

Annual Report to Parliament 2000-2001


Part Two: Report on the Personal Information Protection and Electronic Documents Act

Introduction

The passage of the Personal Information Protection and Electronic Documents (PIPED) Act is an important step forward for Canada. It is a clear commitment to protect our fundamental right of privacy, in an age when it is threatened as never before. With technological developments revolutionizing the way we do business and with organizations demonstrating a limitless appetite for personal information, progressive nations around the globe are recognizing the need to safeguard privacy. The PIPED Act places Canada firmly in their front ranks.

Part 1 of the Act sets out the conditions under which organizations may collect, use, or disclose personal information, and gives individuals rights of access to and correction of personal information held about them by an organization. It also sets out the process by which individuals may lodge a formal complaint when they believe these rights have been violated or that organizations are not in compliance with the law, and the legal remedies available to them.

This part of the Act is being implemented in three stages. In the first stage, which began on January 1, 2001, the Act applies to personal information, except personal health information, collected, used or disclosed in the course of commercial activities, or about their employees, by federal works, undertakings and businesses. This includes the banks, the broadcasting industry, inter-provincial transportation companies and the telephone companies.

The Act also applies to disclosures of personal information traded or sold across provincial or national borders. In addition, it applies to the entire commercial sector in the Yukon, Northwest Territories and Nunavut, since all local businesses in the territories are considered to be federal works, undertakings, and businesses, and therefore under the jurisdiction of the federal Parliament.

As of January 1, 2002, the Act will apply to personal health information for the organizations and activities already covered in the first stage.

Part 1 of the Act will be in force across Canada in the provincially regulated private sector as of January 1, 2004, except where a province or territory has enacted legislation that the Governor in Council considers to be substantially similar to the Personal Information Protection and Electronic Documents Act. In these cases, the provincial or territorial legislation will apply to intra-provincial collection, use or disclosure of personal information by organizations subject to the provincial law. The federal law will continue to apply to a broad range of interprovincial and international collections, uses or disclosures. That means that as of January 1, 2004, the privacy rights of Canadians will be protected throughout the private sector, either under the federal Act or under a substantially similar provincial or territorial law.

As Privacy Commissioner of Canada, I am responsible for overseeing compliance with the rules for the collection, use, and disclosure of personal information set out in Part 1 of the Act. I receive and investigate complaints, and, as with the Privacy Act, play the role of an ombudsman, attempting to resolve disputes by negotiation. I also may, with reasonable grounds, audit the personal information management practices of an organization.

The powers of investigation granted to my Office under the Personal Information Protection and Electronic Documents Act mirror those contained in the Privacy Act, although I have a greatly expanded mandate to conduct research into privacy issues, and to promote awareness and understanding of these issues among Canadians.

This is an interim report on activities related to the Personal Information Protection and Electronic Documents Act covering the period from January 1, 2001, to November 30, 2001.

Update on Provincial and Territorial Legislation

Determination of "Substantially Similar"

I will interpret substantially similar as meaning equal or superior to the federal law in the degree and quality of privacy protection provided. The federal law is the threshold or floor. A provincial privacy law must be at least as good, or it is not substantially similar.

To be considered substantially similar, any provincial legislation will have to contain, at a minimum, the 10 principles set forth in Schedule 1 to the Personal Information Protection and Electronic Documents Act. While we consider all 10 principles of this code to be interrelated and equally important, I am going to comment on five elements of the law as key components in making an assessment of substantially similar: consent, reasonable person test, access and correction rights, oversight, and redress.

Consent

To the extent that privacy is the right to control access to one's person and to personal information about oneself, there is no control without consent and there is no privacy without control.

The requirement for consent must be at the heart of any good privacy legislation. The federal law says that consent must be informed and that the collection, use and disclosure of personal information without the individual's consent may occur only in specified exceptional circumstances.

An organization can only collect, use or disclose personal information about an individual with the individual's consent (except in certain limited circumstances that are set out in the Act).

After collection, personal information can only be used or disclosed for the purpose for which consent was given (except in certain circumstances that are set out in the Act).

Reasonable Person Test

The reasonable person test provides another important check on organizations. The law states that the collection, use, and disclosure of personal information must be limited to purposes that a reasonable person would consider appropriate in the circumstances.

Among other things, this test prevents organizations from using overly broad or vague statements of the purposes for which information is being collected.

Access and Correction Rights

Individuals must have the right to access personal information that organizations have about them and to correct any information that is incorrect (or to have any disagreement noted and provided to any party who received the information).

Oversight

Where an individual is of the opinion that his or her privacy rights have been violated or the privacy law not respected, the individual must have the ability to complain to a fully independent oversight body with the specific mandate to resolve complaints, thoroughly investigate, mediate, conciliate and make recommendations or issue orders. Such an oversight body also must have the full range of investigative powers to seize documents, enter premises, and compel testimony and initiate audits of an organization's practices.

Redress

Following my report to an organization and a complaint, the federal Act allows the complainant (or myself directly) to apply for a hearing in the Federal Court of Canada. The complainant or I can ask the court to order the organization in question to correct its information handling practices and make public the steps it has taken to do so. The court can be asked to award damages to the complainant.

Decisions of the Federal Court can be appealed to the Federal Court of Appeal and with leave to the Supreme Court of Canada.

I believe that there must be corresponding redress provisions in any provincial legislation which purports to be "substantially similar".

Legislative Initiatives to Regulate the Private Sector

To date, Quebec is the only province in Canada with personal data protection in effect that applies to enterprises operating in the province as defined in its Civil Code. Elsewhere in Canada, two provincial governments, British Columbia and Ontario, have begun to explore legislative options for the regulation of the collection, use, and disclosure of personal information in the private sector. This is in preparation for the January 1, 2004, date by which provincial governments must have legislation in place that is deemed by the Governor in Council, through an exemption order, to be substantially similar to the Personal Information Protection and Electronic Documents Act.

Health Sector

The provinces of Alberta, Manitoba and Saskatchewan have all passed health-specific privacy legislation. The legislation in Manitoba and Alberta is currently in force. In December 2000, Ontario introduced the controversial Bill 159, the Personal Health Information Privacy Act. This bill died on the order paper.

Public Sector Legislation

New Brunswick's Protection of Personal Information Act came into force in April 2001. Prince Edward Island's Freedom of Information and Protection of Privacy Act received Royal Assent on May 15, 2001, and will come into force in November 2002. With the introduction and passage of these two acts, every province and territory in Canada with the exception of Newfoundland now has statutory protection for personal information held by government departments and agencies.

Investigations

[Figure: Complaints by Sector graph]

As of November 30, 2001, my Office had received 95 formal complaints under the Personal Information Protection and Electronic Documents Act. During this first year of the Act, these complaints have been confined to the federally regulated sector, with nearly half of them involving the banks.

In spite of the lead-in time organizations had to prepare for the coming into force of the Act, some still have not embraced its principles in their business practices. Many complaints have raised systemic issues dealing with the violation of privacy rights in the federally regulated private sector. Where it was determined that they were well-founded, I have recommended that organizations make important changes to existing policies and procedures.

Section 13 of the Personal Information Protection and Electronic Documents Act gives me the authority to ask that organizations report back on the progress made in implementing these changes. Experience to date suggests that this will be a useful tool to ensure the necessary changes are made.

My approach to the investigation and resolution of these complaints is similar to my approach under the Privacy Act. When my Office receives a complaint, I give the organization formal notice of the nature of the allegations, and invite it to make representations. I try, whenever possible, to resolve disputes through conciliation, consultation, persuasion and mediation.

I may make one of the following findings in handling a complaint:

  • Not well-founded: This means that there is no evidence to lead me to conclude that the organization violated the Act.
  • Well-founded: This means that the investigation revealed that the organization failed to respect a provision of the Act.
  • Resolved: This means that the organization has taken corrective action to remedy the situation, or that the complainant is satisfied with the results of my Office's inquiries.
  • Discontinued: This category applies to investigations that are terminated before all the allegations have been fully investigated. A case may be discontinued for any number of reasons, for example, when the complainant is no longer interested in pursuing the matter.

Commissioner's Findings

The following are my findings under the PIPED Act up until November 30, 2001. For the sake of consistency, the findings are presented in the format in which they will appear on our Web site at www.privcom.gc.ca. Since January 2001 my Office has completed investigations and issued findings and recommendations in the investigation of 27 complaints under the Personal Information Protection and Electronic Documents Act and two incidents. Complaints almost identical in nature have been combined and written as one finding.

Video surveillance activities in a public place [Principle 4.3, Schedule 1]

Complaint

The Information and Privacy Commissioner of the Northwest Territories and Nunavut complained that a security company had improperly collected personal information without the consent of individuals by means of surveillance cameras installed on the main street of Yellowknife.

Summary of Investigation

The security company in question had mounted, on the roof of its office building, four video cameras aimed down into a main intersection of Yellowknife and had set up two monitors in its offices. For several days in early May 2001, company staff had monitored the live feed from the street 24 hours a day. On several occasions, staff had noted incidents and contacted police. By the company's own admission, this surveillance activity had been a marketing demonstration intended to generate business. Following negative publicity, the company removed the cameras less than a week after they had been installed.

Commissioner's Findings
(Issued June 15, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because any company in the Northwest Territories is a federal work, undertaking, or business as defined in the Act.

APPLICATION: Principle 4.3, Schedule 1, states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Since the company's principal reason for installing video surveillance equipment was to monitor the activities of people, the Commissioner concluded that the information at issue was personal information for purposes of the Act. Since the company had admitted that its video surveillance activity was a marketing demonstration, the Commissioner concluded that the activity was a commercial activity within the meaning of the Act.

The fact that the video feed was live and not taped was deemed not relevant, since the Act does not restrict personal information to recorded information. On the evidence, the Commissioner was satisfied that individuals had not consented to the collection. He found that the company had collected personal information without consent, in contravention of Principle 4.3.

In presenting his findings, the Commissioner commented as follows: "There may be instances where it is appropriate for public places to be monitored for public safety reasons. But this must be limited to instances where there is a demonstrable need. It must be done only by lawful public authorities and it must be done only in ways that incorporate all privacy safeguards set out by law. There is no place in our society for unauthorized surveillance of public places by private sector organizations for commercial reasons."

The Commissioner concluded therefore that the complaint was well-founded.

FURTHER CONSIDERATIONS

No further action was required in respect of the complaint, since the company had already removed the cameras before the Commissioner issued his findings. However, the matter was not fully resolved, in that the security company indicated an intention to pursue its efforts to provide video surveillance services to the Yellowknife community. The Commissioner has advised the company that its intended public video surveillance for commercial purposes is unlawful and should not be pursued.

Unsolicited e-mail from an Internet service provider [Principle 4.3, Schedule 1]

Complaint

A customer complained that her Internet service provider (ISP) was using her personal information, namely her e-mail address, without her consent by sending unsolicited e-mail notices to her.

Summary of Investigation

The complainant had received several unsolicited e-mail notices from her ISP about its services. At first she complained directly to the ISP, but was not satisfied with the company's suggestion that she simply reconfigure her browser so as to route the notices directly to a bulk-mail or trash-bin folder. Her position was that the onus should not be on the user to filter unsolicited e-mail notices from the ISP. The company's position was that it had a right to send such messages under the terms and conditions of its subscriber agreement, which contains a consent clause.

Since the initial one-year subscription had been a gift from a friend, the complainant had not personally considered these terms and conditions at the start of her service, but had subsequently been presented with them on renewing her subscription after a year. The complainant did renew her subscription with the same company even though her complaint remained unresolved at the time.

Commissioner's Findings
(Issued July 3, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because Internet service providers are federal works, undertakings, or businesses, as defined in the Act.

APPLICATION: Principle 4.3, Schedule 1, states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

On reviewing the subscriber agreement of the ISP in question, the Commissioner was satisfied that the company's practice of sending periodic e-mail notices to customers was clearly outlined in the agreement. Hence, he considered it reasonable that customers would expect to receive such notices from time to time. Moreover, he determined that the complainant had consented to the practice on renewing her subscription. He found that in this case the ISP had not contravened Principle 4.3.

The Commissioner concluded therefore that the complaint was not well-founded.

FURTHER CONSIDERATIONS

The Commissioner informed the complainant that he considered the ISP's initial proposal for resolving her concern to have been reasonable.

He also commented: "The e-mail notices are in keeping with the purposes for which consent to use the e-mail address was originally obtained, that is, to enable efficient ISP service."

Commissioner considers jurisdiction over third-party disclosure by bank subsidiary [section 30]

Complaint

A customer complained that an investment company, a subsidiary of a chartered bank, had improperly disclosed to a third party, namely a regulatory body that oversees the company's activities, his personal information related to financial transactions.

Summary of Investigation

The investigation in this case was limited to the Commissioner's determination of whether or not he had jurisdiction in the matter.

Commissioner's Findings
(Issued July 19, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies strictly to federal works, undertakings, or businesses and to transborder disclosures of personal information for consideration. Banks are federal works, undertakings, or businesses as defined in the Act. In this case, however, the investment company, though a subsidiary of a bank, operates as a separate and distinct legal entity, does not disclose information across borders for consideration, and is provincially regulated. The company in question is not currently subject to the Act.

The Commissioner concluded that he lacked jurisdiction.

Bank customer requests credit score information [Principle 4.9, Schedule 1, and section 8]

Complaint

A customer complained that a bank had denied her access to her personal information regarding her credit score.

Summary of Investigation

The complainant had telephoned her branch of the bank in question and asked for her credit score information. A customer service representative at the branch advised her that the bank did not release such information to its customers. On being informed of this complaint, the bank undertook an extensive search of its records and subsequently reported that it could not find any credit product or credit application in the complainant's name and therefore had no corresponding credit score for her. The complainant subsequently confirmed that she had no credit products with the bank and had never submitted any credit application to the bank.

Commissioner's Findings
(Issued July 23, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because financial institutions are federal works, undertakings, or businesses as defined in the Act.

APPLICATION: Principle 4.9, Schedule 1, states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information and be given access to that information. Section 8 sets out conditions under which a request may be deemed to have been refused.

The Commissioner was satisfied that the requested information did not exist in the bank's files. He found therefore that the complainant had not been denied a right of access to her personal information under section 8 of the Act.

The Commissioner concluded that the complaint was not well-founded.

Personal information retained after application rejected [Principle 4.5, Schedule 1]

Complaint

A credit card applicant complained that, after turning down her application, a bank had refused her request that the personal information collected for her application be deleted from the bank's records.

Summary of Investigation

The complainant had applied in person for a credit card, but the bank in question had declined her application. The complainant then requested that the personal information she had provided in her application be removed from the bank's computer system. The branch manager replied that he himself did not have the delegated authority to remove the information, and he took no steps to determine whether some other course could be taken.

In fact, the bank's corporate privacy officer and the business manager for the credit cards had the delegated authority for removal of such information on special request, but in this case the complainant's request was not relayed to either of these officials. For credit card applications made in person, the bank's usual practice was to enter the personal information collected immediately into the computer system at the branch and then forward it for adjudication to the host computer system of the bank's central loan processing centre. If the application was declined, the information was not automatically purged. Unless the unsuccessful applicant made a special request for removal, the personal information remained in the bank's computer system and was accessible indefinitely at the branch level.

Commissioner's Findings
(Issued July 23, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses, as defined in the Act.

APPLICATION: Principle 4.5, Schedule 1, states that personal information must be retained only as long as necessary for the fulfillment of the purposes for which it was collected.

The Commissioner considered it unreasonable that, after the bank had used the complainant's personal information for the purpose for which it had been collected (i.e., making the decision about the credit card), the information would have remained accessible indefinitely at the branch level had the complainant not insisted on its removal. He found that the bank in this case had contravened Principle 4.5.

However, the Commissioner also noted that the bank had subsequently deleted the complainant's personal information and had confirmed that it had not been communicated to any third party. He also noted that the complainant was satisfied with this resolution.

The Commissioner concluded therefore that the complaint was well-founded and resolved.

FURTHER CONSIDERATIONS

To address the inconsistencies revealed by the Commissioner's investigation, the bank in question has agreed to undertake an extensive review of its current practices for the retention of personal information. The bank has also agreed to implement a communications strategy for educating employees and customers on the bank's privacy complaints process.

Security of a bank's automated telephone service [Principle 4.7, Schedule 1]

Complaint

Citing several provisions of the Personal Information Protection and Electronic Documents Act, an individual complained that a bank was not taking adequate security measures to safeguard customers' information disclosed via its automated telephone service.

Summary of Investigation

The bank in question offers an automated telephone service for Visa customers who do not have other dealings with the bank. Users of this service cannot conduct transactions, but can gain limited access to their Visa account information by providing the 16-digit Visa account number and, at the random selection of the system, either the last four digits of the cardholder's home telephone number or the cardholder's year of birth.

Commissioner's Findings
(Issued July 23, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses, as defined in the Act.

APPLICATION: Principle 4.7, Schedule 1, states that an organization must protect personal information by security safeguards appropriate to the sensitivity of the information.

On consideration, the Commissioner deemed the complainant's concern to be valid. He determined that an access-control procedure relying so heavily upon a cardholder's telephone number or year of birth was not adequate to prevent unauthorized persons from gaining access to users' sensitive personal information. He found that the bank in question was not in compliance with Principle 4.7.

Nevertheless, the Commissioner noted that the bank had proposed and initiated a detailed three-phase action plan to address the security concerns raised in the complaint. He also noted that both he and the complainant found all aspects of this plan satisfactory.

The Commissioner concluded therefore that the complaint was well-founded and resolved.

FURTHER CONSIDERATIONS

The action plan proposed by the bank comprises three phases, as follows:

Immediate: All automated access to the complainant's Visa account is disabled, so that any unauthorized attempt to obtain the complainant's personal information will fail. The complainant himself will be able to access his account through an agent by reference to a preselected password.

Short-term: By October 31, 2001, the bank's Visa-only customers will be allowed to disable their automated telephone access upon request and likewise deal directly with an agent, if they so choose. This phase includes a communications strategy for informing the customers.

Long-term: The bank has agreed to implement a new telephone bank solution addressing the privacy and security concerns of customers within three years and to report on progress to the Privacy Commissioner no later than July 31, 2002.

The Commissioner has commented: "I am satisfied that the measures [the bank] has put in place to resolve the security safeguard issues identified ... are acceptable."

Musician objects to collection of salary information by professional organization [section 2]

Complaint

A musician complained that the professional organization representing his interests had, without his consent, collected personal information about him, namely his annual salary, from his employer.

Summary of Investigation

The complainant is the only musician working in a certain establishment. One of the activities of the professional organization in question is to collect copyright dues for its members, subject to the requirements of the Copyright Act. In order to file the applicable tariff with the Copyright Board and collect the copyright dues, the organization first needs to know the total entertainment budget of a given establishment. The complainant was concerned that, since he was the only musician at the establishment in question, a third party might be able to identify him as the sole recipient of the salary allotment included in the entertainment budget. However, in collecting such information, the organization has no interest in knowing which musicians, or how many, are working in the establishment and therefore does not collect names or numbers. Nor does it publish or communicate to third parties the information it collects in respect of the establishment.

Commissioner's Findings
(Issued July 23, 2001)

JURISDICTION: The professional organization in question stated that it was subject to the Personal Information Protection and Electronic Documents Act. The Commissioner did not dispute this position.

APPLICATION: Section 2 of the Act defines personal information as "... information about an identifiable individual ...".

On the evidence, the Commissioner was satisfied that the professional organization had the legal authority to collect the information at issue and that the collection did not involve personal information about an identifiable individual. He found that the collection was therefore not subject to the requirements of the Act.

The Commissioner concluded that the complaint was not well-founded.

FURTHER CONSIDERATIONS

In conveying his findings, the Commissioner commented: "Having established that the information collected is not personal, I need not make a finding on its appropriateness with respect to sections 4.3 (consent) and 4.4 (limiting collection) of Schedule 1 or to section 7 (collection without knowledge or consent) of the Act, which might otherwise have applied in this case."

Use and disclosure of personal information in telephone directories [Principle 4.3, Schedule 1]

Complaint

Citing several provisions of the Personal Information Protection and Electronic Documents Act, an individual complained that a telecommunications company was:

  1. Using and disclosing customers' personal information without their knowledge and consent by publishing names, addresses, and telephone numbers in the company's white-pages directory and on two Web sites; and
  2. Inappropriately charging customers for opting not to have their information published.

Summary of Investigation

The telecommunications company in question publishes customers' names, addresses, and telephone numbers in its white-pages directory and on its own directory assistance Web site. In accordance with Canadian Radio-television and Telecommunications Commission (CRTC) regulations, the company gives the same information to the Bell Canada subsidiary that operates the "Canada 411" Web site. Customers are asked how they wish their personal information to appear in the company's white pages and are given the option of not having their information published. For those who choose non-publication, the company charges fees, in accordance with CRTC regulations. The company also provides list services to selected organizations for a fee, excluding information on non-published customers and customers who ask to be de-listed.

Commissioner's Findings
(Issued August 14, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because telecommunications companies are considered to be federal works, undertakings, or businesses, as defined in the Act.

APPLICATION: Principle 4.3, Schedule 1, states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

On the matter of consent, the Commissioner considered relevant the company's questioning of customers regarding how their information should appear in the white-pages directory. He determined that the question itself implies the eventual appearance of the information in publicly available directories. By choosing not to take the option of non-publication, customers implicitly give consent for their personal information to be made available to the public. Moreover, since the information subsequently published in other formats merely reflects what is published in the white-pages directory, it too is considered publicly available information for purposes of the regulations under the Act and may be collected, used, or disclosed without consent. In sum, the Commissioner found that the company did obtain valid consent and was in compliance with regulations on publicly available information.

On the matter of charging fees for non-publication of customers' information, the Commissioner noted that the company had duly applied for and received permission from the CRTC, under Telecom Order 98-109, which states that telecommunications companies can charge no more than $2 per month for non-published telephone service. He found therefore that the company in question did have authority to charge its monthly fee of $2 for non-publication.

The Commissioner concluded that the complaint was not well-founded.

Bank teller writes account number on cheque [section 5(3)]

Complaint

An individual complained that a bank had created the potential for an improper disclosure of his personal information to a third-party without his consent when a teller wrote his account number on the back of a cheque when cashing it.

Summary of Investigation

The complainant had gone to a branch of his bank to cash a personal cheque from a third party. The bank teller wrote the complainant's account number on the back of the cheque. The complainant's concern was that, if the cheque was for any reason returned to the third party who had written it, the account number would be disclosed to that person.

The bank argued that, in cashing cheques, banks are in effect extending credit until such time as the cheque's value can be debited from the cheque-writer's account. In cases of exception (e.g., fraud or insufficient funds), banks require an efficient means of recovering the cheque value from the customer who presented the cheque. Moreover, names written on the front of cheques are not an efficient enough means, in that they may vary significantly from the exact names in which customers' bank accounts are registered. This bank's position was that recording account numbers on cheques is a longstanding industry-wide practice, necessary for protecting a bank's interests in ensuring that it can collect its money from either the cheque-writer or the person who deposits or cashes the cheque.

Commissioner's Findings
(Issued August 14, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

APPLICATION: Section 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

The Commissioner determined that the bank's recording of the account number at the time a cheque is presented is a reasonable practice and that it is reasonable for a customer to expect such a practice. The Commissioner was satisfied that the complainant had thus given implied consent to the collection, use, and disclosure of his personal information. The Commissioner found that no contravention of the Act had been established.

He concluded therefore that the complaint was not well-founded.

FURTHER CONSIDERATIONS

In presenting his findings, the Commissioner commented as follows: "Upon presenting the cheque for negotiation, the [bank's] customer is giving implied consent for the disclosure of the personal information on the back, just as the drawee is providing express consent to disclosure of their personal information (on the front of the cheque) to the payee."

Trucking company collects personal information intended for Canada Customs [Principle 4.4, Schedule 1]

Complaint

A dismissed employee complained that his former employer, an international trucking company, had improperly attempted to collect personal information by insisting that he complete and return to the company an application for a program instituted by the Canada Customs and Revenue Agency (CCRA).

Summary of Investigation

The trucking company in question had sent the complainant, one of its international drivers, a letter advising that he was required to complete a "Commercial Driver Registration Application" under the new Customs Self-Assessment Program instituted by the CCRA. This letter also advised that the driver was to return the completed application to the company itself. The complainant refused, not wishing his employer to have access to the personal information he was required to provide on the application. The company sent him a second letter ordering him to complete and return the application by a given date or else be disciplined under the collective agreement and have his employment placed in jeopardy. The complainant again did not comply, and the company terminated his employment five days after the given date. According to the company, the CCRA expected employers to gather applications and submit them to the CCRA on their drivers' behalf. In fact, the CCRA clearly instructs, on both the application form and the program pamphlet, that drivers submit their completed applications directly to the CCRA's processing centre in Niagara Falls.

Commissioner's Findings
(Issued August 17, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because interprovincial trucking companies are federal works, undertakings, or businesses as defined in the Act.

APPLICATION: Principle 4.4, Schedule 1, states that collection of personal information must be limited to that which is necessary for the purposes identified by the organization and that information must be collected by fair and lawful means.

The Commissioner determined that, although it was necessary for a driver to complete an application for the Customs Self-Assessment Program and return it to the CCRA, it was not necessary or appropriate for the company itself to collect the information. He also determined that threatening employees with loss of their jobs was not a fair means of collection. He found that the company was not in compliance with Principle 4.4.

The Commissioner noted that the company had been prompt in changing its policy so as no longer to require its drivers to return their applications to the company. Nevertheless, he did not consider the complaint to have been resolved, pending reinstatement of the complainant with the company and compensation for any damages. The Commissioner expressed his intention to pursue these matters with the company.

The Commissioner concluded that the complaint was well-founded.

FURTHER CONSIDERATIONS

The complainant subsequently informed the Commissioner that a settlement regarding the termination of his employment had been reached through arbitration and that he considered the complaint to have thus been satisfactorily resolved.

Bank loses customer's personal information [Principle 4.7, Schedule 1, and section 12(2)]

Complaint

A customer complained that a bank had failed to protect her personal information when documents containing her Social Insurance Number (SIN), name, address and unlisted telephone number were lost during a transfer between offices.

Summary of Investigation

Human Resources Development Canada had issued the complainant a new SIN after her discovery that her old one had been used fraudulently. She later completed forms that her bank required for updating her investment account information with the new SIN. She gave the completed forms to staff at a local branch office of the bank for transfer to the office of the subsidiary that manages the investment account. The documents were lost during the transfer.

Commissioner's Findings
(Issued September 7, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

APPLICATION: Principle 4.7, Schedule 1, states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Section 12(2) states that the Commissioner may attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation.

At the outset of the Commissioner's investigation, the parties indicated an interest in resolving the matter. Discussions ensued, and a settlement satisfactory to both parties eventually resulted. Furthermore, the Commissioner was satisfied that the bank in question had taken steps to ensure that appropriate safeguard policies, practices, and procedures were in place.

The Commissioner concluded therefore that the complaint was resolved and no further action necessary.

FURTHER CONSIDERATIONS

Both the complainant and the bank expressed satisfaction with the role that the Commissioner's Office had assumed in settling this matter.

Credit card applicant objects to bank's information-sharing policy

Complaint

An individual complained that a bank was refusing to process his credit card application because he would not consent to the bank's information-sharing policy.

Summary of Investigation

In filling out an application for a credit card, the complainant had marked up the terms and conditions by hand. His intention in doing so had been to indicate his disagreement with the bank's stated policy of sharing personal information and to exercise the option of not having his personal information shared and not receiving the bank's direct marketing service. The bank subsequently advised him by letter that it was unable to process his application as submitted because the legal wording had been amended. The complainant interpreted this letter as being a refusal on the bank's part to issue a credit card unless he authorized its information-sharing policy. In a second letter, the bank assured the complainant that applicants did have the right to opt out of the direct-marketing service and that his own application had been returned to him simply because he had altered it. The bank also offered to reconsider his credit card application and at the same time to remove his name from its direct-marketing and shared-marketing lists. The complainant agreed.

On being finally issued a credit card, the complainant pronounced himself satisfied with the bank's response and indicated that his complaint file with the Office could be closed.

Accordingly, this complaint was discontinued.

Bank accused of withholding bond certificates [Principle 4.9, Schedule 1; and section 8]

Complaint

An individual complained that a bank had denied her access to her personal information in the form of two "Small Business Bonds" that she believed the bank was holding under her name.

Summary of Investigation

The complainant specified that the documents she was seeking were the paper versions or certificates of two "Small Business Bonds". In 1982, the complainant and her spouse had consolidated their outstanding indebtedness to the bank in question under the Small Business Bond (SBB) Program, a federal government initiative that provided interest relief for borrowers. The bank had advised the complainant as early as 1984 that "Small Business Bond" was only a term used and that the only actual document signed in respect of the SBB Program was a form entitled "Election in Respect of an SBB". Both the bank and Industry Canada have confirmed that this form was the only document directly related to the program; no actual paper versions or certificates of SBBs had ever existed. In 1998, during a lawsuit over the complainant's defaulting on her loan agreement, the bank had been obliged to disclose to the complainant and her lawyer all documents it held in relation to her involvement in the SBB Program. The complainant received her signed "Election in Respect of an SBB" form at that time and was still in possession of it when she filed her complaint with the Office.

Commissioner's Findings
(Issued September 18, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

APPLICATION: Principle 4.9, Schedule 1, states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information and be given access to that information. Section 8 sets out conditions under which a request may be deemed to have been refused.

The Commissioner found no evidence of the existence of SBB-related documents other than those already received by the complainant. Satisfied that the documents sought by the complainant did not exist, he found that the bank had not refused the complainant a right of access.

The Commissioner concluded therefore that the complaint was not well-founded.

Selling of information on physicians' prescribing patterns [sections 2 and 3]

Two Complaints

In two separate complaints an individual and a physician complained that the Canadian arm of a U.S.-based international marketing firm was improperly disclosing personal information by gathering and selling data on physicians' prescribing patterns without their consent.

Summary of Investigation

The marketing firm in question gathers, from pharmacies and other Canadian sources, information related to medical prescriptions. The accumulated information includes names, identification numbers, telephone numbers, and prescribing details of physicians. This information is transferred to the firm's processing centre in the U.S., where the firm produces customized information products. These products typically identify physicians in a given territory and rank them, either individually or in groups, by monthly prescribing activity for various types or classes of drugs. The information products are then transferred to the firm's Montreal operation, where they are disclosed to clients for a fee. Pharmaceutical sales representatives from several Canadian provinces regularly buy these products.

Commissioner's Findings
(Issued September 21, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any information disclosed outside a province for consideration. Since the information at issue was regularly transmitted across borders, the Commissioner determined that it was information disclosed outside a province for consideration and therefore that he was required to receive and investigate the complaint.

APPLICATION: Section 2 of the Act defines personal information as "information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization." Section 3 of the Act sets out the Act's purpose in terms of balancing the individual's right of privacy with the need of organizations to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate.

The primary consideration for the Commissioner was whether the information at issue was personal information within the meaning, scope, and purpose of the Act. In making this determination, the Commissioner took the view that the meaning of "personal information", though broad, is not so broad as to encompass all information associated with an individual. An individual prescription, though potentially revealing about a patient, is not in any meaningful sense about the prescribing physician as an individual. Rather, it is about the professional process that led to its issuance and should be regarded as a work product, that is, the tangible result of the physician's work activity.

The Commissioner determined that interpreting "personal information" so broadly as to include prescriptions or prescribing patterns would not fulfil the purpose set out in section 3 of the Act (see above). Specifically, it would not be reasonable to extend the definition to prescriptions, lest it be extended also to other work products such as legal opinions or documents written in the course of employment. Nor would it be reasonable to extend the definition to prescribing patterns, lest it be extended also to patterns discoverable among other types of work products and thus preclude many kinds of legitimate commercial consumer reporting.

In sum, the Commissioner found that prescription information, whether in the form of an individual prescription or in the form of patterns discerned from many prescriptions, is not personal information about a physician.

The Commissioner concluded therefore that the complaints were not well-founded.

FURTHER CONSIDERATIONS

Because of widespread public interest in the case, the Commissioner published his letter of findings as a press release, dated October 2, 2001.

Estate executor disappointed in search for safety deposit box information [Principles 4.5, 4.9, Schedule 1; and section 8(7)]

Complaint

An estate executor complained that a bank had refused his request for personal information relating to the safety deposit box of his deceased aunt.

Summary of Investigation

The complainant suspected that a certain unauthorized person had, with help from the estate's lawyers, gained access to the deceased aunt's safety deposit box and removed items of value. The complainant had obtained a piece of evidence (i.e., a negative reply by fax from one branch of the bank) strongly suggesting that the bank had received at least one independent inquiry from the lawyers concerning the bank holdings of the deceased. In his capacity as estate executor, the complainant asked the bank for access to the signature card for the safety deposit box and to any correspondence between the bank and the estate's lawyers. The bank responded that it could locate neither the card nor any such correspondence. An exhaustive search of the bank files, involving the bank's own ombudsman, the Canadian Banking Ombudsman, and the Office of the Privacy Commissioner, proved unsuccessful in locating any of the information sought by the complainant.

Normally, the bank keeps safety deposit box signature cards for seven years. All the safety deposit boxes had been transferred from one branch of the bank to another eight days after the aunt's death, but appropriate security measures had been taken during the transfer. It was not bank policy for a branch to keep records of an account, an investment, or a safety deposit box once transferred to another branch. Nor was it bank policy for a branch to keep requests for information pertaining to a file it no longer held.

Commissioner's Findings
(Issued October 12, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

APPLICATION: Principle 4.9, Schedule 1, states that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. Section 8(7) states that an organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under this part.

The Commissioner determined that the information the bank could not produce should have been retained in accordance with Principle 4.5 or should not have been lost. He therefore found that the bank had not complied with Principle 4.9. He also found that the bank's response constituted a refusal under section 8(7).

The Commissioner concluded therefore that the complaint was well-founded.

FURTHER CONSIDERATIONS

The Commissioner recommended that the bank revise its practices concerning the destruction of documents containing personal information and develop a written policy on the retention of such documents in conformance with the relevant provisions of the Act.

Employee alleges non-consensual disclosure by employer to investment firm [section 7(3) and Principles 4.3 and 4.5, Schedule 1]

Complaint

An employee of a large corporation complained that his employer was improperly disclosing his and other employees' personal information, including information related to cash bonuses, without the employees' consent or prior knowledge, to the investment firm involved in an RRSP and savings plan sponsored by the corporation.

Summary of Investigation

The corporation in question has admitted that it discloses employees' personal information without their explicit consent to the investment firm involved in its RRSP and savings plan for hourly employees. The information disclosed consists of the individual's payroll and personal identification numbers, name, address, social insurance number, marital status, gender, preferred language, seniority service date, birth date, department, group code, and union code. The corporation also informs the investment firm when it awards cash bonuses, but does not specify the recipient or the amount of the bonus. The RRSP and savings plan was established by the corporation in fulfillment of a commitment under its collective agreement with the employees' union. The corporation pays the investment firm for the services it provides under the plan and does not disclose the information to the investment firm for consideration, monetary or otherwise.

Commissioner's Findings
(Issued October 18, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies strictly to federal works, undertakings, or businesses or to disclosures of personal information across borders for consideration. The corporation in question is neither a federal work, undertaking, or business as defined in the Act, nor does it disclose the personal information at issue across borders for consideration.

The Commissioner concluded that he lacked jurisdiction to pursue the matter further.

Requester alleges non-receipt of credit report from agency [section 8]

Complaint

An individual complained that a credit-reporting agency refused his request to disclose his credit report to him.

Summary of Investigation

The complainant had written to the credit reporting agency to request access to any credit report the agency held on him. In his complaint, he alleged that he did not subsequently receive a response from the agency. The agency's consumer relations centre has a staff of six who are responsible for receiving and processing access requests according to standard procedures. By those procedures, a client request is not filed unless it has been matched to a credit report that has either been mailed or handed to the client. The centre does have on file a copy of the complainant's access request, with a handwritten notation to the effect that a response was mailed to the complainant's correct address 13 days after receipt of the request. The mailing of a response was also confirmed by reference to a computerized log and a computer-generated audit report. The complainant at one point allowed the possibility of having merely overlooked the credit report on receiving it. Later he declared it highly unlikely that he had received the report without noticing it.

Commissioner's Findings
(Issued October 26, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to disclosures of personal information across borders for consideration. The Commissioner had jurisdiction in this case because the credit reporting agency in question had disclosed personal information across borders for consideration.

APPLICATION: Section 8(3) of the Act states that an organization shall respond to a request with due diligence and in any case not later than 30 days after receipt of the request. Section 8(5) states that if the organization fails to respond within the time limit, the organization is deemed to have refused the request.

The Commissioner found no reason to doubt the evidence that the credit-reporting agency had received the complainant's access request and mailed a response within the time limit prescribed. He found that the agency had complied with section 8(3) of the Act.

The Commissioner concluded that the complaint under section 8(5) was not well-founded.

Airline accused of refusing access to personal information about vacation incidents [Principles 4.1 and 4.9, Schedule 1]

Complaint

Three air travellers complained that an airline company had denied them access to personal information about their experiences during a Mexican vacation.

Summary of Investigation

The complainants had requested access to all personal information the airline and its travel affiliate held regarding certain incidents they had experienced during a vacation in Mexico. A representative responded initially that the company was under no obligation to provide such information. On being advised of its obligations under the Personal Information Protection and Electronic Documents Act by the Office of the Privacy Commissioner, the company took immediate action to appoint an official to be accountable for compliance with the Act, processed the complainants' access request, and sent them the personal information requested. On reviewing this information, the complainants were of the opinion that the company had not included incident reports. The investigator for the Privacy Commissioner examined the company's original files containing the complainants' personal information, but found no evidence of information other than that which the complainants had already received. The company confirmed in writing that it did not have in its possession any additional information about the complainants, including incident reports.

Commissioner's Findings
(Issued October 31, 2001)

JURISDICTION: As of January 1, 2001, the PIPED Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because airlines are federal works, undertakings, or businesses, as defined in the Act.

APPLICATION: Principle 4.1, Schedule 1, states that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with [the principles in] Schedule 1. Principle 4.9 states that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.

Regarding Principle 4.1, the Commissioner determined that the airline company had not designated an individual until his Office intervened. He found therefore that the company had initially failed to comply with this principle. However, he also noted that the company had subsequently designated a senior official responsible for ensuring compliance with the Act. The Commissioner considered this issue resolved.

Regarding Principle 4.9, the Commissioner likewise determined that the company had provided the complainants with their personal information only after intervention by his Office. He found therefore that the company had not initially been in compliance with this principle. He noted, however, that the complainants were satisfied that they had received all of their personal information in the company's possession; they were also satisfied with the outcome of the investigation.

The Commissioner concluded that the complaint was well-founded and resolved.

Employee objects to employer's use of bank account number on pay statement [Principles 4.3 and 4.7, Schedule 1]

Complaint

An employee of a telecommunications company complained that her employer:

  1. Used her personal information for a purpose without her consent by printing her bank account and bank transit numbers on her pay statements; and
  2. Did not adequately safeguard employees' pay statements given the sensitivity of the information in them.

Summary of Investigation

The employees of the telecommunications company in question receive their pay by direct deposit and their pay statements by delivery in sealed envelopes at the workplace. As a result of a merger and a subsequent conversion of payroll systems, bank account and bank transit numbers began to be included on all employees' pay statements as of January 1, 2001. Printing of such numbers on pay statements has become standard practice in both the private and the public sectors. On this company's statements, there is no indication what the numbers refer to; only a person familiar with the bank's information codes would know what the numbers represent. On delivery to the complainant's workplace, the sealed envelopes containing employees' pay statements are collected together in a larger envelope and left on a manager's desk, where they often remain unsecured and largely unattended for periods as long as 24 hours.

The complainant had originally consented to having her pay deposited directly into her bank account, but had never explicitly consented to having the numbers appear on her statement. She believed that her employer was thus using her personal bank account information without her consent and for a purpose inconsistent with that for which she originally had provided it. She also believed that her employer did not adequately safeguard employee pay statements at her workplace.

The company's position was that the information was still being used only for the original purpose of directly depositing payroll funds; that the practice of printing account and branch numbers on pay statements had become imperative for purposes of verifying allocations of funds and resolving discrepancies; and that many employees had already come to expect and rely upon the appearance of these numbers on their statements. The company also argued that it did adequately safeguard its employees' bank account information by delivering statements in confidential sealed envelopes.

Commissioner's Findings
(Issued November 5, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because telecommunications companies are federal works, undertakings, or businesses as defined in the Act.

APPLICATION: Principle 4.3, Schedule 1, states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. This principle also stipulates (4.3.5) that the reasonable expectations of the individual are relevant. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

On the first aspect of the complaint (consent), the Commissioner determined that employees who provide their bank account and bank transit numbers for direct-deposit purposes could reasonably expect those numbers to appear on transaction records for the entirely consistent purpose of verifying proper allocation of funds. He was satisfied that the complainant had thus implicitly given consent. He found that the company therefore had met its obligations under Principle 4.3, Schedule 1.

The Commissioner concluded that this aspect of the complaint was not well-founded.

In the second aspect of the complaint (security safeguards), the Commissioner determined that the company's operational controls at the complainant's workplace were not consistent with the sensitivity of the personal information contained in the pay statements. He found that the company did fail to meet its obligations under Principle 4.7, Schedule 1.

However, he noted that the company, on being informed of its obligations, had taken immediate and appropriate steps to correct its information management practices related to employee pay statements.

The Commissioner concluded that this aspect of the complaint was well-founded and resolved.

FURTHER CONSIDERATIONS

As a short-term solution, the company agreed to implement tighter operational controls at the complainant's own workplace and offered the complainant the option of having her pay statement mailed to her home.

Company asks for customer's SIN as matter of policy [Principles 4.3.3 and 4.4.1, Schedule 1; and section 5(3)]

Complaint

An individual complained that a telecommunications company had improperly collected her personal information in the form of her Social Insurance Number (SIN).

Summary of Investigation

In signing up the complainant for an Internet connection, the telecommunications company in question had asked her for her SIN. According to the complainant, the company representative with whom she had spoken had told her, "No SIN, no connection," and she had therefore felt obliged to give up her number in order to obtain the service. It was the company's written policy to collect SINs from persons requesting services. The purpose of this policy was to avoid confusion over similar names among customers. However, by the same policy, the company did not insist on obtaining the SIN in cases where the customer refused and did advise its employees that the collection was not obligatory.

Commissioner's Findings
(Issued November 5, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because telecommunications companies are federal works, undertakings, or businesses, as defined in the Act.

APPLICATION: Principle 4.3.3, Schedule 1, states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes. Principle 4.4.1 states that organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Regarding Principle 4.4.1, the Commissioner determined that, by the company's own policy, the collection of SINs was non-obligatory and therefore not necessary to fulfil explicitly specified and legitimate purposes. He found that the collection was thus indiscriminate and that the company was not in compliance with this principle.

Regarding Principle 4.3.3, the Commissioner was satisfied that the complainant had clearly received the impression that giving her SIN was a condition of service. He found therefore that the company was not in compliance with this principle.

Regarding section 5(3), the Commissioner was mindful of his Office's longstanding position that the SIN should not be used as a universal identifier and that citizens should not give out their SIN unless legally required to do so for purposes of the limited number of federal government programs authorized for such collection. He was satisfied that a reasonable person would object to the collection of SINs for purposes of Internet connection. He found that the company was therefore not in compliance with section 5(3).

The Commissioner noted that the company had removed the SIN from the complainant's file and was in the process of changing its policy so that SINs would no longer be requested.

The Commissioner concluded therefore that the complaint was well-founded and resolved.

FURTHER CONSIDERATIONS

The Commissioner also recommended that the company take steps to review its files and remove any other unnecessary SINs collected from its other customers.

User accuses ISP owner of reading and blocking her e-mail [Principle 4.3, Schedule 1]

Complaint

An individual complained that the owner of her former Internet service provider (ISP):

  1. Had improperly collected her personal information without her consent in that he had read her e-mails; and
  2. Was blocking e-mail she was attempting to send through a new ISP to users of her former ISP.

Summary of Investigation

The complainant had been a subscriber with a certain ISP for two years. During that time, she had had a disagreement with the ISP owner concerning her use of her account, specifically her attempts to transmit large files by e-mail. She alleged that during that disagreement the owner had told her that he could read her e-mails. She further alleged that, after she had moved to another city and subscribed with a different ISP, the same owner had begun to block the e-mails she was trying to send to users of her former ISP. The owner in question said that he could not remember any disagreement with the complainant, but he did allow that, on detecting a large number of "delivery failure" messages (indicating attempts to transmit large files by e-mail), it would have been his usual practice to call the user and discuss the matter. He denied being able to read anything other than "delivery failure" messages in relation to the complainant's account. He also denied blocking her messages.

The investigation confirmed that the ISP in question can monitor users' account activity and detect "delivery failure" messages, but does not receive e-mails or attachments and cannot read the content of users' e-mail messages. Nor was there any evidence that the owner had been blocking the complainant's e-mails from her new server. In fact, several weeks before the owner was notified of the complaint against him, the blocking problem ceased when a computer technician changed the Internet protocol address on the complainant's computer.

Commissioner's Findings
(Issued November 5, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because Internet service providers are federal works, undertakings, or businesses as defined in the Act.

APPLICATION: Principle 4.3, Schedule 1, states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

The Commissioner was satisfied that the ISP could not read its users' e-mails and had not blocked the complainant's messages. He also determined that a reasonable person would expect the ISP to monitor the services it provides and respond to persistent "delivery failure" messages. He found that the ISP in this case was not in contravention of Principle 4.3, Schedule 1.

The Commissioner concluded therefore that the complaint was not well-founded.

Employer sends third parties copies of response to employee's access requests [Principles 4.3 and 4.5, Schedule 1; and section 5(3)]

Complaint

An employee of an airport authority complained that her employer had, without her consent, disclosed to three third parties her personal information in the form of copies of a letter of response to access requests she had made.

Summary of Investigation

The complainant had submitted requests under the Personal Information Protection and Electronic Documents Act for access to information held by her employer. The employer subsequently sent her a letter of response to the effect that the organization was refusing her requests. This letter also indicated that copies were being sent to three other persons, specifically two union representatives and the coordinator of employee relations at the airport. The complainant had not sent copies of her access requests to these parties and had not explicitly consented to having copies of the response letter sent to them.

The union representatives had previously attended the meeting at which the issue of access to the complainant's personal information had first been raised. The employee relations coordinator had previously intervened in a harassment complaint filed by the same complainant and had in his possession certain related documents to which the complainant had requested access. On the grounds of these prior involvements, the employer argued that the complainant had implicitly consented to the disclosures. The complainant maintained that she had submitted the access requests personally on her own behalf, without union intervention.

Commissioner's Findings
(Issued November 5, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because airports are federal works, undertakings, or businesses, as defined in the Act.

APPLICATION: Principle 4.3, Schedule 1, states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

Regarding Principle 4.3 and the disclosure to the union representatives, the Commissioner determined that there would have been implied consent for the employer to send response copies to those parties only if the complainant had indicated that she had sent them copies of her access requests. The complainant had the right to exercise her formal recourse without union intervention, and it was not necessary for the employer to inform the union of its response. The Commissioner found that no implied consent had existed as far as the union representatives were concerned. Furthermore, in consideration of section 5(3), he was satisfied that a reasonable person would have considered the disclosure to the union representatives to be unacceptable.

He concluded therefore that this aspect of the complaint was well-founded.

Regarding Principle 4.5 and the employee relations coordinator, given the direct involvement of that party in the access request, the Commissioner determined that it had been appropriate for the employer to inform him of its decision to refuse the complainant access to the documents she had requested. Furthermore, in consideration of section 5(3), the Commissioner was satisfied that a reasonable person would have considered the communication to the employee relations coordinator to be acceptable. He found that the employer was thus in compliance with Principle 4.5 as far as the employee relations coordinator was concerned.

He concluded therefore that this aspect of the complaint was not well-founded.

FURTHER CONSIDERATIONS

During the investigation, the Office of the Privacy Commissioner advised the airport authority in question that it is preferable not to send copies of responses to third parties, but rather to allow the individual requester to judge whether or not to share a response with others after receiving it. The Commissioner was pleased to note that the organization had followed this advice in dealing with subsequent access requests by the complainant.

Telephone company demands identification from new subscribers [Principles 4.2, 4.2.3, 4.3, 4.3.2 and 4.3.3, Schedule 1; and section 5(3)]

Complaint

An individual complained that a telecommunications company's collection of personal information from new subscribers was inappropriate, in that the company required a deposit from new customers who refused to supply the information.

Summary of Investigation

When the complainant attempted to obtain a new telephone service from the company in question, an operator asked her to supply two pieces of personal identification. When the complainant expressed reluctance, the operator told her that she would have to provide a deposit if she did not comply. The operator also told her that the purpose of the information collection was to confirm her identity. A company supervisor subsequently gave her the same explanation for the collection and confirmed that she would have to provide a deposit if she did not supply the information.

It is company policy for operators to ask new subscribers for two pieces of identification, to demand a deposit in cases of refusal, and to explain the information collection simply as confirmation of identity. However, in cases where an applicant is a new customer with no previous business relationship with the company, the actual purpose of the collection is to run a credit check on the applicant, in accordance with CRTC regulations, given that the provision of telephone services constitutes an extension of credit on the company's part.

Commissioner's Findings
(Issued November 8, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because telecommunications companies are federal works, undertakings, or businesses, as defined in the Act.

APPLICATION: Principle 4.2.3 states that purposes should be identified at or before the time of collection. Principle 4.3.2 states that organizations must make a reasonable effort to advise the individual concerned of the purposes for which the information will be used and must do so in such manner that the individual can reasonably understand. Principle 4.3.3 states that organizations must not, as a condition of supplying a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

Regarding Principle 4.3.3 and section 5(3), the Commissioner determined that a reasonable person would consider it appropriate for the company to collect personal information for the purpose of confirming whether a potential customer is credit worthy or, in the case of repeat customers, confirming identity.

He concluded that this aspect of the complaint was not well-founded.

Regarding Principles 4.2.3 and 4.3.2, the Commissioner determined that a reasonable person would conclude that the company did not explicitly state the purpose for its collection of personal information with respect to first-time subscribers.

He concluded that this aspect of the complaint was well-founded.

FURTHER CONSIDERATIONS

The company agreed to amend its practice in identifying purposes. Specifically, the company will inform first-time subscribers that the purpose of its information collection is to assess credit-worthiness given that the company supplies credit in the form of long-distance calling service.

Broadcaster accused of collecting personal information via Web site [section 2; and Principle 4.3, Schedule 1]

Complaint

An individual complained that a broadcaster had attempted, through its advertising server, to collect his personal information, specifically the NETBIOS information on his computer, without his consent.

Summary of Investigation

The complainant had a computer equipped with both a cable modem for Internet connection and a firewall designed to detect and block attempts at intrusion. Every time he tried to log onto the organization's Web site, his firewall detected, rejected, and reported an attempt by the broadcaster's advertising server to gain access to the NETBIOS information on his computer. A NETBIOS is a computer's common or "friendly" name related to its Internet protocol (IP) address. If an IP address is traced, it allows access to information such as Web sites visited by the computer's user or recent passwords used in obtaining access to secure accounts. The likelihood of tracing an IP address is small if the user has dial-up Internet access, but significantly greater if the user has a fixed Internet connection via a cable modem, as was the case with the complainant.

After conducting internal inquiries, the organization confirmed that the complainant's allegation was true. The broadcaster explained that the network administrator, on installing Microsoft Windows NT, had neglected to deactivate certain features that come automatically with that program. These features, known as Internet Name Services, enable a server to collect the NETBIOS information of Web site users. Once informed that the features were on, the network administrator promptly turned them off. The complainant subsequently confirmed that his firewall no longer detected any attempts by the organization to obtain his NETBIOS information.
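As an added illustration of the client-side detection described in this case (example code, not part of the Commissioner's report), the following Python script correlates a personal firewall's blocked NetBIOS probes (UDP/TCP ports 137 to 139) with the web servers the user had connected to moments earlier, which is the pattern the complainant's firewall reported. The log format, addresses and timestamps are constructed for the example.

```python
"""
Correlate blocked NetBIOS probes with recent outbound web connections.

A web server that probes a visitor's NetBIOS ports right after serving a
page is the pattern in the broadcaster incident. Seen from the client,
the evidence is a blocked inbound packet on 137-139 whose source is a
host the client connected to over HTTP(S) seconds before.

The log line format below is constructed for this example; it is not the
format of any particular firewall product.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed format: "<date> <time> <ALLOW|BLOCK> <TCP|UDP> src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

WEB_PORTS = {80, 443}            # outbound connections that mean "visited a site"
NETBIOS_PORTS = {137, 138, 139}  # name service, datagram service, session service


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": d["action"],
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]),
        "dst": d["dst"],
        "dport": int(d["dport"]),
    }


def correlate_netbios_probes(lines: List[str], local_ip: str,
                             window_seconds: int = 60) -> Dict[str, List[Dict]]:
    """
    Split inbound NetBIOS probes against local_ip into two lists:
      correlated   - the probing host served the client over HTTP(S) within
                     window_seconds before the probe (the incident pattern)
      uncorrelated - any other probe (e.g. background scanning), kept so the
                     analyst can still see it
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e["ts"])

    last_web_contact: Dict[str, datetime] = {}  # server IP -> most recent web connection
    correlated: List[Dict] = []
    uncorrelated: List[Dict] = []

    for e in events:
        if e["src"] == local_ip and e["proto"] == "TCP" and e["dport"] in WEB_PORTS:
            last_web_contact[e["dst"]] = e["ts"]
        elif e["dst"] == local_ip and e["dport"] in NETBIOS_PORTS:
            seen = last_web_contact.get(e["src"])
            record = {"server": e["src"], "port": e["dport"], "when": e["ts"].isoformat()}
            if seen is not None and 0 <= (e["ts"] - seen).total_seconds() <= window_seconds:
                record["delay_seconds"] = (e["ts"] - seen).total_seconds()
                correlated.append(record)
            else:
                uncorrelated.append(record)

    return {"correlated": correlated, "uncorrelated": uncorrelated}


# Constructed sample log: 192.0.2.10 is the client behind the firewall,
# 198.51.100.20 plays the advertising server, 203.0.113.7 an unrelated scanner.
SAMPLE_LOG = [
    "2001-06-07 10:15:02 ALLOW TCP 192.0.2.10:1045 -> 198.51.100.20:80",   # page load
    "2001-06-07 10:15:03 BLOCK UDP 198.51.100.20:137 -> 192.0.2.10:137",   # probe 1 s later
    "2001-06-07 10:20:00 BLOCK UDP 203.0.113.7:137 -> 192.0.2.10:137",     # never visited
    "2001-06-07 11:00:00 BLOCK TCP 198.51.100.20:3011 -> 192.0.2.10:139",  # outside window
    "not a log line",                                                       # ignored
]

if __name__ == "__main__":
    result = correlate_netbios_probes(SAMPLE_LOG, "192.0.2.10")
    for r in result["correlated"]:
        print(f"web server {r['server']} probed port {r['port']} "
              f"{r['delay_seconds']:.0f}s after serving us")
    print(f"{len(result['uncorrelated'])} unrelated NetBIOS probe(s) also blocked")
```

The client-side mitigation is what the complainant's firewall already did: block inbound 137 to 139 from the Internet; the server-side fix in this case was to disable the name-service feature on the web server.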

Commissioner's Findings
(Issued November 20, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings or businesses. The Commissioner had jurisdiction in this case because broadcasters are federal works, undertakings or businesses, as defined in the Act.

APPLICATION: Section 2 of the Act defines personal information as "... information about an identifiable individual ...". Principle 4.3 of Schedule 1 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

The Commissioner was satisfied that in some circumstances, notably the complainant's, a NETBIOS might be used to obtain information traceable to an identifiable individual. He determined therefore that the information at issue was personal information for purposes of the Act.

The Commissioner found that the broadcaster had failed to meet its obligations under Principle 4.3. However, he did not dispute the broadcaster's explanation that this failure had been unintentional, and he noted that its response had been satisfactory.

He concluded therefore that the complaint was well-founded and resolved.

Couple alleges bank withheld loan information [sections 8(3) and 8(5)]

Two Complaints

A husband and wife complained in two separate complaints that a bank had denied them access to their personal information in that it had not responded to their request for information related to a loan application.

Summary of Investigation

The complainants had written, jointly signed, and submitted two letters requesting personal information about two different credit products from their local branch of the bank in question. The letters were identical, except for their subject lines, one of which referred to a numbered loan application and the other to a numbered mortgage, both relating to the complainants. Within the month, the bank sent them the information they had requested about their mortgage, but no information about their loan application. The complainants wrote the bank another letter, outlining in greater detail the information they were seeking about the loan application. Approximately one month after this second submission, a lawyer for the bank responded, informing the complainants only that they would be required to pay photocopying charges of 25 cents per page. The complainants then submitted another letter in which they enclosed a cheque to cover reproduction costs and confirmed that they still wanted the information in question. When they received no further response after three weeks, they filed their complaints with the Office of the Privacy Commissioner.

The bank at first denied the allegation, insisting that the complainants' second submission had been the first to make reference to the loan application. However, on being presented with a copy of the letter containing the prior reference, the bank checked its records and acknowledged receipt of that earlier letter. The bank explained that its failure to respond had been unintentional, in that the employee who had received the first submission had not noticed the different subject headings on the two similar-looking letters, had assumed they were identical, and had therefore forwarded only one of them (the one referring to the mortgage) on for response.

Commissioner's Findings
(Issued November 26, 2001)

JURISDICTION: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses, as defined in the Act.

APPLICATION: Section 8(3) of the Act states that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request. Section 8(5) states that if the organization fails to respond within the time limit, the organization is deemed to have refused the request.

The Commissioner found that the bank had failed to respond within the time limit and was thus in contravention of section 8. However, he was satisfied that this failure had been unintentional, and he noted that the bank had subsequently provided to the complainants all the information they had sought.

He concluded therefore that the complaints were well-founded and resolved.

Incidents under PIPED Act

Incidents are matters that come to my attention through various sources including issues raised in the media. These are usually issues where there is no identified victim and where no complaint has been filed. During the past 11 months my Office has looked into the following two incidents.

Transportation company collects, discloses passengers' personal information

Incident

It was alleged that a transportation company's sales agents were:

  1. asking for date of birth and citizenship as well as name from individuals making train bookings by phone or in person for the Toronto-to-New York run; and
  2. disclosing this information to United States Customs (USC) and the United States Naturalization and Immigration Service (USNIS).

Summary of Investigation

The Canadian company confirmed that the practice in question has been taking place since December 2000, by agreement among the company, the U.S. transportation company, Canada Customs and Revenue Agency, and USC/USNIS. The purpose is to minimize delays at the Canada/U.S. border. The personal information thus collected is stored in the company's reservation computer system and deleted if the individual does not eventually purchase the ticket. If the passenger does purchase the ticket, his or her name, date of birth, and citizenship are printed on a manifest, which is then faxed to USC/USNIS and a copy given to the service manager on board the train. The service manager destroys the manifest shortly after the trip is completed.

The Office of the Privacy Commissioner of Canada determined that the sales agents, on written instruction from the company, had been representing the practice as a requirement for passengers on the Toronto-to-New York run.

Outcome

The company asked the Office of the Privacy Commissioner of Canada for instructions on an acceptable resolution to the problem. The Office advised that it issue to its sales agents a clear directive to the effect that passengers' provision of date of birth and citizenship must be represented as voluntary and that agents may, after booking a ticket, ask customers whether they would be willing to provide this information in order to facilitate customs clearance at the border.

On receiving a copy of such a directive sent by the company to its sales agents, the Office informed the company that the incident file would be closed, subject to the Office's continued monitoring of sales agents' booking practices. The Office also advised that at some point the company send its sales agents a follow-up note clarifying in stronger terms that they are not to collect personal information at the time of booking without the informed consent of the individual.

Web site broadcasts cell phone conversations

Incident

The Ottawa Sun reported on June 7, 2001, that an Ottawa-based Web site was streaming live audio from cellular telephones, picked up by a radio, onto the Internet.

A scanner was intercepting cellular telephone traffic. The scanner was connected to a computer that was hosting a Web site. By connecting to the Web site, anyone could listen in on private cell phone conversations.

Outcome

As the Office of the Privacy Commissioner began its investigation, the Internet service provider (ISP) in question shut down the Web site because of bandwidth problems. This was caused by an employee who had a personal network account that had been forwarding data through another server. On discovery, the ISP had immediately relieved the employee of his duties. The ISP indicated that the Web site in question had moved to a New York server under new management.

Given that the Ottawa-based Web site had been shut down, the Office's investigation was discontinued. The Web site will be monitored periodically for an indefinite length of time.

Inquiries by type under PIPED Act
January 1, 2001 to November 30, 2001

Subject                              Number
Criminal records                         30
Drug Testing                              3
Encryption                                7
Financial Institutions                1,519
Identity Theft                           38
Information Request                   2,558
Interception/monitoring                 154
Interpretation                        2,024
Jurisdiction                          1,975
Marketing                               439
Medical Records                         137
Calls from Members of Parliament          7
Publication Requests                    675
Social Insurance Number               1,834
Telecommunications                      786
Transportation                          139
Other                                   388
Total                                12,713

Privacy Practices and Reviews

The Personal Information Protection and Electronic Documents Act allows me to audit the compliance of private organizations if I have "reasonable grounds to believe" that the organizations are contravening a provision of the Act.

Following accepted standard audit objectives and criteria, the Privacy Practices and Reviews Branch of my Office will conduct compliance reviews and audits under section 18 of the Act. As the Act came into effect only at the beginning of this year, I have not yet initiated any such audit. I have focused instead on educating businesses and organizations on the impact of the new legislation, and giving them guidance for establishing privacy policies that comply with it.

In the Courts

Mathew Englander v. Telus Communications Inc.

This is the first application for judicial review to be filed in the Federal Court under the PIPED Act. Mathew Englander filed a complaint with the Office of the Privacy Commissioner on January 1, 2001 claiming, inter alia, that Telus uses and discloses customers' names, addresses and telephone numbers in its White Pages directories and otherwise, without customers' knowledge and consent and that Telus inappropriately charges customers for choosing to have their telephone number "non-published". The applicant submitted that these actions by Telus contravene subsections 5(1) and (3) of the PIPED Act as well as several clauses of Schedule 1 of the PIPED Act.

After investigating the complaint, I concluded that Telus is in full compliance with the Act in respect of the matters of which the complaint was made. I concluded that a reasonable person would consider Telus' initiation of service practice and subsequent publishing of customers' personal information in its white pages is an appropriate collection, use and disclosure of the information. I further concluded that Telus has the authority to charge its customers a fee for non-published telephone service and that this is not an unreasonable practice so as to contravene principle 4.3.3 of Schedule 1.

I found the complaint not well-founded. As permitted by section 14 of the PIPED Act, Mr. Englander has applied to the court for a hearing in respect of the matter.

Ronald G. Maheu v. The Attorney General of Canada and IMS Health Canada

The applicant has applied for a hearing in the Federal Court, as permitted under section 14 of the PIPED Act, after having complained to me that IMS Health improperly discloses personal information by gathering and selling data on physicians' prescribing patterns without their consent.

After having investigated the matter, I found that prescription information, whether in the form of an individual prescription or in the form of patterns discerned from many prescriptions, is not personal information about a physician. In determining whether the information at issue was personal information within the meaning, scope and purpose of the Act, I took the view that the meaning of "personal information", though broad, is not so broad as to encompass all information associated with an individual. I found that an individual prescription, though potentially revealing about a patient, is not in any meaningful sense about the prescribing physician as an individual but is about the professional process that led to its issuance and should be regarded as a work product, that is, the tangible result of the physician's work activity. In sum, I concluded that the complaint was not well-founded.

Mr. Maheu has applied to the court for a hearing in respect of this matter. Included in the Notice of Application was a request by the applicant, under the Federal Court rules, that my Office transmit material in its possession to the applicant and the Registry of the Federal Court. The Office of the Privacy Commissioner has objected to the request, as all documents not already in the possession of the applicant cannot be disclosed by the Privacy Commissioner pursuant to provisions of the PIPED Act.

Communications and Public Education

Under the PIPED Act, my Office was given a broader mandate for public education in order to increase awareness and understanding of privacy issues. To focus on this important new responsibility, establishing the Communications and Strategic Analysis Branch was one of the first steps I took following my appointment. This branch has undertaken a number of activities during the past year to help raise awareness of privacy issues and to inform Canadian citizens and businesses about the new private sector legislation.

Public speaking is an invaluable tool that helps me fulfill my responsibility for promotion, public education and awareness of privacy issues. I have given 35 speeches to a range of organizations across Canada and internationally over the past year. Another 31 speeches were delivered by other senior staff. Speeches have focused on the major issues of the day, such as the security versus privacy debate that ensued following the Sept. 11 attacks on the U.S. Many other speaking engagements have been used to tell citizens and businesses alike about the new Act and how it affects them, to discuss privacy in the workplace, and to raise privacy concerns about specific initiatives, including Government On-Line, electronic health records and the growing use of video surveillance.

As well, recognizing the influence of the media in setting the agenda for public debate and in raising public awareness, my Office has begun to proactively track privacy issues in the media and has become much more engaged in a variety of media relations activities.

These activities have included disseminating public statements, news releases and feature articles to both mainstream and targeted media; granting media interviews and participating in editorial board meetings; and providing media relations support for speeches, conferences and other special events. In addition, my Office has responded to inquiries from the media, providing comment and background information on a wide variety of privacy-related issues.

The number of media queries continues to increase every month and currently averages 80 to 100 per month. In addition, I have granted more than 210 media interviews since September 2000.

Public education materials

My Office has produced and distributed promotional and educational material to satisfy an increased demand for information under the PIPED Act. We have published comprehensive guides to the new Act for both businesses and individuals. More than 21,000 copies of these two guides combined have been distributed during 2001.

In addition, we have created posters, privacy kits, notepads and bookmarks. All these products help to satisfy the demand for more information on privacy issues by individuals, businesses and other organizations.

Advertising

As part of the public outreach program to raise awareness of the new privacy rights of Canadians in the private sector, beginning with federally regulated businesses, my Office placed advertisements in more than 1,300 daily and community newspapers in all parts of Canada. These ads were directed at informing Canadians of their rights under the PIPED Act. The advertisement, under the banner "Your privacy is our concern" and « Votre vie privée, ça nous regarde », which ran in March 2001, reached millions of Canadians in all regions of the country.

A second advertisement ran in the 12 newspapers in the three territories, pointing out that the Personal Information Protection and Electronic Documents Act applies to all businesses in the territories as they are considered to be federal works and undertakings. Following the appearance of the advertisements, my Office noted a significant increase in the number of inquiries and requests for further information about the PIPED Act.

Web Site

Over the past year, my Office's Web site has undergone a complete redesign and considerable expansion as part of our greater mandate for public education and awareness under the new Act.

Every effort is made to ensure the Web site is an up-to-date resource for privacy information, as well as a useful tool for research on privacy-related issues. Ultimately, the redesigned Web site is more interactive, user-friendly and relevant to both individuals and businesses.

I am pleased to report that the Web site is an increasingly efficient tool for reaching Canadians and others with information about privacy issues. Visits to our site continue to increase, with an average of 11,500 visits per month.

Communications Activities
January 1, 2001 to November 30, 2001

Activity                                                     Number
-----------------------------------------------------------  ------
Speeches delivered by Privacy Commissioner                       35
Speeches delivered by senior staff                               31
News releases                                                    15
Media interviews                                                210
Distribution of materials (total)                            27,586
    Business Guides                                          13,005
    Citizen's Guides                                          8,707
    Other (Annual Reports, bookmarks, fact sheets, Acts, etc.) 5,874
Average number of visits to Web site per month               11,500
