BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

13 decisions matching
Federal (Canada) · Privacy Act · Not well-founded
Dec 30, 2019 · Indexed Apr 12, 2026

Disclosure of military officer’s personal information for litigation purposes permissible under the Privacy Act

Department of National Defence and Department of Justice

The Office of the Privacy Commissioner of Canada investigated two complaints concerning the disclosure of a military officer's personal health information. The Department of National Defence (DND) disclosed the information to the Department of Justice (DOJ) to defend against litigation initiated by the complainant against the government. The OPC found that both the disclosure by DND and the collection by DOJ were permissible under paragraph 8(2)(d) of the Privacy Act, as the information was disclosed to the Attorney General for use in legal proceedings involving the Crown. The OPC concluded that the Privacy Act does not distinguish between types of personal information and that the disclosure was necessary for legal defence, upholding the legal interpretation confirmed by the Federal Court.

Adjudicator: Daniel Therrien

Key Issues
  • Permissibility of disclosing personal health information for litigation purposes under paragraph 8(2)(d) of the Privacy Act.
  • Whether the collection of personal medical information by the Department of Justice was a contravention of the Privacy Act.
  • Whether the disclosure of personal medical information by the Department of National Defence was a contravention of the Privacy Act.
  • The scope and interpretation of paragraph 8(2)(d) of the Privacy Act regarding disclosures to the Attorney General for legal proceedings.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Not well-founded
Dec 9, 2019 · PIPEDA Findings #2019-007 · Indexed Apr 12, 2026

PIPEDA Findings #2019-007: Credit reporting agency is authorized to rely on exemption to consent in disclosing credit information to Statistics Canada

Trans Union of Canada, Inc.

The complainant alleged that Trans Union disclosed his credit file information to Statistics Canada without consent, and that this information was subsequently used to initiate debt collection efforts against him. The Office of the Privacy Commissioner of Canada (OPC) found that Trans Union was authorized to disclose the information under PIPEDA, as Statistics Canada had requested it under the authority of the Statistics Act. The OPC also found no evidence that Statistics Canada disclosed the complainant's information to other institutions for debt collection purposes.

Adjudicator: Daniel Therrien

Key Issues
  • Whether Trans Union disclosed personal information without consent contrary to PIPEDA.
  • Whether Statistics Canada used disclosed information for debt collection.
  • Whether the disclosure was authorized by law under PIPEDA.
  • Whether Statistics Canada contravened the Privacy Act in its data collection.

Federal (Canada) · Privacy Act · Well-founded
Oct 21, 2019 · Indexed Apr 12, 2026

Crossing the line? The CBSA’s examination of digital devices at the border

Canada Border Services Agency

This report details the OPC's investigation into six complaints concerning the Canada Border Services Agency's (CBSA) search of travellers' digital devices at the border. The OPC found that the CBSA contravened the Privacy Act by failing to adhere to its own policies and legal authorities regarding these searches, particularly concerning the scope of data accessed and the lack of proper documentation. The CBSA accepted most operational recommendations for improvement but disagreed with recommendations for legislative reform.

Adjudicator: Daniel Therrien

Key Issues
  • CBSA's authority to examine digital devices at the border under the Customs Act
  • Compliance with CBSA's internal policy on digital device examinations
  • Collection and retention of personal information from digital devices
  • Adequacy of training and oversight for CBSA officers

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Oct 16, 2019 · PIPEDA Findings #2019-003 · Indexed Apr 12, 2026

PIPEDA Findings #2019-003: Investigation into authentication and transfer practices used during Loblaw gift card offering

Loblaw Companies Ltd.

This investigation examined Loblaw's practices in its gift card program, which was established to compensate customers affected by a bread price-fixing scandal. The complainant argued Loblaw collected more personal information than necessary and was concerned about data transfers to the United States. The OPC found that while Loblaw initially collected more information than needed by requesting full identification documents, they subsequently clarified their requirements, resolving this issue. The OPC also found Loblaw's measures to protect personal information transferred to a third-party administrator in the US were sufficient and that Loblaw was transparent about cross-border data transfers.

Adjudicator: Daniel Therrien

Key Issues
  • Collection of personal information beyond what is necessary for the stated purpose.
  • Adequacy of safeguards for personal information transferred to a third-party processor in the United States.
  • Sufficiency of transparency regarding cross-border data transfers.
  • Requirement for additional consent for cross-border data transfers.

