Canadian Privacy Decisions

The Information Commissioner investigated a complaint that Canadian Heritage (PCH) had suspended processing access requests due to the COVID-19 pandemic. PCH was unable to access its premises or systems from March 16, 2020, to July 10, 2020, resulting in a backlog of 224 requests. The Commissioner found the complaint well-founded, stating PCH's failure to respond breached requesters' rights under the Act.

• Impact of COVID-19 pandemic on processing access requests
• Institution's ability to access premises and remote systems
• Failure to respond to access requests within statutory timelines

The complainant disputed Transport Canada's decision to withhold information regarding vehicle safety recall completion rates, citing exemptions under sections 14, 20, and 21 of the Access to Information Act. The Information Commissioner found that neither Transport Canada nor the third party met their burden to prove the exemptions applied to the records. The Commissioner recommended that Transport Canada release all withheld information, except for specific personal details. Transport Canada agreed to implement these recommendations.

• Application of section 14 of the ATIA (intergovernmental relations)
• Application of section 20 of the ATIA (third-party information)
• Application of section 21 of the ATIA (confidential deliberations)
• Burden of proof on the institution to justify exemptions

The complainant requested information regarding a High Frequency Rail Proposal from VIA Rail Canada. VIA Rail withheld the information citing several exemptions under the Access to Information Act. The Office of the Information Commissioner found that VIA Rail failed to prove the exemptions applied and did not perform a proper severance analysis to release non-exempt portions of the records. Consequently, the complaint was found to be well founded.

• Whether VIA Rail Canada properly applied exemptions under sections 18 and 21 of the ATIA.
• Whether VIA Rail Canada conducted an adequate severance exercise.
• Whether VIA Rail Canada exercised due diligence in responding to the access request.

This investigation examined Desjardins' compliance with PIPEDA following a significant data breach that occurred between 2017 and 2019, affecting nearly 9.7 million individuals. The Office of the Privacy Commissioner of Canada (OPC) found that Desjardins contravened PIPEDA principles regarding accountability, data retention, and security safeguards. While Desjardins' mitigation measures for affected individuals were deemed adequate, the OPC issued recommendations to address the identified contraventions.

• Adequacy of security safeguards throughout the personal information lifecycle.
• Compliance with accountability principles, including implementing procedures and training staff.
• Appropriateness of data retention and destruction practices.
• Effectiveness of mitigation measures offered to individuals affected by the breach.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint from an employee of a federal institution who alleged a breach of privacy. The employee's personal information regarding her transgender identity and the reasons for her transfer were disclosed to her new supervisor and colleagues without her consent, despite assurances of confidentiality. The OPC found this disclosure contravened the Privacy Act.

• Disclosure of personal information without consent
• Confidentiality of transgender status
• Application of the Privacy Act

The complainant alleged that the Privy Council Office (PCO) failed to respond to an access request for minutes of the Joint Intelligence Committee from 1962 within the statutory time limits. PCO claimed an extension and then closed the file, stating it had not received recommendations from other government institutions, based on its “no late file” policy. The Information Commissioner found that the Act does not authorize this reason for non-response and that PCO was in deemed refusal.

• Failure to respond to an access request within the statutory time limits
• Validity of PCO's "no late file" policy
• Application of subsection 10(3) of the Access to Information Act (deemed refusal)

The complainant alleged that the Privy Council Office (PCO) failed to respond to an access request for minutes of the Joint Intelligence Committee from 1971 within the statutory time limits. PCO cited its "no late file" policy as the reason for closing the file when consultations with other institutions were not completed on time. The Information Commissioner found that PCO's failure to respond constituted a deemed refusal under the Act.

• Failure to respond within ATIA time limits
• Validity of "no late file" policy
• Deemed refusal under subsection 10(3) of the ATIA

The complainant alleged that the Privy Council Office (PCO) failed to respond to an access request for minutes of the Joint Intelligence Committee from 1968 within the statutory time limits. PCO claimed an extension for consultations, but when other institutions did not respond, PCO closed the file based on its "no late file" policy. The OIC found that the Act does not permit PCO to fail to respond due to unreceived recommendations and determined PCO was in deemed refusal.

