A question of responsibility

PIPEDA Case Summary #2003-251

[Principles 4.7 and 4.7.1]

Complaint

An employee of a company complained that his manager inappropriately collected his personal information by intercepting and reading a fax receipt, which contained a small-print version of a confidential letter that the complainant's union representative had faxed to another party on his behalf.

Summary of Investigation

The faxed letter concerned a separate union matter involving the complainant and the manager. As the union representative was in a hurry, he did not use a fax cover sheet, nor did he remain at the fax machine to collect the receipt, returning instead to his office to attend to another matter. Shortly afterward, the manager went to the fax machine to send a letter. He did not use a cover sheet, but he remained at the machine until a receipt was produced. Thinking it was his, the manager picked up the fax receipt, noticed that it contained his name in the body of the letter, and began to read it.

When the union representative returned to the machine and found the manager reading the receipt, he asked the manager to return the receipt immediately as it contained confidential information pertaining to a union matter. The manager, however, continued to read it in its entirety before returning it.

The fax machine is located in the common area of an administrative office and is accessible to anyone in the office. As a courtesy, the company provided the union representative with access to the company fax machine, which is also used by supervisors.

The company does not have a formal fax policy in place. However, there is a common understanding that the fax should generally be restricted to company activities and business. On the company's internal web site, it encourages fax users to never leave the original document in the fax machine, and to never send sensitive information to an unattended fax machine.

Fax cover sheets are available at the fax station in question. While at the time of the incident no sign was posted near the machine advising users to use a cover sheet, one has since been put up.

In the company's view, the circumstances, namely, multiple users, the open office access, and the routine accumulation of transmission reports in the tray of the fax machine, do not support an expectation of privacy with regard to the use of the fax machine. The company stated that no intrusion was intended by the manager when he reviewed the correspondence sitting in the tray of the fax machine.

Findings

Issued December 12, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Assistant Privacy Commissioner had jurisdiction in this case because a transportation company is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 stipulates that security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

The Assistant Commissioner deliberated as follows:

• As far as the Act was concerned, the company met its obligations to provide appropriate safeguards. Cover sheets were available for all users and the company's Intranet site did advise employees to take steps to protect their personal information when using the fax machine. The Assistant Commissioner also noted that the circumstances of the office, namely, the location of the fax machine in an open area, with multiple users, and the routine accumulation of fax receipts in the tray, placed some responsibility on users to take appropriate precautions should they intend to use the fax to send sensitive information. The Assistant Commissioner thus found the company in compliance with Principles 4.7 and 4.7.1 of the Act.
• The Assistant Commissioner noted that this case raised issues that were not strictly covered by legislation but rather touched on larger questions of personal responsibility and respect for privacy. The company contended that responsibility for this incident really lay with the union representative, an assertion that the Assistant Commissioner agreed with to a point. The representative should have taken greater care to protect the complainant's personal information by using a cover sheet and remaining at the fax. The fact that he chose to use the fax machine to transmit the letter was also questionable.
• Nevertheless, the manager's actions clearly revealed a certain disregard for the right to privacy. While it was understandable that he should pick the fax receipt up (since he thought it was his) and glance at it, he would have quickly realized that it did not belong to him. The Assistant Commissioner noted that he crossed the line when he continued to read the contents of the receipt to the end before returning it to the union representative.
• However, given that the representative did not take full precautions, the Assistant Commissioner could not issue a finding against the company.

Accordingly, she concluded that the complaint was not well-founded.

Further Considerations

Notwithstanding the finding, the Assistant Commissioner recommended that the company take steps to reinforce with its employees the importance of protecting and respecting privacy in the workplace.