BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

55 decisions matching
Federal (Canada) · Access to Information Act · Well-founded
Feb 28, 2023 · 5820-01454 · Indexed Apr 21, 2026

5820-01454 — Canadian Security Intelligence Service

Canadian Security Intelligence Service

The complainant alleged that CSIS failed to sufficiently identify which portions of the requested records were redacted and on what basis. CSIS used negative redactions and did not specify exemptions on the records themselves, claiming it could cause harm. The Information Commissioner found this insufficient, recommending CSIS provide a new response clearly identifying withheld portions and citing specific exemptions, cease using negative redactions, and cite exemptions on the records themselves. CSIS agreed to implement these recommendations.

Adjudicator: Caroline Maynard
Key Issues
  • Adequacy of identification of redacted portions and grounds for withholding.
  • Propriety of using negative redactions.
  • Requirement to cite exemptions on the records themselves versus in response letters.
  • CSIS's obligation to assist the requester.

Federal (Canada) · Access to Information Act · Well-founded
Feb 27, 2023 · 5822-02572 · Indexed Apr 21, 2026

5822-02572 — National Defence

National Defence

The complainant alleged that National Defence did not conduct a reasonable search for records related to unidentified aerial phenomena (UAP). The investigation found that the institution misinterpreted the request and relied too heavily on a keyword search. An additional search was ordered, which located 11 pages of previously unreleased records. National Defence has stated it will comply with the order to release these records.

Adjudicator: Caroline Maynard
Key Issues
  • Reasonableness of search
  • Interpretation of access request
  • Use of keyword search

Federal (Canada) · Privacy Act · Well-founded & resolved
Feb 23, 2023 · Indexed Apr 12, 2026

Failure to publish a personal information bank description on Zero-Emissions Program contravenes the Privacy Act

Transport Canada

An individual complained that Transport Canada failed to publish a description of the Personal Information Bank (PIB) for its Incentives for Zero-Emission Vehicles Program. The investigation found that Transport Canada did not submit the PIB description for approval until 19 months after the program launched, and it was still not approved by the Treasury Board Secretariat (TBS) by the time the OPC's report was issued. Transport Canada has since confirmed the PIB has been approved and published.

Adjudicator: Philippe Dufresne
Key Issues
  • Failure to publish a Personal Information Bank (PIB) description for a program
  • Timeliness of PIB approval and publication by government institutions and TBS
  • Adequate notification to individuals about the collection and use of their personal information

Federal (Canada) · Privacy Act · Well-founded & conditionally resolved
Feb 15, 2023 · Indexed Apr 12, 2026

TBS email breach illustrates the importance of considering context when assessing impact of a breach

Treasury Board of Canada Secretariat (TBS)

Twenty federal employees complained after the Treasury Board of Canada Secretariat (TBS) mistakenly disclosed their email addresses and the fact they had filed claims for damages related to the Severe Phoenix Impacts program. The OPC found that TBS contravened the Privacy Act by improperly disclosing personal information. While TBS argued the breach was not material, the OPC disagreed, emphasizing the importance of contextual factors and the potential for harm, even if not all individuals experienced severe injury.

Adjudicator: Philippe Dufresne
Key Issues
  • Was the disclosure of personal information authorized under the Privacy Act?
  • Was the privacy breach considered "material" by TBS?
  • Did TBS conduct a holistic and context-informed assessment of the breach's materiality and potential harm?

Federal (Canada) · Access to Information Act · Well-founded
Feb 3, 2023 · 5821-01206 · Indexed Apr 21, 2026

5821-01206 — Library and Archives Canada

Library and Archives Canada

The complainant alleged that Library and Archives Canada (LAC) had improperly withheld information under subsection 15(1) (national security and international relations) of the Access to Information Act. The records requested were from the Intelligence Advisory Committee, 1989-1995, concerning migration trends and global developments. The OIC found that similar records had been disclosed previously and the information reflected public debate, thus not meeting the requirements of subsection 15(1). LAC disclosed the records in full on January 20, 2023.

Adjudicator: Caroline Maynard
Key Issues
  • Applicability of subsection 15(1) to records concerning migration trends and global developments
  • Burden of proof on the institution to justify withholding records
  • Prior disclosure of similar information by the Canadian Government
  • Information reflecting public and Parliamentary debate

Federal (Canada) · Access to Information Act · s.6.1 Application Granted (refusal authorized)
Feb 1, 2023 · 2023 OIC 03 · Indexed Apr 21, 2026

Decision pursuant to 6.1, 2023 OIC 03

Human Resources sector of an unnamed federal institution

An institution applied to the Information Commissioner for approval to decline an access to information request, arguing it was vexatious and an abuse of the right to access records. The requester sought all emails, text messages, and computer files from three HR employees. The Commissioner found the request was overly broad, placed an undue burden on the institution, and impeded the rights of others, thus constituting an abuse of the right to access records. The Commissioner also found the institution had met its duty to assist the requester prior to making the application.

