Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Report of Findings #2011-007
Report of Findings
Car company fails to correct errors in customer file or provide appropriate access
The complainant alleged that the respondent, a car manufacturer, failed to provide him with access to his personal information.
The complainant also alleged that the respondent held inaccurate information about him in its database. Although he leased only one car, the company’s records indicated he was the leaseholder of additional vehicles. As a result, the complainant believed that the inaccurate information was reported to a credit reporting bureau and that his credit score was affected by the car company’s numerous inquiries related to vehicles he does not lease.
Despite repeated requests by the complainant, the car company did not correct the erroneous information.
The complainant alleged that the respondent used inadequate safeguards to protect his personal information.
During the investigation, we learned that, due to a system error, the complainant’s account was automatically merged with the account of another individual on the database system. As a result of the inappropriately merged accounts, the car manufacturer clearly held and reported inaccurate information about the complainant.
As well, the company failed to release the information relating to the vehicles that were improperly entered into the complainant’s account and did not provide him with access to all of his personal information.
It also took an unreasonable length of time to rectify the error. The system errors led to inaccuracies in the complainant’s file for over two years.
In the preliminary report, we recommended the organization:
- provide the complainant with access to all the personal information to which he was entitled to at the time of his initial request;
- implement a procedure by which its customer databases are periodically verified;
- review its safeguard procedures with customer service representatives; and
- provide the complainant with a letter of apology.
The respondent implemented all of our recommendations and we concluded that the complaint was well-founded and resolved.
- An organization’s response to a request for access to personal information under the Act must be complete and must be sent within the timelines provided under the Act. Where an organization refuses access or withholds personal information, the organization must provide reasons for doing so.
- Organizations that maintain databases of customers’ personal information and accounts must ensure that the records are accurate, complete and up-to-date, particularly where customers have identical names, and should address any concerns raised about the accuracy of personal information in a timely and effective manner.
- Organizations should take additional precautions in authenticating customers where the ownership or accuracy of an account may be flagged as being in dispute.
Report of Findings
Complaint under the Personal Information Protection and Electronic Documents Act (the Act)
1. The complainant alleges that an international car manufacturer (the “car company”) did not provide him with access to all his personal information held by the company, following his access request of September 8, 2009. Specifically, he is concerned that the car company’s response of September 17, 2009, was not complete.
2. The complainant alleges that the car company’s database holds inaccurate information about him. He leases one vehicle from the car company. However, he complains that despite numerous attempts on his part to have the information corrected, the car company’s records wrongly indicate that he is the leaseholder of additional vehicles. He also alleges that this inaccurate information was reported to a credit reporting bureau (the “bureau”), and he believes that his credit score remains affected by numerous inquiries by the car company related to vehicles he does not lease.
3. The complainant alleges that the car company does not use adequate security safeguards to protect personal information as required under the Act. Specifically, he states that he has received the leasing, vehicle and account details of other individuals.
Summary of Investigation
4. In December 2007, the complainant leased one of the car company’s Model A Sedans from a local retailer, for a three-year term. He maintains that, shortly thereafter, he noticed an error in the mileage allotment affecting the “Excess Kilometres Charge” on the lease and contacted the retailer to have the matter addressed. The retailer’s solution to this error was to discharge the lease and issue a second lease with the correction. The new paperwork was in place by January 25, 2008, to the complainant’s satisfaction.
The complainant’s representations
5. In February 2008, the complainant received a telephone call from the car company regarding a lease-end survey. He informed the caller that his lease was not ending and that it was valid until December 2010.
6. The following month, the complainant received another telephone call from the car company regarding a lease-end survey. The complainant again informed the company that his lease was not ending, and he asked for a supervisor to call him. According to the complainant, no supervisor contacted him.
7. These two calls from the car company were followed by a third call requesting an appointment for a lease-end inspection of a Model B Hatchback. The complainant told the caller that he did not lease such a vehicle and requested that a supervisor contact him. He states that no supervisor did so. The following day, the complainant contacted the sales coordinator at the local retailer and asked her to look into the matter.
8. The complainant asserts that the car company’s telephone calls regarding his lease coming to an end raised his suspicions. In April 2008 he obtained a copy of his credit report from the bureau.
9. The investigator notes that the bureau’s report contained three “hard inquiries” by the car company on December 11, 2007, December 21, 2007, and March 11, 2008. The first two inquiries appear to be related to his original (closed) lease and the reissued lease for his Model A Sedan. The reason for the third inquiry was unclear. A business typically makes a hard inquiry when an individual applies for a credit card, loan or other service.
