Protecting privacy in a pandemic

Special Report to Parliament

May 30, 2023


Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec  K1A 1H3

Toll-free: 1-800-282-1376
Phone: 819-994-5444
TTY: 819-994-6591

© His Majesty the King in Right of Canada, for the Office of the Privacy Commissioner of Canada 2023.

IP54-113/2023E-PDF
978-0-660-47986-6


Letter to the Speaker of the Senate

BY EMAIL

May 30, 2023

The Honourable Raymonde Gagné, Senator
Speaker of the Senate
Senate of Canada
Ottawa, Ontario  K1A 0A4

Dear Madam Speaker:

I have the honour to submit to Parliament the Special Report of the Office of the Privacy Commissioner of Canada entitled Protecting privacy in a pandemic. This tabling is done pursuant to section 39(1) of the Privacy Act.

Sincerely,

(Original signed by)

Philippe Dufresne
Commissioner


Letter to the Speaker of the House of Commons

BY EMAIL

May 30, 2023

The Honourable Anthony Rota, M.P.
Speaker of the House of Commons
House of Commons
Ottawa, Ontario  K1A 0A6

Dear Mr. Speaker:

I have the honour to submit to Parliament the Special Report of the Office of the Privacy Commissioner of Canada entitled Protecting privacy in a pandemic. This tabling is done pursuant to section 39(1) of the Privacy Act.

Sincerely,

(Original signed by)

Philippe Dufresne
Commissioner


Commissioner’s Message

As Privacy Commissioner of Canada, I am pleased to table this Special Report to Parliament presenting the results of several investigations and advisory initiatives that examined the federal government’s privacy practices in relation to measures adopted during the COVID-19 pandemic.

The pandemic was a rapidly evolving and unprecedented public health crisis that has had a profound effect on our world and our lives. It also raised important issues about the protection of personal information. Technology played a key role in helping the government and public health authorities to take swift action to predict, adapt and respond to an extraordinary public health crisis. The increased reliance on technology and the digitization of many aspects of our lives comes with undeniable benefits, but also has important privacy impacts that must be addressed.

Privacy matters to Canadians. In our most recent survey, 40% of respondents said that they were more concerned about privacy now than they were at the start of the pandemic. This is troubling. Canadians should feel confident that their privacy rights are being properly considered and protected, and organizations should make this a priority because when individuals are assured that their privacy is protected, it builds necessary trust in our institutions and the initiatives that they undertake.

Throughout the pandemic, my Office has continued to give key advice to public and private sector organizations to help ensure that privacy practices are appropriate, and that the measures implemented in response to the pandemic comply with privacy laws. We released a framework to assess privacy-impactful initiatives in response to the pandemic, and published guidance to help organizations understand their privacy-related obligations. We took the position that even during a public health crisis, privacy laws and other protections still apply and should not be seen as a barrier to the appropriate collection, use and sharing of personal information, but that a flexible and contextual approach to applying the law ought to be adopted.

We also called for public institutions to continue operating under lawful authority and to act responsibly, particularly with respect to the handling of information that may be considered sensitive, such as information about individuals’ health. Public institutions should also ensure that privacy-impactful initiatives are time-limited; necessary and proportional to achieve a specific objective; that appropriate measures are taken to safeguard personal information; and that there are clear measures for transparency and accountability built in so that individuals can know and trust how their personal information is being collected, used, and disclosed.

My Office received approximately 100 formal complaints related to the COVID-19 crisis, and other privacy-related concerns were raised through media reports and before parliamentary committees. The results of our investigations, which we are making public by tabling this Special Report, found that the collection, use, disclosure and retention of personal information by federal institutions complied with the Privacy Act, with a few exceptions. We also identified areas for improvement where there are gaps or shortcomings, and some important lessons to be learned from the pandemic, the most significant being the need to modernize our privacy laws to make it a legal requirement for government institutions to demonstrate that their collection of individuals’ personal information is necessary and proportional, and to provide a framework to address the use of de-identified information about individuals.

The COVID-19 pandemic has impacted almost every aspect of our lives over the last few years in ways that will continue to be felt for a long time. As we move forward, it is important to remember that privacy is fundamental to our individual dignity and our ability to enjoy other rights and freedoms. It is essential that the government protect our fundamental right to privacy – even during times of crisis or emergency – because doing so builds necessary trust in our institutions and supports the achievement of important public interest goals.


Introduction

In March 2020, the World Health Organization (WHO) declared a global pandemic. Efforts to contain the COVID-19 virus and to cope with its social and economic fallout prompted abrupt and colossal change worldwide. In response to the urgent public health crisis, the Government of Canada instituted public health measures, some of which involved the collection, use and disclosure of personal information, and which were intended to: (i) track virus transmission, (ii) enforce the Quarantine Act and other measures at Canada’s borders, (iii) provide benefits and economic stimulus, and (iv) manage public servants’ remote work practices and their eventual return to federal workspaces.

The mandate of the Office of the Privacy Commissioner of Canada (OPC) is to protect privacy rights and oversee compliance with Canada’s public- and private-sector privacy laws. Throughout the COVID-19 pandemic, the OPC has played an important role protecting privacy rights by investigating complaints from individuals with respect to the personal information-handling practices of the federal public sector; consulting and providing advice to government and the private sector on a wide range of potentially privacy-intrusive proposals and initiatives related to health and safety; developing policy and collaborating with our domestic and international counterparts; and sharing information and best practices.

In the early days of the crisis, the OPC produced guidance on Privacy and the COVID-19 outbreak to address the questions being raised about privacy during a pandemic, and to provide a general overview of the applicable federal privacy laws. Soon thereafter, the OPC published a framework for assessing COVID-related initiatives as various government authorities began to describe more specifically the programs and initiatives that they intended to pursue in response to the pandemic.

“Privacy protection isn’t just a set of technical rules and regulations, but rather represents a continuing imperative to preserve fundamental human rights and democratic values, even in exceptional circumstances,” the OPC said in introducing its framework.

The framework set out the key privacy principles that government institutions should factor into any assessment of the measures proposed to combat COVID-19, including:

  • Legal Authority: the proposed measures must have a clear legal basis.
  • Necessity and Proportionality: the measures must be necessary and proportionate, and, therefore, be science-based and necessary to achieve a specific, identified purpose.
  • Purpose Limitation: personal information must be used to protect public health and for no other purpose.
  • De-Identification and Other Safeguarding Measures: use de-identified or aggregate data whenever possible.
  • Vulnerable Populations: exceptional measures should be time-limited and the data collected during this period should be destroyed when the crisis ends given the likelihood that the information is sensitive and may disproportionately impact vulnerable populations.
  • Transparency and Accountability: the government should provide clear and detailed information to Canadians about the basis for exceptional measures, as well as the applicable terms for such measures, and be accountable for them.

Privacy laws and other protections still apply during a public health crisis, but they are not a barrier to the appropriate collection, use and sharing of information. Rather, when privacy is properly considered and protected – even and especially in exceptional circumstances – it promotes continued trust in our institutions and ensures that fundamental rights are respected.

This Special Report will present the results of investigations into COVID-related complaints received in late 2021 and 2022. It will also highlight the consultations that we carried out with government agencies over the last 3 years, and provide key observations and lessons learned from the pandemic.

Overall, with a few exceptions, we found that the government’s response to the pandemic complied with the requirements of the Privacy Act and was also necessary and proportional considering the unprecedented public health crisis. However, to further improve the protection of privacy should a similar situation arise in the future, we have identified some lessons learned and made forward-looking recommendations with respect to purpose identification and the assessment and documentation of potentially less privacy-intrusive measures.

In one instance dealing with the ArriveCAN app, we found a breach of the Privacy Act when insufficient measures were taken to ensure the app’s accuracy, and fully vaccinated individuals were erroneously notified to quarantine as a result.

Further reading on the OPC website

Commissioner issues guidance on privacy and the COVID-19 outbreak

Commissioner publishes framework to assess privacy-impactful initiatives in response to COVID-19

Supporting public health, building public trust: Privacy principles for contact tracing and similar apps


Investigations

The OPC investigated more than 100 complaints from Canadians about having to provide their COVID-19 vaccination status as a condition of entering Canada, of travelling domestically by plane or train, or of being employed by the federal government. While the core issue for most was the vaccine mandates themselves, complainants also raised concerns about how personal information that was collected for the purpose of managing the pandemic would be protected from oversharing or secondary uses, and how long that information would be kept.

We also investigated complaints about the data collected by the Public Health Agency of Canada (PHAC) on patterns of movement, in response to different public health measures, that was gathered from de-identified and aggregated cellphone location data.

Finally, this report includes our investigation of an error in the ArriveCAN app that caused thousands of individuals to be incorrectly identified as needing to quarantine, as well as the details of an investigation carried out under PIPEDA that found a breach of the private sector privacy law.

In conducting these investigations, we were guided by the key principles set out in our COVID-19 guidance and framework, and the need to consider the relevant context – namely, the urgent and pressing need to take measures to protect the health of Canadians during the COVID-19 crisis, while at the same time ensuring the protection of fundamental privacy rights.

