Airline accused of collecting too much information for U.S. authorities

PIPEDA Case Summary #2003-128

[Principles 4.2, 4.4, 4.7, Schedule 1; section 5(3)]

Complaint

An airline crewmember complained that his employer
(1) had collected more personal information than was strictly necessary to fulfil identified purposes in connection with the United States Aviation and Transportation Security (ATS) Act; and
(2) had not used adequate safeguards to protect such information.

Summary of Investigation

As a result of the ATS Act, the airline had been required to collect certain personal information from all its flight crewmembers over a two-week period in December 2001. The information was to be used to pre-screen crewmembers travelling to the U.S. With the stated purpose of meeting the requirements of the new American legislation, the airline collected and photocopied crewmembers' passports, employee cards, and "Ministry of Transport" (MOT) cards. Although all three identification cards were represented as "requirements" for compliance with the ATS Act, the information on the passports alone would have filled the actual informational requirements set out in the legislation itself.

The complainant questioned whether the collection of employee cards and MOT cards had been necessary for the stated purpose. He also questioned the collection methods, suggesting that the airline, in its haste, might have neglected to institute proper safeguards for the personal information. He was particularly concerned that the collection had been carried out not by staff of the personnel office, but rather by fellow crewmembers; that personal documents had been photocopied and compiled in too public an area; and that unused photocopies had been left in the garbage.

The airline explained that it had needed to collect employee cards precisely for the purpose for which the cards existed in the first place - that is, to identify individuals as employees on the occasion of the collection. Hence it had not been the American authorities who required the personal information on these cards, but rather the airline itself, in order to confirm that individuals were bona fide employees who qualified both for the collection at hand and for any subsequent prescreening related to the new American legislation. As for the MOT cards, whose ordinary purpose was site-specific airside access, the airline acknowledged that these documents had been sought for a separate administrative purpose, unrelated to the requirements of the ATS Act.

Given the urgency and relatively short time frame of the collection, the airline had used staff immediately available at the communications centre where the collection had occurred. Some of these were grounded crewmembers, on temporary assignment with the centre because of pregnancy or disability. The airline considered its collection staff duly qualified in that all employees, on being hired, are required to read and sign a confidentiality clause regarding personal information.

The communications centre itself was found to be inaccessible to unauthorized persons and reasonably secure as a venue for the collection and storage of personal information. However, the allegation that photocopies of poor quality had been put in a garbage bin proved to be true. Admitting that such practice was unacceptable, the airline agreed to purchase shredders for destroying unused copies in future. The airline also undertook to make several other improvements in its methods.

Commissioner's Findings

Issued March 4, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because an airline is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.2 states that the purposes for which personal information is collected must be identified by the organization at or before the time of collection. Principle 4.4 states that the collection of personal information must be limited to that which is necessary for the purposes identified by the organization. Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

On the first count of the complaint, the Commissioner deliberated as follows:

• The photocopying of crewmembers' passports was fully in keeping with the stated purpose of the collection - compliance with the ATS Act. However, to determine whether the same might be said of the employee cards and MOT cards, the ordinary purpose of each must be considered.
• The ordinary purpose of the employee card is to identify an individual as an employee of the airline in situations where such identification is warranted. Given the serious security implications, employee identification was clearly warranted in the circumstances of the collection at issue. No crewmember should have been surprised or offended at being asked to verify his or her relationship with the company in the course of a company initiative of such import.
• Moreover, although the employee card was not required specifically for compliance with the American legislation, it is understandable that the airline itself might have regarded employee identification as being integral to the compliance exercise as a whole and thus have represented the purpose accordingly.
• In sum, a reasonable person would have considered the collection of the employee cards both consistent with, and appropriate for, the stated purpose in the circumstances.
• On the other hand, the airline had admittedly photocopied the MOT cards for a separate though unidentified internal purpose. Absent any specific explanation of that distinct purpose, a crewmember accustomed to presenting this card for its ordinary purpose might well have wondered what it had to do with meeting American information requirements and whether the collection was legitimate.
• The purpose for collecting the MOT card should have been specified for what it was. In the actual circumstances, where the purpose was represented otherwise, a reasonable person would not consider the collection of MOT cards to have been appropriate.

The Commissioner found therefore that, with regard to MOT cards, the airline had not been in compliance with Principles 4.2 and 4.4 and with section 5(3).

On the second count, though satisfied that over all the airline had had adequate safeguards in place for the personal information collected, the Commissioner determined that the discarding of unused photocopies in garbage bins constituted an inexcusable exception. He observed that this was an unacceptable practice under the Act, in that it posed a serious risk of disclosure of sensitive personal information to unauthorized third parties. On the basis of this exception, therefore, he found that the airline had not been in compliance with Principle 4.7.

He concluded that the complaint was well-founded.

Further Considerations

In closing, the Commissioner noted that he was pleased with the improvements the airline had undertaken to make in its methods of collecting and protecting crewmembers' personal information.