Canadian Privacy Decisions

The complainant alleged that Crown-Indigenous Relations and Northern Affairs Canada (CIRNAC) had improperly withheld records related to land ownership and transactions on the Bruce/Saugeen Peninsula under section 23 (solicitor-client and litigation privilege). CIRNAC initially claimed solicitor-client privilege but later conceded this did not apply. The institution then argued litigation privilege, citing ongoing court cases. However, the Commissioner found CIRNAC failed to demonstrate that the records were created for the dominant purpose of litigation. The Commissioner recommended full disclosure, but CIRNAC refused to implement the recommendation.

• Applicability of section 23 (solicitor-client privilege)
• Applicability of section 23 (litigation privilege)
• Dominant purpose test for litigation privilege
• Institution's discretion to exercise privilege claims

The complainant alleged that the Department of Justice Canada did not conduct a reasonable search for a 2009 workplace report. The Department stated that the record's retention period was five years and it was requested seven years later, meaning it would have been destroyed. While the complainant claimed the consultant still had a copy, the Department argued it was not reasonable to contact the consultant directly given the nature and age of the contract. The OIC agreed that the Department conducted a reasonable search.

• Did the institution conduct a reasonable search for the requested records?
• Whether the institution was required to contact the consultant directly to fulfill the request.

The complainant requested historical Canadian intelligence assessment records. The Privy Council Office (PCO) initially withheld information under subsections 15(1) (national security) and 19(1) (personal information) of the Access to Information Act. While the OIC found PCO's use of subsection 19(1) justified, it determined that PCO failed to demonstrate how disclosing the remaining information under subsection 15(1) would cause harm. The Information Commissioner ordered PCO to disclose the records.

• Whether the Privy Council Office met the requirements of subsection 15(1) of the Access to Information Act for withholding records related to distribution markings, CSE employee names, and allied distribution lists.
• Whether the Privy Council Office met the requirements of subsection 19(1) of the Access to Information Act for withholding personal information.
• Whether the Privy Council Office reasonably exercised its discretion in deciding not to disclose the information withheld under subsection 15(1).
• The timeliness and appropriateness of the Privy Council Office's submissions following the issuance of the initial report.

The complainant alleged that the Canada Mortgage and Housing Corporation (CMHC) improperly withheld information under several sections of the Access to Information Act, including government information, personal information, third-party commercial information, advice, deliberations, and solicitor-client privilege. The scope of the complaint was narrowed during the investigation. While CMHC disclosed some information, it continued to withhold information under paragraph 20(1)(b) related to third parties TD Bank Financial Group and Andrew Kalotay Associates, Inc. The Information Commissioner found that CMHC failed to demonstrate that this information met the requirements of paragraph 20(1)(b) and ordered its disclosure.

• Applicability of paragraph 20(1)(b) to withheld information
• Confidentiality of third-party information
• Objective standard for confidentiality
• Third-party representations

This investigation examined whether the collection, use, and disclosure of traveller vaccination status by Transport Canada, VIA Rail, and CATSA complied with the Privacy Act. The Office of the Privacy Commissioner found that the personal information was collected, used, and disclosed in compliance with the Act's requirements. While the Act does not mandate necessity and proportionality, the OPC also considered these principles and found the measures were generally necessary and proportional, though recommended clearer definition of objectives and documentation of less privacy-invasive alternatives for future initiatives.

• Whether the collection of vaccination information was directly related to the operating programs or activities of CATSA and VIA Rail.
• Whether the use and disclosure of personal information, and the centralized collection by Transport Canada, complied with sections 4, 7, and 8 of the Privacy Act.
• Whether the collection of personal information was necessary and proportional, considering the circumstances and available alternatives.

This investigation examined whether the collection, use, retention, and disclosure of personal information by the Public Health Agency of Canada (PHAC) and the Canada Border Services Agency (CBSA) related to COVID-19 vaccine mandates for travellers entering Canada complied with the Privacy Act. The OPC found that the agencies had the authority to collect this information as it was directly related to their mandate under the Quarantine Act and the Emergency Orders. While the OPC identified some weaknesses in PHAC's documentation regarding the necessity and proportionality of the measures, overall, the collection, use, and disclosure of personal information were deemed compliant with the Act.

• Whether personal information collected was directly related to an operating program or activity of PHAC and CBSA.
• Whether personal information was used or disclosed for the purpose for which it was compiled or in accordance with an Act of Parliament.
• Whether personal information was disposed of in accordance with the Privacy Regulations and the Directive on Privacy Practices.
• Whether the collection of personal information under the Emergency Orders was necessary and proportional.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding erroneous quarantine notifications sent by the ArriveCAN application to approximately 10,200 Apple device users. The OPC found that the Canada Border Services Agency (CBSA) did not take all reasonable steps to ensure the accuracy of the personal information used for administrative decisions, contravening subsection 6(2) of the Privacy Act. The CBSA disagreed with this finding and refused to correct the inaccurate information, although they later informed the OPC that the defect had been fixed and affected individuals notified.