Necessity and Proportionality

Though not a requirement of the Privacy Act, necessity and proportionality is a privacy principle that our Office strongly endorses and one that is embedded in the privacy laws of many other jurisdictions, including several Canadian provinces. Limiting the collection of personal information to what is demonstrably necessary is also a requirement of the Treasury Board Secretariat (TBS) Directive on Privacy Practices.

This principle is all the more important when institutions must respond quickly in times of crisis to implement measures that are intended to promote and protect public health, given the elevated potential for the measures to infringe on individuals’ privacy rights.

To guide institutions in considering necessity and proportionality, our Office promotes a 4-part test that calls for institutions to ask themselves the following questions when establishing potentially privacy-intrusive programs and services:

  • Is the measure demonstrably necessary to meet a specific need?
  • Is it likely to be effective in meeting that need?
  • Is there a less privacy-intrusive way of achieving the same end?
  • Is the loss of privacy proportional to the need?

The Privacy Act currently sets a lower legal threshold for the collection of personal information than necessity and proportionality; it permits federal government institutions to collect personal information where it “relates directly” to an operating program or activity of the government institution. Even though it is not a requirement of the Act, our investigations also assessed whether the government institutions met the threshold of necessity and proportionality.

1. Vaccine mandates for domestic travel

From November of 2021 to June of 2022, Transport Canada issued a series of orders requiring air and rail passengers travelling within Canada to provide proof of being fully vaccinated. The OPC received 18 complaints under the Privacy Act alleging that the collection of this personal information – specifically, the individual’s COVID-19 vaccination status – was unlawful, and an unreasonable and unjustified limitation of their freedom of mobility. Some complaints also alleged that COVID-19 vaccines were ineffective and argued that testing or natural immunity were reasonable alternatives.

We did not assess whether the vaccination requirements were an unjustified limitation on individuals’ freedom of mobility guaranteed by the Canadian Charter of Rights and Freedoms because this issue fell outside of our privacy mandate.

We found that the collection of personal information by VIA Rail, the Canadian Air Transport Security Authority (CATSA) and Transport Canada pursuant to these orders complied with the Privacy Act because it was directly related to the organizations’ programs for ensuring health and safety on planes and trains.

We also assessed the collection of vaccination status against the principle of necessity and proportionality. Though not a requirement of the Privacy Act, necessity and proportionality is a privacy principle that our Office strongly endorses and one that is embedded in the privacy laws of many other jurisdictions, including several Canadian provinces. Limiting the collection of personal information to what is demonstrably necessary is also a requirement of the Treasury Board Secretariat (TBS) Directive on Privacy Practices.

We found that in the fall of 2021, prior to instituting the domestic travel COVID-19 vaccine mandate, the federal government had evidence that COVID-19 presented a serious health risk, and that COVID-19 vaccines were effective both in reducing the risk of spreading the virus and in reducing the risk of serious illness if infected. Apart from certain weaknesses that we elaborate on below, on balance we found that the collection of personal information by VIA Rail, CATSA and Transport Canada under the orders was necessary and proportional, as the requirement to provide proof of vaccination effectively contributed to achieving the objectives of transportation safety by reducing travellers’ risk of severe illness, and the benefits to travellers were proportional to the loss of privacy in disclosing their vaccination status.

Weaknesses identified in assessment of necessity and proportionality

While we found that, overall, the collection of personal information under the mandates was necessary and proportional, we identified 2 weaknesses with Transport Canada’s assessment of necessity and proportionality.

First, we found that the orders’ primary objective of transportation safety was broad, which could give rise to a risk that inappropriate or irrelevant factors may be considered when evaluating the necessity and proportionality of the orders. Transport Canada initially told the OPC that in considering any adjustments to the orders, it took into account factors including “vaccine coverage to support broader societal protection.” Transport Canada later clarified that this was a factor considered by PHAC in its advice to government departments, and that increasing Canada’s vaccination coverage was not an objective of the orders. However, a Government of Canada news release announcing the domestic travel and federal workplace vaccine mandates on August 13, 2021, stated: “These measures will contribute to reaching the overall levels of vaccination Canada needs to sustain a resilient economic recovery in the face of more transmissible and dangerous COVID-19 variants of concern.”

Further, the broad scope of transportation safety did not differentiate between what may be appropriate for the purposes of protecting individuals from the risks imposed on them by others, and the risks that individuals may accept for themselves. This became material in the spring of 2022, as the effectiveness of COVID-19 vaccines in preventing transmission to others declined over time, while the vaccines remained effective in reducing the risk of severe illness for individuals themselves. Therefore, we recommended that if Transport Canada considers the mandatory collection of personal information for the purpose of transportation safety in the future, that it more clearly define both the intended objectives and the scope of such measures.

Second, Transport Canada indicated it had considered potentially less privacy-invasive alternatives but provided limited documentation of this assessment to our Office. Transport Canada did not, for example, provide evidence to the OPC demonstrating that it considered COVID-19 testing as an alternative to providing proof of vaccination beyond the initial one-month grace period, despite having access to data on this issue, such as PHAC’s COVID-19 border testing figures.

While testing as an alternative can reduce the risk of infecting other travellers or transportation workers (i.e., the risk that an individual poses to others), it does not reduce the risk of suffering severe illness (i.e., the risk posed to the individual), which we accept was one of Transport Canada’s goals under the broad objective of transportation safety. Therefore, we found that testing would not have been as effective as providing proof of vaccination to achieve this objective.

Nonetheless, we recommended that if Transport Canada considers similar measures in the future, it should more clearly define the scope of the goal and the intended objectives/consequences of such measures, and that it specifically examine and document its assessment of potentially less privacy-invasive alternatives. Transport Canada accepted our recommendations.

Handling of personal information collected was reasonable

Our investigations also examined the government’s handling of the personal information collected under the vaccine mandate for domestic travel. We found the personal information handling practices of Transport Canada, CATSA and VIA Rail to be sufficient.

Specifically, we found no indications that the institutions were oversharing the personal information collected, or using it for inappropriate secondary purposes. We found that Transport Canada took appropriate steps to ensure that information-sharing requirements under the orders were clearly set out and minimized the amount of information retained by instructing rail and air carriers to verify – but not retain proof of – individuals’ vaccination credentials.

Further reading on the OPC website

Vaccine mandates for domestic travel

2. Vaccine mandate for travellers entering Canada

From July 5, 2021 to September 30, 2022, the Emergency Orders issued by the federal government under the Quarantine Act required travellers to provide proof of being fully vaccinated to enter Canada without quarantine, with certain exceptions. We received complaints from 12 individuals with respect to this requirement, similar to those received about the domestic travel vaccine mandates. Some complainants also requested that their information be disposed of and claimed that the Canada Border Services Agency’s (CBSA) and PHAC’s retention of personal information was unnecessary.

We found that the CBSA and PHAC complied with the Privacy Act, as the collection of personal information was directly related to the administration and enforcement of the Quarantine Orders; the personal information was used and disclosed for legally authorized purposes; and the retention measures met the disposal requirement in the Privacy Act, the Privacy Regulations and the TBS Directive on Privacy Practices.

We also assessed whether the collection of this personal information was necessary and proportional. Apart from certain weaknesses that are discussed below, on balance we found that the collections were necessary and proportional in the circumstances. Specifically, the Emergency Orders were issued in response to the urgent public health crisis in order to decrease the risk of introducing and spreading COVID-19 in Canada. This also served the broader goal of protecting the health of Canadians by mitigating the potential burden on the health care system. We found that the collection of travellers’ vaccination status was effective in meeting this need and that, on the whole, the loss of privacy experienced by travellers was proportional to the specific need being addressed.

Weaknesses identified in the assessment of necessity and proportionality

Our investigation identified gaps in PHAC’s assessment of potentially less privacy-intrusive alternatives, and related issues with respect to the clarity of the objectives, in the final 6 months of the orders. During this period, pre-arrival tests were no longer required for fully vaccinated international travellers while the requirement remained in place for non-fully vaccinated travellers. For this period, PHAC told the OPC that COVID-19 test positivity rates at land ports of entry were relatively similar as between non-fully vaccinated travellers and fully vaccinated travellers. For travellers entering Canada by air, COVID-19 test positivity was consistently higher among fully vaccinated travellers than among pre-arrival tested non-fully vaccinated travellers with a negative test result. PHAC noted that this suggests the effectiveness of pre-arrival testing in reducing the importation of COVID-19 into Canada.

It is a positive step that PHAC collected and reflected on this evidence about the effectiveness of pre-arrival testing. However, as in our investigation of domestic travel vaccine mandates, PHAC did not demonstrate that it considered less privacy-intrusive alternatives, such as permitting travellers to choose whether to provide a pre-arrival negative test result or proof of vaccination in order to enter Canada without quarantining after April 1, 2022.

