Privacy Act Complaints

Privacy Act Complaints

Online Posting Practices of Administrative Tribunals: Pension Appeals Board; Office of the Umpire (Employment Insurance appeals)

On July 25, 2007, CIPPIC filed a complaint with the Privacy Commissioner of Canada under s.29 of the federal Privacy Act about two federal tribunals that post full decisions online without redacting often highly sensitive personal information.  In its letter, CIPPIC asked the Privacy Commissioner to establish guidelines for federal agencies regarding the online posting of decisions and other documents that contain personal data about individual applicants, appellants, or complainants.  CIPPIC argued that openness and accountability do not require the identification of individual applicants/appellants/complainants.

The Privacy Commissioner agreed with CIPPIC that the federal Office of the Umpire should not be publishing personal details as part of the employment appeal decisions it posts online.  In a letter dated July 8, 2008, the Assistant Privacy Commissioner sets out the history of his investigation of this matter, his analysis, findings and recommendations to Service Canada, and notes that after initial resistance, Service Canada has now agreed to implement his recommendations.

The Office of the Privacy Commissioner (OPC) also found that CIPPIC's PAB complaint was "well-founded". PAB decisions contain extremely sensitive personal information about appellants and their families. By way of a letter dated October 15, 2008, the OPC analysed the various arguments made by the PAB in defence of its policy of posting full unredacted decisions online, and concluded that the protection of privacy in this case requires the use of randomized initials in place of names.  Because the PAB refused to randomize initials, it remains in violation of the Privacy Act.  The OPC Report of Findings sets out guidelines for depersonalization of such decisions, as well as for determining whether the public interest in disclosure outweighs privacy concerns.

CRTC policy of posting personal information on website

After being alerted by a concerned citizen about the CRTC's policy of posting on its website comments received from individual members of the public in the context of public processes, together with all personal contact information provided by the individual, CIPPIC investigated the matter and wrote to the CRTC in January 2005, explaining how this policy is inappropriately privacy-invasive and possibly illegal, and proposing an alternative, privacy-respectful approach.

The CRTC responded (930 KB) in April 2005, defending its policy as appropriate in order to ensure the transparency and accountability of public processes, and to avoid the administrative effort that would be required to excise personal contact information from submissions.

In June 2005, CIPPIC wrote to the federal Privacy Commissioner, asking her to investigate this issue and determine:

  1. whether the CRTC's policy is permitted under the federal Privacy Act, and
  2. whether the policy represents an appropriate balance between the competing values of privacy on one hand and transparency/accountability on the other hand.

The CRTC reconsidered its position and investigated a variety of options to address the problem raised by CIPPIC. In the fall of 2005, CRTC staff proposed to implement a number of procedures in order to protect the privacy of individuals responding to its public notices. Such procedures include standardizing warning notices, installing a program to protect personal information from major search engines, putting in place mechanisms to prevent email harvesting of personal information posted on the site, and possibly amending online forms.

The CRTC also committed to consider other changes to its online forms and processes to protect the privacy of individuals participating in its public processes, and to consult with CIPPIC with respect to those changes.

CIPPIC is satisfied with the CRTC's response, but awaits a determination from the Privacy Commissioner of Canada with respect to the broader policy issue of posting personal information of citizens on government websites, as it applies to the federal government generally.

In a letter to the CRTC dated Nov.17, 2005, The Privacy Commissioner's office (OPCC) expressed its appreciation for the CRTC's responsiveness and asked to be advised when the proposed initiatives are implemented. The OPCC also noted that "the issue of government organizations publishing personal information on the Internet is one that warrants attention. Therefore, we will discuss the matter with the Research and Policy Branch of this Office".  It appears that no further action is being taken by the OPCC on this matter.