The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Tuesday, July 29, 2008
It's been a while since we've seen a published PIPEDA finding that wasn't from a high-profile case.
In this case, a bank refused to provide a customer with access to the appraisal conducted by the bank of the customer's property. The bank argued it was about the property and not about him. Further, they argued it was confidential commercial information. The Assistant Commissioner did not agree:
Commissioner's Findings - PIPEDA Case Summary #: Residential Property Appraisal Documents are Owners’ Personal Information (May 7, 2008)
The Assistant Commissioner first examined the question of whether the residential property appraisal should be defined as personal information under section 2 of the Act. After considering both the bank’s views and the CBA’s, as well as this Office’s earlier deliberation on the same question in another finding, the Assistant Commissioner remained of the opinion that, since the property was in the complainant’s name, the information relating to the property, including its market value, was his personal information. He therefore had a right of access to it.
Friday, April 18, 2008
Privacy Commissioner Concerned With Ticketmaster's Privacy Practices, Encourages Companies to Adopt High Privacy Standards Across Operations
OTTAWA, April 18, 2008 – Privacy Commissioner of Canada Jennifer Stoddart expressed concern with the information collection and privacy practices of a major online ticket vendor. However, following an investigation by her office and that of Alberta Commissioner Frank Work, the privacy practices of Ticketmaster Canada Limited have been brought up to standard.
However, she encourages companies to adopt the highest standard of privacy practices possible, regardless of where they do business.
“Online commerce continues to grow and customers worldwide expect companies to safeguard their personal information in the course of their business,” says Jennifer Stoddart. “It simply makes good business sense for companies to implement excellent privacy practices across their operations. It is also the law in Canada.”
The Commissioner launched an investigation into the information collection practices of Ticketmaster Canada Limited after a private citizen filed a complaint alleging that the company’s policies and practices on the collection, disclosure and use of customers’ personal information did not comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Information and Privacy Commissioner of Alberta, Frank Work, investigated a similar complaint into how Ticketmaster obtained consent to collect its customers’ personal information and released an investigation report late in 2007.
The investigation conducted by the Office of the Privacy Commissioner of Canada examined the issue of consent, but also investigated whether Ticketmaster followed the principles of access, openness and accountability found in PIPEDA.
“I am now satisfied with the measures Ticketmaster undertook to resolve the complaints that were brought to our attention,” says Jennifer Stoddart. “But I am very concerned that, seven years after PIPEDA was enacted, a major online company operating throughout Canada was found to be in violation of the legislation.”
The Assistant Commissioner also found that Ticketmaster’s online customers were required to consent to their personal information being used for marketing purposes as a condition of purchasing a ticket – a clear violation of PIPEDA.
Following the two investigations, Ticketmaster has revised its privacy practices to explicitly communicate what personal information is collected, with whom it is shared, and how it is used. The company has also adapted its online notification and call-centre telephone scripts so that customers are provided with a choice of whether to opt in to receive marketing material from Ticketmaster and event providers.
The Commissioner will bring this distinction to the attention of her colleagues at the US Federal Trade Commission. As well, she will continue to encourage companies with operations in Canada and elsewhere to adopt the highest standard of information protection practices possible to ensure compliance with Canadian privacy law.
To view the case summary and backgrounder:
Tuesday, July 10, 2007
You may recall some time ago when pretexting made the headlines in Canada after a MacLean's reporter purchased the Privacy Commissioner's phone records (Canadian Privacy Law Blog: That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net). Today the Commissioner released a finding into the incident, accompanied by a big media release:
Here's the release:
Data broker exploits human error, weak safeguards to access phone records
OTTAWA, July 10 /CNW Telbec/ - Recent experience has shown Canadian companies must take precautions to ensure personal information and customer data is not vulnerable to data thieves and pretexters. Strong identification and authentication procedures are essential in blocking unauthorized attempts to access the personal information of Canadians.
An investigation by the Office of the Privacy Commissioner of Canada (OPC) has found that human error and weaknesses in the policies and procedures of three telecommunications companies allowed a data broker to gain unauthorized access to personal phone records.
The investigation was prompted by an article in Maclean's alleging the magazine had been able to purchase the telephone records of Privacy Commissioner Jennifer Stoddart and a senior Maclean's editor from US-based data broker Locatecell.com.
The investigation found that Locatecell.com used "social engineering" to trick phone company customer service representatives into divulging confidential information, either in the specific instances alleged and/or subsequent test cases. Social engineering involves manipulating people into divulging personal information, for example, by pretexting, or pretending to be someone authorized to obtain the information.
The OPC looked at improper disclosures of personal information to pretexters seeking to gain unauthorized access to phone records of individuals without their knowledge or consent. The three companies investigated were Bell Canada, Telus Mobility and Fido.
"In each case, we found that customer service representatives had not followed the companies' established authentication procedures. We also found that training of customer service representatives was not comprehensive enough to protect customers' personal information from illegal access by pretexters," says Assistant Commissioner Raymond D'Aoust. "As a result, the three companies failed to meet the requirements of the Protection of Personal Information and Electronic Documents Act (PIPEDA)."
All three companies revised their customer authentication procedures shortly after the disclosures took place. The OPC reviewed those changes and recommended further steps to address weaknesses in their policies and procedures to prevent unauthorized individuals from gaining access to customers' personal information. All three companies have since taken additional steps to further mitigate the risks resulting from pretexting and unauthorized access to personal records. The Office of the Privacy Commissioner is generally satisfied that all three companies have put in place an adequate set of measures to address the problems.
Nonetheless, the Assistant Commissioner says the companies should have been better prepared to deal with social engineering in the first place. The issue of data brokers using social engineering to obtain call records in the United States had been in the news some time before these incidents occurred.
"It's particularly troubling that not enough was done to let call centre employees know about this kind of threat," says Assistant Commissioner D'Aoust.
"Given the prevalence of identity theft, it is absolutely crucial that all companies adopt strong authentication processes to help ensure that they are providing information to someone who is actually authorized to have that information. It is equally vital that companies ensure that their employees are following these processes and are aware of the threats to personal information that pretexting poses."
The OPC has developed Guidelines for Identification and Authentication on its web site.
A summary of findings in the three cases is also available on the web site.
New laws in the US have recently made it an offence to use pretexting to obtain individuals' phone records in an effort to curb the activities of US information brokers, including Locatecell.com. However, this does not mean the problem has gone away either in the US, or elsewhere, particularly in other countries, including Canada, where no similar legislation yet exists.
In an appearance before a Parliamentary committee last month, Commissioner Stoddart called on the federal government to work collaboratively with the provinces and international partners to adopt a range of legislative and policy solutions to address this problem.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Friday, May 04, 2007
Commissioner's Findings - Privacy Commissioner of Canada
- PIPEDA Case summary #371: Building supplier reveals customer’s personal information to contractor
- PIPEDA Case summary #370: Airline broadens interpretation of personal information and improves handling of personal information access requests
- PIPEDA Case summary #369: The importance of explaining the reasons for collecting personal information
- PIPEDA Case summary #368: Insurance adjusters’ consent form considered overly broad
- PIPEDA Case summary #367: Need to establish procedures for handling access to personal information requests stressed
Monday, April 02, 2007
Canada's Privacy Commissioner has wrapped up her investigation of the SWIFT information sharing fuss and has concluded that SWIFT is subject to PIPEDA but did not violate the law when it handed over Canadian information in response to US subpoenas.
From the Commissioner:
News Release: Privacy Commissioner concludes investigation of SWIFT (April 2, 2007)
Privacy Commissioner concludes investigation of SWIFT
Ottawa, April 2, 2007 — The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the conclusion of her Office’s investigation of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a European-based financial cooperative that supplies messaging services and interface software to a large number of financial institutions in more than 200 countries, including Canada.
In her Report of Findings, made public today, the Commissioner confirmed that SWIFT is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law, and that the organization did not contravene the Act when it complied with lawful subpoenas served outside the country and disclosed personal information about Canadians to foreign authorities. However, she emphasized that making use of existing information-sharing regimes, with built-in privacy protections, would allow for greater transparency for citizens.
Since her appointment, Ms. Stoddart has raised concerns about the personal information of Canadians flowing across borders. In her Report, the Commissioner stressed that organizations operating and connected in a substantial way to Canada are subject to PIPEDA and they must abide by the Act. “Simply because companies might operate in two or more jurisdictions does not relieve them of their obligations to comply with Canadian law,” said Ms. Stoddart.
It was alleged that SWIFT inappropriately disclosed to the US Department of Treasury (UST) personal information originating from or transferred to Canadian financial institutions. Ms. Stoddart launched a commissioner-initiated investigation into the matter to determine if there was a breach of PIPEDA, the federal law which covers the collection, use and disclosure of personal information in the course of commercial activities.
Following September 2001, the UST began issuing subpoenas to SWIFT for certain data held in SWIFT’s US-based operating centre. SWIFT obtained a series of privacy protections for the data it transferred to the UST.
In her Report, the Commissioner explained that PIPEDA allows an organization such as SWIFT to abide by the laws of other countries in which it operates. An organization that is subject to PIPEDA and that has moved personal information outside the country for business reasons may be required at times to disclose it to the legitimate authorities of that country. It is clear that in response to a valid subpoena issued by a court, person or body with jurisdiction to compel the production of information, an organization must disclose personal information and PIPEDA makes it permissible to comply with this obligation. The Commissioner stressed that multi-national organizations must comply with the laws of those jurisdictions in which they operate.
The Commissioner noted, however, that if US authorities need to obtain information about financial transactions that have a Canadian component, they should be encouraged to use existing information mechanisms that have some degree of transparency and built-in privacy protections. Accordingly, she signaled her intent to ask Canadian officials to work with their US counterparts to persuade them to use Canadian anti-money laundering and anti-terrorism financing mechanisms instead of the subpoena route.
“These alternate avenues would allow far greater Canadian involvement in the scrutiny of personal information and would better respect the value we give privacy protection,” said Ms. Stoddart. “Democratic societies must ensure that the fundamental rights and freedoms of the individual are respected to the extent possible, including the right to the protection of personal information.”
In addition to its investigation of SWIFT, the Privacy Commissioner’s Office also received complaints against six Canadian financial institutions and conducted an investigation into their involvement in the matter.
The Office reviewed the contractual documentation that exists between SWIFT and the banks, and concluded that the banks are meeting their obligations under PIPEDA, noting that when an organization contracts with a firm that operates both within and outside of Canada, that firm must respond to lawfully issued subpoenas in other jurisdictions as well as in Canada, and PIPEDA permits this.
Moreover, she found that each of the banks has very clear language in their privacy policies. These policies inform customers that the banks may send their personal information out of the country for certain purposes and that while such information is out of the country, it is subject to the laws of the country in which it is held.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.
View the Executive Summary.
View the Commissioner’s full Report of Findings.
Monday, February 26, 2007
A bunch of new findings have been released on the Privacy Commissioner's website recently:
Commissioner's Findings - Privacy Commissioner of Canada
- PIPEDA Case summary #364: Employer agrees to revise language of consent form regarding exchange of health information
- PIPEDA Case summary #363: Registrar collects personal information to combat domain name hijacking
- PIPEDA Case summary #362: Insurance adjuster readjusts its collection practices
- PIPEDA Case summary #361: Retailer requires photo identification to exchange an item
- PIPEDA Case summary #360: Bank erroneously e-mails employees’ personal information to client
- PIPEDA Case summary #359: Bank reported accurate information regarding bounced cheque
- PIPEDA Case summary #358: Individual objects to insurance company’s consent requirements
- PIPEDA Case summary #356: Customer’s banking personal information found in a recycling bin
- PIPEDA Case summary #355: Funeral home’s disclosure in pursuit of a debt allowed under the Act
- PIPEDA Case summary #354: Fees for access questioned
- PIPEDA Case summary #353: Bank’s Ombudsman revises agreement to clearly explain exchanges of personal information between it and the bank
Wednesday, January 24, 2007
The Privacy Commissioner of Canada has released a summary of a recently settled case, in which a dental clinic disclosed the fact that a patient's account was in arrears to another patient who had referred the first:
Settled Case summary #27: Clinic discloses client information when trying to collect a debt (May 16, 2006)
An individual complained that her dental clinic disclosed information about her overdue account to the person who had referred her to the clinic.
The complainant noted that she had been in hospital and in respite care for several months, and thus did not receive the invoices sent by the dental clinic. When the invoices remained unpaid, the clinic telephoned the client who had made the referral in order to determine the complainant’s whereabouts. The clinic confirmed that it had not only asked the client how it could reach the complainant, but it had also disclosed that her bill was overdue, the amount owing, and that it would be sent to collections unless paid.
The OPC and the complainant agreed that in light of the settlement the matter should be considered settled.
Tuesday, January 16, 2007
In a finding under PIPEDA published on the OPC website, the Assistant Privacy Commissioner of Canada found that an airline's obligation to provide an individual with access to his information continues to exist even if there is litigation pending between the applicant and the organization. See: Commissioner's Findings - PIPEDA Case Summary #352: Airline delays granting access to personal information, citing ongoing litigation (September 8, 2006).
It is also worth noting that the Commissioner's office had to commence an application before the Federal Court in order to get the airline to follow her recommendation.
Sunday, December 03, 2006
On Thursday, the Office of the Privacy Commissioner of Canada posted a very interesting and detailed finding on the use of GPS tracking of company vehicles. The finding is lengthy and worth a read: Commissioner's Findings - PIPEDA Case Summary #351: Use of personal information collected by Global Positioning System considered (November 9, 2006).
A summary of the summary is in the following media release:
News Release: Privacy Commissioner urges caution before installing GPS in company vehicles (November 30, 2006):
Privacy Commissioner urges caution before installing GPS in company vehicles
Ottawa, November 30, 2006 – Employers need to carefully consider the privacy rights of their workers before installing Global Positioning Systems (GPS) into their vehicle fleets, according to the Privacy Commissioner of Canada, Jennifer Stoddart.
The Office of the Privacy Commissioner of Canada (OPC) today released a summary of its findings into a case involving the workplace use of GPS, which can track the location of a vehicle in real time. The Commissioner discussed her Office’s findings at a workplace privacy seminar hosted by Ryerson University.
“This is an important issue for employers and employees across Canada. We’re seeing more and more organizations installing GPS in their cars and trucks and it’s unclear whether they are adequately addressing privacy issues,” Ms. Stoddart said.
In the case investigated by the OPC, several workers complained that their employer, a telecommunications company, is using GPS to improperly collect their personal information – specifically their daily movements while on the job.
The company is using GPS in its installation and repair, and construction vehicles to locate, dispatch and route employees to job sites. Some workers worried, however, that GPS is also being used to monitor work performance and that information gleaned from this technology will be used to justify disciplinary action.
The OPC investigation accepted most of the company’s arguments for using GPS. It agreed, for example, that using GPS to dispatch vehicles is likely to lead to better service for the company’s customers and also could help locate missing vehicles.
However, the OPC expressed concern about using GPS as an employee surveillance tool. While using GPS to track a vehicle is not overly privacy invasive, routinely evaluating worker performance based on assumptions drawn from GPS information impinges on individual privacy.
The use of GPS as an employee surveillance tool may be acceptable in certain situations, which are defined and communicated to employees beforehand, according to the OPC findings. However, a company should not routinely use GPS to monitor its workforce.
In this case, the OPC asked the company to clearly explain to its employees how GPS would be used to check up on them, and also to develop a policy outlining an appropriate process of warnings and progressive monitoring. The policy subsequently prepared by the company spelled out situations in which the company will use GPS data to monitor employees. These include an investigation into a complaint – about speeding, for example – from a member of the public; an investigation into concerns raised within the company; or to address productivity problems. The company also made a commitment to train its managers about the appropriate use of the technology.
“Systematically using GPS to check up on workers and try to determine how well they are doing their jobs would be going too far,” said Ms. Stoddart. “Employers do not have carte blanche to use GPS to constantly monitor their workforce.”
The OPC finding also cautions employers about “function creep” – collecting information for one purpose, and then using it for some other unrelated purpose in violation of basic fair information practices.
“Managing workplace privacy is a balancing act. On the one hand, employers have the right to know what workers are up to on company time. On the other, employees have a right to privacy,” the Commissioner said.
“Workers do not check their privacy rights at the factory or office door. Workplace privacy is an important part of the basic autonomy rights of individuals in our society,” she said. “Employers must find ways to weed out the bad employees without shattering the dignity and privacy rights of the good employees – who make up the vast majority of the workforce.”
The OPC is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.
The summary of the findings in the GPS investigation is available on the OPC Web site:
Once again, I am left at a bit of a loss when it comes to using PIPEDA in the workplace. Unlike PIPA in Alberta and BC, PIPEDA has no deemed consent for reasonable collection, use and disclosure in the workplace. To "make do", the practice seems to have been to use s. 5(3) of the Act to say that as long as it's reasonable, you have implied consent (particularly if there is notice). But logically you can't have consent by implication if it is clearly negated by an employee complaint. Hopefully this will become moot if the Parliamentary Committee recommends fixing up that portion of PIPEDA and something is done about it.
Tuesday, October 17, 2006
The Office of the Privacy Commissioner of Canada has just released another bunch of new findings. I haven't read them yet, but I'll probably have a comment or two when I get a chance:
- PIPEDA Case summary #346: E-mail message raises questions about purposes, credibility and accountability
- PIPEDA Case summary #345: Private school not covered by PIPEDA
- PIPEDA Case summary #344: Couple's safety deposit box opened in error
- PIPEDA Case summary #343: Insurance company requires property owners to collect tenants' personal information
- PIPEDA Case summary #342: Owner allowed to disclose tenants’ rent information
- PIPEDA Case summary #341: Fees and the role of a medical practitioner considered in denial of access complaint
Tuesday, September 19, 2006
Yesterday, the Office of the Privacy Commissioner of Canada posted a new finding based on two separate complaints related to a law firm conducting credit checks without consent (Commissioner's Findings - PIPEDA Case Summary #340: Law firms collected credit reports without consent (May 2, 2006)).
The Assistant Commissioner concluded that the complaints were well-founded. This represents a very important finding, not so much on the question of the appropriateness of the credit checks but on important questions of jurisdiction raised. The credit checks were apparently contrary to the agreement between the firms and the credit bureaus in question. However, in my humble opinion and with the greatest respect to the Assistant Commissioner, Complaint A was incorrectly decided.
An individual complained that a law firm collected his personal information, by conducting a credit bureau inquiry, without his knowledge and consent.
Summary of Investigation
The law firm confirmed that it did conduct the credit inquiry. It argued, however, that the OPC did not have jurisdiction in this matter, as the information was collected for personal purposes of a client in relation to possible litigation, and it would therefore not provide the Office with access to its records.
The Office asserted its jurisdiction with respect to the complaint on the basis that the collection occurred during the course of the law firm’s commercial activities.
The complainant had also filed a complaint with the credit bureau regarding the collection of his credit information. The credit bureau requires its member companies, such as the law firm in this case, to obtain express consent for the collection of credit information. Since the law firm failed to provide adequate information or cooperate fully with the credit bureau’s inquiries, the credit bureau concluded that the law firm did not have the complainant’s consent to the collection. As a result, the law firm’s membership privileges were suspended.
Issued May 2, 2006
Application: Paragraph 4(1)(a) establishes that Part I of the Act applies to every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
The Assistant Commissioner was satisfied that the collection occurred in the course of the firm’s commercial activities, and noted that there was no general exclusion for the activities of law firms undertaken on behalf of their clients. The Office therefore found that it had jurisdiction in the matter, pursuant to paragraph 4(1)(a).
As for the collection, the law firm admitted that it had collected the complainant’s personal information, by way of credit inquiry. The complainant had alleged that this was done without his consent, and the law firm did not provide any evidence to the contrary.
The Assistant Commissioner therefore concluded that the information was collected without the complainant’s knowledge or consent, in contravention of Principle 4.3. She recommended that the law firm implement a policy that prohibits conducting credit checks without the individual’s consent, unless one of the exceptions to the requirement for consent, as set out in the Act, is applicable. The law firm responded by continuing to challenge this Office’s jurisdiction, maintaining that the issue did not involve any commercial activity. It stated that it continues to comply with the Act, as it has since the Act came into force. It also maintained that it does not collect the personal information of anyone without their consent. The Assistant Commissioner was not satisfied with this response, noting that the Act requires organizations to be open about their privacy policies and practices. The response from the law firm did not address the specific recommendation of the Office to implement a policy for obtaining consent to conduct credit checks. Nor did the response provide any further evidence that the Act was not contravened in this instance.
Accordingly, she concluded that the complaint was well-founded.
In my humble opinion, and based solely on this little snapshot of the facts provided above, the Assistant Commissioner was without jurisdiction to consider this particular complaint. The basis for the Commissioner's jurisdiction is in s. 4(1)(a) of PIPEDA, which states that Part I of the Act applies with respect to the collection, use and disclosure of personal information in the course of “commercial activities”. Commercial activities is further defined to mean an act or transaction or course of conduct that is of a “commercial character”. It is said that the law firm was acting for a client and that the client was engaged in litigation against the complainant. That the law firm is engaged in its own commercial activities should be irrelevant. It is merely the agent for its client.
This position is supported by the decision of Justice Dawson of the Ontario Superior Court of Justice in Ferenczy v. MCI Medical Clinic, O.J. No. 1775. Justice Dawson concluded that video surveillance of a medical malpractice plaintiff is not “commercial activity” for the purposes of PIPEDA:
25 The plaintiff submits that the private investigator (an organization) retained by the CMPA (an organization) was collecting and making a record (videotape) of the plaintiff's personal information (images) during the course of commercial activity (while being paid), and that as the plaintiff did not consent to the collection and release of the information, the investigator and the CMPA are in contravention of the Act.
26 For a number of reasons I disagree. I will deal with some specific reasons momentarily, but first I will make a few general comments.
27 The legislation in question is complex and so broadly worded that a reasonable argument could be made to extend its reach so far as to transform both civil and criminal litigation into something very different than it is today. The arguments advanced on behalf of the plaintiff here prove that point. On the basis of the plaintiff's argument, Dr. Weinstein might be permitted to take his own video camera and record surveillance evidence in his own defence, but a licenced private investigator could not do so on his behalf if he was being paid to do so.
28 This argument would extend to an accused in a criminal case. While there are exceptions in the Act that allow law enforcement agencies to investigate and collect information about a suspect or an accused, an accused would arguably be prevented from utilizing a private investigator, or other paid agent, to collect information or conduct surveillance that could be vital to his or her defence. …
30 One way to avoid this result, and I conclude it is the correct interpretation of the Act, is to apply the principles of agency. On this analysis it is the defendant in the civil case who is the person collecting the information for his personal use to defend against the allegations brought by the plaintiff. Those whom he employs, or who are employed on his behalf, are merely his agents. On this analysis s. 4(2)(b) of the Act governs. That section reads as follows:
4(2) This part does not apply to ...
(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose;
The defendant through his representatives was employing and paying an investigator, to collect information for him. It is the defendant's purpose and intended use of the information that one should have regard to in determining the applicability of the Act. On the basis of this analysis I conclude that the defendant is not collecting or recording personal information in the course of commercial activity. He, through his agents, was collecting information to defend himself against the lawsuit brought by the plaintiff. This is a personal purpose in the context of the civil action brought against him by the plaintiff. In my view, this conclusion is consistent with the overall purpose of the Act which is aimed primarily at information collected as a part of commerce. [emphasis added]
The collection, use and disclosure of personal information in connection with private litigation is a private matter and not "commercial activity". Simply put, a claim for damages under the common law, or litigation related to such a claim, cannot reasonably be said to be a "commercial activity". The fact that the relationship between the defendant, on one hand, and the law firm, on the other hand, is commercial is not relevant. As PIPEDA requires a "commercial activity" nexus to be applicable, the fact that the law firm is being paid is immaterial: no such nexus exists and PIPEDA should not apply.
Parliament limited PIPEDA's application to "commercial activities" (and federal works, undertakings and businesses) because federal jurisdiction is limited by the Constitution Act, 1867. In passing PIPEDA, Parliament relied upon its jurisdiction over the "Regulation of Trade and Commerce" contained in s. 91(2). A private lawsuit between two individual litigants (and all matters ancillary thereto) is a matter of "Property and Civil Rights in a Province", which is an area of jurisdiction specifically reserved to the Provinces in s. 92 of the Constitution Act, 1867. Simply put, an attempt to enforce PIPEDA between two private individuals, acting in their private capacities (even if one is acting through a paid agent), would be an unconstitutional application of PIPEDA.
If s. 4(1)(a) is read in such an expansive way, virtually all activities fall within "commercial activities". A public hospital would be engaged in commercial activities because it gets paid by medicare and because most attending physicians are actually incorporated contractors. (Even worse: some hospitals charge for casts, splints and private rooms!) All universities would be engaged in commercial activity since they collect tuition and charge room and board. All public schools would be engaged in commercial activities because students have to pay for field trips. All provincial government departments would be engaged in commercial activity because you have to pay to register your car.
At the end of the finding, the following is noted:
For both complaints the Assistant Commissioner also indicated that she would pursue the matter in accordance with the Act and referred the cases to her litigation counsel. Shortly after being contacted by the Commissioner’s counsel, both law firms agreed to implement the recommendations thus avoiding the need to follow through with an Application in the Federal Court.
I can understand why the firms would not want to be drawn into an expensive proceeding in the courts, but it is regrettable that this finding will remain unchallenged.
Friday, September 08, 2006
Wednesday, July 19, 2006
The flow of findings posted on the website of the Office of the Privacy Commissioner has slowed to a trickle this year, but the floodgates opened long enough to release seven new findings today. I'll comment on them in greater detail before too long, but here are their titles and links:
- PIPEDA Case summary #334: Bank requires piece of identification before responding to request for access to personal information
- PIPEDA Case summary #333: Canadian-based company shares customer personal information with U.S. parent
- PIPEDA Case summary #332: Bank issues new guidelines and educates employees after customer information is faxed to the wrong individual
- PIPEDA Case summary #331: Credit card account history disclosed to estranged spouse
- PIPEDA Case summary #330: Assistant Commissioner considers the nature of certain dispute resolution processes in denial of access complaint
- PIPEDA Case summary #329: Wireless phone company improves safeguards for estranged spouses
- PIPEDA Case summary #328: Medical records storage company revises its access policy
In a conversation with the Assistant Commissioner, I've been told that there is no shortage of complaints but only a shortage of complaints that raise novel issues. Astute observers will note that most of these findings deal with novel issues, particularly situations of marital breakdown.
Thursday, June 22, 2006
The Privacy Commissioner recently released her finding following a complaint brought by a bank employee about the bank directly withdrawing funds from the employee’s bank account. (Commissioner's Findings - PIPEDA Case Summary #327: Bank retrieves overpayment of wages from employee's account (February 2, 2006))
In this case, the Complainant had been receiving benefits under the bank’s disability policy. She had been receiving payments for several weeks when it was determined that she was not eligible for the benefits. The bank determined that it was necessary to stop the next payment but it was too late as the amounts had already been deposited in the employee’s account. The bank then placed a hold on the funds and subsequently withdrew them directly from the employee’s account.
The individual complained to the Office of the Privacy Commissioner and reference was made, either by the Complainant or by the bank, to Section 254.1(2)(d) of the Canada Labour Code which allows an employer to make deductions from wages for “overpayment of wages by the employer.” It was the bank’s argument that it was entitled to take the funds from the account based on this particular provision.
The Privacy Commissioner of Canada considered the complaint and the provisions of the Canada Labour Code. Although the bank might have been entitled to deduct such amounts from wages before they were paid, neither the Canada Labour Code nor the Personal Information Protection and Electronic Documents Act allowed the bank to unilaterally retrieve a sum of money from her account. The Commissioner concluded that "the bank had misused the Complainant's personal information when it took advantage of its dual role as her employer and bank and retrieved money from her account, without her knowledge or consent, thereby breaching Principle 4.3".
The complaint was found to be "well founded and resolved", and the bank committed to change its procedure for recovering funds due from the accounts of bank employees.
Sunday, May 14, 2006
In this recent complaint to the Privacy Commissioner, an individual objected to an insurance company's policy of providing access to medical information by giving it to the individual's physician, who would then provide the information to the individual. This practice is contemplated by Principle 4.9 in Schedule I to PIPEDA. The Commissioner found that the insurance company had not violated its obligations under PIPEDA in providing access in this manner.
In this recent finding, the Commissioner dealt with a complaint by a bank customer who had contacted his bank asking not to be marketed to but subsequently was contacted a number of times by his branch about products and services.
The bank informed the Commissioner that there are two circumstances where the customer may be contacted notwithstanding a "do not solicit" flag on his or her file: (a) in-branch generated sales leads and (b) leads developed by data mining but taking advantage of service-related communication opportunities such as GIC and mortgage renewals.
The Commissioner considered that the bank had not followed the consent principle 4.3 and determined the complaint to be well-founded and resolved.
In this just-released finding, an individual complained that a credit bureau required that the individual provide two pieces of identification before providing him a copy of his credit report. The Commissioner consulted with another credit bureau and found that their policy was the same.
In this case, the Commissioner relied on principle 4.9.2, in which an organization can require additional information in order to fulfil an access request. The complaint was not well founded as the credit bureau has to authenticate an individual's identity before handing over this sensitive information. (As an aside: I expect they'd be risking a complaint about inadequate security if they did not do so.)
One of the most commonly identified "defects" with PIPEDA is that it does not contemplate and efficiently handle the disclosure of personal information in connection with the sale of a business, including pre-sale due diligence. This complaint dealt with the sale of a dentist's practice before the Ontario health information privacy law came into effect and was declared to be "substantially similar" to PIPEDA.
In this particular case, the complainant was given a "consent form" that contemplated that patient records may be disclosed in connection with the sale of the dental practice. It is not clear what the form actually said and whether it purported to obtain patients' consent. (Again, we have a situation where the lack of full detail in the summarized finding makes it very difficult to pull out best practices for the future.)
The Commissioner determined that the disclosure of certain patient records in connection with pre-purchase due diligence in this case was not contrary to PIPEDA. She reasoned:
Does this mean that a company that is not "subject to numerous regulations concerning privacy" can't disclose customer information as part of the sale process? I don't know.
In a finding by the Office of the Privacy Commissioner released on Friday, two individuals complained that a credit bureau was keeping positive credit information on file for too long. Retention of negative information is limited by provincial law, but there was no self-imposed retention period for favourable information. During the course of the investigation, the bureau decided on twenty years and also decided to give individuals the right to have it removed before then. The Commissioner therefore considered the complaint to be resolved.
Saturday, February 18, 2006
The Privacy Commissioner's office has recently released a new finding (Commissioner's Findings - PIPEDA Case Summary #319: ISP's anti-spam measures questioned (November 3, 2005)) after a subscriber to a residential high-speed internet service complained that its anti-spam measures violated PIPEDA. In this case, the ISP filtered outgoing packets and blocked connections to any outgoing mail server (SMTP) that was not part of the ISP's own service. This is part of the ISP's anti-spam measures. The complainant alleged that by "reading" his outgoing e-mail, the ISP was collecting and using his personal information without consent.
The Assistant Commissioner disagreed. Here's the gist:
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
- The first issue the Assistant Commissioner considered was whether any of the information under discussion in this complaint could be considered “personal information” as defined in section 2.
- In her view, an IP address can be considered personal information if it can be associated with an identifiable individual.
- In the complainant’s case, he is assigned a dynamic IP address, which means that it changes each time he logs on. This IP address was associated with the particular computer he was using.
- The ISP does not identify the user before he or she is allowed to send e-mail, but ensures that the user is directly connected to the ISP network and is therefore a customer of the ISP.
- For the purposes of this complaint, which involved the sending of e-mail by the complainant, the Assistant Commissioner accepted that the originating IP address identified the complainant and was therefore his personal information, as per section 2.
- The ISP needs to know the destination IP address in order to deliver the message that is being sent. A port address, however, is not personal information as it is not linked to an identifiable individual.
- The complainant accepted the terms of the service agreement, which specify that the ISP collects and uses personal information for the purpose of providing service. By virtue of sending e-mail, the complainant also consented to the ISP reading the IP addresses to route the mail.
- She therefore did not find the ISP in contravention of Principle 4.3 when it reads the originating IP address.
- As for the allegation that the ISP reads the contents of the entire e-mail packet without the complainant’s consent, the Assistant Commissioner determined that there was no evidence to suggest that this was the case.
- The ISP denied that it reads anything apart from the IP and port addresses (the latter is not personal information). When the port information on the address is read, it is read by the ISP’s mail servers, electronically. No person actually reads the e-mail in this process.
- The process of reading and routing e-mail address information does not require the servers to access or read the user portion of the e-mail. The software program is set to access a predetermined portion of the address, and therefore this is the only portion of the address that is read.
The Assistant Commissioner therefore found that the ISP did not contravene Principle 4.3. She therefore concluded that the complaints were not well-founded.
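To make concrete what "reads only the IP and port addresses" means in practice, here is an added illustration (my own example code, not the ISP's filter and not part of the finding) of a header-only SMTP egress filter in Python. It unpacks just the IPv4 and TCP headers of an outbound packet and decides whether to allow, block or drop it; the bytes after the TCP header, where the e-mail content lives, are never examined. The customer address pool, the relay address, the treatment of port 587 like port 25, and the sample packets are all constructed assumptions for the example; a real ISP would express the same rule in a router or firewall ACL rather than in Python.

```python
"""Header-only SMTP egress filter (added example; assumptions noted inline)."""
import ipaddress
import struct

# Constructed ISP addressing for the example: the residential customer pool
# and the ISP's own outbound mail relay that customers are expected to use.
CUSTOMER_POOL = ipaddress.ip_network("10.0.0.0/8")
ISP_SMTP_RELAYS = {ipaddress.ip_address("10.255.0.25")}
# Assumption: the submission port (587) is policed the same way as port 25.
SMTP_PORTS = {25, 587}


def parse_headers(packet: bytes):
    """Return (src_ip, dst_ip, dst_port, bytes_inspected) for an IPv4/TCP packet.

    Only the IPv4 header (20 bytes plus any options) and the first 4 bytes of
    the TCP header (the ports) are unpacked.  Nothing after that is touched,
    so the e-mail payload is never read.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    proto = packet[9]
    if proto != 6:
        raise ValueError("not TCP")
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if len(packet) < ihl + 4:
        raise ValueError("truncated TCP header")
    _src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, dst_port, ihl + 4


def egress_decision(packet: bytes) -> str:
    """Apply the anti-spam rule using header fields only."""
    src, dst, dst_port, _ = parse_headers(packet)
    if src not in CUSTOMER_POOL:
        return "drop"     # spoofed or foreign source; not our customer
    if dst_port in SMTP_PORTS and dst not in ISP_SMTP_RELAYS:
        return "block"    # direct-to-MX mail from a residential host
    return "allow"


def build_packet(src: str, dst: str, dst_port: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4+TCP packet (test input built for the example)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 6, 0,      # v4, IHL=5, TTL 64, proto TCP
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    mail = b"MAIL FROM:<customer@example.invalid>\r\n"   # constructed payload
    for name, pkt in [
        ("to third-party MX", build_packet("10.1.2.3", "203.0.113.7", 25, mail)),
        ("to ISP relay", build_packet("10.1.2.3", "10.255.0.25", 25, mail)),
        ("https", build_packet("10.1.2.3", "203.0.113.7", 443, b"GET / ...")),
    ]:
        print(f"{name:18s} inspected {parse_headers(pkt)[3]} of {len(pkt)} bytes -> {egress_decision(pkt)}")
```

The point to notice is `bytes_inspected`: it is always 24 for an option-less packet regardless of how long the e-mail is, which is the engineering fact behind the finding's statement that the servers read only a predetermined portion of the address. It is also the reason such a filter does not distinguish legitimate direct-to-MX mail from spam; it blocks by destination, not content.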
Tuesday, February 14, 2006
The Privacy Commissioner of Canada has published a few more findings on her website, including one in which I acted for the respondent.
In case summary #320, the complainants challenged an insurer's right to request an independent medical examination (IME) for individuals seeking benefits under Section "B" of the insurance policy. (Interestingly, the insureds were seeking benefits beyond the four-year limit set out in the policy, which the insurer has no obligation to pay.) The complainants wanted to be examined only by their own physicians, so they refused to submit to an examination by a licensed physician hired by the insurer. It was, they argued, a violation of privacy.
The case hinged on the language contained in the policy of insurance, which is standard for all auto insurers in the province and is approved by the province's Superintendent of Insurance. The policy reads, in part:
Section B – Accident Benefits
The Insurer agrees to pay to or with respect to each insured person as defined in this section who sustains bodily injury or death by an accident arising out of the use or operation of an automobile:
Subsection 1 – Medical, Rehabilitation and Funeral Expenses
(1) All reasonable expenses incurred within four years from the date of the accident as a result of such injury for necessary medical, surgical, dental, chiropractic, hospital, professional nursing and ambulance service and for any other service within the meaning of entitled services in the Hospital Services Act or the Medical Services Payment Act and for such other services and supplies which are, in the opinion of the physician of the insured person's choice and that of the Insurer's medical advisor, essential for the treatment, occupational retraining or rehabilitation of said person, to the limit of $50,000 per person.
The insurance policy also contains a provision saying that the insurer has the right to examine the insured person when and as often as it reasonably requires while the claim is pending. The insurer argued that the individual agreed, by being a party to the policy of insurance, to submit to an IME to support a claim for benefits, and that submitting to an IME is a condition of receiving benefits.
The commissioner determined that the complaint was not well-founded:
Application: subsection 5(3) [of PIPEDA] states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances; Principle 4.2 requires that the purposes for which personal information is collected be identified by the organization at or before the time the information is collected; and Principle 4.3 stipulates that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information except where inappropriate.
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
- In keeping with the requirements of Principle 4.2, the automobile insurance policy in question clearly specifies that the insurer has the right to request a medical examination by a physician of the insurer’s choice for the purpose of investigating and processing the insured person’s claim. The policy also states that both the physician of the insured person’s choice and the insurer’s medical advisor must concur with the expenses being claimed.
- In the Assistant Commissioner’s opinion, a reasonable person would likely consider it appropriate for an insurance company to request a medical examination in order to ensure the validity of a claim, and to collect information from the examination and use it to assess the claim. Such a purpose would therefore meet the expectations of subsection 5(3). As all automobile insurance policy language is standard in the province, all insurance companies have this requirement.
- By being a party to the motor vehicle insurance policy and by submitting a claim under the policy, each of the complainants consented to the terms of the policy, one of which is that the insurer has the right to “examine the person of the insured person.” She therefore found that the insurance company did not contravene the consent provisions set out in Principle 4.3 of Schedule 1.
You can read the full finding here: Commissioner's Findings - PIPEDA Case Summary #320: Refusal to undergo an independent medical examination results in termination of insurance benefits (December 5, 2005).
Friday, October 21, 2005
The Office of the Privacy Commissioner just released a finding related to a free e-mail provider's PIPEDA compliance, particularly with respect to access, security and challenging compliance. The complainant thought her estranged husband had been accessing her e-mail and was responsible for changing her password on a number of occasions. Trying to deal with customer service people at the e-mail provider proved fruitless, and the Assistant Commissioner found that the company was not in compliance with Principle 10 of PIPEDA, which requires that any complaints be escalated to the company's privacy officer. The Assistant Commissioner also concluded that the IP address of the person who had been resetting her password might be information about a third party, but the company could release it to the complainant because it could not be linked to a third party without the assistance of the ISP involved. Finally, the Assistant Commissioner concluded that the company could not be faulted for inadequate security because the customer didn't follow the instructions to make her own password and "personal question" more secure. Read the full finding here: Commissioner's Findings - PIPEDA Case Summary #315: Web-centred company's safeguards and handling of access request and privacy complaint questioned (August 9, 2005).
The Office of the Privacy Commissioner has just posted to its website a finding related to a complaint filed by an insured under an automobile policy who was looking for information about a claim that had been filed by a third party related to damage to a motor vehicle. Though the insurer settled the claim, the insured disputed whether she was at fault.
The insurer refused to provide the insured with access to the particulars of the claim because, in its view, it contained personal information about the claimant. That information, it argued, could not be disclosed without consent under PIPEDA. The insurer attempted to get this consent and was not able to do so.
The insured enlisted the help of the province's Superintendent of Insurance, but to no avail. She then complained to the Privacy Commissioner that she was denied access to her personal information under Principle 9 of PIPEDA.
The Privacy Commissioner concluded that the third-party personal information should have been severed from the records and the remainder provided to the insured:
Commissioner Findings - PIPEDA Case Summary #314: Insurance company denies access to personal information in statement of claim (August 9, 2005)
Application: Principle 4.9 states that upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. An exception to access is included in subsection 9(1), which states that an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
- Based on her review of the statement of claim in question, the Assistant Commissioner was of the opinion that some of the information in the statement of claim was the complainant's personal information.
- While she noted that the statement also contained the third party claimant's personal information, this information could be severed in the manner described in subsection 9(1), and the complainant's personal information provided to her.
- As this had not been done, and instead the complainant was denied access to the entire document, the Assistant Commissioner determined that the insurance company had denied the complainant access to her personal information, contrary to Principle 4.9.
The Assistant Commissioner concluded that the complaint was well-founded.
I have some questions about this that are not dealt with in the published finding. First, it refers simply to the "statement of claim". If it is a statement of claim filed in a lawsuit, it's a public document that the complainant can get in other ways and you can likely imply consent to its disclosure. Secondly, and perhaps more importantly, is that the finding does not address any aspects of agency between the insurer and the insured. The insurer is simply the agent of the insured. The information collected and held by the insurer is done on the behalf of the insured. Using principles of agency, the information (arguably) is constructively held by the insured herself. The insured would have the ability and right to that information under agency principles, regardless of PIPEDA. I don't know if this argument was ever raised before the Assistant Commissioner, but I'd be interested to see whether it would fly.
Thursday, August 18, 2005
The Office of the Privacy Commissioner has just released the summary of a new finding. This is the first time that I can remember where the complainants have asked to remain anonymous and the Commissioner proceeded to initiate a complaint of her own accord, as is provided for under PIPEDA. In this case, a number of residents of the United States complained that a Canadian-based internet pharmacy had unlawfully disclosed their personal information without consent to two American companies, who used the information without consent. The disclosure, which was by unauthorized employee activity, took place before 2004, and the Assistant Commissioner concluded she was without jurisdiction to issue a finding in that regard. Though the companies that acquired the lists did so without notice that they were purloined, the use was still without consent, and the Assistant Commissioner concluded that portion of the complaint was well founded. Read the full finding on the Commissioner's website here: PIPEDA Case Summary #310: Commissioner initiated complaints against Internet pharmacies.
Monday, August 08, 2005
The Assistant Privacy Commissioner of Canada has recently released a finding that addresses the question of whether PIPEDA applies to "not for profit" organizations. In this case, an individual was seeking access to personal information in the custody of a daycare. The Assistant Commissioner concluded that PIPEDA does apply to this daycare as it was not municipally run:
Commissioner's Findings - PIPEDA Case Summary #309: Daycare denied parent access to his personal information - April 18, 2005:
"...The first matter that needed to be determined in this case was the issue of jurisdiction. Daycare officials said that the centre was a non-profit organization subsidized by city funding. They also claimed that the centre was subject to provincial and municipal legislation. This Office confirmed that the centre is not a municipal-run day care. We also found that there was a commercial activity involved, namely, payment for child care services. As such, this Office determined that the daycare was subject to the Act...."
This finding is interesting and could be instructive but ... the dearth of details about this particular daycare leaves little assistance in trying to surmise whether a particular organization is in or out of PIPEDA. My local YMCA runs a daycare that charges for its services. Commercial activity? The university up the street has a daycare. Commercial activity? Sadly, this summary of the Assistant Commissioner's decision provides almost no help for answering those questions, which pop up with surprising regularity.
Tuesday, June 21, 2005
The OPC has released a new finding related to the information management practices of a theatre chain and, in particular, the information it collects when it loans out assistive technology for the disabled.
I've been contacted by the complainant in this case, who tells me he'll have a webpage up about the case in the coming days. I'll post a link when it is up and running. In the meantime, enjoy the new finding: Commissioner's Findings - PIPEDA Case Summary #304: Movie theatre chain strengthens personal information handling practices - June 7, 2005.
Thursday, May 05, 2005
The Office of the Privacy Commissioner has released three new summaries of findings under PIPEDA, located here.
Though the findings are coming out in dribs and drabs, recently posted ones are addressing some issues not previously touched upon.
I'd also note that finding #297 relates to Michael Geist's complaint, which I blogged about in December of last year: PIPEDA and Canadian Privacy Law: Privacy Commissioner issues first spam decision under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Friday, April 29, 2005
Finally some clarity on the privacy aspects of independent medical examinations since PIPEDA. I've had to deal with a number of these over the last year and though all my files are still winding their way through the OPC's system, it's good to see some clarity on the issue.
In this finding, a complaint was made against a physician who was working for an insurance company doing medical examinations of insurance claimants. The individual asked for access to his/her records and was denied as the physician did not keep any records provided to him/her. The individual also complained that the doctor disclosed his/her medical information without consent. The Assistant Commissioner found that both complaints were not well founded.
Commissioner's Findings - PIPEDA Case Summary #294: Denial of access and inappropriate disclosure allegations are made against a physician - March 17, 2005 - Privacy Commissioner of Canada:
An individual alleged that a physician refused to provide him with access to his personal information and disclosed a medical report about him to an insurance company without his consent. The complainant in this case also filed two complaints against the insurance company, which are discussed in greater detail in Case Summary #293.
Summary of Investigation
The complainant had been absent from work for medical reasons, and was insured under the terms of a group insurance policy between his employer and an insurance company. The physician, an independent medical consultant under contract with the insurance company, provided it with a report on the complainant's medical condition. After obtaining a copy of this report from the insurance company, the complainant wrote to the doctor requesting a copy of his file, including copies of the materials provided to the doctor by the insurance company and an independent medical examiner.
The doctor works as a non-treating medical consultant on the premises of the insurance company, approximately one day a week. His position was that he was hired by the company to provide medical opinions on disability files and that these files are owned by the company. As a result, he was not in a position to grant or deny access to them. He states that he does not keep his own files or copies of any records relating to his work for the insurance company. He dictated his report for the company, which was subsequently typed by one of its employees. The company confirmed that its employees type the reports dictated by the doctor, and the report also indicated that it was first dictated and later typed.
The College of Physicians and Surgeons of Ontario has a policy for its members, governing the standards of care for non-treating physicians who prepare reports for third parties. Where the doctor is providing a report to a third party based on a file review, which was the case with the physician in question, the policy states that there is no obligation to keep notes or records. The duty to provide a copy of the report will vary according to the nature of the agreement with the third party. The policy also states:
Physicians who are given... documentation to review should make a comprehensive list of all materials reviewed in preparation of the report... Once a comprehensive list of materials is prepared and the report has been submitted to the third party, the physician may keep a copy of this material in his or her file but is not obligated to do so. This background material can be returned to the third party without making a copy....
The doctor's practice appeared to be consistent with the guidelines of the Ontario College of Physicians and Surgeons.
As for the inappropriate disclosure allegation, the doctor stated that, as per his contractual obligations, he prepared a report summarizing his review of the complainant's file, which was under the control of the insurance company. In his view, he was acting as an agent of the company and thus there was no disclosure.
We reviewed the consent form the complainant signed when applying for disability benefits, and noted that he consented to the provision and exchange of information between any physician and the insurance company for the purpose of assessing his claim and providing rehabilitation assistance.
Issued March 17, 2005
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; and Principle 4.9 stipulates that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.
The Assistant Privacy Commissioner deliberated as follows:
With respect to the denial of access complaint, the Assistant Commissioner was satisfied that the information the complainant requested from the doctor was neither in his possession nor under his control, and that as a result he could not provide the complainant with access to his personal information. The Assistant Commissioner found that the doctor had not contravened Principle 4.9. She therefore concluded that the access complaint was not well-founded.
As for the disclosure complaint, the Assistant Commissioner noted that even if she did not accept the doctor's claim that he was acting under contract to the insurance company, it nevertheless was the case that the complainant had provided his consent to the exchange of personal information between the physician and the company for the purpose of assessing his claim for benefits. She therefore found that there was no contravention of Principle 4.3.
The Assistant Commissioner concluded that the disclosure complaint was not well-founded."
Tuesday, April 05, 2005
Another new finding from the Office of the Privacy Commissioner. This one concludes that asking for four -- four -- pieces of ID to set up a cellular phone account is requiring more information than reasonably necessary, contrary to PIPEDA: Commissioner's Findings - PIPEDA Case Summary #288: Identification requirements for cell phone services - February 1, 2005 - Privacy Commissioner of Canada.
A new finding released by the Office of the Privacy Commissioner of Canada deals with the theft of a bank laptop containing personal information. A laptop was stolen from a bank employee's car in an underground parking garage. The info was on the laptop so that a financial advisor could market additional services to the complainant. After the laptop was stolen, the bank proactively notified the individuals whose information was compromised.
One affected individual complained that the bank violated PIPEDA's "use" and "safeguard" principles. Oddly, the Assistant Commissioner found that the bank had his implied consent to "use" the information, but then criticised the bank for not following the Commissioner's guidelines for getting adequate consent. No surprise, the bank fell down on the job of safeguarding personal information.
Commissioner's Findings - PIPEDA Case Summary #289: Stolen laptop engages bank's responsibility - February 3, 2005 - Privacy Commissioner of Canada:
"Application: Principle 4.5, which states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law; and Principle 4.7, which stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
On the matter of inappropriate use of his personal information, the Assistant Privacy Commissioner noted that the reason the complainant's personal information was on the laptop was that the bank intended to market other bank products and services to him. The bank had sent the complainant two privacy notices that described this practice and offered clients the opportunity to have their names suppressed from the bank's marketing lists. As the complainant had not requested suppression, it would appear that the bank had his implied consent to include his name on such a list, and was acting in accordance with Principle 4.5. When the complainant informed the bank after the theft of the laptop that he wanted his name removed from the list, the bank suppressed it.
She therefore concluded that the use complaint was not well-founded.
As for the safeguards, the Assistant Commissioner noted that, with respect to laptop computers, the bank had policies and procedures in place that required passwords and safe physical storage of the computers. Although these policies and procedures appeared to meet the requirements of Principle 4.7, the financial planner in this instance did not follow the bank's recommendations regarding physical security, and left the laptop unattended on the seat of her vehicle. The Assistant Commissioner therefore found the bank in contravention of Principle 4.7.
The Assistant Commissioner concluded that the safeguard complaint was well-founded.
Tuesday, March 15, 2005
The first summary finding of 2005 has been released by the Canadian Privacy Commissioner. In it, the Commissioner concludes that the complainant's employer did not violate PIPEDA by seeking medical information about the employee who occupies a "safety sensitive" position. The complainant also alleged that the employer collected information directly from his/her physician without consent, a complaint that was well-founded.
Commissioner's Findings - PIPEDA Case Summary #287: Request for medical information deemed reasonable, but consent procedures not properly followed - January 5, 2005 - Privacy Commissioner of Canada:
"...An employee of a transportation company made two allegations against his employer: (1) that his employer was requiring him to provide more medical information than necessary and would not allow him to return to his position until he supplied the information; and (2) that the company obtained medical information about him from his doctor without his consent...."
I am informed by a colleague who made an inquiry of the Office of the Privacy Commissioner that finding summaries are going to be published less frequently than in the past. This is unfortunate. Despite their serious shortcomings, these findings provide the only insight into the Commissioner's thought process and also make good case studies to teach companies how to deal with PIPEDA.
Thursday, November 11, 2004
The Personal Information Protection and Electronic Documents Act allows an organization to disclose personal information without consent in connection with the collection of a debt owed to that organization (see s. 7(3)(b) of the Act). This does not, however, provide blanket permission to disclose the debtor's circumstances and credit history in doing so. The Privacy Commissioner's office has just released finding #282, in which an individual complained about excessive disclosure during collections actions by a bank:
Commissioner's Findings - PIPEDA Case Summary #282: Excessive disclosures in the pursuit of a debt - October 21, 2004 - Privacy Commissioner of Canada: "An individual claimed that a bank disclosed a significant amount of his personal information to two of his employees without his consent. The complainant alleged that these disclosures were extremely damaging to his reputation and contributed to his decision to resign as the head of a company."
The complainant alleged, and produced compelling evidence, that the bank in question "had told [the complainant's employees] that the complainant’s account was severely delinquent, his credit card was suspended from further use, his payment history was sketchy, the bank was intending to enforce its claim against the complainant, and as part of that enforcement, was going to garnish his wages, which would be embarrassing for both the company and the complainant."
The Assistant Privacy Commissioner was not amused. She found:
In short, any organization collecting a debt may only disclose the minimum amount of personal information necessary. Any more, and you are likely offside.
Thursday, October 28, 2004
The Privacy Commissioner released a new finding yesterday (the finding itself is dated September 3, 2004), the first finding to address the mandatory use of biometrics in the workplace. In this case, the employer used voice-print technology for security and managing the employer-employee relationship. The Assistant Commissioner determined that the use of this technology was reasonable, and struck the appropriate balance for security purposes.
Commissioner's Findings - PIPEDA Case Summary #281: Organization uses biometrics for authentication purposes - September 3, 2004 - Privacy Commissioner of Canada:
"Several employees complained that their employer was forcing them to consent to the collection of biometric information, namely, their voice print, for the purpose of accessing a number of the company's business applications. These applications are used for logging work-related information, as well as for absence reporting. "
Saturday, September 11, 2004
In the last batch of findings released by the Office of the Privacy Commissioner, the Assistant Commissioner had an opportunity to consider the installation of video surveillance equipment in an unnamed workplace. The broadcasting company had installed the surveillance system following a full security review. The most interesting aspect of the case is that there is no reference to the requirements that former (and disgraced) Privacy Commissioner George Radwanski laid out as a pre-requisite to installing video surveillance equipment. These were referred to and implicitly supported by the Federal Court in Eastmond v. Canadian Pacific Railway, 2004 FC 852:
 In answering this question, all parties urged I adopt the factors or considerations which the Privacy Commissioner looked at to determine whether CP's purposes for collecting personal information are those a reasonable person would consider are appropriate.
 I am prepared to take into account and be guided by those factors which I repeat are:
- Is camera surveillance and recording necessary to meet a specific CP need;
- Is camera surveillance and recording likely to be effective in meeting that need;
- Is the loss of privacy proportional to the benefit gained;
- Is there a less privacy-invasive way of achieving the same end?
 As argued by all parties, these considerations or factors enumerated by the Privacy Commissioner are those which, over the years prior to PIPEDA, arbitrators adjudicating privacy issues under collective agreements involving camera surveillance have taken into account in balancing privacy interests of employees with the legitimate interests of employers.
In this new finding, Commissioner's Findings - PIPED Act Case Summary #273, the Assistant Commissioner did not refer to section 5(3) of PIPEDA, which sets out a baseline reasonableness for the collection, use and disclosure of personal information:
5(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
Instead, the Assistant Commissioner focused on whether the company had taken sufficient steps to inform employees of the monitoring and its purposes.
Furthermore, the investigation established that the use of such a surveillance system constituted an appropriate means of protecting its employees. Since the cameras are not used to collect employees’ personal information and are not used in places where there is a reasonable possibility of invasion of privacy, it does not seem appropriate that the employer would be required to obtain employee consent for its use. Assuming that the cameras were, inadvertently, collecting employees’ personal information, the employer would be able to use the information thus collected without the employees’ consent only in the circumstances set out in the subparagraphs 7(2)(a) and (b) of the Act.
The Assistant Commissioner appreciated the employer’s flexibility and availability: during the investigation, the employer stated that the employees would be informed of the purposes, and that it would develop a policy document regarding the use of cameras, including the objectives of the security system, the installation sites, the employees authorized to operate the system, the time of surveillance and recording and the equity principles applicable to recording.
The Assistant Commissioner concluded that the complaint was resolved insofar as the firm agreed to:
- ensure that its employees are informed of the purposes for which the cameras are being used, in accordance with principle 4.3.2.; and
- develop a policy document on the use of the surveillance cameras that is made available to the employees, in accordance with principle 4.1.4. The firm will advise the Commissioner about the adoption of such a policy within 60 days following receipt of the letter of finding.
This finding appears to say that you can use video surveillance if it is an appropriate security measure, as long as the employees whose information will be incidentally collected are informed of the surveillance and of its purposes.
Thursday, June 24, 2004
A new finding from the Office of the Privacy Commissioner that strongly suggests that sensitive personal information should not be left on someone's answering machine:
"An individual alleged that her bank improperly disclosed her personal information when it left an automated message on her answering machine stating that she was behind on making a payment on her credit card. She stated that she had not given her consent for the bank to leave a message that anyone in her family or a visitor could hear, and objected to this disclosure of her financial status in an unsecured and non-private forum."
The Assistant Commissioner found the complaint to have been resolved by the bank's undertaking not to leave such messages again.
The moral of the story is to not leave sensitive personal information on someone's voice-mail or answering machine without their OK. This will surely apply to physicians who may wish to leave a reminder about an upcoming appointment or a pharmacist leaving a message that the patient's Viagra prescription is ready to pick up.
Finally, a new batch of findings from the Privacy Commissioner of Canada. Of particular interest is finding #269, which considers an employer's use of video surveillance by a private investigator. I'll do a fuller analysis later, but the "Further Considerations" at the end of the finding are instructive:
Notwithstanding the findings, the Assistant Commissioner stressed that while she was satisfied that the company only resorted to video surveillance after having taken numerous measures to obtain the required information with the complainant's knowledge and consent, she recommended that the company formalize the steps it took by developing policy and practices that are privacy conscious.
Such a policy, she suggested, should take into account the following:
The Assistant Commissioner asked the company to report back to her within 120 days regarding this policy."
Tuesday, January 06, 2004
Commissioner's Findings - September 4, 2003 - Privacy Commissioner of Canada: PIPED Act Case Summary #211: Bank accused of improperly disclosing overdraft information to another bank
Among other complaints to the OPC, a couple complained that they were not allowed to withdraw their consent for future information disclosure to other lenders, credit bureaus or credit-reporting agencies. The couple's account had become delinquent and was referred to the bank's collections division. The couple got a loan from another bank and wanted to refuse to allow the original bank to communicate their credit information to other parties.
The first bank's position was that it had the couple's consent to the disclosure of their personal information by virtue of the personal loan service authorization they had signed a few years earlier when their personal credit reserve was arranged. This document stated that the couple authorized the bank to disclose to other lenders, credit bureaus or other credit-reporting agencies personal and credit information about them. The bank further stated that the couple could not withdraw their consent for future disclosure because the sharing of such personal information is required to maintain the integrity of the Canadian credit-granting system.
Commissioner's Findings ...
It has been confirmed in other cases considered by the Office that the credit system in Canada depends upon the fulfillment of myriad contractual and legal obligations.
If individuals could withdraw their consent to disclosure of their credit history with a particular lender, the credit system would not work.
On this basis, the Commissioner determined that the bank was justified, on legal and contractual grounds, in refusing to honour the couple's request for withdrawal of consent to the sharing of their personal financial information with other lenders, credit bureaus or credit-reporting agencies. He found, therefore, that the bank was not in contravention of Principle 4.3.8.
This finding appears to answer (albeit not definitively) a relatively common query among credit grantors when informed that PIPEDA contains the following provision:
4.3.8 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.
It appears that as long as the credit agreement contains a consent to the exchange of credit information with the usual parties, the debtor is not able to unilaterally withdraw that consent. Prudence would suggest that credit grantors would want to include language that explicitly informed individuals that they are not able to withdraw consent.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.