PHAC took the position that the purpose clause in the Quarantine Act, which states that the objective of the order is “…to protect public health by taking comprehensive measures to prevent the introduction and spread of communicable diseases”, necessarily includes not only reducing the importation of a disease into Canada, but also taking steps to reduce the seriousness or impact of an illness that is introduced or spread in Canada when it is not possible to completely stop its introduction or spread.

We recommended that if PHAC considers the mandatory collection of personal information in the future, it should examine and document its assessment of potentially less privacy-intrusive alternatives against objectives that have been clearly defined. PHAC accepted our recommendation. Further, should the Quarantine Act be reviewed in the aftermath of the pandemic, we would encourage Parliament to consider explicitly clarifying the scope of the purpose clause in the Quarantine Act.

Further reading on the OPC website

Vaccine mandates for entry into Canada

3. Investigations related to the federal government’s vaccination attestation requirement

The OPC received many complaints about the vaccination attestation requirements announced by the Government of Canada for federal employees in October 2021. We examined this issue in 3 related investigations. The main allegations were that the collection of employees’ vaccination status, and in some cases religious or medical information in support of an accommodation request to be exempted from the requirement, was unreasonable.

We found that the collection of vaccination status complied with the Privacy Act as it related directly to institutions’ health and safety responsibilities as employers during a national emergency as a result of the COVID-19 pandemic.

After careful review, we determined that while institutions’ responses to some of our questions could and should have been more fulsome and forthcoming, the measures were necessary and proportional given the emergency situation that existed and the central role that the TBS and federal public servants played in supporting the federal government’s response to the pandemic, including the protection of the health and safety of Canadians and the provision of important and often vital public services during this unprecedented health crisis.

We recommended to TBS that it assess any future contemplated vaccination measures against the 4-part test for necessity and proportionality detailed earlier in this report. The TBS has not agreed to implement this recommendation.

Our investigations also found that overall, the handling of personal information, once collected, complied with the requirements of the Privacy Act, with a few notable exceptions. For example, our examination of the system used to collect vaccine attestations for Canadian Armed Forces (CAF) members, Monitor-MASS, found that this system had inadequate oversight to prevent unauthorized access to this personal information. While we did not find any instances of inappropriate access, we recommended measures to periodically ascertain that units properly review and revoke permissions that provide access to CAF members’ sensitive information in Monitor-MASS where there is no longer, or never was, a need for access. The Department of National Defence (DND) has not agreed to implement this recommendation.

We also investigated allegations of specific incidents of inappropriate disclosure of personal information. We found that 2 cases of mail processing errors, which Canada Post subsequently investigated and addressed, led to the disclosure of personal information related to individuals’ vaccination status. One mailing error led to approximately 3,500 Canada Post employees who had not complied with the institution’s vaccine attestation requirements, or had attested to being partially vaccinated, receiving mail intended for a different employee in a similar situation. We also found that in 2 cases, DND/CAF personnel inappropriately disclosed to unauthorized recipients the identity and other details relating to the COVID-19 vaccination status of several individuals who had not attested to being fully vaccinated, or who had requested an accommodation. We also investigated situations where an employee at the CBSA and another at Global Affairs Canada inappropriately shared with the employee’s work unit that they were on leave because they were unvaccinated. We did not find any indication of systemic concerns in our investigation of these incidents.

Finally, as described in the attached report Core Public Administration vaccination report, we found that the TBS contravened section 11 of the Privacy Act by not adding a Personal Information Bank (PIB) description for the COVID-19 vaccination attestation information to its published index within the required 12-month timeframe, though it has now done so. The PIB Index is a transparency and accountability tool that describes the personal information being held by the institution, as well as how it is collected, used, disclosed and retained or disposed of. While the attestation notification provided to employees at the time clearly described the purpose for which the personal information was being collected, we remind the TBS of its obligations under section 11 of the Act.

Further reading on the OPC website

Investigation into COVID-19 vaccination attestation requirements established by the Treasury Board of Canada for employees of the core public administration

Investigation into COVID-19 vaccination attestation requirements established by Department of National Defence for members of the Canadian Armed Forces

Investigation into COVID-19 vaccination attestation requirements established by certain separate employers of the federal public service

4. ArriveCAN application error inaccurately identified certain travellers as needing to quarantine

To determine a given traveller’s applicable entry requirements under the Quarantine Orders in place from February 3, 2020 to September 30, 2022, and to ensure that these requirements were being respected, the CBSA and PHAC collected personal information from individuals entering Canada, primarily through the ArriveCAN mobile app.

Given the Emergency Orders’ important consequences on the rights and mobility of incoming travellers, it is our view that a high degree of due diligence was required under the section 6 accuracy provisions of the Act to ensure the accuracy of the personal information contained in ArriveCAN and that was used in administrative decisions about those individuals. We therefore expected to see: (i) rigorous pre-release testing for issues that could lead to high negative impacts on individual users; (ii) effective human intervention with respect to high-impact decisions on individuals and (iii) effective and timely correction and recourse for individuals.

An error in version 3.0 of ArriveCAN, which was released on June 28, 2022, had the disruptive and distressing effect of causing approximately 10,000 fully vaccinated Apple device users to receive erroneous messages advising that they were required to quarantine even though they had met the conditions for quarantine exemption. Travellers using version 3.0 of ArriveCAN for Apple mobile devices, and who had saved their submission form after selecting the travellers for the trip and then later returned to the form to complete the submission, incorrectly had their “quarantine exempted” value set as “false” by ArriveCAN. Unfortunately, the error was not caught by the CBSA’s pre-release testing of the app, and due to the system’s design, it was not caught by screening officers when the affected travellers crossed the border. It took more than 3 weeks for the CBSA to stop the error from affecting new travellers, and nearly a month until a correction was sent to all affected individuals. We acknowledge that the pandemic caused significant challenges for government and public health authorities, but also note that the incident in question occurred more than 2 and a half years after the ArriveCAN app was introduced. Ultimately, our investigation found that the CBSA did not meet the requirements of the Privacy Act because it did not take all reasonable steps to ensure the accuracy of the information about individuals that it used for administrative decision-making processes that affected them.

The OPC recommended that the CBSA correct the inaccurate information in its data holding that was generated by the error. To date, the CBSA has refused to do so, and we hope that it will reconsider its position, correct and/or dispose of the inaccurate information in its possession, and put in place all necessary measures to mitigate the risk that such errors occur in the future.

Update

In the course of the OPC’s investigation into the ArriveCAN application, the OPC recommended that the CBSA correct the inaccurate information in their database. The CBSA initially advised the OPC on February 21, 2023 that they would not correct the inaccurate information. The OPC’s Report of Findings was issued on that basis. On May 30, 2023, the date of tabling the Special Report to Parliament, the CBSA informed the OPC that it has corrected the inaccurate information in its database.

Further reading on the OPC website

Erroneous quarantine notifications from ArriveCAN

5. Investigation into the collection and use of de-identified mobility data in the course of the COVID-19 pandemic

The OPC received 12 complaints under the Privacy Act against PHAC and Health Canada regarding the collection and use of Canadians’ mobility data, which is comprised of geolocation data collected over time and other associated information.

The complainants alleged that PHAC secretly collected data on 33 million mobile devices during the COVID-19 pandemic, and that according to a request for proposal published in December 2021 to procure continued access to operator-based location data, it planned to continue to collect Canadians’ mobility data over the ensuing 5 years.

In response to the complaints, PHAC stated that it relied on de-identified and aggregated data and did not collect or use any personally identifiable information, and that as a result, the Privacy Act did not apply.

Our investigation assessed whether there was a serious possibility that an individual could be identified using the mobility data procured by PHAC alone, or in combination with other available information.

We concluded that the combination of the de-identification measures and the safeguards against re-identification implemented by PHAC and its data providers reduced the risk that individuals could be re-identified below the “serious possibility” threshold. Therefore, we found that PHAC did not collect personal information and the Privacy Act does not apply. As we have done previously, we recommended that the government propose amendments to the Privacy Act to include a clear legal framework that defines the different types of de-identified data and specifies the rules that should govern the production, retention, use, disclosure, and collection of each type.

Canadians also raised concerns regarding the lack of transparency about PHAC’s collection and use of mobility data. In this instance, the Privacy Act does not impose transparency obligations on PHAC because it did not collect personal information as defined under the Act. However, as noted in our framework released in the early days of the pandemic, we recommend that the government provide clear and detailed information to Canadians about the basis for any exceptional measures it implements, as well as the applicable terms for such measures, and be accountable for them.

As a final note, our investigation did not assess whether the private-sector third parties that provided the mobility data to PHAC collected and used the information in compliance with their privacy obligations, including whether they obtained informed consent. We would emphasize that organizations procuring de-identified data are also accountable and should take the necessary steps to ensure that the third parties they work with are complying with privacy laws.

