Building supplier reveals customer’s personal information to contractor

PIPEDA Case Summary #2007-371

[Principle 4.3; paragraph 7(3)(b); subsection 5(3)]

A couple and their former building contractor were locked in a dispute that ended up in Small Claims Court. The couple claimed that, during the court proceedings, the contractor stated under oath that the building supply store had told him about the couple’s credit account and how much they owed the store. The evidence regarding the disclosure appeared somewhat contradictory, but the Assistant Privacy Commissioner ultimately concluded that a disclosure had taken place. She determined that the exception to consent for disclosure for the purpose of pursuing a debt owed by an individual to an organization did not apply. The company had contended that, in fact, it had the complainants’ consent by virtue of a signed application form. The Assistant Commissioner, however, found that the consent wording on that form was overly broad and did not provide for meaningful consent. She recommended that the company revise the wording of its form to ensure that the purposes for the collection, use and disclosure of personal information are clearly explained and that the purpose(s) meet(s) the “reasonable person” test. The company agreed to do so, and the Assistant Commissioner concluded that the complaint was well-founded and resolved.

The following is an overview of the investigation and the Assistant Commissioner’s findings.

Summary of Investigation

The complainants had a line of credit with the building supplier, and both they and their contractor at the time bought building supplies from the store when they were building a home. During that time, they had several conversations with an employee in customer accounts at the store. The couple stated that she had reassured them that no one outside of the store was privy to their credit or account information.

A few months after receiving the line of credit, a dispute arose between the complainants and their contractor regarding the house. The couple stated that, in a Small Claims Court proceeding, their former building contractor explained to the court clerk that the store had divulged to him information about their credit account. The couple indicated that he alleged that “his people/contacts at (the store) released this information to him.” According to the couple, the information he was referring to was their credit information and balance owing.

Following this incident, they contacted the president and general manager of the store. He indicated that he would investigate the matter and advise them of the outcome, but they did not receive a response.

Our Office spoke to the building contractor who allegedly referred to the couple’s financial information in court. He stated that he did not recall anyone at the store ever telling him specifically about their finances. He did recall the husband once telling him that he (the husband) would be a long time paying the store. The contractor recalled making the comment “you guys haven’t paid (the store) yet” during the pre-trial proceeding in Small Claims Court.

According to the company, only three employees would have had access to the couple’s financial information: the comptroller, the president and general manager, and the customer accounts employee.

A few months prior to the court proceedings, the store was attempting to collect a debt the complainants owed it. The customer accounts employee called the building contractor with the intent of determining the status of the litigation between him and the complainants. In an e-mail to the president of the company, the employee writes: “I have a call into (the contractor) to see if he has been paid or if he has any info.”

According to the store, this employee had a vague recollection of the building contractor telling her that he was pursuing collection of a debt owed by the complainants in small claims court. The company stated that the employee did not remember whether she told the contractor that the store had not been paid. The store indicated, however, that the employee did not reveal to the contractor any of the particulars about the account, either the age of the account or the amount owed.

The store comptroller received a phone call from the wife, in which the wife stated that she had just returned from Small Claims Court, where the contractor, under oath, had discussed information pertaining to their account with the store. The wife insisted on speaking to the president and general manager. The comptroller passed the message on to him, and he indicated that the customer accounts employee would follow up.

The Office spoke to the customer accounts employee. She stated that she had spoken to the contractor to determine whether he, as the building contractor, had been paid by the complainants. She did not recall how she knew that he was the contractor. She informed us that she had told him that the couple had an outstanding account with the store.

She stated that, at one time, it had been common practice for the store to meet with other suppliers and openly discuss outstanding accounts that the businesses had with common customers. She added, however, that the store no longer has such discussions. She also pointed out that the complainants had signed a document that is used when customers apply for credit. The form includes the following statement under the heading, “Account Terms”:

The undersigned consents to the obtaining of credit and/or personal information as may be required in connection with the credit hereby applied for or any renewal or extension thereof and to the disclosure of any credit information concerning the undersigned to and (sic) credit reporting agency or to any person with whom the undersigned has or proposes to have financial relations. (emphasis added)

The store provided a copy of the complainants’ signed application, which included the above-noted clause. In the store’s view, the complainants had agreed to the account terms regarding the collection and disclosure of their credit information.

The store stated that, since the complaint, it amended some of its personal information handling practices. It committed to enhancing its existing privacy policy, and at staff meetings, the company reviews its obligations under the Act with employees. It also revised its credit application forms to indicate that provision of the social insurance number is optional. The portion of the form previously entitled “Account Terms” is now referred to as the “Disclosure Statement.” This portion can be torn off for customers to keep for reference. However, the clause relating to the collection and disclosure of personal information remained unchanged. In the store’s view, all information requested is pertinent and required for its account records.

