PIPEDA Case Summary #346

E-mail message raises questions about purposes, credibility and accountability

(Section 2; paragraph 4(2)(b); Principles 4.1, 4.1.4, and 4.3)

The motives of a company vice president were called into question when he asked, by way of e-mail, for the name of the employer of an individual who did not work for his company. When this individual found out about the message, he was upset and questioned the vice president about his motives. What followed was an evolving set of explanations from the executive and the company about the reason for the e-mail. The complainant did not believe the reasons given. In his opinion, the executive, whose sister was representing the complainant’s ex-wife in court, had non-business related reasons for trying to glean this information. He complained to the Office about this attempted collection and the company’s lack of accountability under the Act.

The Assistant Privacy Commissioner did not believe the vice president and agreed that he likely had a personal reason for sending the message. However, as the e-mail message did not yield any kind of response from the employees, there was no collection of personal information. She nevertheless expressed dismay at the attitude that the company displayed towards the management of personal information and the complainant’s right to privacy. By its actions, the company seemed to be unaware of, or untroubled by, its obligations under the Personal Information Protection and Electronic Documents Act.

The company made an effort during the investigation to meet its responsibilities under the Act. The Assistant Commissioner, though, felt that the company needed to further demonstrate its commitment. She made a number of recommendations to the company to improve its accountability, with which the company complied.

The following is a detailed overview of the investigation and the Assistant Commissioner’s deliberations.
Summary of Investigation

The complainant learned from a friend (an employee of the company in question) that the vice president of the company had sent an e-mail requesting information about the complainant. The subject line of the message indicated the complainant’s name and the text stated, “Does anyone know what firm (the complainant) is with?”

Some background facts are essential to understanding this complaint. At the time the message was sent, the complainant was involved in a legal dispute with his former spouse. The vice president’s sister was representing the complainant’s ex-wife in court. Also relevant is the fact that the company is a commercial real estate firm. The complainant is not, and never has been, employed in the real estate industry.

Shortly after learning about the e-mail, the complainant called the vice president to ask why he had sent the message. The vice president denied sending it. The complainant then wrote to the executive and enclosed a copy of the message. He also indicated in the letter his belief that the message had something to do with the executive’s sister and the complainant’s family issues. Although the complainant asked for a response in writing, the executive did not reply.

The complainant escalated his concerns to the chairman of the company and asked for a reason for the e-mail message. The company’s solicitors responded to him, indicating that the company did not have any “confidential information” about the complainant and that his family matters did not involve the company.

Dissatisfied with the response, the complainant wrote to the chairman again, informing him that the company was not being accountable and that the vice president was collecting information about him without his knowledge or consent. He requested a full explanation. The solicitors responded that the complainant had no basis for any possible complaint against the company.
The complainant wrote one final letter to the president and chief executive officer, informing him that the company had breached the Act by failing to be accountable in matters of privacy and personal information, as it did not fully respond to his requests for an explanation and had not adopted a privacy policy. He then filed a complaint with our Office.

The explanations provided by the company to the Office evolved during the investigation. Initially, it stated that the complaint did not fall under the Act and that no personal information had been collected. When asked what the purpose for the collection was, and whether there were any responses to the e-mail, the company stated that the executive had thought that the complainant was a real estate agent working with one of its industry’s member firms. Seeking the complainant’s contact information, which he did not have, the vice president sent the e-mail. According to the company, the vice president believed that someone in the company had dealt with the complainant in the past. The company claimed that no direct replies were received.

The vice president told the Office that he had been talking to another employee, who thought the complainant worked for a commercial real estate broker and had asked the vice president whether he knew what firm the complainant worked for. Not knowing the answer, the vice president sent the message. When asked by our Office, the employee in question did not remember having any conversation with the vice president about the complainant. In fact, he stated that he had never heard of the complainant before.

The vice president confirmed that he had told the complainant that he had never sent the message and had no interest in the complainant. He told the Office that he did so because the complainant sounded threatening and had used an intimidating tone of voice.
The vice president indicated that his sister did practice family law, but that he had no idea whether his sister represented the complainant’s ex-wife. He continued to maintain that he had sent the e-mail for business and not personal reasons. The investigator from the Office, however, had the impression, based on the vice president’s comments, that the vice president already knew some information about the complainant.

As for the company’s personal information handling practices, the Office was initially unable to locate the designated privacy officer. There was also no privacy policy on the company’s web site. The Office was eventually given the name of a company official who stated that he would be the designated privacy officer.

The company indicated that the complainant had never requested a copy of its privacy policy in his correspondence. The company did, however, provide the Office with a copy of its “policy.” Upon review, we determined that it was a memorandum issued in October 2003, advising employees of the Act and directing them to destroy personal information. We informed the company that this document was inadequate as a privacy policy and asked it to develop an appropriate policy that would be available to the public. The company created a policy which our Office reviewed. We suggested some changes and asked it to post the revised policy on its web site as soon as possible.

Findings

Issued June 15, 2006

Application: Section 2 defines personal information as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

Paragraph 4(2)(b) states that Part I of the Act does not apply to any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose.
Under Principle 4.1, an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the principles set out in Schedule 1 of the Act.

Principle 4.1.4 requires organizations to implement policies and practices to give effect to the principles, including (a) implementing procedures to protect personal information; (b) establishing procedures to receive and respond to complaints and inquiries; (c) training staff and communicating to staff information about the organization’s policies and practices; and (d) developing information to explain the organization’s policies and procedures.

Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

In making her determinations, the Assistant Commissioner considered the purposes for the collection, the definition of personal information, the collection itself, and accountability. She deliberated as follows:

Purposes
Personal Information
On the matter of consent
The Assistant Commissioner concluded that the collection complaint was not well-founded.
On the matter of accountability
The Assistant Commissioner concluded that the accountability complaint was well-founded and resolved.

Date published: 2006-10-16