Further reading on the OPC website

Investigation into the collection and use of de-identified mobility data in the course of the COVID-19 pandemic

6. Investigation under PIPEDA

Earlier in the pandemic, we investigated a complaint that Biron Health Group used a traveller’s email address to send him marketing and promotional material without his consent after he underwent COVID-19 testing upon his arrival at an airport. Biron Health Group believed that it could rely on the complainant’s implied consent to use his information in that way.

The OPC found that Biron Health Group could not imply consent of travellers arriving in Canada to use the information that it had collected for one purpose – mandatory COVID testing – for another purpose, such as marketing. Sensitive personal information generated in a crisis may have high-value applications to public and private sector organizations, but must be used within the limitations of the law. Even and especially in emergency situations, organizations must continue to operate under lawful authority and act responsibly, particularly with respect to handling personal health information, which is generally considered sensitive.

As Biron Health Group agreed to cease this practice in this case, the complainant agreed to treat the matter as settled. A full case summary is on our website.

Public-private partnerships

The COVID-19 crisis required government and private-sector organizations to collaborate to achieve public policy goals. This work highlighted gaps in our current legal framework and exposed the pressing need to examine issues related to public-private partnerships.

For example, we noted that in cases where the legal authority for an initiative was based on consent obtained by a private-sector organization, there was often no policy requirement for government institutions to ensure that this consent was meaningfully obtained.

TBS asserted that it could not add such a requirement because it was limited to the existing legal framework. According to the TBS, compelling departments to ensure that the government’s private-sector partners had obtained meaningful consent would require legislative amendments.

As a result, under the current privacy laws, a public sector institution could deploy a technological solution to the pandemic that allows its private-sector partner to use the personal information collected for commercial purposes unrelated to public health. This raises issues with respect to the meaningfulness of consent in public-private relationships. In particular, there is a risk that where information is collected by a private-sector organization on behalf of the government, the organization’s own commercial uses of that information may not always be well-understood.

We recommend that privacy laws be modernized to enshrine common privacy principles for the public and private sectors, and to set explicit limits on the permissible uses of data.


Engagement under the Emergencies Act

Illegal protests linked to the vaccine mandates occurred in several locations in early 2022, leading to the invocation of the Emergencies Act. The temporary powers granted as a result of the Emergency Economic Measures Order allowed law enforcement agencies to work more closely with banks and other financial service providers, and provided additional measures to monitor and disrupt financial activity associated with illegal blockades. While the activities of federal institutions must be limited to those that fall within their legal authority and comply with applicable laws, including the Privacy Act, the Order granted a temporary authority to share certain personal information, such as a requirement for financial service providers to disclose information to the Royal Canadian Mounted Police (RCMP) or the Canadian Security Intelligence Service (CSIS). After concerns were raised by Member of Parliament Michelle Rempel Garner about the privacy implications of the use of the Emergencies Act, our Office engaged with the RCMP, CSIS and the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).

As we noted in our submission to the Special Joint Committee on the Declaration of Emergency, we assessed against the Privacy Act how these 3 institutions collected, used and disclosed personal information under the provisions of the order, and our observations are included in this report.

We found that reasonable steps were taken to identify relevant, accurate and necessary information to assist financial institutions in meeting their obligations under the order, and that the sharing of personal information was proportionate to the needs arising from the unprecedented situation and the legal obligations imposed on the institutions under the Emergencies Act.

However, we found that there was a lack of clear direction on the limits to information sharing under the order. For example, we found that the order did not specify the conditions or requirements for information sharing, including the specific types and scope of personal information that could be shared, or how the information was to be shared; nor did it contain any explicit safeguard requirements to ensure that appropriate procedures were established and implemented to protect personal information. The need for organizations to act in a timely and efficient manner during a crisis makes it important to have clear and specific processes and guidance for information sharing so that government institutions and financial entities are aware of their obligations, and to ensure transparency and accountability to Canadians for the protection of their personal information.


Conclusion

Overall, our investigations found, with some exceptions, that the measures implemented by the government during the pandemic complied with relevant privacy laws and were necessary and proportional in response to the unprecedented public health crisis. We also observed that government initiatives generally adhered to the privacy principles set out in our guidance and framework, as well as other statements and resolutions that we issued jointly with our provincial and territorial colleagues during the pandemic.

However, in some cases, there were weaknesses in how the government assessed and documented potentially less privacy-intrusive alternatives. The government could also have taken steps to enhance transparency with respect to the measures it implemented, such as PHAC’s use of mobility data, and to clarify the scope of the objectives of vaccine mandates. As we noted at the outset of the pandemic, greater flexibility to use personal information for the public good should be accompanied by greater transparency and accountability.

Our investigations also highlighted the importance and usefulness of including the criteria of necessity and proportionality in assessing proposed measures under privacy principles.

In our consultations with the government, we found that while federal institutions had a genuine desire to identify and mitigate privacy risks in pandemic-related initiatives, there were obstacles, including the lack of privacy expertise, resources, and reliable processes in some institutions.

The impact of the pandemic continues to reverberate throughout our society, including in relation to privacy. There is important work to be done to ensure that personal information that is no longer needed is properly deleted, where appropriate, and that any new collections initiated during the pandemic (for example, the information collected via the ArriveCAN app) be carefully reviewed for ongoing necessity and proportionality.

During the pandemic, certain privacy protective processes, such as TBS requirements to conduct Privacy Impact Assessments of new collections and new uses of personal information, were not enforced, and certain tools, like ArriveCAN, were put into place quickly to meet pressing demands. It is a privacy lesson from the pandemic that where action is taken quickly to respond to an emergency, it is even more important to ensure that the policies and tools are carefully reviewed once in place and then regularly reassessed to ensure that they remain proportional and necessary, and as privacy protective as possible.

Some technologies and programs that were developed for urgent and special purposes during the pandemic were retained and used for ordinary activities after the initial emergency waned. Changes introduced as a result of the pandemic will be leveraged for continuing programs, expanding the use of digitization and advanced data analytics. It is essential that the privacy impacts of these and any other new initiatives be considered and addressed in consultation with the OPC.

The COVID crisis underlined the importance of developing a culture of privacy – building privacy principles such as necessity and proportionality into the DNA of new initiatives that deal with sensitive personal information. Government institutions and organizations need to engage with our Office early – whether in a crisis or not – so that the OPC can help them to accomplish their goals in a privacy protective manner. While the OPC appreciates that a crisis requires expedient action, and a flexible and contextual approach to applying the law, the privacy rights of Canadians must always be protected. And finally, understanding that restrictions and impositions on privacy rights may be taken to combat a crisis, once the crisis ends, those restrictions must be promptly lifted.


Appendix 1: Engagement under the Emergencies Act

Overview

After concerns were raised by Member of Parliament (“MP”) Michelle Rempel Garner about the privacy implications of the use of the Emergencies Act [Footnote 1], our Office committed to engaging with three federal institutions regarding the implementation of the temporary emergency measures in relation to the collection and disclosure of Canadians’ personal financial information.

The scope of the engagement was focused on pursuing lines of enquiry based on the Privacy Act, and specifically, to understand how the Royal Canadian Mounted Police (the “RCMP”), the Canadian Security Intelligence Service (“CSIS”) and the Financial Transactions and Reports Analysis Centre of Canada (“FINTRAC”) handled personal information within the context of the Emergencies Act and related Emergency Economic Measures Order (the “Order”). [Footnote 2] Specifically, we reviewed how these institutions operationalized the provisions of the Order in relation to the collection and disclosure of personal information, including: (i) the steps taken to ensure the accuracy of personal information; (ii) whether personal information was used or disclosed for other purposes than the original purpose of collection; and (iii) what consideration had been given by the institutions to the publication of a new or modified Personal Information Bank (“PIB”) to describe any personal information that was used, is being used, or is available for an administrative purpose as a result of the invocation of the Emergencies Act. We communicated the objectives of the engagement to the three institutions, in writing, in March 2022.

The Order was issued pursuant to the Emergencies Act and empowered law enforcement agencies to work more closely with banks and other financial service providers (“financial entities”) and provided additional measures to monitor and disrupt financial activity associated with the illegal blockades. These measures included, among other things: (i) a requirement for certain financial entities to determine whether they have in their possession or control, property that is owned, held or controlled by or on behalf of a designated person [Footnote 3] and to disclose this information to the RCMP or CSIS; (ii) a temporary authority for federal, provincial and territorial government institutions (including the RCMP, FINTRAC and CSIS) to share relevant information with financial entities if the disclosing institution was satisfied that the disclosure would contribute to the application of the Order; and (iii) a requirement for certain entities (e.g., crowdfunding organizations) to register and report certain financial transactions to FINTRAC.

Based on our fact finding and consideration of the roles of these three institutions with respect to the temporary powers granted as a result of the invocation of the Emergencies Act, we have assessed, against the Privacy Act, how personal information was collected and disclosed by these institutions under the provisions of the Order.

