Canadian Privacy Decisions

The complainant alleged that the Parole Board of Canada (PBC) contravened the Privacy Act by disclosing her medical information to external parties involved in a Public Service Staffing Tribunal (PSST) hearing. The PBC acknowledged that a human resources employee inadvertently emailed documents containing the complainant's medical information, which was outside the scope of the PSST's order. The PBC apologized to the complainant, ensured the recipients disposed of the information, and reported the breach internally.

• Was the complainant's medical information disclosed without consent or lawful authority?
• Did the disclosure contravene the Privacy Act's provisions on disclosure of personal information?
• Were the corrective actions taken by the PBC satisfactory?

A complaint was made against a telecommunications company and a credit-reporting agency after a fraudulent telecommunications account led to a false debt appearing on the complainant's credit report. The telecommunications company initially refused to correct the information or prove the complainant opened the account. Following OPC's involvement, the company's fraud team investigated, confirmed the account was fraudulent, cancelled it, and updated the credit-reporting agency with accurate information.

• Accuracy and completeness of personal information
• Correction of inaccurate personal information
• Adequacy of customer authentication procedures
• Accountability for information transferred to third parties

A customer complained that a department store was displaying photographs of individuals on a bulletin board to identify suspected shoplifters. The Office of the Privacy Commissioner of Canada (OPC) advised the store that posting such photographs without consent contravened PIPEDA. The store agreed to remove the pictures and discontinue the practice, opting instead to work with the police.

• Public display of photographs of suspected shoplifters without consent
• Application of PIPEDA to photographs taken from video surveillance

An individual complained that her telecommunications provider disclosed her personal information without consent when a technical support representative remotely accessed her computer to fix an email issue. The representative inadvertently set up an automatic email forwarding to an acquaintance's address, causing personal emails, including a temporary password, to be sent to the wrong recipient. While the provider implemented corrective measures, the OPC noted the provider initially misrepresented steps taken to address the issue.

• Disclosure of personal information without consent
• Accuracy of representations made to the OPC
• Adequacy of internal procedures and training

A couple complained after their personal information was fraudulently used by a marketing company posing as an employee of their anti-virus service provider. The couple suspected the service provider employee disclosed their account number to the marketing company. The OPC investigated and found the service provider had failed to adequately protect customer information. The service provider dismissed the employee responsible and implemented new safeguards, including an auditing system and a streamlined procedure for addressing privacy concerns.

• Adequacy of security safeguards
• Unauthorized access to personal information
• Complaint handling procedures
• Accountability for employee actions

An individual complained that her manager at a credit union accessed her personal bank account without consent. The manager suspected the employee was not actually sick and used her customer data to check her debit card usage outside the province. The credit union acknowledged the improper access and agreed to apologize and address the manager's conduct. The employee was satisfied, and the matter was resolved.

• Manager accessing employee's personal banking information without valid business purpose
• Use of personal information for a purpose other than that for which it was collected
• Employee's right to privacy while also being a customer of the institution

The requester sought access to the Firearms Registry database from the RCMP on March 27, 2012. The RCMP provided an incomplete response, which the requester argued was not justified and that the destruction of records obstructed their access rights. The OIC investigated the complaint.

• Incompleteness of the provided information
• Lack of justification for incomplete response
• Destruction of records obstructing right of access under section 67.1 of the ATIA

The complainant alleged that the Canada Border Services Agency (CBSA) improperly disclosed his personal information to his country of origin without consent. The CBSA disclosed a court judgment related to the complainant's criminal history to the High Commission of Canada to Ghana, which then forwarded it to Interpol for verification. The OPC found that while the disclosure was for a consistent purpose under the Privacy Act (enforcing immigration law), the CBSA's procedures for such disclosures were insufficient at the time, and the electronic transmission of information raised concerns.

• Disclosure of personal information to a foreign entity for verification purposes.
• Whether the disclosure constituted a consistent use of information under the Privacy Act.
• Adequacy of CBSA procedures for international disclosure and verification requests.
• Concerns regarding the electronic transmission of personal information.

