Phone message left at client’s workplace disclosed personal information without consent

PIPEDA Report of Findings # 2012-009

---

The complainant, who was an employee of a hair salon, was contemplating leaving her employer and setting up her own salon at home. She contacted an insurance company to inquire about business insurance, and she was told that an agent would call her back with a quote. The complainant claims that during the initial call she specifically instructed the insurance company not to contact her at her workplace.

However, the insurance agent did call the complainant’s workplace and left a recorded message on her employer’s general voicemail system requesting more information about the complainant’s anticipated home-based hair-styling business. The complainant’s employer heard the message and he summarily fired her. The complainant then complained to this Office that the insurance agent had disclosed her personal information to others without obtaining her consent.

The Assistant Commissioner found that there had been a disclosure without her consent (either explicit or implied). Consequently, the Assistant Commissioner made specific recommendations to the insurance company, and it ultimately agreed to 1) implement a new procedure that minimizes the amount of information that employees leave in client telephone messages, and 2) amend existing procedures to ensure client contact information and messaging preferences are updated regularly to maintain accuracy. The insurance company also agreed to communicate these updated procedures to its employees.

The complaint was well-founded and resolved.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

1. The complainant alleges that an insurance company disclosed her personal information on her employer’s telephone messaging system without her consent.

Summary of Investigation

2. The complainant was employed in a hair salon. When she telephoned an insurance company in January 2011 to receive a quote for liability insurance for a home-based hair styling business, she was advised that a representative would call her back with the information.

3. The complainant claims that she asked the insurance company not to call her at her workplace as her employer was unaware of her intention to start a home-based business. The insurance company denies ever being advised of this.

4. A few days later, the complainant’s employer retrieved a voice mail message from the insurance company on the workplace voicemail system. The message was intended for the complainant. The complainant alleges that the message was from an insurance company representative who asked the complainant to return the call and to provide more information about the home-based business that she would be starting.

5. According to the complainant, she then informed her employer of her intention to resign from the hair salon in approximately five weeks, long enough to allow her to set up her own business and for the salon to hire a replacement. However, her employment was unexpectedly terminated within one week.

6. The complainant contacted the insurance company to notify them that she had been dismissed. She also sent an email to its privacy officer, in which she advised that she may contact a lawyer. She also asked the insurance company what it would consider to be fair compensation. The privacy officer replied immediately, claiming that as far as she could ascertain, the office’s employees had not been advised to only call the complainant at home. However, the privacy officer expressed an interest in resolving the issue with the complainant.

7. The complainant did not accept the privacy officer’s assertion that the insurance company employees were unaware of a pre-arrangement to only call her at home. She attempted to re-establish contact with the company about the matter but was unsuccessful. She then filed a complaint with our Office, which we accepted on March 17, 2011.

8. In its representations to this Office, the insurance company admitted that one of its employees had left a message for the complainant on her employer’s general voice mailbox. The insurance company contends that the purpose of the phone message was to follow up on the complainant’s request for professional liability insurance for the home-based business that she would be starting.

9. During our investigation, the insurance company provided us with certain internal documents. From this information, we established that the first insurance employee with whom the complainant had spoken had referred the inquiry to a colleague (“a commercial lines representative”). The commercial lines representative was advised in an email that the complainant would be best reached on a Monday. The email did not indicate that the complainant did not work on Mondays. A phone number (at the hair salon) was provided, but no alternative contact number.

10. We reviewed the commercial lines representative’s note log for January 10, 2011. In it, she states that she had left a message for the complainant to call back with details “on her hair salon to provide her with a quote.”

11. The next day, the representative documented in the note log system that the complainant had returned her call and was very upset. In her call, the complainant pointed out to the representative that explicit instructions had been given to only call her at home.

12. In the note log system, the representative then summarized what had happened in the first call, making a distinction between a business phone number and a work phone number (“I phoned the business number # on the system and left a message for her, this was her work phone #” [sic]). She claims that she apologized to the complainant and invited the latter to contact her later at home about the insurance quote.

13. During our investigation, we also reviewed copies of the insurance company’s Staff Confidentiality Agreement, signed and acknowledged in December 2004 by the two insurance representatives with whom the complainant had spoken about the matter at hand. In that agreement, both employees agreed to abide by the provisions of the Act. However, we were informed that the insurance company had no specific policy or procedure with respect to leaving information on answering machines. When we recommended to the organization that it implement supplementary policies and practices to protect personal information under its control, the privacy officer did not share our view.

14. The insurance company indicated to us in its representations of April 26, 2011, that it was still intending to try to settle the matter with the complainant.