Overall, we found that the disclosures of personal information made by the RCMP to financial entities were limited in scope and nature, and for the express purpose of allowing financial entities to meet their obligations under the Order (i.e., to determine whether they are in possession or control of property that is owned, held or controlled by or on behalf of a designated person). We found that the RCMP took reasonable steps to: (i) validate information before sharing it with financial entities, and (ii) assess and identify those entities to which disclosures should be made. There was no evidence to suggest that the disclosures of personal information made by the RCMP exceeded the parameters of what was necessary for financial entities to meet their obligations under the Order. All disclosures made by the RCMP were accompanied by a letter which provided the rationale and legislative authority for sharing the information, and a caveat for the use and safeguarding of the information. We found no indication that personal information was used or disclosed for other purposes beyond the purpose of collection – that is, to fulfil the obligations under the Order.

With respect to our engagement with FINTRAC, we found that the information exchanges that occurred during the time the Order was in place were based on the authorities set out in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “PCMLTFA”). [Footnote 4] As such, any reporting FINTRAC received from existing entities and any financial disclosures it made were based on the existing thresholds under the PCMLTFA. FINTRAC did not track information about “designated persons” as defined in the Order, nor did it confirm or take into account whether an individual or entity named in a financial intelligence disclosure was a “designated person”.

We confirmed during our engagement with CSIS that it did not request any specific measures under the Emergencies Act, nor did it benefit from any new authorities under the Emergencies Act. We also confirmed that CSIS did not receive any information from any of the financial entities set out in section 3 of the Order.

We note that FINTRAC and CSIS may have collected and disclosed personal information pursuant to their own legislative authorities during the period the Emergencies Act was invoked; however, we did not pursue lines of enquiry beyond the scope of the engagement objectives (i.e., how these institutions operationalized the temporary powers granted in the Order for the collection and disclosure of personal information).

These were extraordinary circumstances [Footnote 5] and institutions were compelled to act quickly to respond to the requirements of the Order. Given the privacy implications and the potential for these temporary measures to infringe on Canadians’ privacy rights, we also considered the use of these powers in light of the general principles of necessity and proportionality. While not legal requirements under the Act, government institutions should ensure that measures taken are necessary and proportionate, even in exceptional circumstances. Our Office encourages organizations to apply a four part test to weigh the appropriateness of potentially privacy-invasive measures. Adapted from the 1986 Supreme Court of Canada decision in R. v. Oakes [Footnote 6], the test weighs privacy implications in light of four questions relating to the necessity, effectiveness and proportionality of the measure, and whether less privacy-invasive methods could have achieved the same goal. Based on this, our engagement examined whether information exchanges pursuant to the Order were necessary and proportionate to the needs and legal obligations arising as a result of the temporary measures. We did not examine whether the specific temporary measures selected by the Government to deal with the situation that led to the declaration of the public order emergency were necessary and proportionate (and/or met the four part test). This issue is being considered by the Public Order Emergency Commission (“POEC”) [Footnote 7] and by the Special Joint Committee on the Declaration of Emergency (“DEDC”). [Footnote 8]

In light of the above, we considered whether only necessary information was shared, whether the information was shared with the appropriate entities, and whether the information shared was proportionate to the need and level of risk. Based on the information we received during the engagement, we found that reasonable steps were taken to identify relevant, accurate and necessary information to assist financial entities in meeting their obligations under the Order. We also found that steps were taken to limit the sharing of that information, and that there was consideration for the safeguarding of the information disclosed. Information sharing was also time-limited and ceased when the temporary powers were revoked. Overall, we found that the sharing of personal information was proportionate to the needs arising from the unprecedented situation and the legal obligations deriving from the declaration of a public order emergency under the Emergencies Act.

Notwithstanding the above, we found that there was a lack of clear direction and/or guidance in relation to the specific requirements for information sharing under the Order. In particular, we noted that the Order did not include provisions for the precise types and scope of personal information that should be shared by financial entities with the RCMP, or how information should be shared by federal, provincial and territorial government institutions with financial entities. These were unique circumstances that allowed for the sharing of sensitive personal information. The mere fact that these individuals were identified as “designated persons” elevates the sensitivity of the information being disclosed and requires processes to ensure that information sharing practices are understood and effectively implemented. Further, given the urgent circumstances, the RCMP and financial entities had to act in a timely and efficient manner to fulfil their obligations under the Order. This underscores the importance of having clear and specific processes and guidance for information sharing so that both government institutions and financial entities are aware of their obligations, and to ensure transparency and accountability to Canadians for the protection of personal information. This will assist institutions to effectively meet their obligations under the temporary measures, and also under relevant privacy laws, including the Privacy Act and the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

At the conclusion of our engagement, the RCMP, FINTRAC and CSIS were provided with an opportunity to review and comment on the findings and observations noted by our Office. We would like to express our appreciation to each of these institutions for their open and collaborative engagement with our Office on this important matter.

Our engagement findings and observations are detailed in the report that follows.

Background

  1. On February 14, 2022, the federal government declared a public order emergency under the Emergencies Act to end border disruptions, blockades and the occupation of the city of Ottawa. As a result of the invocation of the Emergencies Act, the federal government made special temporary measures for dealing with the emergency which were detailed in the Emergency Measures Regulations (the “Regulations”). [Footnote 9] In addition, a series of financial measures to limit funding of illegal blockades and restore public order were announced. The details of those measures were outlined in the Order. The declaration of the public order emergency was revoked by the federal government on February 23, 2022.
  2. On February 17, 2022, the OPC received correspondence from MP Rempel Garner expressing concerns about the privacy implications of the use of the Emergencies Act, including the disclosure of financial information to the RCMP, CSIS and FINTRAC. MP Rempel Garner requested that we “investigate the use of these temporary powers in light of existing privacy laws and the concept of proportionality”.
  3. While MP Rempel Garner’s correspondence did not raise a complaint with respect to a specific contravention of the Privacy Act, we felt that due diligence was required given the privacy implications and concerns raised following the invocation of the Emergencies Act. As such, we opted to pursue an informal engagement with these three institutions to better understand how they operationalized the temporary powers granted under the Emergencies Act in relation to the collection and disclosure of personal information.
  4. We also note that during our engagement with these institutions, various parliamentary committees were concurrently studying the Government’s actions in relation to the invocation of the Emergencies Act and related measures. We have followed with interest the testimony presented by the RCMP, CSIS and FINTRAC to those committees, as well as the POEC which was established to inquire into the circumstances that led to the declaration of emergency and the measures for dealing with the emergency.

Scope

  1. The scope of the engagement was limited at the outset to the three government institutions identified in MP Rempel Garner’s correspondence, namely the RCMP, CSIS and FINTRAC, and was focused on pursuing lines of enquiry based on the Privacy Act.
  2. The objectives of the OPC’s engagement were to:
    1. understand the role of these three institutions with respect to the execution of the temporary powers and authorities deriving from the Emergencies Act as they relate to the collection and disclosure of personal financial information, and how these institutions operationalized the provisions of the Order with respect to the collection and disclosure of personal financial information; and
    2. within the context of the Emergencies Act, to understand and assess how these three institutions handled personal information pursuant to the Privacy Act, including:
      1. what steps were taken, as required by Section 6 of the Privacy Act to ensure accuracy of personal information used for administrative purposes;
      2. with respect to sections 7 (use) and 8 (disclosure) of the Privacy Act, whether these institutions used or disclosed personal information collected for other purposes than the original purpose of collection and if so for what purposes; and
      3. what consideration has or will be given by the institutions to the publication of a new or modified PIB description, as required by sections 10 and 11 of the Privacy Act, to describe any personal information that has been used, is being used, or is available for an administrative purpose as a result of the invocation of the Emergencies Act.
  3. The findings of the OPC’s engagement with each of the three institutions are outlined below.

The Order

  1. The Order was issued pursuant to the Emergencies Act to allow law enforcement agencies to work more closely with financial entities and provided additional measures to monitor and disrupt financial activity associated with the illegal blockades. These measures included:
    • A requirement for financial entities [Footnote 10] listed under section 3 of the Order to determine whether they have in their possession or control property that is owned, held or controlled by or on behalf of a designated person and to disclose this information, without delay, to the RCMP or CSIS. “Designated person” means any individual or entity that was engaged, directly or indirectly, in an activity prohibited by sections 2 to 5 of the Regulations.
    • The authorization for federal, provincial, and territorial government institutions to disclose information to any entity set out in section 3 of the Order if satisfied that the disclosure would contribute to the application of the Order. This allowed law enforcement agencies to share the identity of designated persons with financial entities, enabling them to cease their dealings with those designated persons at their discretion.
    • A requirement for certain entities (crowdfunding platforms and some payment service providers not previously subject to registration and reporting requirements to FINTRAC) to register with FINTRAC if they were in possession or control of a designated person’s property. The Order also required that these entities report certain suspicious and large value transactions to FINTRAC.
  2. The Order was automatically revoked when the Emergencies Act was revoked on February 23, 2022.

