Annual Report to Parliament 2002-2003


Part Two - Report on the Personal Information Protection and Electronic Documents Act

Introduction

The Personal Information Protection and Electronic Documents (PIPED) Act sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.

Since the Act took effect on January 1, 2001 it has applied mainly to the commercial activities of what are known as federal works, undertakings or businesses, such as transportation and telecommunications companies, banks and broadcasters. It also applies to the personal information of employees in those companies, and it applies to personal information that is sold, leased, or bartered across provincial or national boundaries by provincially-regulated organizations. As of January 1, 2002, the personal health information collected, used or disclosed by these organizations is also covered. On January 1, 2004, the PIPED Act will cover the collection, use or disclosure of personal information in the course of all commercial activities in Canada, except in provinces which have enacted legislation that is deemed to be substantially similar to the federal law.

The second full year under the PIPED Act proved to be an interesting and challenging one for our Office on several fronts. We began to accept and investigate complaints that concern the personal health information of individuals. We also made further inroads into a myriad of issues, including consent and marketing, credit scoring, the recording of telephone calls and security clearances.

We also undertook a number of communications activities to raise awareness of privacy issues and federal privacy laws. From April 1, 2002 to March 31, 2003 the former Commissioner and senior staff delivered 49 speeches at conferences and special events; we issued more than 25 news releases and media advisories on key privacy issues; we responded to hundreds of media requests for information and interviews; we disseminated more than 23,000 of our publications to members of the public, businesses and other organizations across the country; and we received an ever-increasing number of hits to the Web site, averaging approximately 50,000 hits per month.

The PIPED Act requires the Commissioner to submit an Annual Report to Parliament on the activities of the Office in the previous year. The current Report covers the period from January 1, 2002 to December 31, 2002 for the PIPED Act.

Investigations and Inquiries

During the 2002 calendar year, the Office received 300 complaints under the PIPED Act from individuals alleging that their privacy rights had been violated by a wide range of different organizations. Approximately 37% of the cases dealt with practices in the banking sector, followed by 19% with the telecommunications and broadcasting sector, 15% with transportation companies, and 13% with the nuclear sector. The remaining complaints, 16%, were filed against a variety of other types of organizations, including Internet service providers, credit bureaus and aboriginal band councils.

The former Commissioner issued findings for 162 complaints under the PIPED Act in 2002 and they were concluded as follows:

Not well-founded 61
Well-founded 45
Resolved 41
Discontinued 15

In addition to this, the Office also conducted five incident investigations. Incidents are matters that the Commissioner becomes aware of from various sources, including the media. Usually a victim is not identified and a complaint has not been filed with the Office.

What follows in this Report is a sampling of some of the year's more notable cases. More detailed summaries of all findings under the PIPED Act are available on our Web site, at www.priv.gc.ca. These findings are posted in order to provide guidance to organizations and the legal community on the application of the Act.

Definitions of Findings under the PIPED Act

Not well-founded: This means that there is no evidence to lead the Privacy Commissioner to conclude that the organization violated the Personal Information Protection and Electronic Documents (PIPED) Act.

Well-founded: This means that the investigation revealed that the organization failed to respect a provision of the Personal Information Protection and Electronic Documents (PIPED) Act.

Resolved: This means that the organization has taken corrective action to remedy the situation, or that the complainant is satisfied with the results of the inquiries made by the Office of the Privacy Commissioner of Canada.

Discontinued: This category applies to investigations that are terminated before all the allegations have been fully investigated. A case may be discontinued for any number of reasons, such as the complainant no longer being interested in pursuing the matter.

Summary of select cases under the PIPED Act

A case of mistaken identity

A complainant who wrote to the Office said she was notified by a friend that a notice in the newspaper indicated that the police were looking for her. To her horror, the complainant found herself looking at her own image in a photograph accompanying the Crime Stoppers "Crime of the Week" article. The article described a recent theft of two cheques from an elderly woman and identified the depicted person as a suspect in the crime. The image had been captured from a video surveillance camera at a bank. The camera had been pointed at the teller's wicket where the thief had cashed the stolen cheques.

As it turned out, the complainant had indeed visited the same bank and the same teller's wicket on the day in question, but not to cash a cheque. She had gone there simply to pay a bill. It was clear that she was not the actual perpetrator of the crime.

