Canadian Privacy Decisions

An individual complained that a sports facilities company disclosed his personal information regarding an outstanding debt to a related sports association on two occasions without his consent. The company argued that PIPEDA did not apply because it answered a direct question and there was an expectation of privacy. The OPC found that disclosing debt information is sensitive and requires consent unless a specific exemption applies. As the disclosures were not for the purpose of collecting the debt, the exemption in subsection 7(3)(b) of PIPEDA did not apply, making the complaint well-founded.

• Was the disclosure of an outstanding debt considered personal information?
• Did the disclosure of debt information fall under the exemption for debt collection purposes?
• Does an 'expectation of privacy' or answering a direct question exempt an organization from obtaining consent for disclosure?
• Did the company obtain the individual's knowledge and consent for the disclosure of his debt information?

The Office of the Privacy Commissioner (OPC) investigated two complaints against the Parole Board of Canada (PBC) concerning access to record suspension information. The OPC found that the PBC improperly refused to process access requests submitted by a third-party screening company and also improperly required requesters to provide excessive identification information. The OPC concluded that the PBC's reliance on paragraph 22(1)(b) of the Privacy Act was not justified in most cases, and its identification requirements went beyond what was necessary.

• Can a requester ask to confirm that no personal information exists?
• Is paragraph 22(1)(b) of the Privacy Act properly applied to refuse access requests for record suspension information?
• Are the PBC's identification requirements for processing requests excessive?

A condominium owner complained that a developer failed to provide access to his personal information at minimal or no cost. The owner was initially told that thousands of pages of documents would cost over $200, or he could view them for free at the developer’s lawyer's office. The OPC's early resolution unit helped negotiate a compromise where the owner narrowed his request, and the developer agreed to provide free copies of the specific documents he sought. The owner was ultimately satisfied with this resolution.

• Whether the proposed fees for access to personal information complied with the "minimal or no cost" requirement.
• Whether the offer to view documents for free, but not receive copies, met the organization's access obligations.
• The reasonable accommodation of an individual with a disability in fulfilling an access request.

An individual complained that an online service company was not addressing an issue where another client's personal information was appearing on his account. The company, after intervention from the OPC, investigated and found the problem was a technical glitch involving another organization's software interface. The glitch was corrected, and the company updated its internal policies and established contractual agreements with the other organization to prevent future breaches.

• Adequate training of front-line staff on privacy policies and procedures.
• Need for contractual agreements to mitigate data breaches when integrating online services.
• Effectiveness of escalation processes for client privacy concerns.
• Resolution of technical glitches leading to inadvertent disclosure of personal information.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a psychiatrist's handling of a patient's personal information. The patient had requested access to his information following a medical assessment conducted as part of a civil lawsuit defence. However, the OPC determined that the psychiatrist's activities were not commercial in nature but were for the purpose of defending a lawsuit. As PIPEDA only applies to commercial activities, the OPC concluded it lacked jurisdiction to investigate the complaint.

• Whether the collection and use of personal information for the purpose of defending a civil lawsuit constitutes a commercial activity under PIPEDA.
• Whether the OPC has jurisdiction to investigate complaints falling outside the scope of PIPEDA.
• The application of the 'commercial activity' exemption in PIPEDA.

The complainant alleged that a telecommunications company's response to her access request was incomplete, specifically regarding disclosures of her personal information to third parties, including law enforcement. The Office of the Privacy Commissioner found that the company's standard response did not meet its obligations under Principle 4.9 of PIPEDA. The company has since provided a direct response to the complainant and has amended its policy to ensure compliance with access to information requests.

• Adequacy of response to an access request concerning disclosure of personal information.
• Compliance with PIPEDA Principle 4.9 regarding informing individuals of disclosures.
• Application of PIPEDA subsections 9(2.1) to 9(2.4) concerning disclosures to government institutions.
• Obligations regarding disclosures to third parties beyond government institutions.

An individual complained to the OPC after receiving a credit report containing unrecognized inquiries and a notation of an "AUTOMATIC COMBINE" of accounts, which merged his file with that of another individual. The OPC found that while there was no unauthorized use or disclosure of personal information, the credit reporting agency failed to maintain the accuracy of the complainant's information when it merged the files. The agency took corrective actions, including separating the files and notifying creditors of the corrections.

• Accuracy of personal information when merging files
• Unauthorized use or disclosure of personal information

The OPC investigated two complaints regarding the Canada Border Services Agency's (CBSA) participation in the TV show "Border Security: Canada's Front Line". The investigation focused on a complaint filed by the British Columbia Civil Liberties Association on behalf of an individual filmed during a CBSA enforcement activity. The OPC found that the CBSA's participation and disclosure of personal information to the production company, Force Four, violated sections 4 and 8 of the Privacy Act due to issues with informed consent and improper disclosure of information. The OPC recommended the CBSA cease its participation in the TV program, which the CBSA accepted.

