BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

15 decisions matching

Federal (Canada) · Privacy Act · Well-founded
Aug 20, 2018 · Indexed Apr 12, 2026

Innovation, Science and Economic Development Canada fails to ensure that the information it used to staff a position was accurate

Innovation, Science and Economic Development Canada

The complainant alleged that Innovation, Science and Economic Development Canada (ISED) contravened the accuracy provisions of the Privacy Act by using inaccurate information about him when staffing a position. ISED confirmed that it failed to ensure the accuracy of the information used, which was linked to the complainant’s profile in the MyGCHR human resources system. The investigation found the complaint to be well-founded.

Adjudicator: Daniel Therrien

Key Issues
  • Whether ISED contravened the accuracy provisions of the Privacy Act.
  • Whether ISED took reasonable steps to ensure the accuracy of personal information used for staffing.
  • The role of the MyGCHR system in the accuracy of personal information.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jun 20, 2018 · PIPEDA Report of Findings #2018-004 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-004: Microsoft to obtain opt-in consent, enhance transparency for Windows 10 privacy settings

Microsoft

This investigation concerned Microsoft's Windows 10 privacy settings, which were initially set to 'on' by default during installation. The Office of the Privacy Commissioner of Canada (OPC) investigated whether Microsoft obtained valid consent for the collection, use, and disclosure of users' personal information. While Microsoft made several updates to improve clarity and consent mechanisms, the OPC identified ongoing concerns regarding the meaningfulness of consent for certain settings, particularly regarding diagnostics, tailored experiences, and speech recognition. Microsoft committed to implementing further changes, including obtaining opt-in consent for all installation privacy settings, enhancing transparency, and improving data protection measures.

Adjudicator: Daniel Therrien

Key Issues
  • Validity of consent for default privacy settings during Windows 10 installation.
  • Clarity and completeness of privacy communications provided to users.
  • Adequacy of measures to protect sensitive diagnostic data from being used for targeted marketing.
  • Ensuring meaningful consent for cloud-based speech recognition services.

Federal (Canada) · Privacy Act · Well-founded
Jun 12, 2018 · Repeat offender · Indexed Apr 12, 2026

Repeat offender: CSC unlawfully denies complainant access to his personal information a second time

Correctional Service Canada (CSC)

The Office of the Privacy Commissioner of Canada investigated a complaint from a federal inmate who alleged that Correctional Service Canada (CSC) contravened the Privacy Act by denying him access to personal information, specifically video and audio recordings. This was a repeat issue, as similar allegations were found to be well-founded in a previous investigation. While CSC properly exempted some recordings, it failed to respond to some requests entirely and, critically, failed to retrieve and retain requested video recordings before they were overwritten in two instances, despite previous recommendations to improve processes for short-retention period records. The complaint was found well-founded due to these failures to provide timely access.

Adjudicator: Daniel Therrien

Key Issues
  • Timeliness of responding to access to information requests.
  • Retention and destruction of personal information, particularly video recordings.
  • Appropriate application of exemptions to disclosure.
  • Failure to implement previous recommendations regarding record retrieval.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded
Jun 12, 2018 · PIPEDA Report of Findings #2018-002 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-002: Company’s re-use of millions of Canadian Facebook user profiles violated privacy law

Profile Technology Ltd.

The Office of the Privacy Commissioner of Canada (OPC) investigated complaints against Profile Technology Ltd. (Profile Technology), a New Zealand-based company, for copying and using personal information from Facebook profiles without consent. The OPC found that Profile Technology's website was not merely a search engine but a social networking site, and that the information was not "publicly available" under PIPEDA. The company's practice of repurposing outdated Facebook data without consent or consideration for privacy settings was deemed inappropriate. Additionally, Profile Technology was found to be retaining help desk ticket information longer than necessary. The OPC concluded that Profile Technology contravened PIPEDA by using and disclosing personal information for purposes not appropriate in the circumstances and without consent.

Adjudicator: Daniel Therrien

Key Issues
  • Jurisdiction over a foreign-based organization
  • Definition of "publicly available" information under PIPEDA
  • Requirement for consent for collection and use of personal information
  • Appropriateness of purposes for using personal information

Federal (Canada) · Access to Information Act
Jun 7, 2018 · Indexed May 4, 2026

Access to scientists

A federal institution

This is a systemic investigation report that examined how federal institutions handle access to information requests related to scientists and scientific information. The investigation was initiated by a complaint from the Environmental Law Clinic at the University of Victoria and Democracy Watch. It concluded that while some progress had been made, challenges remained in ensuring timely and complete access to information concerning scientists within federal institutions.

