BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

925 decisions matching
Ontario
Subscribers only
Municipal Freedom of Information and Protection of Privacy Act

Order MO-3289

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Feb 19, 2016 · Incident Summary #11 · Indexed Apr 12, 2026

Incident Summary #11: Financial institution reacts quickly to mass-mailing error

A financial institution

A financial institution reported a breach to the OPC after a printing error resulted in a few hundred clients receiving incorrect RRSP tax contribution statements. Some statements mistakenly included the personal information of other individuals, including names, addresses, account numbers, and Social Insurance Numbers. The institution promptly investigated, notified affected clients, provided new statements, increased account monitoring, and offered credit alert monitoring. They also reviewed and enhanced internal procedures to prevent future errors.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of safeguards to prevent privacy breaches
  • Timeliness and appropriateness of breach response
  • Notification of affected individuals
  • Review and enhancement of internal policies and procedures

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Feb 19, 2016 · PIPEDA Report of Findings #2016-002 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2016-002: Property management company agrees to scrap "bad tenant list"

A property management company

The Office of the Privacy Commissioner of Canada investigated a complaint regarding a property management company maintaining a "bad tenant" list for a landlord association. The complainant alleged improper collection, use, and disclosure of personal information without consent. The OPC found that the list functioned like a credit reporting agency and that consent was not properly obtained, nor was there a mechanism for individuals to challenge the accuracy of the information. The property management company agreed to destroy the list and cease its collection, leading to the matter being resolved.

Adjudicator: Daniel Therrien

Key Issues
  • Adequacy of consent for collecting and using tenant information.
  • Whether the "bad tenant" list functioned as a credit reporting agency.
  • Ensuring the accuracy of personal information and the ability for individuals to challenge it.
  • Appropriateness of the purpose for collecting, using, and disclosing tenant information.

Quebec
Subscribers only
Act respecting access to documents held by public bodies and the protection of personal information

2016 QCCAI 47 — Municipalité de la paroisse des Saints-Martyrs-Canadiens

Prince Edward Island
Subscribers only
Freedom of Information and Protection of Privacy Act

FI-16-001 — Department of Economic Development and Tourism

British Columbia
Subscribers only
Personal Information Protection Act

P16-01 — BC OIPC order 1828

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Resolved
Feb 18, 2016 · Incident Summary #13 · Indexed Apr 12, 2026

Incident Summary #13: Fraudster targets financial institution employees and then customers to obtain personal information

A Canadian financial institution

This report details an incident where a fraudster impersonated an unknown individual to trick a financial institution's employees into revealing customer contact information. The fraudster then used this information to extract further personal details from approximately 100 customers, increasing their risk of identity theft. The financial institution took immediate steps to mitigate the breach, including offering credit monitoring and enhancing staff training.

Adjudicator: Daniel Therrien

Key Issues
  • Effectiveness of internal controls to prevent unauthorized disclosure of personal information
  • Adequacy of breach response and mitigation measures
  • Risks of identity theft and fraud due to personal information disclosure

Quebec
Subscribers only
Act respecting access to documents held by public bodies and the protection of personal information

2016 QCCAI 45 — Municipalité de Shannon

Quebec
Subscribers only
Act respecting the protection of personal information in the private sector

2016 QCCAI 44 — La Capitale assurances et gestion du patrimoine inc.

British Columbia
Subscribers only
Freedom of Information and Protection of Privacy Act

F16-06 — BC OIPC order 1826

Quebec
Subscribers only
Act respecting access to documents held by public bodies and the protection of personal information

2016 QCCAI 40 — Ville de Mascouche

Quebec
Subscribers only
Act respecting health and social services information

2016 QCCAI 42 — Centre intégré de santé et de services sociaux du Bas-Saint-Laurent

British Columbia
Subscribers only
Freedom of Information and Protection of Privacy Act

F16-05 — BC OIPC order 1825

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & resolved
Feb 12, 2016 · PIPEDA Report of Findings #2016-006 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2016-006: An insurance company’s internal ombudsman office is not a “formal dispute resolution process” under PIPEDA

An insurance company

The complainant alleged an insurance company refused to provide her with access to her personal information, including a recording of a telephone conversation, and documents related to her complaint to the company's ombudsman office. The company claimed the ombudsman process was a "formal dispute resolution process" exempt from PIPEDA and that the process was not a "commercial activity." The OPC found the company contravened PIPEDA by unduly delaying access to the recorded conversation and by incorrectly withholding documents from the ombudsman process. The OPC determined the ombudsman office was not a "formal dispute resolution process" and its activities were subject to PIPEDA.

Adjudicator: Daniel Therrien

Key Issues
  • Is an internal ombudsman office a "formal dispute resolution process" under PIPEDA?
  • Are the services of an internal ombudsman office considered "commercial activity" under PIPEDA?
  • Does an organization need spousal consent to release joint account information when third-party information can be severed?
  • What are the obligations of an organization responding to an access to information request under PIPEDA?

Quebec
Subscribers only
Act respecting the protection of personal information in the private sector

2016 QCCAI 38 — Bélair Direct
