Interpretation Bulletin: Safeguards

June 2015

One of the Commissioner’s primary roles is to investigate and try to resolve privacy complaints against organizations. The Commissioner’s findings will depend on the facts of each case and will be informed by evolving jurisprudence. Over time, findings on certain key issues crystallize into general principles that can serve as helpful guidance for organizations.

In an effort to summarize the general principles that have emerged from court decisions and the Commissioner’s findings to date, the OPC issues Interpretation Bulletins on certain key concepts in PIPEDA. These Interpretation Bulletins are not binding legal interpretations, but rather, they are intended as a guide for compliance with PIPEDA. As the Commissioner issues more findings, and the courts render more decisions, these Interpretation Bulletins may evolve and be further refined over time.

I. Relevant Statutory Provisions of PIPEDA

Principle 4.7: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”

Principle 4.7.1: “The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.”

Principle 4.7.2:  “The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage.  More sensitive information should be safeguarded by a higher level of protection.  The concept of sensitivity is discussed in Clause 4.3.4.”

Principle 4.7.3:“The methods of protection must include
(a) physical measures, for example, locked filing cabinets and restricted access to offices;
(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and
(c) technological measures, for example, the use of passwords and encryption.”

Principle 4.7.4:  “Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.”

Principle 4.7.5:  “Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3).”

II. General Interpretations by the Courts

1. “Video recordings kept in a locked location that are only accessed by responsible managers or corporate police officers following a reported incident are considered to be adequately safeguarded.  Video recordings that do not capture incidents should be destroyed within an appropriate time frame. (Eastmond v Canadian Pacific Railway 2004 FC 852, [2004] FCJ No 1043)
2. The appropriateness of a security safeguard is to be evaluated based on existing circumstances, not hypothetical new uses of existing technologies or new technologies that have yet to be developed. (Turner v TELUS Communications, 2005 FC 1601,[2005] FCJ No 1981)
3. An organization can implement safeguarding measures that involve employee biometrics as long as that information is properly safeguarded. In this case, the information was sufficiently safeguarded by converting a vocal tract into a matrix of numbers that are stored under substantial security. (Turner v TELUS Communications, 2005 FC 1601,[2005] FCJ No 1981)
4. Disclosure of personal information, in itself, cannot be taken as evidence of inadequate safeguards.  In this case, a clerical error caused the applicant’s personal medical information to be mailed to an incorrect address and to an unauthorized advisor. (Townsend v Sun Life Financial 2012 FC 550, [2012] FCJ No 777)

III. Application by the OPC in Different Contexts

Whether an organization can be said to meet its safeguard obligations under PIPEDA will vary depending on the facts of each complaint and investigation. The following examples illustrate how the safeguard principle has been interpreted and applied by the OPC and some of its general findings derived from different contexts.

Policies, Practices, and Procedures

• Organizations must put in place security safeguards that are commensurate with the level of sensitivity of the personal information involved. 
  • PIPEDA Case Summary #2001-5 Security of a bank’s automated telephone service
  • PIPEDA Case Summary #2002-72 Telecommunications company improves its collection and disclosure practices
  • PIPEDA Case Summary #2003-177 Bank leaves computer logged on in public area; customer obtains sensitive personal account information without password
  • PIPEDA Case Summary #2003-180 Bank uses tape-recording of customer’s call for unidentified training purpose; connects another customer to the recording
  • PIPEDA Report of Findings #2012-009 Phone message left at client’s workplace disclosed personal information without consent
  • PIPEDA Report of Findings #2014-003 Insurance company overhauls its security safeguards following privacy breach
• Safeguarding policies and practices must be diligently and consistently followed in practice in order to be effective.
  • PIPEDA Report of Findings #2012-004 Weak authentication allowed imposter to hijack customer’s cell phone account
  • PIPEDA Case Summary #2003-190 Bank opens former employee’s mail
  • PIPEDA Case Summary #2005-289 Stolen laptop engages bank’s responsibility
  • PIPEDA Case Summary #2008-393 Laptop theft at bank and long delay before informing victims were both avoidable
  • PIPEDA Case Summary #2008-395 Commissioner initiates safeguards complaint against CIBC
  • PIPEDA Case Summary # 2013-015 Online dating service used former customer’s personal information without consent and failed to provide him access to his personal information
  • Settled case summary #2014-001 Passport information of client inadvertently distributed with travel agency’s promotional email
  • PIPEDA Report of Findings # 2012-004 Report of Findings Weak authentication allowed imposter to hijack customer’s cell phone account
• Organizations must develop and implement procedures for the secure disposal of personal information.
  • PIPEDA Case Summary #2002-72 Telecommunications company improves its collection and disclosure practices
  • PIPEDA Case Summary #2003-128 Airline accused of collecting too much information for US authorities
  • PIPEDA Case Summary #2006-356 Customer’s banking personal information found in a recycling bin
• One of the best safeguarding practices an organization can have is not to collect or retain more personal information than is necessary.
  • Report of an investigation into the security, collection and retention of personal information (2007) TJX Companies Inc/Winners Merchant International LP
• Organizations that inadvertently collect personal information must keep it secure until it can be properly – and legally - deleted.
  • PIPEDA Report of Findings #2011-001 Google Inc WiFi data collection
• Proper safeguarding of personal information includes diligent and accurate record-keeping practices that clearly document original authorizations and any irregular uses or disclosures.
  • PIPEDA Case Summary #2005-299 Thief cashes convenience cheque on cancelled credit card account
  • PIPEDA Case Summary #2007-378 Bank teller gives customer’s credit card account statements to wife
  • PIPEDA Case Summary #2007-380 Bank’s record-keeping practices considered inadequate safeguard
  • PIPEDA Case Summary #2007-381 Bank improves safeguards after individual’s personal information used fraudulently to open credit card account
• Organizations that collect personal information about customers must collect and store the information in a manner that does not permit customers to view or hear the personal information of other customers.
  • Settled Case Summary #29 Department store revises process for collecting personal tax exemption information
  • PIPEDA Case Summary #2005-304 Movie theatre chain strengthens personal information handling practices
  • PIPEDA Case Summary #2003-245: Bank alleged to have unnecessarily collected and improperly disclosed personal information