It was the same bank, the same wicket, the same day, but not, as our investigator learned, the same time.

On the day in question, the clock on the bank's journal roll (its computerized record of transactions) had been 12 minutes slower than the clock on the video camera. When the bank's security staff later forwarded the videotape to the time of the cheque-cashing as indicated by the journal roll, the image that appeared was not that of the actual cheque-casher. Rather, it was the image of the woman who had preceded the cheque-casher at the teller's wicket by some 12 minutes - the complainant.

Thus, the photographs that the bank subsequently gave to the local police, and the police in turn to the Crime Stoppers organization, depicted the wrong person.

A week after the original "Crime of the Week" article, Crime Stoppers ran a retraction in the same local newspaper. On the same day, the newspaper itself ran a front-page story, clarifying that the complainant had been a victim of mistaken identity. The complainant also received formal apologies from the bank, the police, and Crime Stoppers. The two latter organizations further admitted that they had both failed to follow normal verification procedures, and both have since collaborated in instituting measures to prevent similar occurrences. The bank also instituted procedural changes to verify the time on surveillance tapes and journal rolls.

However, the complainant was not entirely satisfied. After her initial shock and distress, she became even more concerned about the effect the incident was having on her reputation when she learned that many people had indeed recognized her image from the article. This was of particular concern because her work depended upon her ability to visit clients' homes and offices. She was also concerned that her image may have appeared in other Crime Stoppers notices. Our Office was able to reassure the complainant that her photograph had been used in only the one newspaper article.

As to the disposition of her formal complaint to the former Commissioner, we considered the matter in relation to the bank's obligations under the PIPED Act to ensure the accuracy of personal information.

We determined that the personal information at issue - the photograph of the complainant - had been wholly inaccurate in a situation where accuracy had been crucial to the purpose of solving a crime. On that account alone, the bank should have made sure that the information it disclosed was as accurate as possible. It had not done so, and therefore was in clear contravention of Principle 4.6 of the Act. In the letter of findings to the complainant, the former Commissioner wrote:

"...an organization must take due account of the potential adverse consequences of inaccurate information for the individual. I have determined that your personal information inaccurately disclosed by [the bank] was used to make a decision about you - specifically, an erroneous decision to the effect you were to be sought as a prime suspect in a crime. This was a decision, moreover, that caused you substantial notoriety, embarrassment, and worry about your reputation and your livelihood. Being well aware that the police would likely use your personal information to make a decision about your status as a suspect, the [bank] should have taken due care to ensure that the information was accurate so as to minimize the possibility of a wrong decision with adverse consequences for you."

The former Commissioner determined that this complaint was well-founded.

U.S. security measures affect Canadian pilots

The aftermath of September 11, 2001 continues to be felt by average Canadians. One individual directly affected by new security measures, a commercial airline pilot, was confronted with a difficult choice: forfeit his privacy rights or risk losing his job. In the past, when he needed to take aircraft training required to keep his licence, his employer simply sent him to a flight school in Florida. This changed after the September 11 terrorist attacks. American flight schools were now obliged to have their foreign students - including Canadian commercial airline pilots - sign an authorization form. The form would allow the U.S. government to collect and disclose personal information about the students. However, it did not adequately explain the purposes for, nor did it appear to set any limits on, this collection and disclosure.

When his employer asked him to sign the form, the pilot was incensed. After all, he had already undergone an extensive background check by the Government of Canada. He disliked the prospect of a foreign government sifting through his background - especially when it was not clear what information would be collected and to whom it would be disclosed.

No one seemed comfortable with the form - the Canadian Government, the airline, the union - but there was no immediate solution on the horizon. The federal Government had asked the United States to accept Canadian background checks on commercial pilots. But at the time of the complaint, the United States had not yet made a decision.

The airline was troubled by the wording of the form, but was in a difficult situation. By law, its pilots require the training. The nearest alternative was a flight school in Europe - a more costly prospect than sending its pilots to Florida. Furthermore, since the pilot and co-pilot must train together, the airline would be in an awkward position if one pilot was willing to sign the form and the other was not.

The pilot's union protested the requirement to sign the form. It negotiated an agreement with the airline which stated, among other things, that the decision to sign the form was voluntary, and that the company would provide alternative training for dissenting pilots.