15. On June 15, 2012, our Office issued a Preliminary Report of Investigation to the insurance company in which we examined the issues raised in the complaint and requested that the insurance company respond to our recommendations. What follows is the result of our analysis of the evidence obtained during our investigation.

Application

16. In making our determinations, we applied Principles 4.3, 4.1.4, 4.7 and 4.7.4 of Schedule 1 of the Act.

17. Principle 4.3 requires the knowledge and consent of the individual for the collection, use, or disclosure of personal information, except where inappropriate.

18. Principle 4.1.4 states, in part, that organizations shall implement policies and practices to give effect to the principles, including: (a) implementing procedures to protect personal information, and (c) training staff and communicating to staff information about the organization’s policies and practices.

19. Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

20. Principle 4.7.4 requires that organizations make their employees aware of the importance of maintaining the confidentiality of personal information.

Findings

August 8, 2012

Consent

21. In our view, the information at issue – that the complainant was seeking a quote for liability insurance for a home-based business she was starting – constitutes the complainant’s personal information.

22. Our investigation did not reveal any evidence to corroborate the complainant’s claim that she had specifically requested that the insurance company call her only at home.

23. Nonetheless, there is no dispute between the parties that there was an attempt to contact the complainant via her workplace phone number. This resulted in a disclosure of the complainant’s personal information, without her consent, in a recorded message that was accessible to others. This represented a clear contravention of Principle 4.3, which requires an individual’s knowledge and consent for any disclosure of their personal information.

24. Given the excessive amount and sensitive nature of the complainant’s personal information that was revealed in the voice-mail message, and that the information was accessible to others at her workplace, we are of the view that the insurance company could not have relied on the complainant’s implied consent to leave the message as it did.

Safeguards

25. In our view, the insurance company revealed more information than was necessary for the complainant to merely return the insurance representative’s call.

26. We are of the view that in this particular context – where information about an individual’s home-based salon is disclosed on an employer’s general voicemail – the information at issue is sensitive personal information.

27. Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.4 requires that organizations make their employees aware of the importance of maintaining the confidentiality of personal information.

28. Minimal safeguards were thus not provided in this case to protect the complainant’s personal information. Further, it appears from circumstantial evidence that her personal information that was made available at her workplace was sensitive enough to lead to her loss of employment.

Accountability

29. As the current case has shown, serious consequences can result from careless disclosures of a client’s sensitive personal information to unauthorized third parties. These disclosures can be avoided when an organization takes proper precautions when calling back its clients and when it has policies to dictate to its staff how to leave messages for clients.

30. Since a substantial part of client contact in an insurance business occurs via telephone, we are concerned that the insurance company has no policy communicating to its employees how messages are to be left for clients on telephone messaging systems in order to protect personal information.

31. Principle 4.1.4 states, in part, that organizations shall implement policies and practices to give effect to the principles, including the principle of the protection of personal information. Also under this principle, organizations must train their staff and communicate to them information about the organization’s policies and practices.

32. The insurance company’s privacy officer was not in agreement with this Office’s suggestion to amend existing policies and practices, with the view to protecting personal information under the insurance company’s control and preventing a recurrence of such a disclosure. By not complying, the organization is in contravention of Principle 4.1.4.

33. The insurance company may find the following document informative: A Guide for Businesses and Organizations: Your Privacy Responsibilities. Created by our Office, it contains guidelines to assist organizations in meeting their responsibilities and obligations under the Act.

34. In our Preliminary Report of Investigation, we asked the insurance company to commit to the following recommendations: i) That it develop policies to reduce the risk of disclosing clients’ personal information to unauthorized third parties when leaving messages for clients, and ii) that it provide privacy training that complies with the Act to the organization’s privacy officer(s) and employees.

35. The insurance company responded to our preliminary report on July 11, 2012.

36. In its response, the company committed to aligning its procedures with the provisions of the Act by implementing a new procedure that restricts to a minimum the amount of information that employees leave in client telephone messages. The insurance company has provided us with details of its new messaging procedure.

37. The insurance company has also amended internal procedures whereby client contact information and messaging preferences are to be updated regularly to maintain accuracy. This includes modifications to information recorded in its automated insurance management system, and how this information is displayed to system users.

38. Overall, we find that these new and amended procedures (combined with the communication of these procedures to its client-service employees) render the insurance office in compliance with Principles 4.1.4, 4.7 and 4.7.4 of the Act.

39. We strongly encourage the insurance company and its employees to rely on these new procedures in their routine client-contact activities so as to avoid any recurrence of events similar to those of this complaint.

Conclusion

40. Accordingly, we conclude that the matter is well-founded and resolved.

Other

41. We note that the insurance company and the complainant have had exchanges over what is fair compensation in the circumstances. We encourage both parties to enter into direct negotiations with a view to resolving the matter of compensation.