10. The bureau’s report also included four vehicle-liability entries placed by the car company’s financial services unit for lease accounts opened in February 2005, March 2007, and two in December 2007. The complainant identified the first entry as one for the Model B Hatchback, the second entry as one for a Model C Sedan and the last two were linked to the original and reissued leases for his Model A Sedan.
11. During April 2008, the complainant met with sales staff at the automobile retailer’s local office. The sales staff contacted the car company on behalf of the complainant, and they were assured that the matter would be looked into.
12. The complainant claims that, on April 30, 2008, the local retailer’s sales manager informed him that the problem arose from an error in the car company’s computer system, which was hosted in the United States. The sales manager added that this would take a couple of weeks to rectify. He explained that the car company would confirm to the complainant in writing that there was an error in his credit file and that he did not lease all of the vehicles listed therein.
13. Two weeks later, a customer service representative (CSR) from the car company told the complainant that there were two vehicles associated with his telephone number: the vehicle that the complainant was leasing and another that he was not leasing (the Model C Sedan). The complainant explained the situation to the CSR, and the CSR told him that e-mails had to be sent to the United States, where the database was managed. The complainant asked to speak to the CSR’s manager.
14. The CSR’s manager informed the complainant that e-mails had already been sent to the United States and that she was awaiting a response. She confirmed there was only one automobile associated with the complainant’s file. She also assured the complainant that a letter would be mailed to him as soon as she received confirmation that the database error had been addressed.
15. In a letter dated May 14, 2008, the car company confirmed to the complainant that it was working with the credit bureau to ensure that only his current leasing account was reported. The letter noted the model of vehicle he was leasing, and stated that any other active leases appearing on the complainant’s credit report were being reported in error and would be removed.
16. The complainant related that on May 28, 2008, he received another call from the car company about a lease-end inspection for a vehicle he does not lease. The complainant also noted at that time that his credit report had yet to be corrected.
17. In follow-up correspondence dated June 9, 2008, the car company apologized for reporting inaccurate account details to the credit bureau and assured him that the situation had been rectified. The car company acknowledged the time and effort the complainant had spent addressing the matter, and as a gesture of goodwill, gave him some product gift certificates. Based on the car company’s assurances, the complainant believed the matter to be resolved.
18. Just over fourteen months later, another one of the car company’s local retailers wrote to the complainant. The letter stated that the lease on his vehicle was scheduled to mature shortly. The complainant was invited to meet with the retailer to review his lease-end options. The letter contained no vehicle description.
19. In a further letter dated August 28, 2009, the car company asked the complainant to provide insurance details for the Model C Sedan. Confused, the complainant called the car company and was told that while there was no record of a Model C Sedan on his file; there was a Model D SUV “attached” to his file. Again, the complainant does not own or lease a Model D SUV.
20. According to the complainant, whenever he contacted the car company by telephone, each CSR would typically ask him which of his vehicles he was calling to discuss.
21. On September 8, 2009, the complainant made an access request to the car company for “all account information related to myself and held by the car company.”
22. The car company responded to the access request promptly, enclosing copies of “…all personal information we have related to both yourself and your lease….” According to the complainant, this package contained references only to the vehicle he actually leases – the Model A Sedan - and not the other vehicles that had been erroneously associated with his lease account. The complainant expressed his disappointment that the databases were not thoroughly searched. He requested a return call but did not receive one.
23. The complainant continued to encounter problems with the operation of his lease account. He received a “Lease End Statement” dated February 2, 2010 for the Model C Sedan. The statement indicated that he owed money to the car company. This was followed one month later, by a collection notice from the car company regarding the same vehicle. The notice named the complainant as the delinquent account holder and arrived in the mail unsealed.
24. On March 11, 2010, the complainant filed a complaint with this Office.
25. On May 5, 2010, the complainant stated that he was contacted by a customer service representative in the car company’s financing branch who was trying to collect on a payment for the Model C Sedan. From this conversation, the complainant was able to obtain a partial address, city and date of birth for another individual. He expressed concern that this information, coupled with the individual’s name, vehicle details and account number was a serious breach of that individual’s personal privacy.
