Canadian Privacy Decisions

The requester filed a complaint after the Royal Canadian Mounted Police (RCMP) failed to respond to an access to information request for over two years. The RCMP provided insufficient information during the investigation regarding the records or the processing of the request. As a result, the Information Commissioner found the complaint to be well-founded and ordered the RCMP to respond to the request within 10 business days.

• Failure to respond to an access to information request within the prescribed time limits.
• Adequacy of information provided by the institution during the investigation.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Employment and Social Development Canada (ESDC) improperly used video surveillance footage to monitor an employee's departure times. The OPC found that ESDC's use of the footage for this purpose was not consistent with the stated security collection purpose and that employees were not adequately informed about the camera usage. ESDC agreed to implement a clear policy on video surveillance use and inform individuals about collection purposes.

• Use of personal information collected via video surveillance for purposes other than security.
• Failure to inform employees about the collection and purpose of video surveillance.
• Whether the use of video surveillance was an exceptional measure for a pressing problem.
• Adherence to the institution's Personal Information Bank (PIB) for consistent uses.

A former member of the Canadian Armed Forces complained that the Department of National Defence (DND) wrongfully compelled him to publicly disclose medical information during a military summary trial. The Office of the Privacy Commissioner of Canada (OPC) found the complaint was not well-founded. The OPC determined that the disclosure was made as testimony during a public military trial, consistent with the open courts principle and the National Defence Act. Since confidentiality was not requested, the disclosure was permitted under subsections 8(2)(a) and 8(2)(b) of the Privacy Act.

• Applicability of the Privacy Act to military summary trials
• Whether public disclosure of medical information during a summary trial contravened the Privacy Act
• The principle of open courts in military justice proceedings
• The concept of publicly available information under section 69 of the Privacy Act

A requester alleged that the Royal Canadian Mounted Police (RCMP) failed to respond to an access to information request within the statutory time limit. The RCMP was deemed to have refused access as they did not respond by the due date. Although the RCMP cited high volume and resource pressures, the Commissioner found these reasons did not justify the delay, especially given the moderate volume of records. The complaint was found to be well-founded. An initial report with an intended order was issued, but the RCMP subsequently responded to the request, rendering the order moot.

• Failure to respond within statutory time limits
• Adequacy of reasons for delay
• Assessment of record volume and complexity

An institution applied to the Information Commissioner for approval to decline to act on an access request, claiming it was vexatious and an abuse of the right to access records. The institution noted the requester had submitted 893 requests over 17 years, many similar to the current one. The Commissioner found that 11 of the requests were duplicative and that the requester had not provided justification for resubmitting them. The Commissioner concluded that the volume and repetitive nature of the requests, combined with the requester's history of complaints, amounted to an abuse of the right of access.

• Whether the access request was vexatious
• Whether the access request constituted an abuse of the right to access records
• Whether the institution met the threshold for declining to act on the request

The Office of the Privacy Commissioner of Canada investigated two complaints concerning the disclosure of a military officer's personal health information. The Department of National Defence (DND) disclosed the information to the Department of Justice (DOJ) to defend against litigation initiated by the complainant against the government. The OPC found that both the disclosure by DND and the collection by DOJ were permissible under paragraph 8(2)(d) of the Privacy Act, as the information was disclosed to the Attorney General for use in legal proceedings involving the Crown. The OPC concluded that the Privacy Act does not distinguish between types of personal information and that the disclosure was necessary for legal defence, upholding the legal interpretation confirmed by the Federal Court.

• Permissibility of disclosing personal health information for litigation purposes under paragraph 8(2)(d) of the Privacy Act.
• Whether the collection of personal medical information by the Department of Justice was a contravention of the Privacy Act.
• Whether the disclosure of personal medical information by the Department of National Defence was a contravention of the Privacy Act.
• The scope and interpretation of paragraph 8(2)(d) of the Privacy Act regarding disclosures to the Attorney General for legal proceedings.

The complainant alleged that Trans Union disclosed his credit file information to Statistics Canada without consent, and that this information was subsequently used to initiate debt collection efforts against him. The Office of the Privacy Commissioner of Canada (OPC) found that Trans Union was authorized to disclose the information under PIPEDA, as Statistics Canada had requested it under the authority of the Statistics Act. The OPC also found no evidence that Statistics Canada disclosed the complainant's information to other institutions for debt collection purposes.

• Whether Trans Union disclosed personal information without consent contrary to PIPEDA.
• Whether Statistics Canada used disclosed information for debt collection.
• Whether the disclosure was authorized by law under PIPEDA.
• Whether Statistics Canada contravened the Privacy Act in its data collection.

