PIPEDA Case Summary #366

Auto body shop implements privacy policy and undertakes changes to privacy practices

[Principles 4.1, 4.1.4, 4.3 and 4.3.1]

Following an automobile accident, the complainant had had some body work done to her car. When a warranty issue arose, the body shop called her dealership to find out whether the work it had completed was covered. During investigation we learned that it ought to have followed the established process in the province, whereby the body shop makes the repairs determined by the provincial auto insurance organization.

The Assistant Privacy Commissioner determined that some information was collected by the auto body shop without the complainant’s knowledge or consent, though it could not be determined with certainty that the document that was faxed to the auto body shop was the complainant’s bill of sale. She also found that the shop had failed to implement privacy policies and practices. She recommended that the company ensure that it has customer consent in advance of the collection and use of their personal information and that it develop and implement a privacy policy that is available to employees and customers. The auto body shop accepted the recommendations.

The following is a detailed overview of the investigation and the Assistant Commissioner’s findings.

Summary of Investigation

Upon completion of the work to her car, the complainant questioned some of the work that was done as she believed that it was under warranty. When she followed up on the warranty issue with her dealership, she learned that the auto body shop had requested a copy of her bill of sale, and that the dealership faxed a copy of it to the auto body shop. (The complainant was not interested in pursuing a privacy complaint against the dealership.)
The dealership confirmed to us that it had received a call from the auto body shop, wanting to verify that the complainant had purchased paint protection and rust protection as the shop was reapplying these to her car. The representative of the dealership to whom we spoke indicated that the auto body shop should not have verified whether the complainant had purchased this particular protection. We were told that it was up to the provincial auto insurance organization to determine what work is to be done on an individual’s vehicle.

The insurance process for repairs is as follows: after reporting damage to a vehicle, the affected party needs to obtain an estimate at one of the public insurance organization’s claim centres. An estimator will examine the damage and list what needs to be replaced or repaired. The estimator will give the customer a repair form in order to have the car fixed. The customer then provides the form to his or her car repair shop of choice.

The auto body shop provided the Office with a list of documents that it had in its possession concerning the complainant. The bill of sale was not among them.

During the investigation, we also learned that the auto body shop did not have a privacy officer or a privacy policy in place.

Findings

Issued January 19, 2007

Application: Under Principle 4.1, an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the principles set out in Schedule 1 of the Act.
Principle 4.1.4 requires organizations to implement policies and practices to give effect to the principles, including (a) implementing procedures to protect personal information; (b) establishing procedures to receive and respond to complaints and inquiries; (c) training staff and communicating to staff information about the organization’s policies and practices; and (d) developing information to explain the organization’s policies and procedures.

Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4.3.1 stipulates that consent is required for the collection of personal information and the subsequent use or disclosure of this information. It notes that, typically, an organization will seek consent for the use or disclosure of the information at the time of collection.

In making her determinations, the Assistant Commissioner deliberated as follows:
Accordingly, the Assistant Commissioner concluded that the complaint was well-founded and resolved.

Date published: 2007-05-03