The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Thursday, July 21, 2005
On the privacy front, Alberta is apparently where it's at:
Commissioner releases report concerning disclosure and security of personal information by a collection agencyClick here to download Investigation Report P2005-IR-006.
Commissioner Frank Work authorized an investigation under the Personal Information Protection Act ("PIPA" or "the Act") after receiving a complaint alleging that CBV Collection Services Ltd. ("CBV") contravened the Act.
The complainant reported that CBV faxed a form to the complainant's place of employment, and specifically to a non-confidential fax machine. In so doing, the complainant alleged CBV failed to adequately protect her personal information from possible disclosure to other colleagues and employees in her workplace
The investigator found that although CBV did have some policies and procedures in place to address information privacy and confidentiality requirements, a CBV employee acted to the contrary. As a result:
- CBV disclosed the complainant's personal information when it faxed the form to the complainant's place of employment.
- CBV contravened section 19 of the Act as the disclosure in this case was not for a reasonable purpose.
- CBV contravened section 34 of PIPA by failing to make reasonable arrangements to mitigate the risks associated with sending personal information by fax.
In response to the incident and this Office's investigation, CBV revised its process and internal policy documents with respect to requesting verification of employment (VOE), particularly when doing so by fax, and developed a plan to communicate the new process to all offices across Canada. Among other things, the new process requires that:
- A Collection Supervisor verify that a VOE is authorized in the circumstances.
- The collector pre-arrange sending the VOE with the appropriate receiving party.
- Fax transmissions must be sent to a confidential fax machine and must include a confidential cover sheet that does not state the name of the debtor.
- The collector must confirm receipt of a fax or email within 30 minutes of sending it.
The circumstances in this case illustrate that organizations need to be diligent in reviewing information privacy and confidentiality policies and procedures with their staff on an ongoing basis, and in following-up any failure to comply.
With respect to transmitting personal information by fax, organizations must ensure their employees are aware of the potential risks involved, and implement appropriate measures to mitigate that risk."
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.