The respondent’s representations
26. The car company confirmed that the complainant was the lessee of a Model A Sedan. The complainant was not the lessee of the Model B Hatchback or the Model C Sedan. The car company stated that there was account activity in the complainant’s file related to these leases. It explained that the lease of the Model C Sedan belongs to an individual who has the same name as the complainant. The car company confirmed that this other individual resides in a different city and has a different date of birth.
27. The car company provided a printout of account activity for the complainant’s current Model A Sedan lease account and the closed account (the result of the mileage error on the original lease). The documentation indicates that the car company first began looking into his complaint about the leases in 2008, when the local retailer contacted the car company on the complainant’s behalf. The retailer reported that the complainant was receiving telephone calls about a lease-end inspection of a Model B Hatchback. The entry also stated that the complainant’s account was tied to two other accounts that did not belong to him.
28. Notes left by some customer service representatives on the account activity for the complainant’s account indicates that the complainant was not to be informed of the details of other accounts, presumably for the other incorrect account holders with the same name.
29. The car company pointed out that the lease for the Model D SUV vehicle had not been merged with the complainant’s account. The inaccuracy arose only from the customers having the identical name and not from a system merge. Details of this vehicle were not placed on the complainant’s credit bureau file.
30. The complainant’s account activity report shows that 11 days after the car company started looking into the matter, an urgent note was sent to the data quality analyst in the United States to have the complainant’s account “unmerged” from another customer’s. According to the notation, the complainant had two accounts with the car company while “all of the remaining accounts” belonged to another person with the same name.
31. The account activity indicates that the car company advised the credit bureau of the error on May 28, 2008. In June, the credit bureau notified the car company that the erroneous accounts had been removed from the complainant’s credit report.
32. Later that same month, the car company contacted the complainant to report that the credit bureau had updated its information. The car company pointed out that a “system error” had caused other accounts to be brought up during an earlier telephone call between it and the complainant. The company added that the problem was still being looked into and that it would be resolved shortly.
33. Between June 25, 2008, and January 5, 2009, a series of “unmerge,” “address change” and “credit bureau reporting status” entries appear on the complainant’s account activity report. In February and March 2009 the file was flagged internally for collections.
34. In June 2009 there were address verifications and the activity report indicates that the complainant reported receiving a notice for the Model C Sedan which he did not lease. The car company then contacted its data quality analyst in the United States on June 15, 2009. The car company needed her assistance in locating eight accounts with an account holder in one province, whose former address was in another province, in order to find out to whom the notice should have been sent. These accounts had all previously been “unmerged” from the complainant’s accounts.
35. On September 9, 2009, the account activity reflects the complainant’s request for a lease-payoff quote. The activity report indicates that two such documents were generated, and the complainant provided this Office with copies of both. However, one was issued for an incorrect vehicle.
36. The car company provided the following details [abridged] about its database merge process and how incorrect merges are typically resolved:
[The car company’s] account merging process is both manual and automatic. When the [name and key identifying information] an individual are the same in two accounts, those accounts will automatically merge into a single account.
In cases where two accounts have the same name (and perhaps other similar data) but the remaining data is different, the accounts may be manually merged following a file review. Accounts may also be merged manually at the request of the individual account holders.
As a matter of practice, to ensure manual merges are completed with the correct data, [the car company’s] data quality analysts take steps to verify that the two accounts belong to the same individual. The merge process is monitored and examined by the [the car company’s] data quality analysts.
In rare circumstances, such as the system error involving the complainant, when an automatic merge of two accounts is done incorrectly, a new account is created for one of the account holders to correct the error. The relevant data is then manually placed into the new account.
37. In the case of the complainant, the car company informed us that “a highly atypical system error incorrectly led to an automatic merging of the complainant’s account with the account of another individual.” The car company added that it “cannot conclusively determine the specific cause of the system error involving the complainant....”
38. In its representations, the car company states:
“…[the car company] has reviewed its records in respect of the Complainant, as well as records of the individuals with the same name as the Complainant, and confirms that the errors in all such records have been rectified. In [the car company]’s experience, the circumstances that gave rise to the errors referenced in the complaint are highly atypical for [the car company], and stemmed from a combination of several [company] customers with identical names and a system error that resulted in the inadvertent merger of certain customer records. The car company confirms that the system error resulting in the merger of such records has since been addressed.”
39. We asked the car company about its security safeguards protecting individuals’ personal information. Its information-handling practices include extensive physical, organizational and technological measures. These include specific requirements for contractual controls for any transfer of personal information to any third party supplier or provider. Security measures are implemented appropriate to the sensitivity of the information in question.
