Canadian Privacy Decisions

The Office of the Privacy Commissioner of Canada investigated a complaint regarding a property management company maintaining a "bad tenant" list for a landlord association. The complainant alleged improper collection, use, and disclosure of personal information without consent. The OPC found that the list functioned like a credit reporting agency and that consent was not properly obtained, nor was there a mechanism for individuals to challenge the accuracy of the information. The property management company agreed to destroy the list and cease its collection, leading to the matter being resolved.

• Adequacy of consent for collecting and using tenant information.
• Whether the "bad tenant" list functioned as a credit reporting agency.
• Ensuring the accuracy of personal information and the ability for individuals to challenge it.
• Appropriateness of the purpose for collecting, using, and disclosing tenant information.

The complainant alleged an insurance company refused to provide her with access to her personal information, including a recording of a telephone conversation, and documents related to her complaint to the company's ombudsman office. The company claimed the ombudsman process was a "formal dispute resolution process" exempt from PIPEDA and that the process was not a "commercial activity." The OPC found the company contravened PIPEDA by unduly delaying access to the recorded conversation and by incorrectly withholding documents from the ombudsman process. The OPC determined the ombudsman office was not a "formal dispute resolution process" and its activities were subject to PIPEDA.

• Is an internal ombudsman office a "formal dispute resolution process" under PIPEDA?
• Are the services of an internal ombudsman office considered "commercial activity" under PIPEDA?
• Does an organization need spousal consent to release joint account information when third-party information can be severed?
• What are the obligations of an organization responding to an access to information request under PIPEDA?

An individual complained that a collection agency refused to provide access to their personal information, despite multiple written requests. The agency failed to respond to several of these requests within the timeframes required by PIPEDA. Although the agency eventually sent the information, and the individual refused to sign for it, the agency was deemed to have provided access. The agency acknowledged it did not follow its own procedures for handling access requests and committed to revising them and providing refresher training.

• Timeliness of response to access requests
• Failure to follow internal procedures for handling access requests
• Adequacy of providing access to personal information

Canada Post's collection of electronic signatures for mail tracking was investigated following a complaint. The OPC found that Canada Post's collection, use, and disclosure of signatures for tracking purposes complied with the Privacy Act, as it was consistent with the original purpose of collection and a permitted disclosure under paragraph 8(2)(a) of the Act. However, the OPC identified shortcomings in the security and privacy controls of Canada Post's online tracking website and made recommendations for improvement, which Canada Post accepted.

• Adequacy of notice provided to individuals regarding the collection, use, and disclosure of their electronic signatures.
• Compliance with the Privacy Act regarding the collection, use, and disclosure of personal information.
• Adequacy of security and privacy controls for digitized signatures displayed on Canada Post's online tracking website.

The OPC investigated a complaint concerning a cable provider that posted a list of customers with overdue accounts on a public Facebook page. The provider believed this was permissible, citing municipal practices of publishing names of those in property tax arrears. The OPC clarified that while PIPEDA permits disclosure of information for debt collection purposes to third parties, it does not authorize public dissemination without consent.

• Public dissemination of personal information for debt collection
• Application of PIPEDA's debt collection exemption
• Comparison of debt collection practices with municipal tax arrears publications

A customer complained that a retail store employee disclosed his personal information, including his name and in-store behaviour, to his employer without his knowledge or consent. The Office found that the disclosed information was personal information and that the store could not rely on implied consent for the disclosure, as the information was sensitive and disclosure to an employer was not a reasonable expectation. The matter was resolved after the store implemented recommendations to communicate its PIPEDA obligations.

• Whether information disclosed in a public store is personal information.
• Whether implied consent applied to the disclosure of sensitive personal information to an employer.
• Whether the disclosed information qualified as publicly available information under the regulations.