Mass mailout results in disclosure of contest entrants' e-mail addresses

PIPEDA Case Summary #2004-277

(Principles 4.3 and 4.7.1 of Schedule 1)

Complaint

Eleven members of a loyalty program complained that the company that runs the program failed to safeguard their personal information, and as a result, disclosed it to other members.

Summary of Investigation

The complainants had entered a photography contest sponsored by the company. When they received an e-mail from the company regarding the contest — an e-mail that was sent to 618 participants, also program members — they noticed that their addresses appeared in the "to" field and that they were viewable by everyone who received the message.

The company did not dispute the allegations. It indicated that the sub-contractor, which was responsible for distributing the message on the company's behalf, had made an error when sending the message. The sub-contractor used a software application that allows a user to create an e-mail group name and to subsequently enter individual e-mail addresses into the group for the purpose of confidential, mass e-mail distribution.

The individual who had prepared the mass e-mail had never used this particular application. He tested it internally prior to sending the message. He had created a group and entered the 618 addresses. When he entered the group name in the "to" field during the test trials, only the group name appeared. All the member e-mail addresses remained confidential.

Our Office and the same individual conducted a test of the software, creating a group and entering a couple of e-mail addresses. When the e-mail was sent, only the group name appeared and not the individual addresses. It would appear then that the software application functioned properly during this particular test.

The sub-contractor had dealt with the company for a number of years; however, at the time of the incident, no formal contractual agreement was in place. The company indicated that the sub-contractor was well aware of the company's privacy policy and had provided the company with a certificate of compliance attesting to its ability to meet the company's privacy standards.

Following the incident, the company took a number of measures to address the situation:

  • It issued an apology to the affected members.
  • It informed the sub-contractor that it would not be permitted to distribute group e-mail communications for the company until further notice.
  • Company employees were advised of the situation and given information to deal with customer or media inquiries.

Findings

Issued September 2, 2004

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; and Principle 4.7.1 stipulates that security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

The company admitted that its sub-contractor had, on its behalf, erroneously sent an e-mail message to 618 members that allowed all of these addresses to be viewed by the members who received the message. While the Assistant Privacy Commissioner was satisfied that the company had a privacy policy in place, and was committed to adhering to that policy, as was its sub-contractor, the fact remained that the complainants' personal information was disclosed without their knowledge and consent, contrary to Principle 4.3.

Although the investigation established that the sub-contractor had appropriate safeguards in place (the software application did allow for addresses to remain confidential), it would appear that either the employee did not correctly use the software or it did not function properly. The Assistant Commissioner therefore found that the company did not meet the requirements of Principle 4.7.1.

She concluded that the complaints were well-founded.
