Canadian privacy & access decisions

A joint investigation by the OPC and three provincial privacy authorities found that Tim Hortons collected granular location data from users of its mobile app without an appropriate purpose and without valid consent. The company tracked users' locations even when the app was closed, inferring details like home and work locations, ostensibly for targeted advertising, but ultimately did not use the data for this stated purpose. The investigation also raised concerns about contractual protections with a third-party vendor and Tim Hortons' overall accountability.

• Collection and use of granular location data for an appropriate purpose
• Obtaining valid consent for location data collection
• Adequacy of contractual protections for data processed by third parties
• Tim Hortons' accountability for privacy practices

This investigation examined a privacy breach experienced by a contractor for the Canada Border Services Agency (CBSA), which was targeted by a ransomware attack. Personal information, specifically licence plate images captured at Canadian border crossings, was accessed and some was posted online. The OPC found that the CBSA had contravened the Privacy Act due to inadequate security safeguards in its contract with the contractor and its inconsistent handling of licence plate data as personal information. The investigation concluded the complaint was well-founded but resolved, as the CBSA agreed to implement recommendations to improve its contracting and data protection practices.

• Whether licence plate image files, including metadata, constitute personal information under the Privacy Act.
• Whether the CBSA contravened the disclosure provisions of the Privacy Act.
• Whether the CBSA had adequate security safeguards in its contract with a third-party contractor.
• Whether the CBSA adequately managed the retention of personal information.

This investigation concerned MGM Resorts International's handling of a 2019 data breach that affected millions of guests, including nearly two million Canadians. The OPC initiated a complaint after media reports indicated a breach and MGM had not reported it. The investigation found that MGM failed to promptly assess the risk of significant harm (RROSH) posed by the breach and did not report it to the OPC or notify affected Canadians as soon as feasible. MGM has committed to updating its privacy breach response framework to ensure timely RROSH assessments and reporting.

• Whether the personal information involved in the breach posed a real risk of significant harm (RROSH) to affected Canadians.
• Whether MGM adequately assessed the RROSH.
• Whether MGM reported the breach to the OPC and notified affected Canadians as soon as feasible.
• Whether MGM's delay in assessing the breach and notifying Canadians contravened PIPEDA's mandatory breach reporting obligations.

The Department of National Defence (DND) disclosed the identity of a workplace violence (WPV) complainant and the investigation report to a second investigator, who was conducting a separate administrative investigation into the complainant's conduct. The OPC found that while disclosing the report to labour relations was a consistent use, disclosing it to the second investigator was not, as it was not a reasonably expected use of the information given the confidentiality assurances provided to the complainant. This disclosure was therefore found to be a contravention of the Privacy Act.

• Was the disclosure of the WPV complainant's identity and report to a second investigator a 'consistent use' under paragraph 8(2)(a) of the Privacy Act?
• Did DND's consent form clearly communicate potential uses and disclosures of the complainant's identity?
• Did the disclosure align with the reasonable expectations of the complainant regarding confidentiality?
• What corrective actions are necessary to ensure future compliance with privacy principles in WPV investigations?

The complainant alleged that Shared Services Canada (SSC) wrongfully refused to process an access request for records related to informal official language complaints. SSC argued that the request, even after narrowing its scope, did not meet the requirements of section 6 of the Access to Information Act because it would require tasking too many employees and would impose an unreasonable administrative burden. The Information Commissioner disagreed, finding the request sufficiently detailed and ordering SSC to process it.

• Whether the access request provided sufficient detail to enable an experienced employee to identify records with reasonable effort.
• Whether administrative burden on an institution is a valid reason to refuse processing a request.
• Whether the scope of the request necessitated tasking all employees of the department.
• Whether section 6.1 of the Act was the appropriate process to address claims of vexatious requests.

Biron Health Group sent promotional emails to travellers who had undergone COVID-19 testing upon arrival in Canada, using their email addresses collected for testing purposes. The complainant alleged this violated PIPEDA. Biron argued they assumed implicit consent due to a business relationship, but the OPC found this assumption unreasonable given the mandatory nature of the testing. Biron has since ceased the practice, deleted affected email addresses, and the complaint was settled.

• Use of personal information for secondary marketing purposes without consent
• Reasonableness of assuming implicit consent in a mandatory service context
• Nature of consent required for collecting and using health-related information

The complainant alleged that Public Services and Procurement Canada (PSPC) failed to provide records regarding a specific contract. PSPC stated they could not identify relevant records, claiming they were not in their possession. The Information Commissioner found that while the records (a subcontract and related documents) were not in PSPC's physical possession, they were under PSPC's control for the purposes of the Access to Information Act. Therefore, PSPC should have retrieved and processed these records.

• Whether records held by a third-party contractor are under the control of a federal institution.
• Whether the institution conducted a reasonable search for the requested records.
• The interpretation of the 'under the control' clause in the Access to Information Act.

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) improperly withheld job creation estimates under paragraph 20(1)(c) of the Access to Information Act. The scope was narrowed to 11 third parties. Only one third party, Toyota, provided representations to support the exemption. The Information Commissioner found that neither ISED nor Toyota sufficiently demonstrated that disclosure would cause material financial harm or prejudice competitive position. The Commissioner recommended disclosure of all information, but ISED stated it would continue to withhold certain information related to Toyota.

• Application of paragraph 20(1)(c) (financial impact on a third party)
• Sufficiency of representations from third parties
• Reasonable expectation of harm
• Necessity of an explanatory note