Adjudicator: Caroline Maynard
Key Issues
  • Whether the access request constitutes an abuse of the right to make a request under subsection 6.1(1) of the ATIA.
  • Whether the institution met its duty to assist obligations under subsection 4(2.1) of the ATIA.
  • Whether the request was vexatious.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Jan 26, 2023 · PIPEDA Findings #2023-001 · Indexed Apr 12, 2026

PIPEDA Findings #2023-001: Investigation into Home Depot of Canada Inc.’s compliance with PIPEDA

Home Depot of Canada Inc.

The Office of the Privacy Commissioner of Canada investigated Home Depot for disclosing customer email addresses and purchase details to Meta (Facebook) through Meta's "Offline Conversions" tool without valid consent. Home Depot used this tool to measure the effectiveness of its Facebook ads. The OPC found that Home Depot's privacy statement and Meta's policy were insufficient to obtain implied consent for this disclosure, as customers were not reasonably expected to understand that their data would be shared for these secondary purposes. Home Depot has since discontinued the use of the tool and agreed to implement recommendations for obtaining express consent should they restart the practice.

Adjudicator: Philippe Dufresne
Key Issues
  • Whether Home Depot obtained valid consent for disclosing customer purchase data to Meta.
  • Whether the information disclosed was sensitive.
  • Whether Home Depot's privacy statement and Meta's policies provided sufficient notice and clarity.
  • Whether express opt-in consent should have been obtained.

Federal (Canada) · Access to Information Act · Well-founded
Jan 25, 2023 · 5821-01349 · Indexed Apr 21, 2026

5821-01349 — Transport Canada

Transport Canada

The complainant requested information related to applications and Minimum Safe Manning (MSM) Documents for the passenger ship Queen of Cumberland. Transport Canada withheld information under subsections 19(1) (personal information) and 20(1)(b) (confidential third-party information). The complainant later withdrew the section 19(1) aspect of the complaint. The Information Commissioner found that Transport Canada failed to demonstrate that the withheld information met the requirements of paragraph 20(1)(b), ordering the disclosure of all information previously withheld under that provision.

Adjudicator: Caroline Maynard
Key Issues
  • Whether the withheld information met the criteria for paragraph 20(1)(b) of the ATIA, specifically concerning its technical nature, confidentiality, whether it was supplied by a third party, and if it was consistently treated as confidential by the third party.
  • Whether the information was publicly available or observable by passengers, impacting the confidentiality claim.
  • Whether the MSI's handwritten notes and the completed MSMDs constituted information supplied by a third party.
  • The third party's (BC Ferries) lack of position on the disclosure of the information.

Federal (Canada) · Access to Information Act · Well-founded
Jan 13, 2023 · 5819-00296 · Indexed Apr 21, 2026

5819-00296 — Employment and Social Development Canada

Employment and Social Development Canada

The complainant alleged that Employment and Social Development Canada (ESDC) improperly withheld information related to Canadian universities' engagement in the Federal Contractors Program. The withheld information was claimed under sections related to personal information, confidential third-party commercial information, and disclosure restricted by another law. The Information Commissioner found the complaint to be well-founded, determining that ESDC had not adequately demonstrated that all withheld information met the exemption criteria or that it had properly exercised its discretion. As a result, the Commissioner ordered ESDC to disclose the information at issue, and ESDC indicated it would implement the order.

Adjudicator: Caroline Maynard
Key Issues
  • Whether information withheld under subsection 19(1) (personal information) was about identifiable individuals and whether discretion was properly exercised.
  • Whether a completed Employment Equity Achievement Awards Application Form met the requirements for exemption under paragraph 20(1)(b) (confidential third-party commercial information).
  • Whether information withheld under subsection 24(1) (disclosure restricted by another law) was properly withheld (this was removed from scope).
  • Whether the institution properly severed non-exempt information from exempt information.

Federal (Canada) · Access to Information Act · Well-founded
Jan 9, 2023 · 5820-04082 · Indexed Apr 21, 2026

Trans Mountain Corporation (Re), 2023 OIC 01

Trans Mountain Corporation

The complainant alleged that Trans Mountain Corporation (TMC) improperly responded to an access request by invoking section 10(2) of the Access to Information Act, refusing to confirm or deny the existence of records, and indicating that any responsive records would be withheld under section 16(2) (facilitating the commission of an offence). The Information Commissioner found that TMC failed to demonstrate that the existence of records itself warranted withholding, especially since TMC had previously acknowledged similar records. Furthermore, TMC did not sufficiently establish that any responsive records would meet the criteria for exemption under section 16(2).

Adjudicator: Caroline Maynard
Key Issues
  • Proper application of section 10(2) (neither confirm nor deny existence of records)
  • Whether the existence or absence of records can itself be information warranting withholding under the Act
  • Whether records could reasonably be expected to facilitate the commission of an offence under section 16(2)
  • TMC's inconsistent responses and blanket policy regarding record disclosure