• Timeliness of response to access request
• Proper application of time extension provisions
• PCO's "no late file" policy in relation to the Act

This joint investigation by federal, Alberta, and British Columbia privacy commissioners examined Cadillac Fairview's (CFCL) use of Anonymous Video Analytics (AVA) in mall directories and mobile device geolocation tracking. CFCL collected and used personal biometric information via AVA without valid consent, and improperly retained this data. While CFCL stated it had ceased using AVA, it disagreed with findings and refused to commit to express opt-in consent for future use. Regarding geolocation, CFCL's "Anonymous Shopper Journey" did not collect personal information, and while its "Logged In Shopper Journey" collected personal information, it did not combine it with geolocation data as initially suspected. Therefore, the geolocation aspect was found not well-founded.

• Collection, use, and disclosure of personal information via AVA technology
• Adequacy of consent and notice for AVA technology
• Appropriate retention of personal information collected via AVA
• Collection, use, and disclosure of personal information via geolocation tracking

A complainant alleged that Health Canada failed to identify all records responsive to an Access to Information Act request and should have provided an index of these records. The Information Commissioner of Canada found that Health Canada conducted a reasonable search and did not improperly withhold records. The Commissioner also determined that Health Canada was not obligated to create an index for this request, as it would have been unreasonable.

• Duty to assist
• Reasonableness of search
• Obligation to create an index of records

The complainant alleged that the Privy Council Office (PCO) failed to respond to an access request for minutes of the Joint Intelligence Committee from 1957 to 1958 within the statutory time limits. PCO claimed an extension and consulted other institutions, but failed to respond when recommendations were not received by the deadline, citing a “no late file” policy. The OIC found that the Act does not permit such a failure to respond and that PCO was in deemed refusal.

• Timeliness of response to access request
• Proper application of time extensions
• Effect of "no late file" policy on ATIA obligations

This report details a systemic investigation into the Royal Canadian Mounted Police's (RCMP) timeliness in responding to access to information requests between 2016 and 2019. The investigation found significant delays and an increasing backlog of requests. The Information Commissioner made 15 recommendations across six areas to improve the RCMP's performance. However, the Minister of Public Safety largely ignored these recommendations, failing to provide adequate explanations or commit to concrete plans for improvement. Consequently, the Commissioner found the situation dire and tabled a special report to Parliament.

• Timeliness of access to information requests
• RCMP's failure to provide representations during delay investigations
• Adequacy of the Minister's response to recommendations
• Impact of resources and systems on access to information performance

The complainant alleged that the Privy Council Office (PCO) failed to respond to an access to information request within the statutory time limits. PCO had claimed an extension and then placed the request on hold for consultations, which it conducted over several years. The Commissioner found the complaint well-founded, as PCO's indefinite hold on the request had no provision in the Act. The Commissioner recommended PCO provide a final response by June 1, 2020, but PCO failed to meet this deadline, citing the COVID-19 pandemic's impact on consultations. As the complaint was filed before recent amendments, the Commissioner's jurisdiction was limited to making recommendations.

• Timeliness of response
• Indefinite hold on request for consultations
• Impact of COVID-19 pandemic on processing
• Commissioner's jurisdiction and remedies

The complainant alleged that the Department of Justice Canada missed the deadline to respond to an access to information request. The Information Commissioner previously recommended a response date, which the institution did not accept but committed to a later date. When the institution again failed to respond, the complaint was reopened. The Commissioner found the complaint to be well-founded.

• Timeliness of response under ATIA section 10(3)
• Failure to meet commitment disclosure date

This report details a review of passport protection practices by four federal institutions: IRCC, ESDC, GAC, and CPC. While the institutions generally had reasonable measures to prevent unauthorized passport disclosures, the review identified areas for improvement in incident detection, remediation for affected individuals, and learning from past breaches. The institutions agreed to implement the OPC's recommendations to enhance these processes.

• Adequacy of measures to prevent unauthorized disclosure of passports
• Effectiveness of incident detection mechanisms
• Sufficiency of remediation measures for affected individuals
• Processes for learning from past passport breach incidents