Canadian Privacy Decisions

The institution applied for approval to decline acting on an access request for all internal correspondence over seven years, arguing it was an abuse of the right of access. The requester did not make submissions. The Commissioner found the request, due to its overbroad scope in combination with the institution's small size and limited resources, constituted an abuse of the right of access, and granted the institution's application.

• Whether the request constitutes an abuse of the right of access under subsection 6.1(1) of the ATIA.
• Whether the institution fulfilled its duty to assist the requester under subsection 4(2.1) of the ATIA.

The complainant alleged that Transport Canada improperly withheld information related to mediation services provided by the Canadian Institute for Conflict Resolution (CICR) under paragraph 20(1)(b) of the Access to Information Act. The Information Commissioner found that while the third party's hourly rate and hours billed were properly withheld, the description of services, dates, subtotals, taxes, total amount, and amount paid were not. The Commissioner ordered Transport Canada to disclose this latter information, and the Minister agreed to implement the order.

• Applicability of paragraph 20(1)(b) to financial and commercial information.
• Confidentiality of information provided by a third party.
• Discretionary application of exemptions by the institution.
• Requirement for information to be supplied by a third party.

The complainant requested information from Health Canada regarding problems with implantable medical devices. Health Canada failed to respond within the extended time limit and was deemed to have refused access. The institution faced delays due to third-party objections and a judicial review application, which was later withdrawn. The Information Commissioner recommended that Health Canada provide a final response to the complainant by May 26, 2021, and the Minister agreed to implement this recommendation.

• Failure to respond within statutory time limits
• Deemed refusal of access
• Impact of third-party objections and judicial review on processing
• Timeliness of final response

The Information Commissioner ceased an investigation into a complaint regarding an institution's search for records. The OIC had previously investigated and issued a final report on an identical matter concerning the institution's search for records from the 1990s. As continuing the investigation was deemed unnecessary and the complainant did not respond to an offer to provide further representations, the investigation was discontinued.

• Whether continuing the investigation was unnecessary
• Whether the matter had already been the subject of a previous investigation or final report

The complainant alleged that Library and Archives Canada (LAC) failed to respond to an access request within the statutory time limits. LAC took an extensive extension but still missed the deadline, resulting in a deemed refusal. The delay was partly due to a consultation with CSIS and LAC's lack of infrastructure to process Top Secret records. The Information Commissioner found the complaint well founded, recommending immediate action and a permanent solution for processing classified records.

• Failure to respond within statutory time limits.
• Validity of 425-day time extension.
• LAC's lack of infrastructure to process classified records.
• Deemed refusal under subsection 10(3) ATIA.

The complainant alleged that Employment and Social Development Canada (ESDC) wrongly refused to process an access request for emails containing specific keywords, claiming they were not under its control. The emails were stored on ESDC servers and sent using a government account. However, the OIC found that the emails were entirely personal, had no institutional purpose, and were not integrated with ESDC's records. Therefore, the OIC concluded the emails were not under ESDC's control and not subject to the Access to Information Act, resulting in the complaint being not well founded.

• Whether the requested emails were under the control of Employment and Social Development Canada for the purposes of the Access to Information Act.

The complainant alleged that Public Services and Procurement Canada (PSPC) failed to respond to an access request for COVID-19 related contracts within the statutory time limit. PSPC cited pandemic measures as a reason for the delay. The Information Commissioner found that institutions cannot suspend access request processing due to the pandemic and that PSPC failed to respond within the required timeframe. Therefore, the complaint was deemed well-founded, and PSPC is considered to have refused access.

• Failure to respond within the statutory time limit
• Justification for delay due to pandemic measures
• Application of subsection 10(3) of the ATIA (deemed refusal)

This report details a systemic investigation into Immigration, Refugees and Citizenship Canada's (IRCC) handling of access to information requests, particularly for immigration application files. The investigation found that IRCC's practice of automatically extending response times for frequent requesters violated the Access to Information Act. The Information Commissioner made five recommendations to improve IRCC's processes, including ceasing this practice, developing a work plan for performance improvements, enhancing the availability of client information through other means, and securing adequate resources for the ATIP office.

• Timeliness of response to access to information requests
• Proper application of time extension provisions under the ATIA
• Systemic issues in processing high volumes of access requests
• Accessibility of immigration application information through alternative channels

The complainant alleged that the Privy Council Office (PCO) improperly withheld the names of employees within the Prime Minister's Office. The information was requested in relation to records concerning an announcement about audits of registered charities for political activities. The OIC found that the withheld names constituted personal information and met the requirements for exemption under subsection 19(1) of the Access to Information Act. The OIC was also satisfied that none of the exceptions allowing for disclosure under subsection 19(2) applied. Therefore, the complaint was not well-founded.