Engagement with the RCMP

Temporary powers granted under the Order

  1. Section 5 of the Order required financial entities set out in section 3 to disclose information to the RCMP or CSIS, including the existence of property in their possession or control that was owned, held or controlled by or on behalf of a designated person, and any information about a transaction or proposed transaction in respect of that property.
  2. The Order also authorized the RCMP to disclose information to financial entities when it was satisfied that the disclosure would contribute to the application of the Order, as per section 6. This allowed the RCMP to share the identity of individuals involved in the illegal protest, and that of owners and/or drivers of vehicles who did not want to leave the areas impacted by the protest, with financial entities, thereby enabling them to cease their dealings with those designated persons at their discretion.
  3. The financial entities had a duty to determine on a continuing basis whether they were in possession or control of property that was owned, held or controlled by or on behalf of a designated person, and to cease dealings with that designated person (i.e., freeze assets), as per sections 2 and 3 of the Order.

Scope of personal information received by the RCMP

  1. The RCMP confirmed that it received information from 20 different financial entities, as required by section 5 of the Order. The information related to financial products held by 69 individuals who were subject to account freezing under the Order. In certain cases, linked corporate accounts were also frozen. Of these 69 individuals, the RCMP confirmed that it received information in relation to approximately 20 individuals that did not appear to be resulting from information disclosed by the RCMP to financial entities. The information of these 20 individuals was disclosed pursuant to the financial entities’ ongoing duty noted in paragraph 12 above.
  2. However, the RCMP noted that the Order did not describe the types of information that financial entities were required to report; therefore, the information received by the RCMP varied in scope and detail. For example, in certain cases, the information reported may have included account holder names, account numbers, account balances, and rationales for the account freezes. In other cases, very little detail was reported by financial entities – i.e., the entity reported that “action had been taken in relation to X number of individuals”, unaccompanied by any identifying particulars such as name or account number.
  3. The RCMP confirmed that it did not request additional information from those financial entities that did not provide any identifying particulars in relation to individuals against whom they took action. The RCMP reported that, pursuant to sections 2 and 3 of the Order, the onus was on financial entities to determine whether they were in possession or control of a designated person’s property and to cease dealings with those individuals (i.e., to freeze the assets of those individuals). Further, the RCMP stated that it had no oversight or authority over the actions taken by financial entities under the Order.
  4. The RCMP confirmed that the information it received pursuant to section 5 of the Order is being managed in the Police Reporting and Occurrence System (“PROS”) – the RCMP’s occurrence records management system. The personal information will be retained for five years in accordance with the RCMP’s information retention policies.Footnote 11
  5. The PIB that describes the collection, use, retention and disclosure of personal information for the administration or enforcement of the law is listed in InfoSourceFootnote 12 as RCMP PPU 005 entitled “Operational Case Records”.Footnote 13 The RCMP indicated that it has not yet identified a consistent useFootnote 14 for the information that it received pursuant to section 5 of the Order.

Scope of personal information disclosed by the RCMP

  1. The RCMP submitted that its efforts were focused on identifying individuals and entities who were actively involved in illegal action, either by organizing or influencing the illegal activities or by being present at the illegal protests.
  2. The RCMP reported that there were two streams of disclosures made pursuant to the Order. In the first stream, the RCMP acted as a channel of communication between the Ottawa Police Service (“OPS”) and the Ontario Provincial Police (“OPP”) and financial entities,Footnote 15 and disclosed information on behalf of those police services relating to individuals who were identified as implicated in the illegal protest. The personal information included the names of individuals, dates of birth, residential addresses, relevant open source informationFootnote 16, and related police information regarding their subjects of investigation. Given that the RCMP acted as a conduit between the police services and financial entities, the RCMP confirmed that it did not assess or supplement the information it shared on behalf of the police services.
  3. In the second stream, the RCMP received information from the OPP in relation to vehicles observed in the assembly area. The RCMP corroborated the vehicle information and presence of individuals involved in the illegal protest and disclosed information in relation to individuals who were identified as owners and/or drivers of vehicles who did not want to leave the assembly area. The personal information disclosed included the name of the registered owner of the vehicle, the registered address on file, and information that would have contributed to the application of the Order, including open source information such as social media posts (i.e., Facebook, Twitter, LinkedIn, etc.) that supported the positive identification and potential last known location of an individual connected to a vehicle.
  4. With respect to the nature and limits of personal information disclosed from open sources, the RCMP confirmed that the open source information included the names, addresses, and photographs of individuals and information on related businesses, including the names of businesses, the phone number, address and web address associated to the businesses where applicable, and the names of lawyers representing the businesses. The RCMP submitted that the sharing of open source information was limited in scope and only disclosed to assist financial entities to confirm and/or verify the identity of the individual in question. This also assisted entities to avoid targeting individuals that may share the same or similar name to the individuals participating in the illegal blockades.
  5. The RCMP confirmed that it did not share information relating to individual donors or those who purchased merchandise linked to the convoy/illegal protests.
  6. According to the RCMP, it conducted extensive research to validate and ensure the accuracy of information before making disclosures to financial entities.Footnote 17 This included contacting individuals to confirm their ongoing participation in prohibited activities before sharing information with financial entities. For example, a number of individuals contacted by the RCMP confirmed that they were participating in the blockade in Ottawa and refused to leave. These individuals were advised by the RCMP of the risk that their bank accounts could be frozen pursuant to the Order. In other cases, there were individuals who wanted to leave but were not able to do so because the streets were not cleared. The RCMP reported that these individuals were instructed to ensure their truck was ready to leave when the streets were cleared, and information related to these individuals was not provided to financial entities.
  7. The RCMP also indicated that, in a number of instances, its investigation resulted in a decision to not disclose information to financial entities if there was insufficient information to believe the person or entity was involved (i.e., the licence plate was invalid in the police database system, the person was attempting to leave but was unable to, or it was no longer believed the person or entity was involved). In some cases, the individual either left of their own accord or was removed by local police services.
  8. According to the RCMP, it made a total of 57 disclosures to financial entities pursuant to section 6 of the Order. These disclosures included the identity of 62 individuals and 17 businesses.Footnote 18
  9. The RCMP confirmed that the disclosures to financial entities were framed as being “relevant to individuals or entities that are engaged, directly or indirectly, in an activity prohibited by sections 2 to 5 of the Emergency Measures Regulations”. The RCMP also advised the financial entities that they would need to supplement the law enforcement information provided with their internal holdings in order to meet their own obligations under the Order.
  10. During our engagement, we asked the RCMP to confirm how it determined which financial entities to share information with. The RCMP indicated that it made best efforts to identify entities to whom disclosure should be provided pursuant to section 6 of the Order, and to provide those entities with timely and relevant information. Therefore, the RCMP submitted that it assessed that certain organizations, such as banks, the Canadian Bankers Association, the Investment Industry Regulatory Organization of Canada, the Canadian Securities Administration, Credit Unions, and the Mutual Fund Dealers Association, were entities as defined by section 3 of the Order, and that disclosure to these entities would contribute to the application of the Order (as required by section 6).
  11. The RCMP provided our Office with a list of all financial entities to which the information was disclosed pursuant to the Order, along with the RCMP’s justification for sharing with those entities. As the disclosing institution, the RCMP submitted that it was satisfied that the information was relevant to individuals or entities that were engaged, directly or indirectly, in an activity prohibited by sections 2 to 5 of the Regulations, and that disclosure would contribute to the application of the Order.
  12. We also asked the RCMP to confirm the steps taken to ensure the safeguarding of the information disclosed, including any provisions regarding the sensitivity of the information, or any instructions for the safeguarding, sharing or dissemination of the information by receiving entities. The RCMP confirmed that it identified points of contact within the financial entities to send the information to in order to minimize the broad circulation of the information. In addition, the RCMP provided financial entities with a “disclosure letter” which outlined the rationale and legislative authority for sharing the information and the classification level of the information being provided by the RCMP. The disclosure letters included a caveat that the document was the property of the RCMP, that it was provided on loan with the understanding that it was not to be further disseminated, reclassified or used for other purposes without the consent of the RCMP, and that distribution was to be done on a need-to-know basis. The caveat also stated that the document was to be protected in accordance with normal safeguards for law enforcement information.
  13. According to the RCMP, once the information was received by the financial entities, it was understood that it was the responsibility of each entity to safeguard the information in line with their own regulations and policies, as well as their obligations under PIPEDA, and that the information was only to be used to fulfil the entities’ obligations pursuant to the Order.
  14. The RCMP provided our Office with a redacted copy of a sample disclosure made pursuant to the Order. As noted previously, the disclosure document included categories of information such as tombstone data (name, home address, date of birth), vehicle information, RCMP database checksFootnote 19 and relevant open source information.
  15. We also requested information from the RCMP regarding the classification of the information disclosed to financial entities and the method of transmission. The RCMP confirmed that the information it disclosed was sent via unencrypted email to the points of contact identified within the financial entities. According to the RCMP, the information it disclosed is classified as “Protected A”Footnote 20, therefore, in accordance with the RCMP’s Departmental Security Policy, the RCMP stated that it was authorized to transmit the information via unencrypted email.
  16. The RCMP confirmed that any personal information collected and disclosed pursuant to the requirements of the Order is retained in PROS.