Federal (Canada) · Access to Information Act · s.6.1 Application Denied (must respond)
Aug 1, 2019 · 2019 OIC 2 · Indexed Apr 21, 2026

Decision pursuant to 6.1, 2019 OIC 2

institution

An institution applied to the Information Commissioner for approval to decline to act on an access request, alleging it was vexatious, an abuse of the right to request records, and made in bad faith. The requester was a former employee who had filed multiple previous access requests. The Commissioner found the institution failed to prove the request was vexatious, an abuse of the right of access, or made in bad faith, and also failed to demonstrate it fulfilled its duty to assist the requester. The Commissioner denied the institution's application.

Adjudicator: Caroline Maynard

Key Issues
  • Whether the access request was vexatious.
  • Whether the access request constituted an abuse of the right to access records.
  • Whether the access request was made in bad faith.
  • Whether the institution fulfilled its duty to assist the requester.

Federal (Canada) · Access to Information Act · s.6.1 Application Denied (must respond)
Aug 1, 2019 · 2019 OIC 1 · Indexed Apr 21, 2026

Decision pursuant to 6.1, 2019 OIC 1

federal institution

An institution applied to the Information Commissioner for approval to decline processing an access request from a former employee. The institution argued the request was vexatious, an abuse of the right to access, and made in bad faith due to the requester's previous dismissal and numerous prior requests. The Commissioner found the institution failed to provide sufficient evidence for any of these claims.

Adjudicator: Caroline Maynard

Key Issues
  • Whether the request was vexatious
  • Whether the request constituted an abuse of the right of access
  • Whether the request was made in bad faith
  • Whether the institution fulfilled its duty to assist

Federal (Canada) · Privacy Act · Not well-founded
Jun 9, 2019 · Indexed Apr 12, 2026

Video recording in the workplace at correctional institutions consistent with the Privacy Act

Correctional Service Canada

Three complainants alleged that Correctional Service Canada (CSC) was using video footage collected for security purposes to monitor employee performance. The Office of the Privacy Commissioner of Canada (OPC) investigated and found that CSC used the footage to identify systemic deficiencies in patrols following an inmate's death, aiming to improve security and prevent future deaths. The OPC determined this use was consistent with the original purpose of collection (security) and therefore not a contravention of the Privacy Act.

Adjudicator: Daniel Therrien

Key Issues
  • Was CSC using video footage to monitor employee performance?
  • Was the use of video footage for identifying and addressing security deficiencies consistent with the original purpose of collection?
  • Did the use of video footage contravene the Privacy Act's use provisions?

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Apr 25, 2019 · PIPEDA Findings #2019-002 · Indexed Apr 12, 2026

PIPEDA Findings #2019-002: Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia

Facebook, Inc.

This joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) examined Facebook's compliance with privacy laws concerning the disclosure of user data to third-party apps, specifically the "thisisyourdigitallife" (TYDL) app. The investigation found that Facebook failed to obtain valid and meaningful consent from users whose information was disclosed, had inadequate safeguards to protect user data, and lacked accountability for the information under its control. These failures are particularly concerning given similar findings by the OPC in a 2009 investigation, indicating a lack of substantive improvement in Facebook's privacy practices.

Adjudicator: Daniel Therrien

Key Issues
  • Meaningful consent from installing users
  • Meaningful consent from affected users (friends of installing users)
  • Adequacy of safeguards to protect user data from third-party apps
  • Facebook's accountability for user data

Federal (Canada) · Privacy Act · Well-founded
Mar 29, 2019 · Indexed Apr 12, 2026

Global Affairs Canada fails to demonstrate its authority to collect the personal information contained in diplomatic passports

Global Affairs Canada

The complainant alleged that Global Affairs Canada (GAC) improperly collected personal information from his diplomatic passport for an administrative investigation. The complainant had used his diplomatic passport for personal travel, and GAC requested the original passport as evidence. GAC did not demonstrate how the personal travel information collected related to its operating programs or activities, nor did it provide sufficient cooperation to confirm its authority to collect this information.