• Whether the names of Prime Minister's Office employees constitute personal information under subsection 19(1) of the ATIA.
• Whether the information fell under exceptions to the definition of personal information.
• Whether the institution properly exercised its discretion to disclose the information under subsection 19(2) of the ATIA.

The complainant requested information regarding legal fees for a specific litigation file from the Department of Justice Canada. The Department withheld expense details and disbursements under section 23 (legal advice and litigation privilege), citing solicitor-client privilege and a presumption of privilege for legal bills. The Information Commissioner found that while disbursements are generally presumed privileged, this presumption was rebutted in this case. The Commissioner concluded that the information was not subject to privilege as there was no reasonable possibility that it could be used to deduce protected communications, and recommended its disclosure. The Department of Justice Canada agreed to implement this recommendation.

• Whether section 23 (legal advice and litigation privilege) of the ATIA applied to the withheld expense details and disbursements.
• Whether the presumption of privilege for legal bills, as established in Maranda v. Richer, was rebutted.
• Whether the withheld information could be used by an assiduous inquirer to deduce privileged communications.

This investigation report concerns a large-scale breach of personal information at the Bank of Montreal (BMO), affecting approximately 113,000 customers. The OPC found that BMO's online banking software had significant vulnerabilities, including issues with developer security testing, vulnerability management, and oversight/monitoring, which allowed attackers to access sensitive data such as financial account numbers and SINs. BMO has since implemented substantial improvements to its security safeguards.

• Adequacy of BMO's technical safeguards to protect personal information.
• Effectiveness of BMO's developer security testing and evaluation processes.
• Sufficiency of BMO's vulnerability management protocols.
• Appropriateness of BMO's oversight and monitoring capabilities for detecting cyberattacks.

This investigation concerned a complaint that Fido Solutions Inc. failed to safeguard a customer's personal information, allowing fraudsters to access and alter account details. It was found that Fido's customer service representatives repeatedly failed to follow authentication protocols, leading to unauthorized access. Additionally, the complaint alleged Fido failed to provide a requested transcript in an understandable format. Fido has committed to implementing enhanced safeguards regarding authentication protocols and has since provided the requested transcripts.

• Adequacy of safeguards to protect customer personal information from unauthorized access.
• Effectiveness of authentication protocols and employee adherence.
• Proper response to customer requests for access to personal information.
• Provision of personal information in a generally understandable format.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding a charitable organization's donor list trading program. The OPC found that the charity required express opt-in consent, not opt-out, for sharing donor contact information, as this practice fell outside donors' reasonable expectations. The OPC also determined that the information provided to donors was insufficient to ensure meaningful consent, lacking details about what information would be shared with whom and for what purpose. The charity agreed to implement recommendations to obtain opt-in consent and provide clearer information.

• Requirement for opt-in versus opt-out consent for donor list trading.
• Sufficiency of information provided to donors for meaningful consent.
• Application of the 'reasonable expectations' principle under PIPEDA.
• Compliance with PIPEDA's requirements for consent for information sharing.

The Office of the Privacy Commissioner of Canada (OPC) investigated CoreFour Inc. concerning its compliance with PIPEDA regarding its learning management system, Edsby. The OPC found that CoreFour's safeguards were not adequate due to vulnerabilities in password requirements and protection of student profile pictures, and a lack of an overarching information security framework. The OPC also found that CoreFour lacked a robust accountability framework, including written policies and adequate privacy training. However, the OPC found CoreFour to be in compliance with its breach reporting and notification obligations. CoreFour has accepted the recommendations and is implementing corrective measures.

• Adequacy of safeguards for personal information
• Breach reporting and notification obligations
• Accountability for privacy compliance
• Development of privacy management and information security frameworks

The complainant alleged that a computer services company remotely accessed his laptop without his express consent during a help desk call. The Office of the Privacy Commissioner of Canada (OPC) found that the company failed to obtain meaningful express consent for remote access and did not have adequate safeguards to protect customer information. The company has since restructured, ceased offering personal help desk services, and no longer uses the remote access software, leading the OPC to find the complaint well-founded and resolved.

• Whether meaningful express consent was obtained for remote computer access.
• Whether adequate safeguards were in place to protect customer data during remote access.
• The nature of consent required for accessing potentially sensitive personal information on a customer's laptop.