More Sensitive Information Requires Higher Level of Protection

• Payroll information is considered highly sensitive personal information in need of stronger protection and must be protected from all but a few authorized personnel in order to be adequately safeguarded.
  • PIPEDA Case Summary #2003-190 Bank opens former employee’s mail
  • PIPEDA Case Summary #2003-242 Individual objects to temporarily assigned workers hand payroll information
• Medical information, particularly information on specific diagnoses, is considered amongst the most sensitive forms of personal information and must be protected by strict safeguards.
  • PIPEDA Case Summary #2003-226 Company’s collection of medical information unnecessary; safeguards are inappropriate
  • PIPEDA Report of Findings #2013-003 Profiles on PositiveSingles.com dating website turn up on other affiliated dating websites
• Social Insurance Numbers are confidential personal information that must not be used for general identification; access to them must be limited to employees that need to know them for legitimate purposes.
  • PIPEDA Case Summary #2002-69 Employee objects to company’s use of social insurance number on forms
• Personal information about employee’s work performance requires special protection due to its very sensitive nature.
  • PIPEDA Case Summary #2003-228 A transportation company disclosed an employee’s personal information without consent
    
• Live video-streaming over the Internet of very young children is considered highly sensitive information that may require strong security measures such as enhanced contractual and technological safeguards.
  • PIPEDA Report of findings #2011-008 Daycare centre modified webcam monitory to increase privacy protection
• The level of sensitivity of biometric data will depend on the type of biometric data and the technology used; the strength of security safeguards adopted to protect biometric data must be modulated accordingly. 
  • PIPEDA Case Summary #2004-281 Organization uses biometrics for authentication purposes
  • PIPEDA Case Summary 2008-389 Law School Admission Council Investigation
  • PIPEDA Case Summary #2010-007 Test administrator revises measures aimed at preventing exam fraud
  • PIPEDA Case Summary #2011-012 GMAT test-taker objects to palm-vein scanning

Employee Training

• Organizations must communicate their safeguard procedures to their employees and provide employees with training to ensure the procedures are implemented correctly.
  • PIPEDA Report of Findings #2012-009 Phone message left at client’s workplace disclosed personal information without consent
  • PIPEDA Report of Findings #2011-001 Report of Findings  Google Inc. WiFi Data Collection
  • PIPEDA Case Summary #2002-54 Couple alleges improper disclosure of telephone records to a third party

Third Party Organizations

• Organizations that transfer their clients’ personal information to third parties must ensure that these third parties have proper safeguards in place for protecting personal information.
  • PIPEDA Case Summary #2007-377 Law firm’s shoddy privacy practices result in missing personal information; request for access denied
• Organizations that permit third parties access to their clients’ online profiles must use technological safeguards to ensure their information is adequately protected and being used only for its intended purposes.
  • PIPEDA Case Summary #2009-008 Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc Under the Personal Information Protection and Electronic Documents Act by Elizabeth Denham Assistant Privacy Commissioner of Canada
  • PIPEDA Report of Findings #2014-11 Investigation into the personal information handling practices of Ganz Inc.

