Canadian Privacy Decisions

This special report details an investigation into unauthorized disclosures and modifications of taxpayer personal information at the Canada Revenue Agency (CRA). The Office of the Privacy Commissioner (OPC) found that the CRA contravened the Privacy Act regarding accuracy and disclosure of personal information. While the CRA has made efforts to improve its security, shortcomings remain in prevention, monitoring, detection, remediation, and governance, particularly concerning the handling of "Unauthorized Use of Taxpayer Information by a Third Party" (UUTP) incidents. The investigation concluded that the CRA contravened subsections 6(2) and 8(2) of the Act.

• Adequacy of safeguards to protect taxpayer personal information from unauthorized disclosure and modification.
• Timeliness and strength of multi-factor authentication implementation.
• Effectiveness of monitoring and detection mechanisms for UUTPs.
• Coordination and proactivity of the CRA's governance for addressing UUTPs.

This joint investigation by privacy authorities across Canada found that OpenAI contravened privacy laws in its collection, use, and disclosure of personal information through its ChatGPT models GPT-3.5 and GPT-4. Specifically, the investigation found that OpenAI's collection of personal information from publicly accessible websites for training purposes was overbroad and inappropriate. The company also failed to obtain valid consent and be sufficiently transparent about its data practices. While OpenAI has since implemented new mitigation measures and committed to further improvements, some provincial authorities found the new measures insufficient to meet their specific legislative requirements.

• Appropriateness of purpose for data collection and use
• Validity of consent and transparency obligations
• Accuracy of generated information
• Individual rights to access, correction, and deletion