Law firm’s shoddy privacy practices result in missing personal information; request for access denied
PIPEDA Case Summary #2007-377
[Principles 4.1.3, 4.1.4(a) and (b), 4.5, 4.5.3, 4.7.1, 4.9, 4.9.4 and subsection 8(3)]
Lessons Learned
- Proper personal-information handling practices (policies, procedures, retention schedules) are necessary to protect personal information and to provide individuals with access to their information.
- Personal information handled by third-party service providers is considered to be under the control of the party that has contracted out the service.
- Businesses must ensure that third parties have a comparable level of protection in place for the personal information they process.
The investigation into this denial of access complaint uncovered shoddy personal information handling practices. The complainant, who had been a client of the respondent legal firm, wanted access to all of his personal information held by the firm. When he received no response, he complained to the Office.
It transpired that the firm had lost his file. While it eventually did provide him with some of the financial records the complainant was seeking, his actual file could not be provided to him. The Assistant Privacy Commissioner was disturbed by the lack of privacy policies and procedures, and retention schedules and found it unacceptable that the complainant’s file was missing. She recommended that the firm implement a privacy policy and procedures to give effect to the principles. She stated that special attention had to be paid to ensuring that third parties conducting work on behalf of the firm have comparable levels of protection in place, setting appropriate retention and destruction schedules, and establishing procedures to handles requests for access to personal information in a timely manner. The firm only agreed to implement one of these recommendations; the Assistant Commissioner therefore concluded that the complaint was well-founded, and advised the organization that the Office would be pursuing the matter in accordance with its authorities under the Personal Information Protection and Electronic Documents Act.
The following is an overview of the investigation and the Assistant Commissioner’s deliberations.
Summary of Investigation
The complainant had been a client of the firm in question. As a legal agent, the law firm prepares such documentation as affidavits to be used by clients. In this case, the law firm did so, then referred the complainant (along with the related documentation) to another lawyer with whom it contracts for legal representation. This is firm’s customary practice when referring a client to a lawyer for representation.
The complainant wanted to have all documents held by the firm, such as cancelled cheques, affidavits, and the copy of evidence used in the court proceeding. When informed that he could access the information at the court house (the information is retained for a 10-year period), the complainant stated that he went to the court house but did not get any documents. He also told us that the lawyer he had been referred to never gave him his documentation back.
The law firm had provided the complainant with some information prior to his written access request. This included letters from the law firm, as well as some documents that would likely be attached to an affidavit.
In an effort to determine what, if any, information the law firm still held, representatives of the Office visited the firm and reviewed its personal information policies, procedures, safeguards and retention schedule.
The investigation established that the law firm did not have any written privacy policies or procedures in place. Client information is kept, destroyed or returned as required. After a client has been referred to another lawyer, the client’s file is provided to that lawyer. The files may or may not be returned to the law firm as the file is sometimes provided to the client at the end of the process. There are no set procedures regarding the handling of the file or how long it is retained once a case is completed. We were informed, though, that the law firm maintains client confidentiality.
We reviewed the client file process, step by step, with the firm. A client visits the office, a file is opened, and all material received or generated as a result of the case is place on the file. The legal counsel who is contracted to handle the case picks up the file to go to court for the hearing. At the conclusion of the hearing or court appearance, the file is returned to the law firm by the lawyer handling the case or the client. The file is then retained at the office unless the client wants the file given to him or her.
We reviewed the process by which the firm documents meetings with clients, prepares for hearings or trials, and bills clients for work done. We noted that the complainant had received a computer-generated invoice from the firm, which contained his personal information. The law firm indicated that its office may have other computer-generated electronic records containing personal information, which had not been provided to the complainant.
The law firm explained that a record is kept when payments are made. It admitted that it had not considered financial records when it received the request for access to his personal information and that it may have interpreted the scope of the request too narrowly. Following our meeting with the firm, it confirmed that there was additional documentation containing the complainant’s personal information (financial transaction records), which it sent to him nearly 23 months after he had made his request.
However, the question of where the complainant’s legal file was remained. A representative of the law firm could not recall exactly how much information was in this file, but thought the file was “thick.” The law firm eventually admitted that it could not explain what had happened to the file, and that it had been lost. It searched its offices and checked with the legal counsel who worked on the complainant’s case (as well as the other lawyer it contracts with), and the file has not been found. We confirmed with the lawyer who represented the complainant that he did not have any information about him. He stated that he typically gives the file to the client or returns it to the respondent law firm, depending on the circumstances and situation.