Engagement Findings – RCMP

  1. Overall, we found that the disclosures of personal information made by the RCMP to financial entities were limited in scope and nature (i.e., the disclosures included the identity of 62 individuals and 17 businesses), and for the express purpose of allowing financial entities to meet their obligations under the Order (i.e., to determine whether they are in possession or control of property that is owned, held or controlled by or on behalf of a designated person).
  2. We found that the RCMP conducted due diligence by assessing and validating the information before sharing it with financial entities, which included validating licence plate information, the use of open source informationFootnote 21 to support the positive identification and potential last known location of an individual connected to a vehicle, and contacting individuals to confirm their presence and/or participation in the illegal blockades. The RCMP also advised individuals of the consequences of their participation in prohibited activities in light of the requirements of the Order and did not disclose information related to individuals who were attempting to leave but were not able to do so because the streets were not cleared.
  3. In our view, the RCMP took reasonable steps to ensure the accuracy and completeness of the information it disclosed to financial entities and that the information was relevant to individuals or entities engaged in an activity prohibited by sections 2 to 5 of the Regulations. This is in line with the RCMP’s obligations under subsection 6(2) of the Privacy Act which requires government institutions to take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.
  4. With regards to the RCMP’s use and disclosure of personal information collected under the authority of the Order, we found no indication that personal information was used or disclosed by the RCMP for purposes other than the purpose of collection. In particular, the RCMP received information from 20 different financial entities which related to financial products subject to freezing under the Order, and which was required by section 5 of the Order. The RCMP confirmed that it shared information received from a financial entity with another police service during the time the Order was in force for law enforcement purposes; but otherwise noted that it has not identified a consistent use for the information it received pursuant to section 5 of the Order that would warrant its sharing with a third party.
  5. In addition, the RCMP collected information in relation to individuals who were identified as owners and/or drivers of vehicles who did not want to leave the assembly area, then disclosed the relevant information to financial entities pursuant to the Order. We found no indication that personal information collected for this purpose was used or disclosed for any other purpose.
  6. Based on the information we received from the RCMP, it took steps to share relevant and timely information with financial entities and to ensure that the information shared did not exceed the parameters of what was necessary for financial entities to meet their obligations under the Order (i.e., to determine whether individuals were designated persons). The “disclosure letter” the RCMP provided to financial entities was precise, clear, and supported the steps taken by the RCMP to disclose relevant and consistent categories of information to assist financial entities in making a determination.
  7. Further, the RCMP took steps to assess and identify those financial entities to which disclosures should be made, and as noted above, accompanied those disclosures with a letter which provided the rationale and legislative authority for sharing the information, and a caveat for the use and safeguarding of the information. Based on our engagement with the RCMP, the RCMP’s actions in fulfilling its legal obligations under the Order were compliant with sections 7 and 8 of the Privacy Act, which place limits on the use and disclosure of personal information without an individual’s consent.
  8. With respect to the RCMP’s transmission of information to financial entities, we noted that the RCMP disclosed information by unencrypted email, which was, according to the RCMP, in line with its Departmental Security Policy requirements for “Protected A” information. While Government of Canada institutions are responsible for stipulating and applying the required level of security for their information and assets, we question whether the information disclosures made to financial entities may not have been classified to reflect the sensitivity of the information and degree of injury that could reasonably be expected if compromised.
  9. We accept that tombstone data (e.g., address, date of birth) may generally be classified as Protected A; however, when this information is combined with other categories of personal information (in this case, information gleaned from RCMP database checks and open source information), along with the fact that the disclosures identified individuals determined to be “designated persons” pursuant to the Order, we would expect that consideration be given to ensuring that the information is appropriately classified to the degree of injury caused by unauthorized disclosure.Footnote 22 In our view, compromise of the information could have resulted in financial impacts and reputational harm to the individuals in question.
  10. While it is not the role of our Office to review the classification of an institution’s information or assets, we note that it is the classification of the information that determines, in part, the security requirements and safeguards for that information, including the appropriate transmission requirements. In this case, the RCMP transmitted inherently sensitive information to financial entities by unencrypted email.
  11. While federal departments and agencies have the capability to send and receive emails through encrypted channels, we acknowledge that information sharing between public and private sector entities does not, in most cases, benefit from the same level of information securityFootnote 23. Nevertheless, given the nature of the personal information disclosed, we would expect that consideration be given to the manner in which the information is shared and to ensure that institutions can implement the appropriate technological safeguards to protect the information.
  12. Our engagement found that the RCMP retained the personal information collected during the time the Emergencies Act was in force in accordance with its retention policies, thus meeting its obligations under subsection 6(1) of the Privacy Act, which requires government institutions to retain personal information that has been used for an administrative purpose for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information.
  13. As required by sections 10 and 11 of the Privacy Act, the personal information collected by the RCMP as a result of the invocation of the Emergencies Act is described in the PIB entitled RCMP PPU 005. According to the RCMP, it has not yet identified a consistent use for the information it received pursuant to section 5 of the Order; therefore, in line with the requirements of the Privacy Act, we expect that the RCMP will modify the PIB description to include a statement of any of the uses and purposes of that personal information before the information is used or disclosed.
  14. At the conclusion of our engagement, we provided the RCMP with an opportunity to review the observations noted by our Office. The RCMP indicated that it accepts the recommendations we made, which included to: (i) ensure that information is protected according to its sensitivities; and (ii) update the relevant RCMP PIB descriptions to ensure that all consistent uses are listed.

Engagement with FINTRAC

Temporary powers granted under the Order

  1. FINTRAC’s mandate is to facilitate the detection, prevention and deterrence of money laundering and the financing of terrorist activities, while ensuring the protection of personal information under its control. FINTRAC reported that its mandate was not expanded as a result of the temporary emergency measures granted under the Order. The emergency measures created registration and reporting obligations for certain entities not subject to the PCMLTFAFootnote 24 prior to the Order being made, including those referred to in paragraphs 3(k) and 3(l) of the Order (i.e., crowd funding platforms, payment service providers and certain cryptocurrency platforms). These entities were required to register with FINTRAC if they determined that they were in possession of property owned, held or controlled by a designated person, and to report certain financial transactions to FINTRAC.
  2. The Order also authorized FINTRAC to disclose information to any financial entity set out in section 3 of the Order when it was satisfied that the disclosure would contribute to the application of the Order (section 6).

Scope of personal information received by FINTRAC

  1. FINTRAC reported that it did not have an opportunity to formally register any new entities as required by section 4 of the Order; therefore, no new entities reported suspicious or other financial transactions by designated persons to FINTRAC during the time the Order was in place. FINTRAC confirmed that any financial transaction reports it received during that time were received under the authority and thresholds of the PCMLTFA from existing entities.
  2. In addition, FINTRAC reported that, as no new entities registered with FINTRAC as a result of the Order, no amendments or modifications were required or made to its existing PIBs to describe any collection, uses or disclosures of personal information by these entities.

Scope of personal information disclosed by FINTRAC

  1. FINTRAC reported that all disclosures of tactical financial intelligence which were made by FINTRAC to police, law enforcement and national security agencies during the time the Order was in place were made solely under the authorities set out in the PCMLTFA. This means that FINTRAC met one of the legal thresholds for disclosure, which requires FINTRAC to determine that its intelligence would be relevant to investigating or prosecuting a money laundering offence, or a terrorist activity financing offence, or would be relevant to threats to the security of Canada.
  2. FINTRAC reported to our Office that it did not track information about “designated persons” as defined in the Order, nor did it confirm or take into account whether an individual or entity named in a tactical financial intelligence disclosure was a “designated person”. We note that FINTRAC also confirmed in its testimony to the DEDC that it did not receive a list of “designated persons”.Footnote 25

Engagement Findings - FINTRAC

  1. Based on our engagement with FINTRAC, the information exchanges that occurred during the time the Order was in place were based on the authorities set out in the PCMLTFA. As such, any reporting FINTRAC received from existing entities and any financial disclosures it made were based on the existing thresholds under the PCMLTFA.
  2. Given that this was an informal engagement, our Office did not pursue lines of enquiry beyond the stated objectives for the engagement, and specifically, we did not review the activities of FINTRAC in relation to any collection and/or disclosure of personal information pursuant to its legislative mandate and authorities under the PCMLTFA.
  3. FINTRAC was provided with an opportunity to review and comment on our engagement findings and indicated that it had no additional comments with respect to our understanding of its role as a result of the invocation of the Emergencies Act.

Other

  1. We noted that amendments to the PCMLTFA Regulations and PCMLTFA Administrative Monetary Penalties Regulations came into force in April 2022.Footnote 26 The changes mean that crowdfunding platforms and certain payment providers are now covered as money services businesses (“MSBs”) or foreign money services businesses (“FMSBs”) under the PCMLTFA and have the following obligations: (i) to register with FINTRAC; (ii) to develop and maintain a compliance program; (iii) to carry out “know your client” requirements, including verifying the identity of persons and entities for certain activities and transactions; (iv) to keep certain records, including records related to transactions and client identification; and (v) to report certain transactions to FINTRAC.