The pilot decided not to sign the form. Although his employer obtained a temporary extension of his licence until a resolution could be found, it did not make alternative training arrangements for him. Unless the U.S. government agreed to Canada's request, or the former Privacy Commissioner made his findings, the airline was not going to change its decision. The pilot's extension eventually ran out.

We were highly critical of the authorization form. It was entirely objectionable on many fronts and we concluded that the practices it authorized completely failed to meet the fair information principles that are the cornerstone of Canada's privacy legislation.

In making these determinations, we relied on the "reasonable person test" outlined in section 5(3) of the PIPED Act to assess the airline's purposes. We acknowledged that, on the surface, the airline's reasons for making its pilots sign this form appeared reasonable. Below the surface, however, the purposes ceased to be acceptable. We thought very little of the airline putting cost and convenience ahead of the pilot's right to refuse consent to collection and disclosure practices that were clearly in contravention of Canadian law. It was noted that the airline had options but that it had chosen not to exercise them.

In finding that the airline's purposes did not meet the expectations of section 5(3), in the letter of findings, the former Commissioner commented on this timely example of the difficulty of balancing national security requirements with the fundamental right of privacy:

"I agree that the circumstances that many countries, most particularly the United States, currently find themselves in warrant some security measures. Of course it is reasonable to demand that pilots receive security clearance in order to fly, and that is why Canada has in place security measures that Canadian commercial pilots must undergo... But would a reasonable person consider it appropriate to require these same pilots to then consent to unacceptable collection and disclosure practices at the request of a foreign government? I think not. Indeed, I suspect most reasonable Canadians would find this encroachment on Canadian rights to be highly objectionable. Furthermore, most Canadians would likely expect employers to provide reasonable options for employees and would demand that their government raise an alarm bell with the United States."

After receiving the letter of findings, the airline agreed with the former Commissioner's recommendation and arranged to provide training at an alternative location for the pilot and others who refuse to sign the form.

Bank's disclosure to individual's employer inappropriate

An individual went to his bank on personal business - to dispute a charge for cheques. He was not satisfied with the response he was given and a scene ensued.

The branch manager came onto the scene and decided his staff should not have to deal any further with the customer. The firm that employed the customer happened to do a lot of important business with the bank. Before terminating the bank's relationship with the customer, the branch manager thought he should discuss the matter with the customer's employer.

The complainant was astounded when his employer confronted him about what had occurred at the bank earlier that morning.

One of our first tasks was to determine what exactly had been disclosed in the telephone conversation between the bank manager and the employer. In the absence of any evidence that they had discussed the complainant's financial affairs, it appeared that the actual disclosures about him had been limited to three simple facts: (1) that he had an account with the branch; (2) that his account was to be terminated; and (3) that there had been a scene with the teller.

In the bank's view, none of this should have been considered the complainant's personal information. The bank pointed out that the scene itself had been acted out in a public place, and in a small community, where a person does his banking is hardly a matter of secrecy. The bank took the position that the disclosures in question fell into the category of "normal public discourse," comparable to "small-town gossip." The bank even suggested that it had a right to make such disclosures for the sake of extending "business courtesy" and protecting its own business interests. Citing section 5(3) and Principle 4.3.5, the so-called "reasonableness" provisions of the PIPED Act, the bank also suggested that the complainant had not had a reasonable expectation of privacy, and that reasonable people would have considered the disclosures appropriate in the circumstances.

Although we were not unsympathetic to the bank and were willing to concede the reasonableness of the bank's position up to a point, the former Commissioner had to draw the line somewhere. In the letter of findings to the complainant, the former Commissioner commented as follows:

"In my view, ...the reasonableness of the situation ends exactly at the point where the [bank] manager, in the full knowledge that you had been acting on your own behalf at his branch that morning, nevertheless picked up the telephone at his office during business hours to inform your employer. This was not casual or inadvertent disclosure. This was not small-town gossip. This was a deliberate act of disclosure of personal information to a third party by a person who was acting in an official capacity and who had no right to make such disclosure. Moreover, the Act puts the rights of individuals above such notions as 'business courtesy' and makes no distinction as to the size of one's community. Would any reasonable person anywhere expect his bank manager to disclose information about his personal banking affairs to his employer? The answer to this question is obviously no."

Credit score fraud

In the course of investigating complaints about credit reporting and scoring, we learned a great deal about the workings of the credit-granting industry at large.

