Railway's reasons for collecting personal information deemed appropriate; safeguards, adequate

PIPEDA Case Summary #2003-185

[Principles 4.3, 4.7, 4.7.1, 4.7.3; section 5(3)]

Complaint

Two individuals, both truckers, complained when a railway company asked that all drivers entering and exiting its intermodal terminal provide their driver's licence numbers and fingerprints as part of its new driver identification system. One of the truckers was also concerned that the company had not taken adequate measures to safeguard the personal information it collected under this program.

Summary of Investigation

The company's intermodal terminal is the drop-off and pick-up point for the trucks that haul goods packed in rail car containers. The terminal handles the shipment of a vast array of goods, including perishable foods and hazardous materials, such as explosives.

Given the nature of the cargo, recent heightened security concerns, and the need to improve efficiency, the company decided to implement a new driver identification system. It notified all affected truckers, including both complainants, about the program, which requires drivers to obtain pre-approved access to the company's automated gate system. This process requires them to follow several procedures, including providing driver's licence numbers and fingerprints. Drivers are also required to sign a driver registration form, consenting to the use of the aforementioned items for identification purposes only each time they enter and exit the railway terminal. The company retains this information only for as long as drivers access the railway's facilities.

Upon collection, driver's licence numbers are immediately encrypted, and only approved railway personnel have access to the database that stores these numbers along with the scanned fingerprints. As well, all driver registration forms are kept in a locked cabinet, which can only be accessed by a limited number of company employees.

Commissioner's Findings

Issued May 12, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a railway company is a federal work, undertaking, or business as defined in the Act.

Application: Section 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. Principle 4.3 establishes that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 stipulates that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held. Principle 4.7.3 elaborates on the methods of protection and suggests that they include (a) physical measures, for example, locked filing cabinets and restricted access to offices; (b) organizational measures, for example, security clearances and limiting access on a "need-to-know" basis; and (c) technological measures, for example, the use of passwords and encryption.

The Commissioner first determined that a reasonable person would likely find the company's purposes for implementing the new system, namely, to better handle the large volume of trucks entering and exiting the terminal, to minimize its liability for damage to railway containers, as well as to reduce the potential for vandalism and acts of terrorism to its property and cargo, to be appropriate and thus in compliance with section 5(3).

He was also satisfied that the railway had taken the appropriate steps to inform drivers of the new measures and to obtain their consent, thereby meeting the requirements of Principle 4.3.

As for the allegation regarding safeguards, the Commissioner noted that the personal information of the complainant who had raised the issue had not been intercepted and that her concerns centred on the potential for unauthorized access. The Commissioner was satisfied that the company had adopted collection, storage, and retrieval practices that adequately safeguard the personal information of truckers using its facility. He therefore found that the company had complied with Principles 4.7, 4.7.1, and 4.7.3.

Accordingly, the Commissioner concluded that the complaints were not well-founded.