Store employee discloses customer telephone number to a third party

PIPEDA Case Summary #2005-298

(Principle 4.3 of Schedule 1)

Complaint

An individual complained that a store employee, an acquaintance of hers, disclosed her telephone number to a former friend.

Summary of Investigation

While visiting a pet store, the complainant decided to leave her telephone number with an employee in case the store learned of any kittens available for purchase. The complainant's number was not listed in the telephone directory under her name. Shortly afterwards, she began to receive numerous telephone calls from a former friend. Believing that the employee disclosed her number to this third party, she wrote to the store manager to complain about the disclosure.

The store investigated the matter, and the employee admitted to disclosing the complainant's telephone number. He had given a third party the complainant's telephone number in the hopes of reuniting the complainant and the third party. Instead, the employee was fired from his job for disclosing customer information and breaching the confidentiality agreement he had signed with the company.

The store contacted the complainant, apologized for the disclosure and informed her that the employee had been terminated. It also offered to pay the costs of changing her telephone number. The company circulated a memorandum to all of its employees, informing them that an employee had been fired for disclosing a customer's private telephone number, and reminding them that there is no tolerance for breaching customer confidentiality.

The store explained that when an employee is hired, he or she is trained that customer personal information is confidential and must not be disclosed to unauthorized third parties. Employees sign confidentiality agreements to keep information confidential and private, and a violation of this agreement will result in immediate termination.

The complainant, however, was not satisfied with the steps the company had taken because she was still being harassed by the former employee's friend.

Findings

Issued March 17, 2005

Application: Principle 4.3, which states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• The company appeared to have appropriate practices in place to protect its customers' personal information. It trained staff in the importance of maintaining the confidentiality of customer information. In this instance, when it became aware of the disclosure, it acted swiftly and took measures to address the matter.
• However, in spite of its policies, the fact remained that an employee had inappropriately disclosed the complainant's personal information to a third party without her consent, contrary to Principle 4.3.

The Assistant Commissioner concluded that the complaint was well-founded.

Further Considerations

During the investigation, the Office noted that the company had informed the complainant that it had terminated the employee who had disclosed her personal information, and that it had circulated a memorandum to employees, indicating that it had fired an employee for breaching customer confidentiality. Although employee information is not covered by the Act, the Office believes that organizations should nevertheless adopt the fair information principles outlined in the legislation as a matter of best practice with respect to the personal information of their employees. The Assistant Commissioner therefore cautioned the company against disclosing employee personal information, such as disciplinary measures taken against an employee, to customers or other employees.