This investigation examined complaints concerning Statistics Canada's collection of personal financial and credit information from a credit bureau and financial institutions for two projects. The OPC found Statistics Canada had the legal authority for the Credit Information Project, deeming that aspect not well-founded. However, the OPC had serious concerns that the Financial Transactions Project, as originally designed, would have exceeded Statistics Canada's legal authority. As this project was halted before any data was collected, no finding was made. Despite finding no contravention of the Privacy Act, the OPC identified significant privacy concerns regarding necessity, proportionality, and transparency in both projects as originally designed, and made recommendations for improvement.

• Legal authority for collecting personal information under the Statistics Act and Privacy Act
• Necessity and proportionality of collecting sensitive personal information
• Adequacy of transparency regarding data collection
• Safeguards for handling collected personal information

This joint investigation by the Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia found that AggregateIQ Data Services Ltd. (AIQ) contravened Canadian privacy laws (PIPEDA and PIPA) in its handling of personal information for political campaigns. AIQ failed to ensure adequate consent for the collection, use, and disclosure of personal information, particularly when sharing data with platforms like Facebook for targeted advertising and analytics. Additionally, AIQ's inadequate security measures led to a data breach involving the personal information of millions of individuals.

• AIQ's collection, use, and disclosure of personal information for political campaigns.
• AIQ's compliance with consent requirements for personal information.
• AIQ's implementation of reasonable security measures to protect personal information.
• Cross-jurisdictional data handling and privacy obligations.

This report details the OPC's investigation into six complaints concerning the Canada Border Services Agency's (CBSA) search of travellers' digital devices at the border. The OPC found that the CBSA contravened the Privacy Act by failing to adhere to its own policies and legal authorities regarding these searches, particularly concerning the scope of data accessed and the lack of proper documentation. The CBSA accepted most operational recommendations for improvement but disagreed with recommendations for legislative reform.

• CBSA's authority to examine digital devices at the border under the Customs Act
• Compliance with CBSA's internal policy on digital device examinations
• Collection and retention of personal information from digital devices
• Adequacy of training and oversight for CBSA officers

This investigation examined Loblaw's practices in its gift card program, which was established to compensate customers affected by a bread price-fixing scandal. The complainant argued Loblaw collected more personal information than necessary and was concerned about data transfers to the United States. The OPC found that while Loblaw initially collected more information than needed by requesting full identification documents, they subsequently clarified their requirements, resolving this issue. The OPC also found Loblaw's measures to protect personal information transferred to a third-party administrator in the US were sufficient and that Loblaw was transparent about cross-border data transfers.

• Collection of personal information beyond what is necessary for the stated purpose.
• Adequacy of safeguards for personal information transferred to a third-party processor in the United States.
• Sufficiency of transparency regarding cross-border data transfers.
• Requirement for additional consent for cross-border data transfers.

An institution applied to the Information Commissioner for approval to decline to act on an access request, alleging it was vexatious, an abuse of the right to request records, and made in bad faith. The requester was a former employee who had filed multiple previous access requests. The Commissioner found the institution failed to prove the request was vexatious, an abuse of the right of access, or made in bad faith, and also failed to demonstrate it fulfilled its duty to assist the requester. The Commissioner denied the institution's application.

• Whether the access request was vexatious.
• Whether the access request constituted an abuse of the right to access records.
• Whether the access request was made in bad faith.
• Whether the institution fulfilled its duty to assist the requester.

An institution applied to the Information Commissioner for approval to decline processing an access request from a former employee. The institution argued the request was vexatious, an abuse of the right to access, and made in bad faith due to the requester's previous dismissal and numerous prior requests. The Commissioner found the institution failed to provide sufficient evidence for any of these claims.

• Whether the request was vexatious
• Whether the request constituted an abuse of the right of access
• Whether the request was made in bad faith
• Whether the institution fulfilled its duty to assist

Three complainants alleged that Correctional Service Canada (CSC) was using video footage collected for security purposes to monitor employee performance. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that CSC used the footage to identify systemic deficiencies in patrols following an inmate's death, aiming to improve security and prevent future deaths. The OPC determined this use was consistent with the original purpose of collection (security) and therefore not a contravention of the Privacy Act.

• Was CSC using video footage to monitor employee performance?
• Was the use of video footage for identifying and addressing security deficiencies consistent with the original purpose of collection?
• Did the use of video footage contravene the Privacy Act's use provisions?

This joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) examined Facebook's compliance with privacy laws concerning the disclosure of user data to third-party apps, specifically the "thisisyourdigitallife" (TYDL) app. The investigation found that Facebook failed to obtain valid and meaningful consent from users whose information was disclosed, had inadequate safeguards to protect user data, and lacked accountability for the information under its control. These failures are particularly concerning given similar findings by the OPC in a 2009 investigation, indicating a lack of substantive improvement in Facebook's privacy practices.

• Meaningful consent from installing users
• Meaningful consent from affected users (friends of installing users)
• Adequacy of safeguards to protect user data from third-party apps
• Facebook's accountability for user data