• Validity of consent obtained for filming and disclosure of personal information
• CBSA's ability to contract out of Privacy Act obligations
• Adequacy of facial blurring to protect identity
• Disclosure of information about an intended subject prior to filming

A complainant expressed concerns that personal taxpayer information held by Mobilshred Inc. under contract with the Canada Revenue Agency (CRA) could be accessed by US authorities under the USA PATRIOT Act, due to Mobilshred's perceived US affiliation. The OPC investigated whether the CRA had adequately safeguarded this information. The investigation determined that Mobilshred Inc. is a Canadian company, and the contract explicitly requires all stored paper records to remain physically within Canada. Therefore, the CRA took adequate measures to prevent unauthorized disclosure.

• Potential for US authorities to access Canadian taxpayer information stored by a contractor under the USA PATRIOT Act.
• Whether the Canada Revenue Agency adequately safeguarded personal information entrusted to a third-party contractor.
• The corporate structure and operational location of Mobilshred Inc. and its parent company, Recall.

A First Nation band council developed a privacy policy after an employee complained about lost doctor's notes required to approve his leave. While the band council did not confirm losing the notes, it worked with the OPC to create a privacy policy and adopt best practices. The employee considered his complaint resolved, recognizing the issue would be addressed under the Canada Labour Code, and was pleased the band council was implementing a privacy policy.

• Responsibility of a First Nation band council under PIPEDA
• Disposition of medical documentation
• Development of a privacy policy

This report details an investigation into Compu-Finder's practices of collecting and using email addresses for marketing its training courses without adequate consent. The Office of the Privacy Commissioner of Canada (OPC) found that Compu-Finder contravened PIPEDA by failing to obtain meaningful consent, lacking accountability frameworks, and not being transparent about its privacy practices. While Compu-Finder agreed to implement recommendations, the complaint was found to be well-founded and resolved in part, and well-founded and conditionally resolved in part, with a compliance agreement entered into.

• Collection and use of email addresses without consent
• Lack of accountability and transparency in privacy practices
• Use of address harvesting software
• Validity of implied and express consent claims

An individual complained that a retailer's salesperson signed him up for a credit card without his knowledge or consent, and that a bank subsequently conducted a credit check using inaccurate information. The Office of the Privacy Commissioner of Canada (OPC) found that the bank failed to demonstrate it obtained the complainant's consent for the credit check and that the collected information was sufficiently accurate. The bank apologized, cancelled the credit card, and removed the inquiry from the complainant's file. The bank also discontinued its pilot program for in-store credit applications.

• Adequacy of consent for a credit card application and credit check
• Accuracy of personal information collected
• Adequacy of procedures for collecting personal information and obtaining consent

An individual complained that his employer, an international trucking company, disclosed his positive drug test results to a provincial workers' compensation board (WCB) without his consent. The company claimed it was legally obligated to do so. The OPC found the disclosure was a contravention of PIPEDA as the company's belief of a legal obligation was inaccurate, and the WCB did not require the information. The complaint regarding disclosure to co-workers was not substantiated. The company implemented the OPC's recommendations, leading to the complaint being resolved.

• Whether disclosure of drug test results to WCB required consent
• Whether disclosure to WCB was a legal obligation under PIPEDA s. 7(3)(i)
• Whether drug test results were disclosed to co-workers
• Whether the company's random drug testing program violated PIPEDA

An incident occurred where employees of a financial management firm sent a client's sensitive financial information to her personal email account without proper security measures. This led to a situation where an individual, potentially a hacker, used this information to impersonate the client and attempt to transfer funds from her investment account. Although the client's money was not stolen due to the firm's established procedures, the firm's investigation revealed a breach of security protocols and inadequate employee training. The firm took corrective actions, including disciplinary measures for employees, additional privacy training, and reinforcing account security.

• Adequacy of security safeguards for personal information
• Effectiveness of employee training on privacy and security procedures
• Appropriateness of the organization's response to a data breach

A financial institution reported a breach to the OPC after a printing error resulted in a few hundred clients receiving incorrect RRSP tax contribution statements. Some statements mistakenly included the personal information of other individuals, including names, addresses, account numbers, and Social Insurance Numbers. The institution promptly investigated, notified affected clients, provided new statements, increased account monitoring, and offered credit alert monitoring. They also reviewed and enhanced internal procedures to prevent future errors.

• Adequacy of safeguards to prevent privacy breaches
• Timeliness and appropriateness of breach response
• Notification of affected individuals
• Review and enhancement of internal policies and procedures