40. The car company informed us that its Privacy Officer holds a senior management position within the organization and has overseen the development and implementation of a comprehensive set of privacy policies and procedures.
41. The car company’s information systems (IS) department is charged with ensuring the security of the car company’s electronic data holdings, including personal information. The IS department works closely with the car company’s Privacy Officer, who reviews all system-related information security plans throughout the organization’s network to ensure alignment between security and privacy practices.
42. While the complainant indicated that he had received vehicle-specific information from the car company related to other individuals, the car company confirmed that, to the best of its knowledge, the complainant’s personal information had not been disclosed to others. No evidence was provided to suggest otherwise.
43. The car company also confirmed that the accounts that had been merged with the complainant’s accounts related to only one individual who has the identical name. The complainant received vehicle-specific information only with respect to that individual.
44. The complainant believes that the car company’s reporting of additional accounts to the credit bureau has negatively affected his credit score. He claims that his current credit score with the credit bureau is much lower than his score with another credit bureau. However, the complainant could provide no evidence of his credit score before the car company’s reporting of multiple accounts was detected.
45. With the complainant’s consent, this Office discussed the matter with the credit bureau. The credit bureau advised that it is impossible to get a snapshot of the complainant’s score at a particular time in 2008 and compare it to a score today. Therefore it is impossible to determine whether the car company’s reporting activity affected the complainant’s score at the time.
47. The credit bureau confirmed that the car company was correctly reporting at the time of our discussion. The credit bureau pointed out that other credit bureaus use different calculations; therefore the credit scores from different agencies may not be similar. The credit bureau emphasized that any inaccurate reporting that occurred and was corrected two years ago would not negatively affect an individual’s score now.
48. In analyzing the facts, we applied Principles 4.9, 4.9.5, 4.6., 4.7 and 4.7.1 of Schedule 1 of the Act.
49. Principle 4.9 states that, upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
50. Principle 4.9.5 states that when an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
51. Principle 4.6 states that personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
52. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
53. Principle 4.7.1 adds that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Further, organizations shall protect personal information regardless of the format in which it is held.
September 7, 2011
54. On March 24, 2011, this Office issued a preliminary report of investigation, in which we noted that the car company’s actions were not in compliance with various provisions of the Act and we made recommendations to the car company, with a view of helping the organization meet its obligations. The car company responded to the recommendations.
55. The following is the original text [abridged] from the preliminary report of investigation.
56. The complainant expressed dissatisfaction that, in response to his access request, he received only the information related to the vehicle he currently leases. The car company did not release information related to the other vehicles about which he was contacted. He wanted the information in order to ascertain why the car company was associating his account with other vehicles. However, the Act entitles the complainant to access only his own personal information, not that of others.
57. The car company acknowledged that the complainant did not lease a Model C Sedan, Model B Hatchback or a Model D SUV. The first two vehicles should have been attributed to the accounts of another individual with the same name through the correction of the account merger error. The third vehicle appears to have been the result of a simple customer mix-up by the car company, although the reason why this happened has not been made clear to us. Notwithstanding the above, the leasing contracts and information for all of these vehicles is the personal information of third parties. It is not surprising, then, that the package the car company sent to the complainant did not clarify the matter for him.
58. This Office noted, however, that the complainant was not given access to all of his personal information. For example, he did not receive access to his personal information contained in the account activity reports, even in a redacted form. Neither did he receive access to the credit bureau form used by the car company to rectify the incorrect reporting to the credit bureau. This form and most of the activity reports, all generated by the car company, were dated well before the complainant’s access request of September 8, 2009.
59. The car company’s covering letter responding to the access request did not advise the complainant of any personal information being withheld from him under the Act nor its reasons for withholding any such information. As a result, the car company failed to comply with Principle 4.9.
60. This Office’s investigation revealed that the car company’s customer database had merged the complainant’s account with two other accounts belonging to an individual with the same name, which were subsequently reported to the credit bureau as being the complainant’s. From February 2008 until March 2010, the complainant attempted to resolve the matter. The merged information persisted on the car company’s customer database until this Office became involved. During the period when the complainant’s personal information was merged with other accounts, he received communications from the car company containing the vehicle-leasing information of another individual with the same name.
