Laurier Optical Improperly Discloses Client’s Personal Information

PIPEDA Report of Findings #2010-005

An individual who was seeking a refund from Laurier Optical because two pairs of prescription eyeglasses didn’t satisfy him, was shocked to discover the company had copied its written response to his request to 10 different parties.

He complained to our Office that the optometry chain, which has locations in Ontario and Quebec, disclosed his personal information without consent and subsequently failed to provide him with access to his personal information.

The man had obtained two prescriptions from Laurier Optical and found that neither satisfied him. As a result, he obtained a prescription from an independent optometrist who worked elsewhere.

After receiving the refund request, Laurier Optical initiated a complaint against the independent optometrist with the Ontario College of Optometrists. The company alleged the optometrist had incorrectly told the complainant that Laurier Optical had not performed a proper eye exam.

In its written response to the refund request, Laurier Optical included the complainant’s home address, telephone number and details of his three prescriptions, as well as a description of the prescription dispute. The complainant felt it contained false statements damaging to his character. The letter also stated that Laurier Optical would ask two other professional bodies and the two biggest lens manufacturing labs in Canada to evaluate the three prescriptions and obtain neutral opinions.

The letter was copied to 10 different parties, including various Laurier Optical officials; the Ontario College of Optometrists; the College of Opticians of Ontario, the independent optometrist; the company that made the complainant’s lenses, as well as another lens manufacturing company.

The complainant also requested access to his personal information held by Laurier Optical, but received no documentation in response.

Following an investigation, our Office found both the disclosure and access complaints to be well founded.

It was not necessary for Laurier Optical to disclose the complainant’s personal information to the College of Opticians or the lens manufacturers in order to demonstrate that the lenses it had provided to the complainant were appropriate. Even if these organizations could provide relevant input, they could have done so without knowing the complainant’s name, address, telephone number or details of the dispute. Similarly, it was not necessary to provide the independent optometrist with this information.

We recommended that Laurier Optical train its staff about PIPEDA’s requirements regarding the protection of clients’ personal information.

The organization did not respond.

As a result of the circumstances examined in this investigation and the outstanding issues, the Privacy Commissioner was of the view that Laurier Optical’s personal-information handling practices in this case should be made public and exercised her discretion to publicly name the organization.

Report of Findings

Complaints under the Personal Information Protection and Electronic Documents Act (the “Act”)

1. The complainant alleges that 1663066 Ontario Inc., c.o.b. as Laurier Optical (“Laurier Optical”): (i) disclosed his personal information without his consent; and (ii) failed to provide him with access to his personal information.

Summary of Investigation

2. The complainant purchased prescription eyeglasses from Laurier Optical.

3. The complainant was not satisfied with his purchase, and in particular was not satisfied with the prescription obtained from Laurier Optical. As a result, Laurier Optical had another one of its optometrists evaluate the complainant’s eyesight and provide him with a prescription, following which a second pair of glasses was ordered.

4. The complainant was still not satisfied, and went to another optometrist for a further eye exam.

5. The complainant sought a refund from Laurier Optical.

6. Laurier Optical wrote to the complainant by letter dated March 3, 2008 addressing various issues relating to the complainant’s prescription eyeglasses. This letter set out the complainant’s dispute, along with the details of his various prescriptions. The letter also set out the complainant’s address and home phone number. The complainant believes that the letter accused him of making statements that are both false and damaging to his character.

7. In its March 3 letter, Laurier Optical stated that it would be sending the complainant’s file to the College of Optometry, College of Opticians and to the two biggest labs in Canada to evaluate the three prescriptions (two by Laurier Optical and one by the other optometrist the complainant consulted), in order to obtain their neutral opinion.

8. This letter was copied to 10 different parties, as follows:

1. Laurier Optical — care of the manager of the location which served the complainant
2. Financial Controller
3. Laurier Optical’s corporate lawyer
4. Ontario College of Optometrists
5. College of Opticians of Ontario
6. The optometrist the complainant consulted
7. An optometrist working with Laurier Optical who provided the complainant with prescription advice
8. A second optometrist working with Laurier Optical who provided the complainant with prescription advice
9. A lens manufacturing company that supplies lenses to patients across Ontario and Quebec
10. The lens manufacturing company that made the complainant’s lenses

9. Laurier Optical had earlier initiated a complaint with the Ontario College of Optometrists against the optometrist the complainant consulted. Laurier Optical alleged that the optometrist the complainant consulted had wrongly advised the complainant that Laurier Optical had not performed a proper eye exam. The College conducted an investigation into the complaint and rendered a decision, which is now under appeal. In the course of our investigation, Laurier Optical stated that it also copied the Ontario College of Optometrists with the March 3, 2008 letter in order to keep the College apprised of relevant matters relating to the investigation.

10. By letter dated March 18, 2008, the College of Optometrists replied to the March 3, 2008 letter indicating that it did not have the mandate to provide the neutral opinion sought by Laurier Optical.

11. The complainant commenced a small claims court action against Laurier Optical. The court action was commenced on March 6, 2008.

12. During the course of our investigation, counsel for Laurier Optical stated that:

Considering that [the complainant] had made then a full blown attack against the quality of the prescriptions, of the frames, of the ophthalmic appliances and services rendered, in order to elicit from the parties involved in the rendering of said services, their views and positions to make them known to the [Court] and to the College of Optometrists, said persons were copied on our client’s letter.

13. On March 31, 2008, the complainant sent a letter to Laurier Optical requesting access to all of his personal information regarding the issue of his dissatisfaction with his prescription as well as his requested refund. The letter specifically noted that under the Act, Laurier Optical was required to respond within 30 days.