Client Identification and Authorization

• Organizations must have safeguards in place and follow proper client-authentication procedures to guard against unauthorized third-party access to personal information.
  • PIPEDA Case Summary #2007-372 Disclosures to data brokers expose weaknesses in telecoms’ safeguards
  • PIPEDA Case Summary #2007-381 Bank improves safeguards after individual’s personal information used fraudulently to open credit card account
  • PIPEDA Case Summary #2005-292 Former employer changed account information of Air Canada frequent flyer member
  • PIPEDA Case Summary #2006-344 Couple’s safety deposit box opened in error
  • PIPEDA Report of Findings #2012-004 Weak authentication allowed imposter to hijack customer’s cell phone account
  • PIPEDA Report of Findings #2012-006 Failure to follow authentication procedures allowed imposter to modify client’s cellular phone contract without his knowledge or consent
• Organizations must be particularly vigilant when safeguarding personal information in situations involving family relationships, joint account holders, individuals living in the same household or having similar names.
  • PIPEDA Case Summary #2006-329 Wireless phone company improves safeguards for estranged spouses
  • Settled Case Summary #14 Disclosure of personal information to estranged spouse
  • PIPEDA Case Summary #2002-100 Woman accuses bank of telling her mother about her bank account
  • PIPEDA Case Summary #2002-108 Wife accuses bank of telling husband about her credit card
  • PIPEDA Case Summary #2003-150 Credit agency accused of improper disclosure of personal information
  • PIPEDA Case Summary #2003-254 Daughter racks up long-distance charges; mom blames phone company
  • PIPEDA Report of Findings #2011-007 Car company fails to correct errors in customer file or provide appropriate access
  • PIPEDA Case Summary #2007-378 Bank teller gives customer’s credit card account statements to wife
  • Early resolved case summary #3 Utility company errs in sending customer’s bill to his ex-spouse after computer system uses out-of-date information
  • Guidance on Managing Family Member/Household Accounts
• Requiring proof of identification can be a reasonable safeguard to protect the personal information of customers from unauthorized access, even if a customer objects to them.
  • PIPEDA Case Summary #2001-27 Man objects on principle to bank’s identification program
  • PIPEDA Case Summary #2006-324 Consumer complains about requirement to provide identification in order to obtain credit report

Mail, E-Mail, and Fax

• When mailing or faxing personal information, organizations must have safeguards in place to confirm that only the personal information of the client is delivered and the proper destination address or fax number is being used to avoid unauthorized disclosure of personal information to third parties.
  • PIPEDA Case Summary #2002-28 Bank sends customers’ pay stubs to wrong party
  • Incident Summary #2 CIBC’s privacy practices failed in cases of misdirected faxes
  • PIPEDA Case Summary #2006-332 Bank issues new guidelines and educates employees after customer information is faxed to the wrong individual
  • PIPEDA Case Summary #2006-335 Customer receives banking information of other clients
  • PIPEDA Case Summary #2006-337 Income tax preparation company mails personal information to wrong clients
  • Index Summary #3: Misdirected faxes
• When mailing personal information, organizations must ensure that no sensitive personal information is visible through the address window of the envelope.
  • PIPEDA Case Summary #2002-33 Bank offers $20 gift certificate as compensation for privacy violation
  • Settled case summary #9 Windows reveal too much information
  • PIPEDA Incident Summary #5 Life insurance company employs best practices in responding to mass mailing error that risked exposing personal information
• When mailing personal information, envelopes containing personal information that are sealed by a machine must be double checked to ensure they have been properly sealed before being mailed out.
  • PIPEDA Case Summary #2003-154 Couple dismayed at receiving unsealed envelope from bank
  • PIPEDA Case Summary #2003-197 Individual alleged bank sent personal information in unsealed envelopes
  • PIPEDA Case Summary #2013-013 Insufficient evidence of an actual disclosure of personal information may be grounds to discontinue an investigation
• An organization was found to have met its safeguarding obligations when it used first- class mail to deliver credit cards and personal identification numbers.
  • PIPEDA Case Summary #2002-43 Credit card fraud victim questions bank’s use of first-class mail as privacy safeguard
• When faxing personal information, organizations must ensure fax cover sheets do not contain sensitive personal information.
  • PIPEDA Case Summary #2005-317 Fax from debt collector contained debtor’s personal information
• When e-mailing multiple recipients, organizations must ensure that individual recipients’ e-mail addresses are not disclosed.
  • PIPEDA Case Summary #2004-277 Mass mailouts results in disclosure of contest entrants e-mail addresses
  • Incident Summary #4 Service provider inadvertently discloses email addresses of nearly 300 customers in mass email

