The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Thursday, August 25, 2005

Commissioner releases report concerning collection and security of credit information 

From the Alberta Information and Privacy Commissioner's Office:

Commissioner releases report concerning collection and security of credit information:

"Commissioner Frank Work authorized an investigation under the Personal Information Protection Act ("PIPA" or "the Act') after receiving a complaint alleging that SAS Institute Canada ("SAS") Inc. collected personal credit information in contravention of the Act.

The complainant had applied for a job with SAS as an Administrative Assistant/Receptionist. During the recruitment process, she signed a consent authorizing the organization to obtain a credit inquiry report; however, she subsequently complained that the organization's collection of her personal credit information was not reasonable. She was also concerned about the security of her personal information held by the organization contracted by SAS to conduct background checks.

SAS advanced the following purposes for collecting the complainant's personal credit information during the recruitment process:

  • To assess the applicant's suitability to manage petty cash.
  • To minimize the risk of employee corporate credit card fraud.
  • To validate employment history by identifying past employment listed in a credit report but not described on the applicant's resume.

The investigator found that the personal credit information collected by SAS was not reasonably required to establish an employment relationship because:

  • The organization had less intrusive and likely more effective means to assess the complainant's ability to manage petty cash, including contacting previous employers;
  • The complainant had not yet applied for a corporate credit card, and so the information was not required at this stage to minimize the possibility of fraud; and,
  • The organization had less intrusive and more effective means to validate the complainant's employment history.

The investigator found that the organization's purposes of collecting personal information to assess suitability to manage petty cash and validate employment history were reasonable; however, the extent of the collection was excessive for meeting those purposes. Further, the organization's collection of personal information to minimize the risk of corporate credit card fraud was not a reasonable purpose considering the complainant had not yet applied for a corporate credit card.

The investigator also found that SAS had implemented reasonable measures to ensure that personal information collected on its behalf is safeguarded as required under the Act.

Prior to this investigation, SAS had taken steps to bring its practices into compliance with privacy legislation; however, the organization agreed to refine its hiring practices and implement the following recommendations:

  • Review the responsibilities of a position when hiring to ensure that credit information is reasonably required to determine a candidate's suitability.
  • Where credit information is reasonably required, clearly state the purpose(s) for collection.
  • Where credit information is reasonably required, clearly state in all job postings/advertisements that a credit check may be required of the successful candidate.

SAS was cooperative throughout this investigation and demonstrated a commitment to ensuring the protection of privacy."

Labels: , ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs