E-mail message raises questions about purposes, credibility and accountability
PIPEDA Case Summary #2006-346
(Section 2; paragraph 4(2)(b); Principles 4.1, 4.1.4, and 4.3)
The motives of a company vice president were called into question when he asked, by way of e-mail, for the name of the employer of an individual who did not work for his company. When this individual found out about the message, he was upset and questioned the vice president about his motives. What followed was an evolving set of explanations from the executive and the company about the reason for the e-mail. The complainant did not believe the reasons given. In his opinion, the executive, whose sister was representing the complainant’s ex-wife in court, had non-business related reasons for trying to glean this information. He complained to the Office about this attempted collection and the company’s lack of accountability under the Act.
The Assistant Privacy Commissioner did not believe the vice president and agreed that he likely had a personal reason for sending the message. However, as the e-mail message did not yield any kind of response from the employees, there was no collection of personal information. She nevertheless expressed dismay at the attitude that the company displayed towards the management of personal information and the complainant’s right to privacy. By its actions, the company seemed to be unaware of, or untroubled by, its obligations under the Personal Information Protection and Electronic Documents Act.
The company made an effort during the investigation to meet its responsibilities under the Act. The Assistant Commissioner, though, felt that the company needed to further demonstrate its commitment. She made a number of recommendations to the company to improve its accountability, with which the company complied.
The following is a detailed overview of the investigation and the Assistant Commissioner’s deliberations.
Summary of Investigation
The complainant learned from a friend (an employee of the company in question) that the vice president of the company had sent an e-mail requesting information about the complainant. The subject line of the message indicated the complainant’s name and the text stated, “Does anyone know what firm (the complainant) is with?”
Some background facts are essential to understanding this complaint. At the time the message was sent, the complainant was involved in a legal dispute with his former spouse. The vice president’s sister was representing the complainant’s ex-wife in court. Also relevant is the fact that the company is a commercial real estate firm. The complainant is not, and never has been, employed in the real estate industry.
Shortly after learning about the e-mail, the complainant called the vice president to ask why he had sent the message. The vice president denied sending it. The complainant then wrote to the executive and enclosed a copy of the message. He also indicated in the letter his belief that the message had something to do with the executive’s sister and the complainant’s family issues. Although the complainant asked for a response in writing, the executive did not reply.
The complainant escalated his concerns to the chairman of the company and asked for a reason for the e-mail message. The company’s solicitors responded to him, indicating that the company did not have any “confidential information” about the complainant and that his family matters did not involve the company. Dissatisfied with the response, the complainant wrote to the chairman again, informing him that the company was not being accountable and that the vice president was collecting information about him without his knowledge or consent. He requested a full explanation. The solicitors responded that the complainant had no basis for any possible complaint against the company.
The complainant wrote one final letter to the president and chief executive officer, informing him that the company had breached the Act by failing to be accountable in matters of privacy and personal information, as it did not fully respond to his requests for an explanation and had not adopted a privacy policy. He then filed a complaint with our Office.
The explanations provided by the company to the Office evolved during the investigation. Initially, it stated that the complaint did not fall under the Act and that no personal information had been collected. When asked what the purpose for the collection was, and whether there were any responses to the e-mail, the company stated that the executive had thought that the complainant was a real estate agent working with one of its industry’s member firms. Seeking the complainant’s contact information, which he did not have, the vice president sent the e-mail. According to the company, the vice president believed that someone in the company had dealt with the complainant in the past. The company claimed that no direct replies were received.
The vice president told the Office that he had been talking to another employee, who thought the complainant worked for a commercial real estate broker and had asked the vice president whether he knew what firm the complainant worked for. Not knowing the answer, the vice president sent the message. When asked by our Office, the employee in question did not remember having any conversation with the vice president about the complainant. In fact, he stated that he had never heard of the complainant before.
The vice president confirmed that he had told the complainant that he had never sent the message and had no interest in the complainant. He told the Office that he did so because the complainant sounded threatening and had used an intimidating tone of voice.
The vice president indicated that his sister did practice family law, but that he had no idea whether his sister represented the complainant’s ex-wife. He continued to maintain that he had sent the e-mail for business and not personal reasons. The investigator from the Office, however, had the impression, based on the vice president’s comments, that the vice president already knew some information about the complainant.
As for the company’s personal information handling practices, the Office was initially unable to locate the designated privacy officer. There was also no privacy policy on the company’s web site. The Office was eventually given the name of a company official who stated that he would be the designated privacy officer. The company indicated that the complainant had never requested a copy of its privacy policy in his correspondence. The company did, however, provide the Office with a copy of its “policy.” Upon review, we determined that it was a memorandum issued in October 2003, advising employees of the Act and directing them to destroy personal information. We informed the company that this document was inadequate as a privacy policy and asked it to develop an appropriate policy that would be available to the public. The company created a policy which our Office reviewed. We suggested some changes and asked it to post the revised policy on its web site as soon as possible.
Findings
Issued June 15, 2006
Application: Section 2 defines personal information as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization. Paragraph 4(2)(b) states that Part I of the Act does not apply to any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose.