Adjudicator: Suzanne Legault

Key Issues
  • Timeliness of access to information requests concerning scientists
  • Completeness of information provided in response to requests about scientists
  • Impact of institutional practices on the right of access to information regarding scientists

Federal (Canada) · Privacy Act · Well-founded
Jun 4, 2018 · Indexed Apr 12, 2026

Employee text messages intercepted without authorization at the Warkworth Institution

Correctional Service Canada (CSC)

Several complainants alleged that the Correctional Service Canada (CSC) unlawfully collected personal information through the use of a cell-site simulator near the Warkworth Institution. While CSC confirmed collecting six text messages, it denied intercepting conversations and stated the collection was not authorized. The Office of the Privacy Commissioner of Canada (OPC) found that while the collection of metadata was consistent with the Privacy Act given security concerns, the interception and collection of text message content was not authorized and therefore contravened the Act.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the collection of cell phone metadata and text messages by CSC constituted personal information under the Privacy Act.
  • Whether the collection of cell phone metadata was directly related to CSC's operating programs or activities.
  • Whether the interception and collection of text message content was authorized under the Privacy Act.

Federal (Canada) · Privacy Act · Not well-founded
Jun 4, 2018 · Indexed Apr 12, 2026

Disclosure of Canadian Forces members’ medical records by DND authorized under Privacy Act although record retention practices were insufficient

Department of National Defence

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding the Department of National Defence’s (DND) disclosure of deceased Canadian Forces members’ medical records to Military Police investigators for suicide investigations. The OPC found that while DND’s Directorate of Access to Information and Privacy (DAIP) generally acted appropriately in assessing the necessity of the requested information, its record-keeping practices were insufficient, failing to retain all requested disclosure forms as required by the Privacy Act. The OPC recommended that DND improve its policies and procedures to ensure full retention of request forms, verify the statutory authority for investigations, and maintain more comprehensive disclosure records.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of DND's assessment of necessity for disclosing medical records under paragraph 8(2)(e) of the Privacy Act for suicide investigations.
  • Sufficiency of DND's record-keeping practices concerning requests and disclosures under paragraph 8(2)(e).
  • DND's interpretation of its obligations regarding lawful investigations and adherence to its own policies.
  • Whether DND's disclosure of records was consistent with the Privacy Act and TBS Directive.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
May 24, 2018 · PIPEDA Report of Findings #2018-003 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-003: Facebook agrees to stop using non-users’ personal information in users’ address books

Facebook Inc.

The Office of the Privacy Commissioner of Canada investigated a complaint against Facebook Inc. regarding a privacy breach where personal information of users and non-users was inadvertently disclosed through the 'Download Your Information' tool. The investigation found that while Facebook had safeguards in place, they were not adequate prior to the breach, leading to the unauthorized disclosure of contact information. Additionally, Facebook was not sufficiently open about its practice of matching contact information across address books. Facebook has since implemented corrective measures, including a new Privacy Framework and revised notices, resolving the issues.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards for personal information.
  • Facebook's practice of matching contact information across address books and consent requirements.
  • Openness and transparency of Facebook's policies and practices regarding contact information.
  • Facebook's provision of access to and correction of personal information.

Federal (Canada) · Privacy Act · Not well-founded
May 15, 2018 · Indexed Apr 12, 2026

Complaints in regard to Transport Canada’s requirement for owners of unmanned aircraft to display their personal information on the device

Transport Canada

Four complainants alleged that Transport Canada's requirement for owners of unmanned aircraft to display their personal information on the device contravened the Privacy Act. They argued this obligation to publicly display contact information without consent was a violation of disclosure provisions. The Office of the Privacy Commissioner of Canada (OPC) found that while the information collected is personal, the requirement did not constitute a collection by Transport Canada itself, and therefore, the disclosure provisions of the Act did not apply. The OPC concluded the complaints were not well-founded, acknowledging the measure was an interim safety precaution and noting that Transport Canada intended to revise the regulations to address privacy concerns.

Adjudicator: Daniel Therrien

Key Issues
  • Whether the requirement to display personal information on unmanned aircraft constitutes a collection under the Privacy Act.
  • Whether the disclosure of personal information on unmanned aircraft contravenes the disclosure provisions of the Privacy Act.
  • The balance between aviation safety and public privacy.
  • The authority of the Minister of Transport to issue interim orders for aviation safety.

Federal (Canada) · Privacy Act · Not well-founded
May 7, 2018 · Indexed Apr 12, 2026

Statistics Canada takes reasonable measures to safeguard census data transferred to Shared Services Canada

Statistics Canada

This investigation concerned a complaint alleging that Statistics Canada (StatCan) improperly disclosed confidential census data to Shared Services Canada (SSC) when transferring its IT infrastructure. The complainant also raised concerns about the adequacy of safeguards and supervision of SSC employees handling the data. The OPC found that StatCan did not disclose personal information contrary to the Privacy Act, as it was legally required to transfer its IT infrastructure to SSC. Furthermore, StatCan took reasonable measures to define its relationship with SSC and ensure privacy and security considerations were addressed.

