Canadian Privacy Decisions

This report details an investigation into the loss of a USB key containing the personal information of 5,045 Canada Pension Plan Disability appellants. The investigation found that both Employment and Social Development Canada (ESDC) and Justice Canada failed to adequately translate their privacy and security policies into practice, leading to weaknesses in physical, technological, administrative, and personnel controls. Both departments accepted nine recommendations to improve data protection, many of which were similar to those made in a previous investigation involving ESDC.

• Adequacy of physical, technological, administrative, and personnel security controls
• Failure to translate privacy and security policies into meaningful business practices
• Protection of sensitive personal information including SIN and medical details
• Custody and storage of portable electronic devices containing personal information

The Information Commissioner initiated an investigation into Public Works and Government Services Canada (PWGSC) regarding the processing of eight access to information requests made between July 2008 and January 2010. The investigation focused on potential interference in how these requests were handled. The Commissioner has reported her findings.

• Possibility of interference in the processing of access to information requests
• Timeliness and completeness of response by PWGSC

This report details an investigation into the loss of an external hard drive at Employment and Social Development Canada (ESDC), which contained the personal information of 583,000 Canada student loan borrowers and 250 employees. The Office of the Privacy Commissioner of Canada (OPC) found that while ESDC had appropriate policies in place, there was a significant gap in their implementation, leading to inadequate physical, technical, administrative, and personnel security controls. Consequently, ESDC was found to be in contravention of sections 6(3), 7, and 8 of the Privacy Act. ESDC accepted all of the OPC's recommendations for improvement.

• Adequacy of physical security controls for storing personal information on portable media.
• Sufficiency of technical safeguards, such as encryption, for personal information on external hard drives.
• Effectiveness of administrative controls, including asset management and inventory of portable devices.
• Level of employee awareness and training regarding the risks associated with handling personal information on portable devices.

This systemic investigation examined the use and preservation of instant messages, such as BlackBerry PIN messages, on government devices. The investigation was prompted by complaints of missing records, including a case where devices were destroyed before an access request could be fulfilled. The OIC found that the use of instant messaging posed a risk to the right of access to information.

• Use and preservation of instant messaging on government devices
• Impact of instant messaging on the right of access to information
• Destruction of devices containing potential records
• Timeliness of access to information

The Office of the Privacy Commissioner of Canada investigated two separate incidents involving misdirected faxes containing personal information at two banks. In both cases, the banks failed to adequately safeguard personal information, leading to its disclosure to unintended recipients. While both banks took corrective actions, including revising policies and procedures, the OPC recommended further improvements in customer notification and information recovery.

• Adequacy of safeguards for personal information transmitted by fax
• Effectiveness of privacy policies and employee awareness
• Timeliness and scope of customer notification following a privacy breach
• Procedures for recovering erroneously transmitted personal information

This report details an investigation into CIBC's handling of misdirected faxes containing customer personal information, which occurred between 2001 and 2004. The investigation found that CIBC's privacy practices failed to adequately address these incidents, resulting in breaches of customer data and trust. The bank has since implemented significant remedial measures to enhance its privacy safeguards.

• Adequacy of CIBC's privacy policies and procedures
• Effectiveness of CIBC's response to misdirected fax incidents
• Timeliness and appropriateness of customer notification following a privacy breach
• Organizational awareness and adherence to privacy obligations