Under Principle 4.1, an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the principles set out in Schedule 1 of the Act. Principle 4.1.4 requires organizations to implement policies and practices to give effect to the principles, including (a) implementing procedures to protect personal information; (b) establishing procedures to receive and respond to complaints and inquiries; (c) training staff and communicating to staff information about the organization’s policies and practices; and (d) developing information to explain the organization’s policies and procedures. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
In making her determinations, the Assistant Commissioner considered the purposes for the collection, the definition of personal information, the collection itself, and accountability. She deliberated as follows:
Purposes
- The first issue the Assistant Commissioner had to consider was the alleged purpose for the attempted collection of personal information. The company eventually provided the Office with a reason for the e-mail: the vice president wanted to conduct business with the complainant. The Assistant Commissioner, however, upon reviewing the evidence, questioned the credibility of this stated purpose.
- She noted that the vice president initially denied to the complainant that he sent the message. The Assistant Commissioner reasoned that if the vice president had truly wanted to do business with the complainant, he would have explained his reasons and asked his questions when he had the complainant on the phone.
- The Assistant Commissioner was also concerned that subsequent letters to company officials did not yield any further information on the reason for the message. It was not until the Office became involved that the company finally indicated that the vice president thought the complainant worked in real estate and was seeking to contact him. Such floundering suggested to the Assistant Commissioner that perhaps the company was having trouble deciding what the real purpose for the message was.
- The Assistant Commissioner noted that the complainant did not work in real estate and never had.
- To further cast the stated purpose into doubt, the employee (whom the vice president alleged had asked him for information about the complainant’s employer) did not support the vice president’s story.
- The Assistant Commissioner was therefore of the view that the vice president had his own reasons for attempting to find out the name of the complainant’s employer.
- She noted that paragraph 4(2)(b) states that Part I of the Act does not apply to any individual (the Assistant Commissioner’s emphasis) in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose.
- She stressed the term “individual” because to her it was the key consideration. She stated that paragraph 4(2)(b) is not intended to absolve an organization of responsibility for an employee who uses their position within the organization to collect, use or disclose personal information for their own purposes.
- In this case, the vice president sent an e-mail to employees in his capacity as vice president of the company, using the company’s e-mail system and office equipment. She reasoned that while he may have had personal reasons for sending the e-mail, he did not act as an individual in doing so. His actions had every appearance of being conducted on behalf of the company, for business-related purposes.
- Therefore, she concluded that paragraph 4(2)(b) was not relevant, and that the actions of the vice president in this instance were subject to the provisions of the Act.
Personal Information
- The Assistant Commissioner then turned to the question of whether the information the vice president was requesting was the complainant’s personal information as defined in section 2. Noting that section 2 excludes the employee’s name, title, business address and business phone number from the definition of personal information, she commented that the name of the company an individual works for is not explicitly referred to in section 2. She conceded that a job title could include the identity of the employer. So too could a business address reveal the name of an individual’s employer.
- Did this therefore mean that the name of the employer is not personal information, as defined in section 2? To answer that question, the Assistant Commissioner considered the context of the attempted collection. The vice president noted the complainant’s name in the message, and asked whether anyone knew who he worked for. He did not ask for the complainant’s title or his work address, which are clearly excluded from the definition of personal information in section 2.
- Therefore, she determined that, given the context in which the question was asked, the name of the complainant’s employer was his personal information as defined in section 2.
On the matter of consent
- Although the Assistant Commissioner found it difficult to believe that not a single employee responded to the e-mail, the Office could find no evidence that the complainant’s personal information was collected. There was clearly an attempt to collect this information without the complainant’s knowledge or consent. There was no evidence, however, that this attempt was successful, and the Assistant Commissioner could therefore not find the company in contravention of Principle 4.3.
The Assistant Commissioner concluded that the collection complaint was not well-founded.
- Nevertheless, she stressed that, unless a situation described in one of the exceptions to consent applies, an organization must obtain an individual’s consent to the collection, use or disclosure of personal information, and must inform the individual of the reasons for such a step. She also emphasized to the company that those reasons must be legitimate, business-related and clearly identified at the time of collection – and not determined at some later date as an afterthought.
On the matter of accountability
- The Assistant Commissioner indicated her dismay at the cavalier attitude displayed by the vice president in particular and the company as a whole towards the complainant’s personal information and right to privacy. In her view, it reflected a disturbing disregard for privacy issues and the company’s obligations under the Act. The response the complainant received from the vice president when he first queried him on his reasons for sending the e-mail was clearly dishonest, and the responses he later received from the company’s solicitors amounted to little more than a “privacy run-around.” That the Office was also given a questionable reason for the attempted collection demonstrated a lack of understanding of and respect for the Act. It was evident to the Assistant Commissioner that until the complaint to this Office, the company was unaware of or, at worst, untroubled by its obligations under the Act to ensure that its personal information handling practices were fair, just and open, and that its employees were aware of their own responsibilities with respect to these practices, as demonstrated by the vice president’s actions.
- The investigation established that the company did not have appropriate privacy policies or procedures in place, nor was there initially a designated privacy officer accountable for compliance, contrary to Principles 4.1 and 4.1.4.
- She acknowledged that the company, after the Office’s intervention, made an effort during the investigation to bring itself into compliance with the accountability requirements of the Act. It now has a designated privacy official and has developed a privacy policy for posting on its web site.
- While the Assistant Commissioner was encouraged by such actions, she believed that the company needed to further demonstrate its commitment to meeting its obligations under the Act, and to show that the entire organization is responsible for sound privacy practices.
- She therefore recommended that the company post its privacy policy on its web site, ensure that it is disseminated to all employees, and provide staff with privacy training regarding proper privacy policies and practices.
- The company fully implemented the Assistant Commissioner’s recommendations.
The Assistant Commissioner concluded that the accountability complaint was well-founded and resolved.