Telecommunications company improves its collection and disclosure practices

PIPEDA Case Summary #2002-72

[Principles 4.3 and 4.7, Schedule 1]

Complaint

A former customer service representative complained that a telecommunications company had improperly disclosed the personal information of other employees and of customers, had not properly safeguarded the personal information of customers, and had not obtained consent to the practice of monitoring calls for quality assurance purposes.

Summary of Investigation

The complainant requested access to his personal information after leaving the company. A manager did subsequently disclose much of the contents of his personnel file, but did not take care to ensure that the names of third parties were deleted from the material disclosed. As a result, the complainant received a copy of an e-mail written to a human resources employee that contained information about a colleague. As well, in disclosing other documents, the manager neglected to block out the names and identifying information of third parties.

With respect to these allegations, the company advised that the disclosures of third party information were inadvertent, due to the manager's inexperience with the practical application of the Act's provisions. The company presented evidence of a comprehensive training program it had undertaken for all management staff.

The complainant also alleged that the company had not properly safeguarded the personal information of customers in two ways. First, it was using computer screen print-outs of customer change orders as scrap paper in the workplace. Second, the company's employees were periodically accessing tape recordings of customer service calls. They were able to effect such access simply by dialing a telephone number and entering their valid employee identification number.

With respect to the two issues regarding safeguards, the company took the following steps. It determined that one of its offices had been using the screen print-outs of customer orders as scrap paper, as one strategy in support of its 're-use/re-cycle' program. The company's management directed that the practice cease, once apprised of it through the allegations in the complaint. With regard to the second issue, the company claimed to be unaware that some staff might be accessing recorded customer service calls, and noted that if this were proven to be true, it would be a serious breach of the company's Code of Ethics and would be grounds for employee discipline. The company committed to identifying stronger measures to restrict access to recorded calls.

The complainant also alleged that the company failed to obtain the consent of customers to the recording of their calls for the purposes of quality assurance. Furthermore, he indicated that periodically, the company used live calls from customers for coaching purposes. On the advice of the Office of the Privacy Commissioner, the company committed to discontinue its practice of non-consensual monitoring of telephone calls.

Commissioner's Findings

Issued October 7, 2002

Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because telecommunications companies are federal works, undertakings, or businesses as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

The Commissioner determined that the company had, in the course of responding to the complainant's access request, disclosed the personal information of third parties. He accepted the company's explanation that this breach of the Act was due to the manager's inexperience, and was reassured by the company's undertaking to prevent further inappropriate disclosures. He also found that the company did not obtain the consent of its customers before monitoring customer service calls for quality assurance purposes.

The Commissioner concluded that the complaint was well-founded with respect to the allegations of unauthorized collection and disclosure practices, contrary to the provisions of Principle 4.3 of Schedule 1.

The Commissioner determined that the company's practice of re-using customer service orders as scrap paper was inappropriate. He also determined that there was a potential for misuse of customers' personal information, when employees are able to access tape recorded calls for no valid reason, by simply dialing into a company number and entering valid employee identification.

The Commissioner concluded that the complaint was well-founded with respect to the allegations of inappropriate safeguards, contrary to the provisions of Principle 4.7 of Schedule 1 .

The Commissioner made three recommendations:

• That the company restrict access to the calls recorded for quality assurance purposes;
• That it ensure that third party information is excluded from its responses to requests for access to personal information;
• That it adopt the practices outlined in a document, entitled "Guidelines for Recording Customer Telephone Calls" that he attached to his letter of finding.