Customer claims telecommunications company refused access to account records

PIPEDA Case Summary #2002-31

[Principle 4.9, Schedule 1; and sections 8(3) and 8(5)]

Complaint

A customer complained that his telecommunications company had denied him access to his personal information in the form of company records pertaining to his account.

Summary of Investigation

The complainant had had an account with the company in question since September 1999. At the time of the complaint, the company had recently been acquired and renamed by a larger telecommunications corporation. In May 2001, the complainant had sent the company two letters relating to certain service complaints he was pursuing. In both letters, he had also requested access under the Personal Information Protection and Electronic Documents Act to all the company's records about him. In August 2001, a company official told him that the processing of his access request had not been initiated because the company considered the information in question to be its own property. The company's view was that the records were not releasable in that they were used not to collect information about the complainant, but rather to conduct daily activities on the account. It was then that the complainant filed his complaint with the Office of the Privacy Commissioner.

On being informed of the complaint under the Act, the parent corporation's privacy officer immediately agreed to expedite the release of the complainant's personal information, to ensure that the company's staff were made aware of the Act's requirements, and to bring the company's privacy policy into line with that of the parent corporation. This official explained the existing discrepancy between the two privacy policies as being a result of the relatively recent acquisition of the company. In October 2001, 137 days after the initial request, the company gave the complainant access to the information he had requested.

However, the complainant protested that the company had made its staff members anonymous in the records provided. His position was that these names were integral to his personal information and that the practice of making them anonymous was inconsistent with the Act. The corporation argued that the names of employees were not the complainant's "personal information" within the meaning of the Act. The parties held further discussions and eventually reached a compromise. In this case, the company agreed to reprocess the complainant's records so as to make its employees less anonymous by including their first names only.

On receiving the reprocessed records, the complainant was satisfied that the company had given him all information to which he was entitled, and he considered the matter resolved.

Commissioner's Findings

Issued January 8, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because telecommunications companies are federal works, undertakings, or businesses, as defined in the Act.

Application: Principle 4.9, Schedule 1, states that, upon request, an individual must be given access to his or her personal information. Sections 8(3) and 8(5) state that, if an organization fails to respond to a request within 30 days of receipt, the organization is deemed to have refused the request.

The Commissioner found that the company had clearly not met its obligations under Principle 4.9 and sections 8(3) and 8(5). However, he was pleased to note both that the company was taking appropriate steps to bring its privacy policy into compliance with the Act and that the complainant was satisfied with the outcome of the case.

He concluded therefore that the complaint was well-founded and resolved.