for secondary marketing purposes without consent
• Reasonableness of assuming implicit consent in a mandatory service context
• Nature of consent required for collecting and using health-related information

The complainant alleged that Public Services and Procurement Canada (PSPC) failed to provide records regarding a specific contract. PSPC stated they could not identify relevant records, claiming they were not in their possession. The Information Commissioner found that while the records (a subcontract and related documents) were not in PSPC's physical possession, they were under PSPC's control for the purposes of the Access to Information Act. Therefore, PSPC should have retrieved and processed these records.

• Whether records held by a third-party contractor are under the control of a federal institution.
• Whether the institution conducted a reasonable search for the requested records.
• The interpretation of the 'under the control' clause in the Access to Information Act.

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) improperly withheld job creation estimates under paragraph 20(1)(c) of the Access to Information Act. The scope was narrowed to 11 third parties. Only one third party, Toyota, provided representations to support the exemption. The Information Commissioner found that neither ISED nor Toyota sufficiently demonstrated that disclosure would cause material financial harm or prejudice competitive position. The Commissioner recommended disclosure of all information, but ISED stated it would continue to withhold certain information related to Toyota.

• Application of paragraph 20(1)(c) (financial impact on a third party)
• Sufficiency of representations from third parties
• Reasonable expectation of harm
• Necessity of an explanatory note

The Information Commissioner initiated a systemic investigation into Library and Archives Canada (LAC) due to consistently delayed responses to access requests over several years. The investigation found that nearly 80% of requests completed by LAC during the period under review did not meet the timeframes stipulated by the Access to Information Act. The Commissioner made ten recommendations to the Minister of Canadian Heritage, and subsequently tabled a special report in Parliament highlighting issues at LAC and broader challenges within the access to information system.

• Timeliness of access to information requests
• Consultation processes between institutions
• Lack of a government-wide declassification framework

The complainant alleged that the Vancouver Fraser Port Authority (VFPA) improperly withheld records related to $103 million in funding from the National Trade Corridors Fund. The VFPA cited exemptions related to government interests, negotiations, and confidential third-party information. The Information Commissioner found that the VFPA failed to demonstrate that all withheld information met the requirements for exemptions under paragraphs 18(b) and 18(d). Furthermore, the VFPA and the third party, Canadian National Railway, did not demonstrate that the exemptions under paragraphs 20(1)(b) and 20(1)(d) were met. The Commissioner ordered the disclosure of all information withheld under paragraphs 20(1)(b) and 20(1)(d), and specific information withheld under paragraphs 18(b) and 18(d). The VFPA agreed to implement the order.

• Whether the Vancouver Fraser Port Authority properly applied exemptions under paragraphs 18(b), 18(d), 20(1)(b), and 20(1)(d) of the Access to Information Act.
• Whether the Vancouver Fraser Port Authority discharged its burden to demonstrate that the withheld information met the requirements of the cited exemptions.
• Whether the third party, Canadian National Railway, met the requirements for the application of exemptions under paragraphs 20(1)(b) and 20(1)(d).
• Whether the Vancouver Fraser Port Authority reasonably exercised its discretion in withholding information.

The complainant alleged that the Department of Justice Canada (Justice) took an unreasonable 2,280 days to respond to an access request. Justice claimed an extension under paragraphs 9(1)(a) and 9(1)(b) of the Access to Information Act due to the large volume and complexity of records and the need for consultations. The Information Commissioner found that while the volume of records and the need for consultations were valid reasons for an extension, Justice failed to sufficiently justify the length of the extension claimed under paragraph 9(1)(a). Therefore, the complaint was found to be well-founded, and the Commissioner ordered Justice to provide a final response forthwith.

• Reasonableness of time extension claimed due to volume of records (s. 9(1)(a) ATIA)
• Reasonableness of time extension claimed for consultations (s. 9(1)(b) ATIA)
• Justification for the duration of specific processing steps
• Failure to demonstrate the reasonableness of the claimed extension period

The Information Commissioner initiated a systemic investigation into Library and Archives Canada's (LAC) delayed responses to access requests. The investigation found that nearly 80% of requests completed by LAC during the period under review did not meet legislative deadlines. The Commissioner made ten recommendations to the Minister of Canadian Heritage to address the systemic issues causing these delays, which include problems with inter-institutional consultations, lack of a declassification framework, insufficient infrastructure for processing classified records, and inadequate ATIP resources.

• LAC's failure to respond to access requests within legislative timeframes.
• Excessive delays caused by inter-institutional consultations.
• Lack of infrastructure and processes for handling classified records.
• Insufficient resources and funding for LAC's Access to Information and Privacy (ATIP) office.

The complainant alleged that Parks Canada improperly withheld portions of a draft feasibility study. Parks Canada initially cited exemptions related to personal information, financial impact on third parties, and negotiations by a third party. During the investigation, Parks Canada shifted its reliance to the exemption for confidential third-party financial, commercial, scientific, or technical information. The Information Commissioner found that neither Parks Canada nor the third party (Liricon Capital Ltd.) demonstrated that the withheld information met the requirements of the exemption. Therefore, the Commissioner ordered Parks Canada to disclose specific portions of the study.

• Whether information in a draft feasibility study was properly withheld under exemptions related to personal information, financial impact, negotiations, or confidential third-party information.
• Whether the institution and third party met the burden of proof to justify withholding information under paragraph 20(1)(b) of the Access to Information Act.
• Whether certain withheld information was already publicly available or disclosed elsewhere in the record, thus failing the confidentiality requirement of paragraph 20(1)(b).