Adjudicator: Daniel Therrien

Key Issues
  • Whether StatCan improperly disclosed confidential census data to SSC.
  • Whether StatCan took reasonable measures to safeguard the census data transferred to SSC's IT infrastructure.
  • Whether StatCan adequately supervised SSC employees with access to the data.
  • Whether the transfer of data was consistent with the Statistics Act and the Privacy Act.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 29, 2018 · PIPEDA Case Summary #2018-005 · Indexed Apr 12, 2026

PIPEDA Case Summary #2018-005: Courier company discontinues practice of delivery to a neighbour

A courier company

The complainant alleged that a courier company disclosed her personal information without consent by delivering a package addressed to her to her neighbour. The investigation found that the courier company had contravened PIPEDA's consent principle because it neither obtained consent directly from the complainant for its practice of delivering packages to neighbours nor demonstrated due diligence to ensure the shipper had obtained such consent. In response to the OPC's recommendations, the courier company committed to ending the practice of delivering to neighbours, and this commitment was confirmed.

Adjudicator: Daniel Therrien

Key Issues
  • Was personal information disclosed without consent by delivering a package to a neighbour?
  • Did the courier company exercise due diligence to ensure the shipper obtained consent for the delivery to a neighbour practice?
  • Is an unlisted telephone number on a package label sensitive personal information?

Federal (Canada) · Privacy Act · Well-founded
Mar 12, 2018 · Indexed Apr 12, 2026

Health Canada demonstrates that personal information it collects relates directly to the administration of its Non-Insured Health Benefits Program

Health Canada

The complainant alleged that Health Canada collected more personal information than necessary for adjudicating claims under its Non-Insured Health Benefits (NIHB) Program. Specifically, concerns were raised about the detailed patient information required for the approval of drug benefits. Health Canada demonstrated that the information collected through Limited Use forms for drug benefits was directly related to the administration of the NIHB Program and necessary for determining eligibility based on established clinical criteria.

Adjudicator: Daniel Therrien

Key Issues
  • Was the personal information collected by Health Canada directly related to an operating program or activity of the institution?
  • Was the information collected necessary for the adjudication of claims for limited use drug benefits under the NIHB Program?
  • Did Health Canada require more personal information than necessary for the adjudication of claims?

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Feb 7, 2018 · PIPEDA Report of Findings #2018-006 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-006: Breach of the World Anti-Doping database

World Anti-Doping Agency (WADA)

This investigation examined a breach of WADA's Anti-Doping Administration and Management System (ADAMS) database, which resulted in the public disclosure of athletes' personal information, including health details. The OPC found that WADA's security safeguards were insufficient, contravening PIPEDA principles. While WADA committed to implementing recommendations, including enhanced security measures, the matter was resolved conditionally pending compliance.

Adjudicator: Daniel Therrien

Key Issues
  • Sufficiency of security safeguards for sensitive personal information
  • Access controls and authentication mechanisms for the ADAMS database
  • Monitoring, logging, and incident response capabilities
  • Policies, procedures, and training related to information security

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Jan 9, 2018 · PIPEDA findings #2018-007 · Indexed Apr 12, 2026

PIPEDA findings #2018-007: Online marketplace needs consent from members before contacting them to join advocacy network

An online marketplace

The OPC investigated a complaint against an online marketplace that sent an email to members inviting them to sign a petition without their explicit consent. The OPC found that the marketplace retained information appropriately but failed to obtain adequate consent for sending the petition email, which was beyond the scope of their services. The OPC also found that the marketplace did not handle the complainant's privacy concerns effectively. The matter was conditionally resolved when the marketplace committed to implementing recommendations, including obtaining opt-in consent for such emails and improving complaint handling. The issue was later resolved upon evidence of implementation.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of consent for using personal information for advocacy emails.
  • Proper handling and escalation of customer privacy complaints.
  • Appropriate retention of personal information.
  • Clarity of purposes stated in the privacy policy.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jan 8, 2018 · PIPEDA Report of Findings #2018-001 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2018-001: Connected toy manufacturer improves safeguards to adequately protect children’s information

VTech Holdings Limited

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint following a global data breach at VTech Holdings Limited, which potentially compromised the personal information of over 316,000 Canadian children and 237,000 Canadian adults. The investigation found significant deficiencies in VTech's information security safeguards, including a lack of testing, inadequate access controls, cryptographic issues, and absence of security monitoring. Although VTech contravened PIPEDA Principle 4.7, the OPC concluded the matter was resolved because VTech implemented timely and comprehensive measures to address the breach and improve its security.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of information security safeguards for children's data
  • Failure to test for and mitigate known vulnerabilities
  • Insufficient access controls and cryptographic protection
  • Lack of comprehensive security management program