Engagement with CSIS

Temporary Powers Granted under the Order

  1. Section 5 of the Order required those financial entities set out in section 3 of the Order to disclose, without delay, certain information to CSIS or the RCMP, including: (a) the existence of property in their possession or control that they have reason to believe is owned, held or controlled by or on behalf of a designated person; and (b) any information about a transaction or proposed transaction in respect of property referred to in paragraph (a).
  2. The Order also authorized CSIS to disclose information to any financial entity listed in section 3 of the Order if satisfied that the disclosure would contribute to the application of the Order.

Engagement Findings - CSIS

  1. We confirmed that CSIS did not request any specific measures under the Emergencies Act, nor did it benefit from any new authorities under the Emergencies Act. We also confirmed that CSIS did not receive any information from any of the financial entities set out in section 3 of the Order pursuant to the Regulations or the Order itself. We have no concerns with respect to CSIS’ activities from a privacy standpoint in the context of this engagement.
  2. We note that CSIS’ authority to collect information and intelligence on threats to the security of Canada rests primarily in section 12 of the Canadian Security Intelligence Service Act (“CSIS Act”).Footnote 27 CSIS confirmed in its Institutional Report prepared for the POEC that it has information sharing protocols in place with the RCMP and other law enforcement agencies. Throughout the period of blockades and protests, CSIS and the RCMP worked under these protocols to share relevant intelligence on potential threats to the security of Canada.Footnote 28
  3. Given that this was an informal engagement, our Office did not pursue lines of enquiry beyond the stated objectives for this engagement, and specifically, we did not review the activities of CSIS in relation to any collection and/or disclosure of personal information pursuant to its legislative mandate and authorities under the CSIS Act, or other information sharing protocols.

Observations

  1. This was an informal engagement to better understand how the RCMP, CSIS and FINTRAC operationalized the temporary powers and authorities granted as a result of the invocation of the Emergencies Act. Our general objective was to assess these temporary powers – and specifically the authority to share information – against the requirements of the Privacy Act.
  2. We note that there is a concurrent and ongoing study by the DEDC to review the exercise of powers and the performance of duties and functions pursuant to the declaration of emergency. Our Office was invited to submit a brief for the DEDC’s consideration by January 23, 2023.Footnote 29 The DEDC is to present its final report in the House of Commons and the Senate no later than March 31, 2023.
  3. In addition, the POEC examined and assessed the basis for the Government’s decision to declare a public order emergency, the circumstances that led to the declaration, and the appropriateness and effectiveness of the measures selected by the Government to deal with the then-existing situation. The POEC also conducted a policy review of the legislative and regulatory framework involved, including whether any amendments to the Emergencies Act are necessary. The POEC’s Commissioner, the Honourable Paul Rouleau, released the Report of the Public Inquiry into the 2022 Public Order Emergency on February 17, 2023.Footnote 30
  4. In light of these concurrent studies, we note that there may be potential for overlap with the observations from our engagement. Nevertheless, given the importance of this matter, we take this opportunity to share certain observations we made during our engagement with these three institutions.
  5. Overall, we found that information exchanges were limited in scope and nature, and reasonable steps were taken to identify relevant, accurate and necessary information to assist financial entities in meeting their obligations under the Order (i.e., to determine whether individuals were designated persons). We also found that reasonable steps were taken to ensure that disclosures made pursuant to the Order did not exceed the parameters of what was necessary for financial entities to meet their obligations under the Order, that there was consideration given to ensure that information was shared with the appropriate entities, and that there were caveats placed on the information disclosed. Information sharing was also time-limited and ceased when the temporary powers were revoked.
  6. Given the privacy implications and the potential for these temporary measures to impact on Canadians’ privacy rights, we considered the use of these powers in light of the general principles of necessity and proportionality.Footnote 31 Overall, we found that the sharing of personal information was proportionate to the needs arising from the unprecedented situation and the legal obligations deriving from the declaration of a public order emergency under the Emergencies Act.
  7. Nevertheless, the privacy impacts of temporary measures such as those granted pursuant to the Emergencies Act need to have formal consideration within the framework of the emergency measures in order to ensure accountability in the protection of Canadians’ privacy. On this point, we share the following observations.
  8. First, the Order provided the authority to share inherently sensitive personal information. The mere fact that the information disclosures related to individuals identified as “designated persons” and potentially subject to financial measures, combined with other personal identifying information and financial information (which is often reputationally sensitive), requires clear and appropriate processes and procedures to handle information privacy and security risks. This is particularly important where the personal information, if compromised, could cause significant reputational or other harms to the individuals affected.
  9. We noted that the Order did not specify the conditions or requirements for information sharing, including the specific types and scope of personal information that should be shared. As such, the information received by the RCMP pursuant to section 5 of the Order varied in scope and detail. This can be problematic from an accountability and transparency perspective. Limitations on information sharing need to be defined to ensure that: (i) only the minimum amount of personal information is disclosed for the stated purpose, (ii) recordkeeping practices are consistent and as complete as possible, and (iii) the integrity and reliability of the information to be used for authorized purposes are maintained.
  10. We also noted that the Order did not prescribe how information was to be shared with financial entities. According to the RCMP, it acted as a conduit for provincial and territorial institutions in order to streamline communications and the sharing of information with financial entities. While this approach may have increased efficiencies and reduced redundancy during the crisis (as noted by the RCMP), it also meant that information was transmitted and handled by a third party, which increases the privacy and security risks to the information. Information sharing practices need to be defined with clear controls and limits, and the expectations for information sharing must be understood by institutions so that they can ensure that the information-sharing activity is compliant with privacy laws, and that measures are implemented to mitigate potential privacy risks.
  11. In addition, the Order did not contain any explicit safeguard requirements to ensure that appropriate procedures were established and implemented to protect the personal information, particularly given that the Order authorized information sharing between the Government and private sector entities. Security safeguards protect information against loss or theft, as well as unauthorized access, use, disclosure, copying or modification, and include: (i) physical measures (e.g., locked filing cabinets); (ii) organizational measures (e.g., limiting access on a “need-to-know” basis); and (iii) technological measures (e.g., the use of passwords and encryption).
  12. Lastly, the RCMP indicated that it did not have authority to provide oversight over the actions that the entities took in relation to designated persons and the freezing of assets. In this light, we noted that the Order did not prescribe any formal oversight or reporting structure to capture the exchanges of information. This also makes it difficult to hold institutions accountable for the information they are sharing, or for the Government of Canada to assess the effectiveness of the measures and demonstrate transparency to Canadians.

Conclusions

  1. Our Office has previously noted that privacy protection is more than just a set of technical rules and regulations, but rather represents a continuing imperative to preserve fundamental human rights and democratic values, even in exceptional circumstances. During any crisis, privacy laws still apply, but they should not pose a barrier to appropriate information sharing.Footnote 32
  2. For example, during the COVID-19 health crisis, our Office released a “Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19”.Footnote 33 This framework highlights that new laws and measures implemented relating to the crisis should also provide specific provisions for oversight and accountability, as institutional safeguards become more, not less, important during times of crisis.
  3. The authority to share sensitive personal information – particularly in the midst of a crisis when extraordinary measures are being implemented – needs to be supported by clear processes and guidance such that government institutions and financial entities are aware of their obligations at the outset, and to ensure transparency and accountability to Canadians for the protection of personal information.
  4. In our view, this includes provisions and/or guidance to govern the implementation of the temporary measures, and specifically, the sharing of personal information, that at a minimum: (i) define the specific elements of personal information to be shared, (ii) define the specific purposes for the sharing, (iii) limit secondary uses and onward disclosures, and (iv) include provisions for a commensurately high level of safeguards to protect the information. Provisions framed in this manner will provide clarity and guidance to institutions and assist institutions in meeting their obligations under the temporary measures and privacy laws.
  5. As noted above, new laws and measures specific to the crisis – and in particular those that authorize the sharing of personal information – require provisions for oversight and/or a reporting mechanism to track the exchanges of information. This will ensure that there are clear and reliable records of what is being disclosed, to whom, and for what purposes. Further, it will aid institutions in ensuring not only that they are meeting their legal obligations as required by the temporary measures, but also that they are complying with the Privacy Act and PIPEDA.
  6. The invocation of the Emergencies Act in early 2022 was the first time powers under that legislation had ever been utilized. This was in reaction to extraordinary events in Ottawa and elsewhere in Canada, and to similar events abroad. We were pleased to engage on this important matter with the RCMP, FINTRAC and CSIS, and we would like to express our appreciation for their open and collaborative engagement with our Office. We hope that the observations we made as a result of this engagement provide helpful insight to the Government of Canada regarding the sharing of information, and also the provisions we would expect to see in the law for privacy oversight and accountability, in times of crisis.