Individual complains about inappropriate personal information safeguards and disclosure
PIPEDA Case Summary #2002-107
[Principles 4.7, 4.7.1, 4.7.3 and 4.3 Schedule 1; section 5(3)]
Complaint
An individual employed by a railway supplier company complained: (1) that the railway had not instituted appropriate security measures to safeguard his personal information against unauthorized access; (2) that the company may have been improperly collecting certain personal information without his consent; and (3) that the company had disclosed to his employer, without his knowledge and consent, that he had filed a complaint against the railway with the Privacy Commissioner's Office. He also alleged that as a result of the disclosure, his employer reassigned his duties.
Summary of Investigation
The railway notified the complainant that it was implementing a new driver identification program that required him to obtain pre-approved access to the company's automated gate system. This process required him to follow several procedures, including providing his driver's licence number and fingerprints. He also signed a driver registration form, giving consent to the railway to use only the aforementioned items for identification purposes each time he entered and exited the railway terminal, and to retain this information only for as long as he was a driver accessing the railway's facilities. The first allegation of the individual's complaint arose from his concern that third parties such as law enforcement agencies and computer hackers could gain unauthorized access to the railway's database in which his personal information was stored.
The investigation revealed that upon collection, driver's licence numbers are immediately encrypted and all driver registration forms are kept in a locked cabinet, which can only be accessed by a limited number of railway employees. As well, only approved personnel have access to the company's personal information database.
The Commissioner established that the railway's automated gate system requires all authorized drivers to pass through a portal where video cameras record the condition of the goods being hauled by drivers as they enter and/or leave the facility. The second allegation of the individual's complaint arose from his concern that the video cameras could potentially capture his image - a possibility to which he had not given his consent.
Regarding the third allegation, the railway acknowledged that it did in fact call the complainant's supervisor after receiving notice of his complaint. However, the intent of the call was to address any concerns the individual's employer had about the railway's automated system. The railway representative who spoke with the individual's employer stated that a driver had filed a complaint, although his name was not mentioned. The individual's employer acknowledged that, although the complainant's name was not mentioned during the call, he was able to infer his identity from his known lack of cooperation in following the railway's security procedures and from the fact that he had done most of the driving to the railway's terminal. However, according to the individual's employer, this call occurred several days after the complainant's duties had been reassigned because he had refused to follow the railway's security procedures.
The Commissioner's Office subsequently contacted the railway to discuss the disclosure, and recommended that steps be taken to prevent such disclosures in the future. As a result of this intervention, the railway amended its "Protection of Personal Information" policy.
Commissioner's Findings
Issued December 19, 2002
Jurisdiction: As of January 1, 2001 the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because any railway company is a federal work, undertaking, or business as defined in the Act.
Application: Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 states that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, and that organizations shall protect personal information regardless of the format in which it is held. Principle 4.7.3 stipulates the methods of protection should include physical measures such as locking filing cabinets; organizational methods such as limiting access to personal information on a "need-to-know" basis; and technological methods, including using passwords and encryption. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
Regarding the first allegation, the Commissioner determined that the railway had put in place the necessary physical, organizational and technological measures that enable the company to adequately safeguard drivers' personal information. He found, therefore, that the company was in compliance with Principles 4.7, 4.7.1 and 4.7.3.
With respect to the second allegation, the Commissioner determined that it is possible for the image of a driver to be collected during the video recording of the arrival and departure of a railway container. However, he was satisfied that such collection of personal information would be unintentional and incidental to the purpose of the video recording as a whole - that is, limitation of liability for damages. He was also satisfied that such recordings are kept only for a limited period of time and that any driver's image thus collected would in itself be of no use or interest to the railway for any other purpose. In sum, the Commissioner stated that he was of the view that a reasonable person would not only consider the purpose for the video recordings to be entirely appropriate, but would also consider it neither necessary nor appropriate for the railway to seek individual drivers' consent for what in any case would be an inadvertent and inconsequential collection of personal information. He found, therefore, that the railway was also in compliance with Principle 4.3 and section 5(3).
The Commissioner concluded that the first two allegations of the individual's complaint were not well-founded.
In addressing the third allegation, the Commissioner determined that the railway did inappropriately disclose information about the individual, without his knowledge and consent, which enabled his employer to easily identify the fact that he had filed a complaint. He found, therefore, that the railway was in contravention of Principle 4.3.
The Commissioner concluded that the third allegation of the individual's complaint was well-founded.
Further Considerations
The Commissioner was satisfied that the railway took appropriate steps to prevent inappropriate disclosures of personal information in the future.