I recently read an investigation report from the Alberta Office of the Information and Privacy Commissioner, where an employer made a big mistake and ended up violating the privacy of at least 25 employees.
The employer, a public body, had an agreement with Equifax Canada under which it was permitted to access the Equifax database to obtain credit reporting services for legally permissible purposes in conducting its work, which involved collecting child and spousal support payments and forwarding them to rightful persons. It could conduct credit checks by logging into the Equifax database, entering an individual’s identifying information (name, date of birth, social insurance number), and viewing or printing the individual’s credit report (no one could save the report).
There was an internal investigation within the public body into allegations of fraudulent cheques being cashed at various locations. It was ultimately determined that the breach was external, so the investigation was handed over to a municipal police service. However, it was still possible that an internal employee was involved in the forgeries.
Consequently, the public body decided to rule out the risk of internal involvement by obtaining credit reports on all employees working in the relevant units of the workplace. The special investigations unit was told to conduct these searches using the names, dates of birth and social insurance numbers of employees to obtain the credit reports. The credit reports were printed and delivered directly to the director of compliance. The conclusion was that there were no identified risks. The credit reports were then provided to the executive director. According to the public body, the credit reports were shredded, but this could not be confirmed because the executive director had since left the public body.
Well, you shouldn’t be surprised that the affected employees complained to the Office of the Information and Privacy Commissioner. The employees asserted that the public body violated their privacy by conducting credit checks on them without their knowledge or consent. They wanted to know why this was done, who ordered it and what could be done to correct it.
The employer admitted that it was in error. The Office of the Information and Privacy Commissioner agreed that the employer’s actions clearly violated the Freedom of Information and Protection of Privacy Act.
The public body accessed credit reports that typically contained an individual’s name, social insurance number, date of birth, address, employer name, credit inquiries, judgments, past and present history of credit checks, credit rating, level of payments and updates. The public body did this without the knowledge or consent of the individuals. The collection and use of the information was not authorized under the Act. The records were only disclosed internally to the manager, the director of compliance and the executive director.
Since the employer knew it made a mistake by conducting the credit checks on its employees, it attempted to minimize the blow and ensure it would not happen again by:
- Writing a letter of apology to each employee whose credit report was likely obtained, and agreeing to reimburse the employees for the expenses that were incurred as a direct result of the credit check
- Making changes to better protect employees’ personal information kept in the personnel records in the personnel office:
  - Identifying information that was appropriate to hold and track onsite, and removing all extraneous records such as social insurance numbers (they were either shredded or moved to the appropriate file)
  - Keeping the personnel records in a locked office, and granting access to only three staff members who worked with the records
  - Making sure records were signed in and signed out, and the removal of other documents was not permitted
- Redefining the scope and authority of the special investigation unit officers to more specifically ensure their authority was utilized appropriately in accordance with a standing operating procedure
The employer also made it clear that employees were not to be investigated in the future.
The Office of the Information and Privacy Commissioner noted the employer’s remedial actions and commented that there was no point in taking the matter further, as there was no remedy available for the employees under the Act.
Even though the employer made a mistake that violated the Act, the employer did the right thing in the end by admitting it was in error, apologizing and ensuring the error would never be repeated.
I’m wondering, does your organization have a system in place to protect your employees’ personal information contained in personnel records? Do you hold on to extraneous information, or do you have procedures in place to discard unnecessary or dated information? Do you have policies and procedures in place regarding methods of physical protection of information, and computer security protection strategies? Have you trained your employees in these policies and procedures?
First Reference Human Resources and Compliance Editor