Findings

Issued January 12, 2007

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. An exception to this requirement is found in paragraph 7(3)(b), which states that an organization may disclose personal information without knowledge or consent for the purpose of collecting a debt owed by the individual to the organization. Under subsection 5(3), an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• The first issue to consider was whether there had been a disclosure. The building contractor told us that he did not recall anyone at the store stating anything specific about the complainants’ finances, though he did acknowledge commenting at the pre-trial that they had not paid the store yet. In an e-mail prior to the court proceedings, the customer accounts employee informed the company president and general manager that she had a call into the building contractor to see whether he had been paid or had any information. When interviewed, the comptroller stated that the wife called shortly after Small Claims Court and told her that the contractor had, under oath, discussed information about the couple’s credit account with the company. However, according to the company’s official response to the complaint, the customer accounts employee did not remember whether she had told the contractor that the complainants had not paid the store. When interviewed by our Office, she stated that she had told the contractor that they owed money. She also indicated that it was, at one time, common practice for the store to discuss outstanding debts with other businesses that had the same customers.
• Thus, in light of the customer accounts employee’s comments (namely, that she had told the contractor that the complainants owed money), the Assistant Commissioner concluded that the company did disclose information about the couple’s account to the building contractor.
• The Assistant Commissioner then turned to the question of whether the disclosure was inappropriate. Was consent obtained, as the store contended, by virtue of the couple’s signed credit application form or was consent even necessary, given paragraph 7(3)(b), which allows organizations to disclose personal information about an individual, without knowledge or consent, in order to collect a debt owed by that individual to the organization?
• With respect to the exception to consent, it was clear that the complainants did owe money to the store at the time of the disclosure. However, the Assistant Commissioner did not accept that the purpose of the disclosure to the building contractor was to collect a debt. In her view, the information appeared to have been disclosed for the purpose of obtaining information about the couple’s financial situation to ascertain whether the debt was collectible.
• Given this, she did not think that the disclosure fell under the exception to consent provided by paragraph 7(3)(b).
• The store contended that it had consent and pointed to a signed agreement with a clause referring to the disclosure of any credit information concerning the complainants to any person with whom they have or propose to have financial relations. Based on this document, it appeared that they had consented to the store disclosing their personal information to an individual with whom they had “financial relations.”
• The Assistant Commissioner noted that this agreement had been signed in 2003, some five months prior to the store becoming subject to the Act. The disclosure occurred after the law came fully into effect in 2004. Given this, the question of consent must be considered within the context of the Act.
• Subsection 5(3) of the Act states that organizations may collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. It goes on to require that organizations obtain the individual’s “knowledge and consent” to any such collection, use or disclosure, and places responsibility on organizations to ensure that consent is “meaningful” by ensuring that purposes are explained in such a way that a person could reasonably understand what these purposes are.
• The Assistant Commissioner did not think a reasonable person would have deemed it appropriate for the store to have disclosed to the complainants’ former contractor the fact that they owed money in order to obtain information about their financial situation. Certainly, the complainants had no idea that their account information would be shared with a building contractor, with whom they were in litigation.
• Moreover, the wording of the consent clause on the agreement they signed did not fully explain the purpose(s) of any possible disclosures. Indeed, it did not spell out the purpose(s) for the collection either, though this could likely be inferred. In the Assistant Commissioner’s view, the company’s purposes were vaguely stated and consequently did not meet the requirements of Principle 4.3.2, namely, that organizations state their purposes in such a manner that an individual can reasonably understand the use or disclosure of his or her personal information. The consent clause did not achieve this.
• Therefore, since the wording of the consent clause that the complainants signed failed to inform them of the purpose for collecting, using and disclosing their personal information, the store did not have their consent to the disclosure.
• The Assistant Commissioner recommended that the store revise its consent clause to ensure that the purposes for the collection, use and disclosure of personal information are clearly explained. She also reminded the company that its purposes must not only be clearly stated but must also meet the “reasonable person” test outlined in subsection 5(3).
• The company revised the credit account application form, consent statement and policy. These documents have been incorporated into the company’s operating procedures. The company will be distributing them to all current customers, and will be communicating this information to staff and training them on it.
• Based on these actions, the Assistant Commissioner was satisfied that the company will be meeting its obligations under subsection 5(3) and Principle 4.3.

Accordingly, she concluded that the complaint was well-founded and resolved.