61. The car company advised us that the complainant’s account underwent an incorrect automatic account merge. In order for such a merge to occur, several identifiers should have been the same across different accounts. However, we noted that, in this case, only the individuals’ names were the same. The car company explained its lack of adherence to procedure as an “atypical system error.”
62. The length of time taken to rectify the problem of the merged accounts represents a contravention of Principle 4.9.5 of Schedule 1 of the Act. As once becoming aware of the inaccuracy of the complainant’s personal information, the respondent did not “amend the information as required” in a timely or an effective manner.
63. In our view, it is clear that the car company held and reported inaccurate information about the complainant. Despite its assurances to the complainant in June 2008 that it would correct the errors, it was not until two years later when he filed a complaint with this Office that the matter was addressed and, according to the car company, rectified. In light of these facts, the car company did not meet the requirements of Principle 4.6.
64. While we acknowledge the complainant’s concern about his credit score, there is no way of ascertaining whether his present score has suffered as a direct result of the car company’s inaccurate reporting in 2008.
65. The respondent provided this Office with a copy of its procedures for protecting personal information which included a section on its use of appropriate physical, organizational and technological safeguards to protect its customers’ personal information. Upon initial review by our Office, the procedures appeared to be adequate.
66. However, the car company identified an “atypical” system error that merged the complainant’s lease account with the accounts of another individual with the same name. It was unable to adequately account for the merger and remained confused as to why it had happened. In addition, this error does not explain why the complainant was later told there was a Model D SUV attached to his account if this vehicle was leased by yet another individual with the same name.
67. What is evident is that these errors led to inaccuracies in the complainant’s file that persisted for over two years. While our investigation did not reveal any unauthorized disclosure of the complainant’s personal information to a third party, the problems persisted and led to the complainant repeatedly receiving personal information belonging to another individual, without that individual’s knowledge or consent.
68. Indeed, as recently as May 2010, it appears that a customer service representative of the company’s financing branch informed the complainant that money was owed on the lease pertaining to the Model C Sedan. The complainant was also able to obtain a partial address, city and date of birth for the other individual.
69. The car company appears to have eventually addressed the system merger error that led to the problem experienced by the complainant. It is not clear what steps the company will be able to take to prevent future occurrences of the unauthorized disclosure of customers’ personal information to other customers with identical names.
70. The above incidents point to the fact that the car company’s procedures for the safeguarding of its customers’ personal information were breached and that merging accounts, even if erroneous, can also lead to client authentication problems for its customer service representatives.
71. In addition to the above, we also made the following wider comments in the preliminary report of investigation, regarding the importance of maintaining accurate customer records.
Maintenance of customer database by a parent company based outside Canada
72. We would be remiss if we did not mention the additional ramifications of maintaining inaccurate records, particularly with regard to personal information transferred from a company in one country, to its parent company based in another country.
73. The car company practice of maintaining its customer database on servers in the United States effectively places the accuracy of its Canadian customers’ personal information within the hands of its parent company and the said information, whether accurate or inaccurate, within the reach of American authorities.
74. This makes it all the more imperative for the car company to conduct regular due diligence on the accuracy of its database, and to work with its colleagues in the U.S. to ensure that the correct information is attributed to the correct customer. When information is identified as incorrect, the inaccuracies should be addressed and reported to the U.S. operation as soon as possible. Failure to do so in a timely and effective manner has implications for its customers, for instance if inaccurate information is used by the company to make decisions about a customer, or if the customer’s information is disclosed for any reason to any lawful Canadian or U.S. authorities.
Recommendations from the Report of Investigation
75. In the Report of Investigation, we recommended that the car company:
- Provide the complainant with access to all the personal information to which he was entitled at the time of his initial access request of September 8, 2009. If access is not provided, the car company must set out the specific reasons and provisions within the Act for withholding access;
- Implement a procedure by which its customer databases are periodically verified to ensure the accuracy of account merges, particularly those of customers having identical names;
- Review its safeguard procedures to remind customer service representatives of the need to take additional precautions in authenticating customers, where the ownership or accuracy of an account may be flagged as indispute, and;
- Provide the complainant with a letter of apology. This letter should explain how the inaccuracies occurred and outline the steps taken to correct them. It should also verify that although inaccuracies were reported to the credit bureau, the car company advised the credit bureau of the inaccurate reporting and the credit bureau subsequently made the necessary corrections. The letter should also confirm that the complainant’s own leasing details were not divulged to other individuals.