14. By letter dated April 28, 2008, Laurier Optical responded to the complainant’s letter dated March 31, 2008. Laurier Optical’s only response to the complainant’s access request was to state that the complainant had filed his personal information with the Court. It did not, however, specifically address the issue of access to personal information held by Laurier Optical.

15. In the course of our investigation, Laurier Optical stated that as of the date of the complainant’s request for access, it did not have any personal information of the complainant in its files which had not been already provided to the complainant. In particular, Laurier Optical stated that it did not have any internal correspondence or correspondence with third parties relating to the complainant’s dispute and request for a refund, other than what had been sent or copied to the complainant.

16. The complainant’s court action was settled on March 27, 2009.

Application

17. In making our determinations, we applied Principles 4.3 and 4.9, as well as subsections 7(3), 8(3) and 8(5) of the Act.

18. Principle 4.3 states the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

19. Subsection 7(2) and (3) permit use and disclosure without consent in certain specified circumstances.

20. Principle 4.9 states that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information.

21. Subsection 8(3) of the Act states that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

Findings

Issued March 31, 2010

22. The March 3, 2008 letter in question contained the complainant’s personal information: his address and telephone number, the nature of his dispute with Laurier Optical, and his prescription information. Therefore, Laurier Optical was required to obtain the complainant’s consent before using this information and disclosing this information to third parties (unless exceptions under the Act applied).

23. The sharing of personal information with other employees or agents of an organization is not considered a disclosure under the Act. It is, however, considered a “use” of personal information. Therefore, the complainant’s consent was needed in relation to Laurier Optical’s copying of the March 3 letter to the manager of the location which served him, its financial controller, and the two optometrists working for Laurier Optical who provided prescriptions to the complainant.

24. We are satisfied that by complaining about his prescriptions and by seeking a refund, the complainant gave implied consent for Laurier Optical to share its written response to his complaint with those at Laurier Optical who had been involved with his dispute, including in this case the two optometrists who provided prescriptions to the complainant, as well as the manager of the Laurier Optical store at the centre of the dispute. It was appropriate for those individuals working at Laurier Optical who were involved with the complainant’s dispute to know of the exact response provided to the complainant by Laurier Optical. Given that the complainant had also requested a refund, the implied consent extended to Laurier Optical’s financial controller, who is ultimately responsible for refunds issued.

25. In relation to Laurier Optical’s disclosure to its lawyer, paragraph 7(3)(a) of the Act permits disclosure to a lawyer representing the organization.

26. We find that there was no implied consent provided by the complainant to permit the disclosure of its March 3, 2008 letter to the Ontario College of Optometrists, the College of Opticians of Ontario, the optometrist the complainant consulted, Toronto Lab and Nikon. When the complainant complained to Laurier Optical, he could not have reasonably assumed that Laurier Optical would need to copy its response to the above organizations.

27. Laurier Optical has relied on the complainant’s court action as justification for its disclosure. It argues that it had the implied consent of the complainant to disclose his personal information in defence of the court action. The court action, however, was commenced subsequent to the March 3, 2008 letter in question. Therefore, Laurier Optical cannot rely on implied consent for disclosures which were made prior to March 6, 2006, the date the court action was commenced.

28. Laurier Optical has also relied on the fact that it had initiated a complaint with the Ontario College of Optometrists against the optometrist the complainant consulted, and in that context states that it had an obligation to copy the College with the March 3 letter. In our view, the fact that Laurier Optical had initiated a complaint against the optometrist the complainant consulted did not require it to disclose to the College of Optometrists all of the personal information about the complainant set out in the March 3, 2008 letter, and the College would not have had jurisdiction to compel the production of this information in the context of investigating the complaint, as much of it was not relevant to the complaint against the optometrist the complainant consulted. We can find no exception under subsection 7(3) of the Act permitting the disclosure of the complainant’s personal information to the College of Optometrists. The College itself noted that it did not have the mandate to provide the neutral opinion requested by Laurier Optical.

29. In order to demonstrate that the lenses provided to the complainant by Laurier Optical were appropriate, it was not necessary for Laurier Optical to disclose the complainant’s personal information to the College of Opticians, or the two lens manufacturing companies. Even if these three organizations could provide relevant input, they could have done so without needing to know the name of the complainant, his address and phone number, and all of the details of the dispute set out in the March 3, 2008 letter. Similarly, it was not necessary for Laurier Optical to provide all of the complainant’s personal information set out in the March 3, 2008 letter to the optometrist the complainant consulted. We find that the complainant did not provide consent to these disclosures (either express or implied), and that no exception to the requirement to obtain consent under section 7 of the Act applied.

30. In our view, Laurier Optical did not respond in a meaningful way to the complainant’s request for access to his personal information. By failing to respond (other than noting that the complainant had disclosed his personal information to the Court — which is not a response at all), Laurier Optical violated subsection 8(3) of the Act, and was deemed, in accordance with subsection 8(5), to have refused the complainant’s access request.

31. We are satisfied, however, that Laurier Optical did not at the time have documents in its possession containing the complainant’s personal information, other than letters which the complainant had received himself.

Conclusion

32. Accordingly, we conclude that the complaints are well-founded.

33. We strongly recommend that Laurier Optical take steps to train its management and staff about the requirement under the Act to protect a client or former client’s personal information from disclosure to third parties, including when responding to complaints from clients and former clients.

34. We are asking that Laurier Optical provide my Office with evidence of acceptance and implementation of this recommendation within thirty (30) days from the date of issuance of this report, absent which we will consider how to address this issue in accordance with our authority under the Act.

Postscript

As a result of the organization’s lack of response to the recommendations and the circumstances examined in this investigation, the Privacy Commissioner was of the view that Laurier Optical’s personal-information handling practices in this case should be made public and exercised her discretion to publicly name the organization.  A case summary, which named Laurier Optical, was included in her 2010 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act.