An individual complained that an investment brokerage collected more personal information than necessary to open a self-directed investment account. The brokerage stated the information was required to comply with regulatory obligations, including "Know Your Client" rules from the Investment Industry Regulatory Organization of Canada (IIROC) and anti-money laundering (AML) requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), as well as provincial securities legislation. The OPC found that the requested information, including net worth, marital status, and spouse's occupation, was necessary for these regulatory purposes.

• Whether the brokerage collected more personal information than necessary for opening a self-directed investment account.
• Whether the collection of information was a condition of service contrary to PIPEDA.
• Whether the brokerage's collection purposes met regulatory requirements.
• The applicability of "Know Your Client" and AML rules to self-directed accounts.

The complainant alleged that Public Services and Procurement Canada (PWGSC) contravened the Privacy Act when a Director disclosed that the complainant had filed a harassment complaint against her during a management meeting. The investigation confirmed the disclosure, and found that the Director had not obtained the complainant's consent and that the attendees did not need to know the information. As a result, the complaint was found to be well-founded.

• Definition of personal information under section 3 of the Privacy Act
• Rules regarding the disclosure of personal information under section 8 of the Privacy Act
• Application of Treasury Board and departmental policies on confidentiality of harassment complaints

The Office of the Privacy Commissioner of Canada investigated Peoples Trust after a breach compromised the sensitive personal information of 12,000 customers. The investigation found that the financial institution failed to implement adequate safeguards in its online application portal and retained customer data unnecessarily on a vulnerable, unencrypted web server. These failures contravened PIPEDA's principles regarding safeguards and data retention. Following the breach, Peoples Trust took comprehensive remedial actions, including redesigning its portal, enhancing monitoring, and improving retention practices, which resolved the issues.

• Adequacy of information security safeguards for sensitive personal data.
• Unnecessary retention of personal information beyond required purposes.
• Vulnerabilities in web application portal development and maintenance.
• Effectiveness of breach response and risk mitigation measures.

A complainant was concerned that a hotel chain linked her IP address to her phone number after she received a promotional phone call. The hotel chain clarified that it does not engage in promotional calls and that the call was a fraudulent telemarketing scam by an unrelated party. The complainant suggested the hotel warn its customers about such scams, which the hotel did, leading to the matter being resolved.

• Unauthorized collection of personal information
• Misrepresentation by a third party
• Complainant's concern about IP address linkage to phone number

This investigation concerned a complaint against Health Canada (HC) regarding the mailing of 41,514 letters using windowed envelopes that revealed the name of the "Marihuana Medical Access Program" (MMAP). The Office of the Privacy Commissioner of Canada (OPC) found that HC contravened the Privacy Act by disclosing sensitive personal information without consent or legitimate purpose. Although HC cited administrative error and argued implicit consent or consistent use, the OPC determined that the sensitive nature of the program name required greater protection. HC has since implemented stricter mail-out procedures and created a new working group.

• Whether the visible program name in the return address constituted a disclosure of personal information.
• Whether implied consent was obtained from recipients.
• Whether the disclosure was a 'consistent use' of information under section 8(2)(a) of the Privacy Act.
• Whether Health Canada took reasonable steps to protect sensitive personal information.

The complainant, a former Canadian Forces member, alleged that the Department of National Defence (DND) contravened the Privacy Act by prematurely destroying an audio recording of his Progress Review Board (PRB) hearing. The OPC found that the recording contained personal information used for an administrative purpose and should have been retained for at least two years, as required by the Act, unless the complainant consented to its destruction. DND's destruction of the recording shortly after the hearing was deemed premature. The OPC recommended that DND develop a policy for retention and disposal of PRB hearing records and, in the interim, retain such recordings or transcriptions for at least two years.

• Whether the audio recording of the PRB hearing contained personal information used for an administrative purpose.
• Whether the complainant consented to the destruction of the audio recording.
• Whether DND's destruction of the audio recording violated the retention provisions of the Privacy Act.
• Whether DND provided access to accurate records following the hearing.

A tenant complained about five video surveillance cameras installed in common areas of their office building by another tenant. The complainant was particularly concerned about two cameras that monitored activity near his office door and the elevators, viewing it as an invasion of privacy. Following the OPC's involvement, the cameras of most concern were relocated inside the other tenant's offices, resolving the complainant's privacy concerns.

• Appropriateness of video surveillance in common areas
• Collection of personal information in shared spaces
• Minimum collection principle for video surveillance