Internet and Technology

• Organizations that re-sell electronic devices containing personal information must wipe the information of the previous owner before resale.
  • Settled Case Summary #1 (2004) Store implements changes following laptop lapse
  • Audit Report of Staples Business Depot
• Organizations that store personal information online must ensure that the information is adequately protected from unauthorized individuals through the use of passwords or encryption protection.
  • PIPEDA Case Summary #2009-017 Third-Party landlord organization collected, used and disclosed tenants’ personal information without their consent
• Organizations that use portable electronic devices to store personal information must ensure that the devices are properly secured at all times. Devices with personal information on them must be encrypted, password protected and backed up.
  • PIPEDA Case Summary #2008-393 Laptop theft at bank and long delay before   informing victims were both avoidable
• Organizations that use mobile data terminal technology to communicate with vehicles are adequately safeguarding personal information if the mobile data terminal screen is not easily visible to clients.
  • PIPEDA Case Summary #2009-011 Transit driver objects to use of technology (MDT and GPS) on company vehicle
• Organizations that transfer information containing sensitive personal information via the Internet must employ sufficient safeguards such as data encryption.
  • PIPEDA Report of Findings #2013-001 Investigation into the personal information handling practices of WhatsApp Inc
• Organizations must keep abreast of technological advances to ensure that their technological safeguards, including encryption standards, are up to date.
  • Report of Findings - Report of an investigation into the security, collection and retention of personal information (2007) TJX Companies Inc/Winners Merchant International LP

When Breaches do Occur

• The mere occurrence of a data breach does not automatically mean the organization failed to meet its safeguarding obligation; rather, compliance will turn on whether the security safeguards in place at the time of the incident were reasonable and appropriate in the circumstances.
  • PIPEDA Report of Findings #2014-004 Online service provider that suffered a breach had appropriate safeguards in place
• Where safeguards have proven inadequate, organizations must take immediate steps to enhance safeguards through updated employee training, new or revised protocols, and strengthened procedures.
  • PIPEDA Report of Findings #2014-003 Insurance company overhauls its security safeguards following privacy breach
  • PIPEDA Case Summary #2007-372 Disclosures to databrokers expose weaknesses in telecoms’ safeguards
  • Incident Summary #2 CIBC’s privacy practices failed in cases of misdirected faxes
  • PIPEDA Case Summary #2006-332 Bank issues new guidelines and educates employees after customer information is faxed to the wrong individual
  • PIPEDA Case Summary #2006-360 Bank erroneously emails employees’ personal information to client
  • PIPEDA Case Summary #2008-395 Commissioner initiates safeguards complaint against CIBC
• In cases of suspected theft or fraud, an organization should inform police as soon as possible
  • PIPEDA Case Summary #2008-395 Commissioner initiates safeguards complaint against CIBC
• Organizations that have breached their privacy obligations should inform affected individuals without delay.
  • PIPEDA Case Summary #2008-393 Laptop theft at bank and long delay before informing victims were both avoidable
  • PIPEDA Case Summary #2008-395 Commissioner initiates safeguards complaint against CIBC

Storage of Personal Information

• Documents containing personal information must be stored in an appropriate location to prevent unauthorized access.
  • PIPEDA Case Summary #2005-304 Movie theatre chain strengthens personal information handling practices
  • PIPEDA Case Summary #2007-376 Condo security company did not misuse security camera system, but improved personal information safeguards
• Personal information, such as fingerprints and drivers’ licence numbers, should be encrypted, stored in a locked cabinet and accessible only to a limited number of authorized personnel.
  • PIPEDA Case Summary #2002-107 Individual complains about appropriate personal information safeguards and disclosure
  • PIPEDA Case Summary #2003-185 Railway’s reasons for collecting personal information deemed appropriate; safeguards, adequate

Individual Accountability

• When delivering private information individuals have some responsibility to take appropriate precautions, such as using a properly labeled cover sheet.
  • PIPEDA Case Summary #2003-251 A question of responsibility
• Organizations are responsible for protecting personal information through safeguards such as passwords, but there is some onus on the individual to protect his or her personal information.
  • PIPEDA Case Summary #2005-315 Web-centred company’s safeguards and handling of access request and privacy complaint questioned
  • PIPEDA Case Summary #2009-008 Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc
  • PIPEDA Case Summary #2003-254 Daughter racks up long-distance charges; mom blames phone company