Adjudicator: Daniel Therrien

Key Issues
  • Whether GAC had the authority to collect personal travel information from a diplomatic passport.
  • Whether the collection of personal travel information related directly to GAC's operating programs or activities.
  • Whether GAC provided sufficient information regarding the administrative investigation and its authority to collect the passport.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 28, 2019 · PIPEDA Case Summary #2019-006 · Indexed Apr 12, 2026

PIPEDA Case Summary #2019-006: Directory company lacked consent to publish complainant's personal information

Grey House Publishing Canada

The complainant alleged that Grey House Publishing Canada (Grey House) collected, used, and disclosed his personal information without his knowledge or consent. Grey House collected the complainant's contact information from a non-profit association's webpage and included it in its print directory and database. Grey House then sold an email distribution list containing this information to Economic and Social Development Canada (ESDC), which used it to send emails promoting a federal program. The OPC found that Grey House contravened PIPEDA by collecting and using the complainant's personal information without adequate consent, as the information was not considered business contact information and did not fall under the exceptions for publicly available information. The OPC also found that Grey House contravened PIPEDA's openness principle by having an inadequate privacy statement.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the complainant's contact information constituted personal information or business contact information under PIPEDA
  • Whether Grey House was conducting commercial activity under PIPEDA
  • Whether Grey House obtained adequate consent to collect and use the complainant's personal information
  • Whether Grey House's privacy statement adequately reflected its practices

Federal (Canada) · Privacy Act · Well-founded
Mar 28, 2019 · Indexed Apr 12, 2026

Employment and Social Development Canada collects personal information again despite the complainant’s previous objection

Employment and Social Development Canada

The complainant alleged that Employment and Social Development Canada (ESDC) contravened the Privacy Act by collecting his personal information for a second time, despite his previous objection, through a third-party company. The OPC found that while ESDC's collection was not for an administrative purpose directly affecting the complainant, it failed to comply with section 4 of the Act because the information was not collected in accordance with the terms of its program, as the third party had obtained the information without consent. ESDC also continued to use the complainant's information despite his request to be removed from the list.

Adjudicator: Daniel Therrien

Key Issues
  • Collection of personal information without consent
  • Collection of personal information from a third party
  • ESDC's responsibility to ensure third-party compliance with contractual obligations
  • ESDC's continued collection of information after a request for removal

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 25, 2019 · PIPEDA Findings #2019-005 · Indexed Apr 12, 2026

PIPEDA Findings #2019-005: 411Numbers ceases practice of removing information for a fee

411Numbers

The Office of the Privacy Commissioner of Canada (OPC) investigated 411Numbers, a website operator that provided free access to telephone numbers and associated information. A complainant alleged that 411Numbers collected, used, and disclosed his personal information without consent, used it for an inappropriate purpose (paid removal service), over-collected information for removal services, and was unresponsive to privacy concerns. The OPC found that 411Numbers contravened PIPEDA by publishing unlisted telephone numbers without consent, and that its previous practice of requiring extensive identification for removal services was an over-collection. The paid removal service was also deemed inappropriate. However, 411Numbers has since ceased its paid removal service and implemented new practices for information removal and data collection.

Adjudicator: Daniel Therrien

Key Issues
  • Jurisdiction over a non-Canadian company with a real and substantial connection to Canada
  • Collection, use, and disclosure of unlisted telephone numbers without consent
  • Appropriateness of using personal information for a paid removal service
  • Over-collection of personal information for identity verification during removal requests

Federal (Canada) · Privacy Act · Well-founded
Feb 11, 2019 · Indexed Apr 12, 2026

The name of an individual is considered personal information if it is accompanied by information that is about the individual

Canadian Transportation Agency (CTA)

The complainant, an air passenger rights advocate, requested access to records about himself from the Canadian Transportation Agency (CTA). The CTA denied access to most records, arguing the information was not personal information, or that it was exempt under various provisions of the Privacy Act. The OPC found that the CTA had erred in withholding information and improperly invoked exemptions under section 70(1). However, most information withheld under sections 26 and 27 was found to be properly exempted, with specific exceptions.

Adjudicator: Daniel Therrien

Key Issues
  • Whether records containing the complainant's name and discussions about his advocacy activities constituted personal information under the Privacy Act.
  • Whether information withheld under paragraph 12(1)(b) was properly excluded from the scope of accessible personal information.
  • Whether information was correctly exempted under sections 26 (third-party personal information), 27 (solicitor-client privilege), and subsection 70(1) (cabinet confidences).