According to the law firm, its electronic database is purged only periodically, but hard copy files are not retained indefinitely. It stated it keeps only current files. It then expanded on this explanation by indicating that for real estate files, it keeps the information for a “couple of years.” Criminal cases are kept for the appeal period, and labour and human resources cases, if the client wants the file and the service is complete, the client is encouraged to pick up the file. The law firm stated that it always asks the client to provide it with photocopies of the information or to make photocopies for the client to keep. If the client does not want the file back, the law firm keeps labour and human resource files for no more than seven years.
Findings
Issued April 5, 2007
Application: Principle 4.1.3 states that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Principle 4.1.4 obliges organizations to implement policies and practices to give effect to the principles, including (a) implementing procedures to protect personal information; and (b) establishing procedures to receive and respond to complaints and inquiries.
Principle 4.5 states that organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Principle 4.5.3 states that personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information. Principle 4.7.1 stipulates that the security safeguards protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
Principle 4.9 states that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. Principle 4.9.4 states that an organization shall respond to an individual’s request within a reasonable time and at minimal or no cost to the individual. Subsection 8(3) stipulates that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.
In making her determinations, the Assistant Commissioner deliberated as follows:
- She began by noting that this case was a disturbing example of how poor personal information handling practices result in individuals being unable to access their personal information.
- The complainant had made a simple request. Nearly two years later, and after the Office’s intervention, he was provided with access to some of his personal information, namely, financial transaction records. The rest of the information he was seeking was not and cannot be provided to him because the law firm could not account for what happened to it.
- The Assistant Commissioner commented that, in order to provide individuals with access, which organizations are obliged to do under Principle 4.9 of the Act, they have to have adequate policies, procedures, and retention schedules in place – all of which are required under the law.
- Based on the investigation, it would appear that the law firm in question failed to meet each of these obligations.
- There were no set privacy policies and procedures to protect personal information or to respond to a request for access to personal information, contrary to Principle 4.1.4(a) and (b).
- The law firm, which collects the information from the client, in essence is turning over responsibility for the information, contrary to its obligations under Principle 4.1.3, in that it does not appear to know exactly what happens to files once they leave its physical possession. It completely failed to ensure that the lawyer with whom it has contracted to do work for it has proper personal information handling practices. As a result, it had not ensured that personal information under its control (and it is under the law firm’s control whether it is physically with the firm or with the contracted lawyer) was properly protected, as required under Principle 4.7.1.
- It had also not set schedules for the retention and destruction of personal information.
- It was therefore of little surprise to the Assistant Commissioner that the law firm lost the complainant’s file. It was of course utterly unacceptable that it had.
- The Assistant Commissioner was of the view that the firm had to address these inadequacies in order to ensure that it was meeting its obligations under the Act, generally, and its obligations to provide access to personal information in a timely manner, specifically.
- She recommended that the firm develop a privacy policy and procedures that give effect to the principles under the Act. She noted that special attention had to be paid to:
-
- ensuring that third parties who conduct work on its behalf have in place a comparable level of protection while the information is being processed by the third party;
- setting retention and destruction schedules for personal information it holds; and
- establishing procedures to handle requests for access to personal information.
- The firm responded to only the last of the recommendations. It addressed the issue of handling requests for access to personal information, and was discussing a schedule of all documents that are delivered to third parties.
- The Assistant Commissioner noted that, while this addressed, in part, the problems encountered during the investigation (and helped it meet the requirements of Principles 4.1.4(a) and (b) and 4.9 and 4.9.4), the firm had not fully responded to its obligations under the Act, as recommended. She therefore found that the firm remained in contravention of Principles 4.1.3, 4.5, 4.5.3, 4.7.1.
Accordingly, the Assistant Commissioner concluded that the complaint was well-founded. She advised the organization that the Office would be pursuing the matter in accordance with its authorities under the Personal Information Protection and Electronic Documents Act.
See also
Settled Case Summaries:
#11 Trucking Business Formulates and Implements Privacy Policy
#18 Business learns that it must have a privacy policy
Postscript
The Commissioner indicated her intention to file a Notice of Application under section 15 of PIPEDA in the Federal Court. The matter was settled prior to the issuance of the Commissioner’s Notice of Application.
- Date modified: