Here’s something readers might want to know about: the Federal Court has awarded damages in a case based on the Personal Information Protection and Electronic Documents Act (PIPEDA). Why is that special? Well, it’s the first damages award in the 10-year history of the Act.
When the Royal Bank rejected Mirza Nammo’s loan application to start a business, Nammo cried foul. Upon investigation, it turned out that Transunion, the credit reporting agency that provided the bank with Nammo’s credit information, had supplied another person’s information, including a different name, date of birth, Social Insurance Number and address history. Transunion had failed to maintain personal information in its database “as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used” (as per Schedule 1, Section 4.6 of PIPEDA).
- Collecting inaccurate personal financial information concerning the applicant
- Transmitting inaccurate personal financial information concerning the applicant to third parties, including to the Royal Bank of Canada
- Failing to promptly correct the inaccurate personal financial information concerning the applicant that it held in its database
- Failing to transmit the amended personal financial information concerning the applicant to third parties, including to the Royal Bank of Canada
Transunion argued that it had fulfilled its duty to Nammo by correcting its information when it became aware of the error (per Schedule 1, Section 4.9.5). But the judge disagreed, stating, “Just because an organization has taken steps to correct a breach does not mean that the breach did not occur. Rectification of the breach is something that is more properly a factor to consider when determining what remedy, if any, this Court should award.” Consequently, Transunion could not use clause 4.9.5 “as an escape hatch” to free it from its obligation to maintain accurate information.
Although the applicant, Nammo, incurred no financial loss, the Court awarded him damages of $5,000.
Take note! While perpetrators had somehow previously managed to escape financial penalties under PIPEDA, the Federal Court has broken the ice with this precedent, and future judges may not feel so timid about awarding damages for similar offences.
Finance and Accounting PolicyPro from First Reference discusses Records Management and Retention in the Governance volume, and Information Technology PolicyPro provides guidelines and principles on Confidentiality and Privacy with respect to PIPEDA. The Human Resources PolicyPro also offers valuable information for employers on their obligations with respect to PIPEDA. All of these publications also include customizable sample policies.
In addition, The Human Resources Advisor provides a clear and easy way to grasp the essence of the principles and factors stemming from key court cases, as well as accepted and approved best practices.
Adam Gorley
First Reference Human Resources and Compliance Editor
I think to a certain extent that this “right to be forgotten” is a terrific idea. The value of anonymity increases with each intrusive technological advance, but each step also places that anonymity further from our reach.
However, I also believe that there are valid public-interest reasons for certain information to remain available for all—particularly journalism and accountability.
This reminds me of the case of a prominent Toronto-area businessman who hired someone to “bury” an unflattering Toronto Star news story. The “someone” essentially offered a bribe to the author to remove the story! But if the businessman had the right to be forgotten, he could have demanded the Star either retract the story or remove his name and any identifying information from it.
In fact, I’m not sure journalism could even take place in a world where everyone had the right to be forgotten.
Of course, if the issue is libel, slander, or even just errors, I think we have laws that cover those bases already…
Interesting European angle to the right to privacy … see: http://searchengineland.com/google-confronting-spains-right-to-be-forgotten-67440. Just a matter of time before we see similar cases here.
“In a case that could have EU-wide implications a Spanish court is asking Google to remove data about a private individual from its index. This is known in Spain and elsewhere in Europe as ‘the right to be forgotten.’”