Organization’s technical glitch results in the disclosure of a client’s personal information to another client
Early resolved case summary #2016-02
August 10, 2016
Lessons Learned:
- Organizations must ensure that front line staff are adequately trained in their privacy policies and procedures in order to recognize when to escalate a customer’s privacy concerns to the privacy officer.
- Organizations that offer integrated online services with other establishments should set up contractual agreements that include provisions to mitigate against breaches and/or inadvertent/accidental disclosure of clients’ personal information.
Complaint summary
An individual who was using an online service software interface to track his personal information held by other organizations noticed that someone else's personal information had been showing up on his account. The individual contacted the customer service department of the online service company in an attempt to correct the problem.
For months, the individual attempted to work with the online company’s customer service department and IT specialists to correct the issue with no success.
After trying unsuccessfully to escalate his concerns for several months to the online company’s privacy officer, the individual filed a complaint with our office alleging that the online company was not addressing his issue.
Outcome
Our office contacted the online company’s privacy officer about the issue, and the company immediately conducted an investigation. It was later discovered that the issue was caused by a technical glitch involving another organization’s software interface, which was being used by the individual. After several discussions with both the online company and the other organization, the technical glitch was corrected for all users, including the individual’s specific issue.
As a result of OPC’s intervention, the online company: (1) changed its internal policies and procedures regarding privacy concerns bought forward by clients to its Customer Service Centre by integrating an escalation process to its Chief Privacy Officer; (2) collaborated with the other organization to fix the technical glitch that caused the inadvertent display of the wrong individual’s personal information; and (3) developed a multi-year contractual agreement with the other organization to cover any technical issues that may arise in providing services, providing enhanced user consent provisions and expanding on mutual benefits related to compliance with PIPEDA.
The individual indicated that the issues he had experienced with his account had been resolved to his satisfaction and the complaint was considered early resolved.
- Date modified: