Many of us have called service providers to change basic information, such as a mailing address. You pick up the phone, speak to a representative, and the change is made; no big deal, right? This seamless scenario may not always be the case. Any little misstep on an organization’s part can cause grief not only for the customer, but also for the organization itself. This proved to be true when an employee complained, to the Office of the Privacy Commissioner of Canada (the Commissioner), that her employment pension and benefit provider disclosed her personal information to a third party without her consent.
Another member of the complainant’s pension and benefit plan, who had the same name, phoned the plan provider asking that a document be re-sent to her at her new mailing address. To change a member’s address on file, however, a written request was required, including the member’s unique ID number. In this case, the woman indicated that she did not know her ID number; therefore, the provider performed a search to retrieve it and gave her the complainant’s ID number in error.
The provider made the address change as requested, but consequently, the complainant’s mailing address was changed to the address of the woman who placed the call to the provider. As a result of this change, five subsequent mailings from the provider to the complainant were being sent to the wrong address. Some of those mailings contained a considerable amount of potentially sensitive personal information, including time-sensitive insurance-related forms for the complainant to fill out and return.
Some months later, after receiving back the envelopes from the post office and then verifying the complainant’s address with her, the provider recognized and corrected its error.
Sometime after the error was corrected, the complainant received a notice stating that she had lost her life insurance coverage after failing to return certain forms. This caused the complainant to look into the matter more closely and file a complaint with the Commissioner.
Various Personal Information Protection and Electronic Documents Act (PIPEDA) principles were violated in this particular case.
4.3 Principle 3 – Consent – The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
In this particular matter, the provider admitted that the complainant’s ID number was disclosed to a third party without her consent.
4.6 Principle 6 – Accuracy – Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
4.6.1 – The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
In this particular matter, the Commissioner was concerned that the five envelopes addressed to the complainant and returned to the provider over a period of several months did not prompt a review of the complainant’s inaccurate contact information sooner, and a suspension of mailings to her.
4.7 Principle 7 – Safeguards – Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
4.7.1 – The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
In this particular case, the Commissioner questioned why proper authentication of the caller had not taken place before the complainant’s ID number was given out to the plan member with an identical name. The provider admitted that its authentication procedures had not been followed.
As a result, the Commissioner found the matter was well-founded. The complaint was deemed conditionally resolved, based on the provider’s agreement to implement the Commissioner’s recommended changes by the end of the first quarter of 2017. The changes included: (i) developing a privacy plan; (ii) reviewing its address change process; (iii) improving forms and training; (iv) improving privacy incident response procedures; and (v) providing associated training to employees.
Organizations have a responsibility to keep the contact information of their clients accurate and up-to-date. Organizations that use such information to send documents containing sensitive and/or confidential information to their clients should be especially mindful because of the risk involved in sending, even disclosing, clients’ personal information to unauthorized parties, as demonstrated in the above complaint. The complainant had missed very important correspondence from the provider, which had resulted her losing life insurance coverage.
Also, prior to discussing any clients’ personal information with them, it is important that organizations carefully authenticate clients at the very beginning. As seen in the above case, the provider failed to follow its authentication procedures. According to the Commissioner, authenticating clients at the very beginning “is essential to maintaining the accuracy of their clients’ personal account information” and will help prevent unauthorized changes. For more information on identification and authentication, the Commissioner published “Guidelines for Identification and Authentication”.