The car company’s responses to the recommendations
76. On April 21, 2011, the car company responded to all of our recommendations.
77. With regard to recommendation a), the car company agreed to provide the complainant with a copy of all of the personal information held by the company, to which he is entitled, within 15 days of the date of their letter. The personal information provided will include the personal information contained in its account activity reports and the credit bureau form (referred to in paragraph 58 of this Report).
78. In response to recommendation b), the car company stated that it currently has a procedure in place designed to ensure the accuracy of account merges which it disclosed to this Office in August 2010. Notwithstanding the existing procedure, the car company confirmed that it had already commenced a thorough review of the procedure, including the verification process referenced in the report of investigation, and would enhance the current procedures as required. The car company anticipated that the review would be complete by late June 2011, with recommended enhancements and procedural revisions implemented by late October 2011.
79. The car company explained that its review of its current account merge procedures and process will include a review of associated safeguarding procedures. Revisions to the operating procedures will include appropriate training of the personnel responsible for administering the car company’s customer database. The car company committed to comply with recommendation c) through the revision of its safeguarding procedures and the associated training, within 180 days of their April 21, 2011 letter.
80. Finally, the car company agreed to issue the complainant a letter of apology in compliance with our recommendation d), at the same time that access is provided to the complainant of his personal information held by the company agreed to in recommendation a).
The car company’s compliance with the recommendations
81. On May 16, 2011, the car company’s external legal representative confirmed that his law firm provided the complainant with a copy of additional personal information held by the respondent, and an apology letter, as required by the recommendations in paragraphs 75 (a) and (d) above.
82. However, it transpires that in sending the complainant a copy of the additional personal information held by their client, the law firm failed to redact the personal information of another individual with the same name as the complainant, from a form originating from a credit-reporting bureau.
83. The car company’s external legal representative notified this Office, as soon as the omission was discovered. The legal representative confirmed that it prepared the package of materials (over 35 pages) on behalf of its client, but failed to note and redact two account numbers and a social insurance number from the form, as it made a mistaken assumption that the information belonged to the complainant.
84. The legal representative confirmed that he contacted the complainant to explain what happened and requested the return of the form. This was received in due course and a new redacted copy of the form was sent to the complainant. The legal representative also confirmed that he notified the affected individual to explain the incident, make an apology and confirm the return of the form from the complainant.
85. In this instance, the legal firm was clearly acting for the respondent. The legal firm itself acknowledged: “As part of our standard protocol when we assist clients in the preparation of responses to access requests, we reviewed this package with a view of, among other things, (i) ensuring that the documentation was complete and responsive to the request and (ii) removing and/or redacting any personal information of third party individuals.”
86. We note the legal firm’s insistence that it accepts full responsibility for the inadvertent disclosure of the other individual’s account numbers and social insurance number to the complainant. This was an unfortunate event, taking into account the previous problems encountered by the complainant over the issue of mistaken identities.
87. Notwithstanding the above, we would like to draw the car company’s attention to Principle 4.1.3 of Schedule 1 of the Act,which holds that an organization is responsible for the personal information in its possession or custody, including personal information which has been transferred to a third party for processing.
88. The law firm, acting on behalf of the car company, appears to have taken prompt and appropriate steps to address the incident. We note the legal firm’s affirmation that this was an isolated incident and that it has adopted measures to ensure that future responses to access requests are verified by two lawyers, before they are issued.
89. Going forward, we would encourage the car company to – in its efforts to comply with our recommendations - review its own procedures for the outsourcing of access requests and identify whether enhancements are required to ensure similar incidents do not occur in the future.
90. On a final note, we would ask the car company to notify this Office when it has complied with its commitments to implement recommendations b) and c).
91. Accordingly, the access, accuracy and safeguards complaints are deemed well-founded and resolved.
Postscript to Report of Findings
On October 19, 2011, the car company confirmed that it had complied with recommendations b) and c) outlined in paragraphs 78 and 79 of our Report of Findings:
With respect to the undertaking in recommendation b), the car company stated that it had completed a review of its merge verification process and additional controls had been introduced.
With respect to the undertaking in recommendation c) a complete reviewof its account merge process and safeguards had been conducted. Additional controls in the form of a revised authentication procedure with additional safeguards for merged accounts, was reviewed with its customer service representatives and implemented.
Broader privacy training for customer service representatives and other personnel was also scheduled for November 2011.