Couple alleges improper disclosure of telephone records to a third party

PIPEDA Case Summary #2002-54

[Principles 4.3, 4.5, 4.7.4, and 4.9., Schedule 1; and sections 7(1)(d), 8(3), and 8(5)]

Complaint

A husband and wife complained that a telecommunications company

(1) had improperly disclosed personal information from their telephone records to an individual without their knowledge and consent; and

(2) had refused them access to their personal information relating to their telephone account.

Summary of Investigation

The complainants suspected that a certain person had somehow obtained information from their telephone records. They took their complaint first to the CRTC, which instructed the telephone company in question to conduct an internal investigation into the matter. The company determined that an employee had indeed disclosed information about the complainants to a third party. The employee herself admitted that, at a friend's request, she had obtained access to the complainants' telephone service records and provided her friend with enough information from them to figure out how to contact the female complainant. The employee could not recall what specific items of information she had disclosed. The company disciplined the employee for breaching the corporate policy and ethics code, damaging the company's reputation, and violating customers' right to privacy.

Nevertheless, in response to the disclosure complaint under the Personal Information Protection and Electronic Documents Act, the company took the position that the information disclosed had been publicly available and therefore exempt from the requirement for the complainants' knowledge and consent. Specifically, section 7(1)(d) of the Act, in conjunction with section 1(a) of the Regulations Specifying Publicly Available Information, provides such an exemption for names, addresses, and telephone numbers published in white-pages directories.

Although the exact nature and extent of the disclosure could not be determined, the Commissioner's investigation did establish that it had included at least one item of information other than name, address, and telephone number. That item was the name used in the records to signify the male complainant's spouse; it was not actually his spouse's name, but rather a "code word" chosen by the complainants to remind them of their personal identification number. The company argued that, since the name was incorrect, it should not be considered the complainants' personal information for purposes of the Act.

The complainants wrote three letters to the company with a view to obtaining their personal account records. The company denied ever having received the first letter. The second, addressed to a different officer, did not make its purpose entirely clear, but did emphasize that the complainants had not yet received records previously requested. The company recipient, unclear about the letter's purpose and not recognizing it as an information access request, took no action on it. It was only after intervention by the Commissioner's Office that the company sent to the complainants, 45 days or more after receiving this letter, a number of records in response to their original request.

Not satisfied with the information sent, the complainants wrote a third letter, specifying the kinds of records they were seeking and setting out a longer period for the search. The company notified the complainants that this letter was being processed as a new access request since it sought information that had not formed part of the original request. Within 30 days of receiving the third letter, the company sent the complainants additional records that satisfied them.

Commissioner's Findings

Issued June 28, 2002

Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because telecommunications companies are federal works, undertakings, or businesses as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information except where inappropriate. Principle 4.5 states that personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Section 7(1)(d) provides an exception to the requirement for the individual's knowledge and consent in cases where the information is publicly available in accordance with the Regulations Specifying Publicly Available Information. Principle 4.7.4 states that organizations must make their employees aware of the importance of maintaining the confidentiality of personal information. Principle 4.9 states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information and given access to that information. Section 8(3) states that an organization must respond to a request with due diligence and in any case not later than 30 days after receiving it. Section 8(5) states that an organization failing to respond to a request within the time limit is deemed to have refused the request.

Re the disclosure complaint: In the Commissioner's view, the exception invoked by the company would have been applicable only if it had been established for certain that the disclosure had been limited to name, address, and telephone number. To the contrary, he determined that

• the company's telephone service records afforded significant potential for disclosure of personal information that was not publicly available as specified in the Regulations;
• the company employee had disclosed at least one such item of non-publicly-available information from the complainants' records; and
• notwithstanding the company's argument to the contrary, the item in question, despite being technically incorrect, was nonetheless clearly the complainants' personal information simply by virtue of being included among their records and traceable to them as identifiable individuals.

The Commissioner found therefore that the exception to the requirement for knowledge and consent under section 7(1)(d) of Act did not apply and that the company had thus been in contravention of Principles 4.3 and 4.5 of Schedule 1. Moreover, since the employee in question had obviously not been made properly aware of the importance of maintaining the confidentiality of personal information, he also found that the company had not met its obligation under Principle 4.7.4.

The Commissioner concluded that the disclosure complaint was well-founded.

Re the time-limit complaint: The Commissioner did not take issue with the company's contention that it had not received the complainants' first letter or with its treatment of the complainants' third letter as a new request. On the matter of the second letter, he considered the question whether it had constituted a bona fide request for access to personal information.

The Commissioner determined that, even though the second letter had not contained a clear or direct statement of purpose, it had clearly expressed a central concern about the company's lack of response to a previous information access request. In his view, instead of doing nothing about the letter, the company recipient should have either made some effort to clarify its purpose with the senders or, at the very least, referred it to the company privacy officer responsible for dealing with matters of information access. The Commissioner determined that the second letter had indeed constituted an information access request, to which the company had not responded within the 30-day limit prescribed under section 8(3). He found therefore that the company was thus deemed under section 8(5) to have refused the request and had therefore been in contravention of Principle 4.9.

The Commissioner concluded that the time-limit complaint was also well-founded.