• Whether the CBSA took all reasonable steps to ensure the accuracy of personal information used for administrative decisions.
• Whether the 'quarantine_exempted' data field constituted personal information used for an administrative purpose.
• Whether the CBSA's pre-release testing, human intervention, and correction mechanisms were adequate.
• Whether the CBSA should correct the erroneous information it holds despite the measures taken.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that the Canada Border Services Agency (CBSA) contravened the Privacy Act by collecting and using DNA from a complainant for genetic genealogy analysis to determine his nationality for deportation purposes. The OPC found that the CBSA contravened the Act by failing to obtain valid authorization for the indirect collection of the complainant's genetic information from FamilyTreeDNA (FTDNA), by improperly disclosing his personal information to other FTDNA users, and by failing to adequately describe the collection of relatives' genetic information in its public notices (PIBs).

• Was the CBSA's collection of genetic genealogy information directly related to its operations?
• Was the authorization for indirect collection from FTDNA valid?
• Did incidental disclosures of personal information contravene the Act?
• Were the transparency obligations under Section 11 met?

The spouse of a Correctional Services Canada (CSC) employee complained that the employee's manager inappropriately collected personal information about them from their public Facebook page in relation to the employee's use of "Other leave with pay (699)". The OPC found that CSC contravened section 4 of the Privacy Act by collecting information that was not related directly to an operating program or activity of CSC. The OPC also noted that CSC's ATIP office incorrectly advised the complainant on how to raise a privacy concern.

• Whether the collection of personal information from a public Facebook page was related directly to an operating program or activity of CSC.
• Whether information collected from a public source is exempt from the collection provisions of the Privacy Act.
• Whether CSC's ATIP office provided appropriate guidance to a member of the public wishing to raise a privacy concern.

The complainant alleged that Transport Canada improperly withheld information regarding applications and Minimum Safe Manning Documents for the motor vessel Spirit of Vancouver Island, citing personal information and confidential third-party commercial/technical information exemptions. The Information Commissioner found that the personal information exemption was no longer at issue. While some information on page 50 met the criteria for the third-party emergency management plan exemption (paragraph 20(1)(b.1)), the Commissioner found that only the titles and headings of that document should be disclosed. The Commissioner also found that the third-party commercial/technical information exemption (paragraph 20(1)(b)) was not met for any of the remaining withheld information.

• Application of paragraph 20(1)(b.1) to emergency management plans
• Application of paragraph 20(1)(b) to confidential third-party information
• Whether Transport Canada properly exercised its discretion regarding disclosure
• Whether the institution met the burden of proof for the exemptions

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint concerning the Immigration and Refugee Board of Canada's (IRB) improper disclosure of an employee's sensitive medical information to their management team. The IRB shared a "Fitness to Work" report containing intimate medical details without the employee's consent and beyond what was necessary for accommodation. The OPC found that while some information disclosure was consistent with the purpose of collection, the disclosure of highly sensitive medical information was not, thus contravening the Privacy Act. The IRB has since updated its policies and tools, but the OPC found the complaint to be well-founded and not adequately resolved, urging the IRB to implement its recommendations, including training and a meaningful apology.

• Whether the IRB obtained the complainant's consent to disclose their medical information.
• Whether the disclosure of the medical information in the FTW report to management constituted a "consistent use" under paragraph 8(2)(a) of the Privacy Act.
• Whether the IRB's disclosure practices complied with the Treasury Board Secretariat's "Standard" on fitness to work evaluations.
• The adequacy of the IRB's response to the OPC's recommendations.

The complainant alleged that Public Safety Canada's 240-day extension to respond to an access request was unreasonable. The request was for correspondence between Public Safety and the RCMP in May 2022. Public Safety could not justify the lengthy extension, as the volume of records was not large and the RCMP's consultation timeline was based on service standards rather than record complexity. The Information Commissioner found the extension invalid, deeming the delay a refusal of access.

• Reasonableness of time extension under subsection 9(1) of the ATIA
• Definition of 'large number of records' under paragraph 9(1)(a)
• Justification for consultation delays under paragraph 9(1)(b)
• Timeliness of institution's response

The complainant alleged that the Public Health Agency of Canada (PHAC) did not conduct a reasonable search for records related to masks, requested under the Access to Information Act. PHAC initially stated no records existed as an employee deleted their entire email mailbox. During the investigation, PHAC conducted additional searches and found responsive records. The Commissioner found the complaints to be well-founded due to the initial inadequate search.

• Reasonableness of the search conducted by the institution
• Disposition of electronic records by an employee
• Institution's obligation to search beyond the employee's direct records
• Information management practices of the institution

The complainant alleged that Public Services and Procurement Canada (PSPC) failed to respond to an access request for records concerning the procurement of new handguns for the military within the 30-day time limit. PSPC did not respond by the due date of July 5, 2021, and cited backlogs, operational challenges, and staffing issues for the delay. The Information Commissioner found the complaint well-founded, noting that these reasons do not absolve PSPC of its statutory obligation.

• Timeliness of response to access request
• Effect of operational challenges and staffing shortages on statutory obligations
• Definition of a "response" under the Act

The complainant alleged that National Defence (DND) failed to respond to an access request within the 30-day timeframe. DND refused to process the request, believing it did not meet the clarity requirements of section 6 of the Access to Information Act. The Information Commissioner found that the request did meet the requirements and that DND should have processed it without clarification. DND was therefore deemed to have refused access. The Commissioner ordered DND to provide a complete response to the request, and DND indicated it would comply.

• Whether the access request met the requirements of section 6 of the Access to Information Act.
• Whether National Defence properly refused to process the access request.
• Whether National Defence failed to respond within the time limits set out in the Act.