Employee objects to company's use of social insurance numbers on forms

PIPEDA Case Summary #2002-69

[Principle 4.2.4, 4.5, 4.7 and 4.7.3 Schedule 1; and section 5(3)]

Complaint

An employee of a courier company alleged that the company was improperly using her personal information, specifically her social insurance number (SIN), for purposes to which she had not consented and without due regard for confidentiality.

Summary of Investigation

The complainant's allegations related to the company's use of its employees' SINs on United Way pledge forms and two types of internal forms - an operations report and a delivery record.

In the case of the United Way forms and delivery record, the complainant questioned the non-consensual use of SINs for purposes other than payroll. Regarding the operations report, she expressed concern about the company's usual distribution practice whereby a non-management staff member would print and circulate the forms, with SINs displayed, and leave them in view on employees' desks even in the individual's absence. She also alleged that every employee in the company's call centres had computer access to the SINs of delivery drivers via the delivery record system, which customer service representatives used for the supplementary purpose of tracking.

The company did not dispute the allegations. However, it defended its inclusion of SINs in the operations report forms on the grounds that the report related to legitimate payroll purposes. Initially the company offered the same argument in respect of the delivery record forms, but later yielded to counterargument by the Commissioner's Office. The Office pointed out that, despite any link to payroll, inclusion of SINs was rendered inappropriate through the use of the delivery record system for the additional purpose of tracking.

The company has taken the following remedial action:

• Omitting SINs from United Way pledge forms;
• Ceasing to circulate operations report forms within its offices (the company will continue to use SINs on the forms for payroll purposes including income tax deduction); and
• Replacing the delivery record system with a new integrated tracking system whereby delivery drivers are identified by other means and customer service representatives no longer have access to drivers' SINs.

Commissioner's Findings

Issued September 4, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because interprovincial courier companies such as this one are federal works, undertakings, or businesses as defined in the Act.

Application: Principle 4.2.4 states that, when personal information is to be used for a purpose not previously identified, the new purpose must be identified prior to use; also, unless the new purpose is required by law, the individual's consent is required prior to use. Principle 4.5 states that personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.3 states in part that methods of protection should include physical measures such as locked filing cabinets and restricted access to offices and organizational measures such as limiting access on a "need-to-know" basis. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

The Commissioner began by reiterating his Office's longstanding position on the use of SINs. Specifically, they are confidential personal information the use of which in the private sector should normally be restricted to payroll purposes, especially income tax deduction, and should not extend to general purposes of identification.

On that basis, the Commissioner determined firstly that it was only for the previously unidentified secondary purpose of identification that the company had used its employees' SINs on United Way pledge forms. He further determined that the company had not fulfilled its obligations under Principle 4.2.4 to identify the new purpose and obtain employees' consent before use. Moreover, he did not believe that a reasonable person, as envisaged under section 5(3), would have considered such use of SINs for purposes of identification appropriate in the circumstances.

Regarding the delivery record system and Principle 4.5, the Commissioner likewise determined that the company, by allowing its customer service representatives access to delivery drivers' SINs in the system, had in effect used employees' personal information without their consent in the course of fulfilling a purpose other than that for which the information had been collected. Nor, again, did he believe that a reasonable person would have considered such use for such a purpose appropriate in the circumstances.

The Commissioner found therefore that the company had been in contravention of Principles 4.2.4 and 4.5 and section 5(3) of the Act.

Regarding the issue of confidentiality, the Commissioner determined that the company did not institute appropriate safeguards to protect employees' SINs from access by employees other than those who needed to know them for legitimate purposes.

The Commissioner found that the company was also in contravention of Principles 4.7 and 4.7.3.

Nevertheless, he was satisfied with the remedial measures that the company had put in place, and was pleased to note that the complainant herself was satisfied with the outcome of the case.

Accordingly, the Commissioner concluded that the complaint was well-founded and resolved.