The Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to private sector organizations’ commercial activities in all provinces, except organizations that collect, use or disclose personal information entirely within provinces that have their own privacy laws, which have been declared substantially similar to the federal law (i.e. Alberta, British Columbia, Ontario and Quebec). In such circumstances, it is the substantially similar provincial law that will apply instead of PIPEDA. However, PIPEDA continues to apply to federal works, undertakings or businesses and to interprovincial or international transfers of personal information.
A recent privacy complaint was filed against a telecommunications company under PIPEDA regarding frequent email problems.
An individual was experiencing difficulties with her email service. Specifically, she had difficulties with her password and she was unable to successfully send emails to an acquaintance. As a result, she contacted her telecommunications provider and spoke to a technical support representative (the “representative” or “first representative”).
During a troubleshooting session, the individual provided her consent allowing the representative to remotely access her computer. The representative attempted to correct the individual’s email problem by changing an option on her email application. With respect to the individual’s password issue, during the same troubleshooting session, the representative emailed her a temporary password. However, unbeknownst to the individual, due to the changes made by the representative, her emails were being automatically forwarded to the address of her acquaintance.
After that troubleshooting session, the individual learned from her acquaintance that the acquaintance was receiving emails intended for the individual, including the email containing the individual’s temporary password sent by the representative during the troubleshooting session. As a result, the individual again contacted the telecommunications provider, who assigned another representative to her issue. The second representative dealt with the new problem by reversing the first representative’s changes.
Subsequently, the individual made a complaint against the telecommunications provider with the Office of the Privacy Commissioner of Canada (the “Office”).
During the Office’s investigation, the telecommunications provider explained that the first representative had not followed its mandatory procedure for conducting troubleshooting calls, and should not have accessed the email forwarding settings in the individual’s email application.
Based on the facts provided, the Office determined that there had been a disclosure of the individual’s personal information without her consent as a result of the first representative’s actions. Consequently, there was a contravention of Principle 4.3 of PIPEDA.
The Office had no evidence indicating that the events leading to the complaint were part of a systemic problem within the telecommunications provider. However, during the Office’s investigation, the telecommunications provider had misinformed the Office, in several ways, about measures it had allegedly taken to prevent a recurrence of the disclosure.
The telecommunications provider initially informed the Office that it had:
- offered coaching for the first representative, who had a history of non-compliance;
- implemented progressive disciplinary measures for the first representative;
- terminated the first representative’s employment; and
- sent a communiqué to the relevant technical support team about the importance of following the mandatory procedure.
However, supporting documents the Office requested did not corroborate the four claims made above. For instance:
- regarding the employee coaching, the evidence demonstrated that the matter had only been brought to the attention of a senior manager, who never responded.
- regarding the progressive disciplinary measures, the employee citation the Office received was not signed by anyone in authority and it covered a period outside the events in the complaint.
- when pressed for evidence regarding the representative’s dismissal, the telecommunications provider amended its original statement and submitted instead a copy of the representative’s letter of resignation.
- the telecommunications provider was unable to prove to the Office that it had sent a special communiqué about procedures to its technical support team following the incident.
Nevertheless, the Office accepted that the telecommunications provider did have certain measures in place to prevent a recurrence, including:
- employees sign a code of conduct agreeing to follow the mandatory procedure;
- there is normal coaching as part of the team lead/employee relationship;
- there is auditing of employee compliance with the mandatory procedure through various quality/coaching opportunities; and
- discipline is meted out to employees, as appropriate, when cases of misuse occur.
In all, based on the evidence that was reviewed by the Office, it was determined that the complaint was “well-founded and resolved”.
However, because the Office was concerned that the telecommunications provider had not exercised greater diligence prior to making factual representations to the Office, it encouraged the telecommunications provider to ensure that its representations are accurate and complete in the future.
The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate (Principle 4.3 of PIPEDA).
Organizations should take their responsibility to provide accurate information to the Office seriously so investigations are concluded efficiently.