In two particular cases, individuals had made formal requests under the PIPED Act for access to certain personal information on file with their banks. Specifically, each requester had wanted to know his credit score. The banks in question had refused access, each invoking the exemption provided in section 9(3)(b) of the Act. This provision says in effect that an organization does not have to give access to personal information if doing so "would reveal confidential commercial information."

The requesters, believing to the contrary that credit scores were personal information to which they were fully entitled to have access, filed complaints with the Office. Our main task in each case was to decide whether the exemption cited by the bank was valid.

A credit score is a numerical indication of credit-worthiness, generated by means of an algorithmic model. For most people familiar with the notion, the term "credit score" mainly conjures up the vision of credit-reporting agencies. These agencies are in the business of providing banks and other credit-granting institutions with background credit information, sometimes including credit scores, on prospective clients. In considering an application for credit, a credit-granting institution will often obtain the applicant's credit history from a credit-reporting agency. In some cases, the institution will also request a credit score for the applicant. Credit-reporting agencies do not themselves generate credit scores, but rather provide scores that another company generates from the agency's information.

Up to a point, the complainants had good grounds for their position. In prior cases, we had already considered the matter of access to personal credit information, at least as far as credit reporting agencies were concerned. We had already concluded that credit scores are personal information according to the definition in the Act, and that individuals do in principle have a right of access to them. We had determined that credit-reporting agencies in particular are required to comply with Principle 4.9 of the Act by giving individuals access on request to personal information in their credit files. We had further determined that banks, if they have obtained an individual's credit information from a credit-reporting agency, must likewise give the individual access on request to the information, including any credit score provided by the agency.

But the more recent cases were not nearly as straightforward. The special problem they presented was that the credit scores sought by the complainants were not the usual agency-provided credit scores. They were in fact scores that the banks themselves had generated and assigned internally.

It is perhaps less widely known that banks, too, have credit scores, distinct from those provided by credit-reporting agencies. Banks generate their own internal credit scores by means of their own internal credit-scoring models, very different from those associated with agencies. Whereas agency scores are generated by means of standardized models based almost exclusively on credit information, a bank develops its own customized models, unique to the bank and incorporating not only credit information on the individual, but also many other elements pertaining to the bank's own strategic business priorities. Because banks regard and treat their internal credit-scoring models as proprietary confidential commercial information, such models are much more problematic in terms of the Act.

By citing section 9(3)(b), the banks in question were not suggesting that an internally generated credit score was itself confidential commercial information. Rather, they were saying that the model used to generate such a score was confidential commercial information. And they were saying in effect that internal credit scores, if made available to individuals, would reveal the model by which the scores had been generated.

We accepted the banks' arguments that an internal credit-scoring model constituted confidential commercial information. But we were far less persuaded of the more crucial proposition - that releasing the credit scores would somehow reveal the credit-scoring model itself. How could merely letting a person know his credit score possibly lead to his knowing the inner workings of such a complicated, technical and algorithmic apparatus as a credit-scoring model?

As it turned out, it was not the average customer that the banks feared. It was fraudsters intent on "cracking" a bank's internal credit-scoring model for nefarious purposes. According to the banks, fraudsters could employ devious means to acquire a number of credit scores and then would extrapolate the model from the scores. Either the fraudsters would be working for the banks' credit competitors, trying to gain competitive advantage. Or they would be operating on their own behalf, trying to procure credit for themselves on false pretenses.

In their submissions to the Office, the banks presented an independent forensic analysis of the risk of fraud contingent upon the availability of credit scores. This analysis concluded that, if credit scores were readily available, the integrity of a bank's internal credit-scoring model could be compromised on the basis of a relatively small number of credit scores generated by the model.

The fraud scenarios outlined by the banks struck us as farfetched. To be fair, however, we sought the advice of an expert in the field of algorithms. This expert confirmed that access to customized credit scores would definitely make it easier to approximate a bank's internal credit-scoring model.

We were still doubtful. In particular, we were mindful that section 9(3)(b), by using the phrase "would reveal" rather than "could reveal", set a very high standard for the withholding of personal information. On the word of the algorithm expert, we were willing to concede that a model could be approximated from knowledge of a certain number of scores, but we remained unpersuaded that it would ever happen. The banks' submissions had failed to convince us that fraudsters would actually go the lengths described to deceive a bank. We found it particularly difficult to accept the apprehension, evidently shared by all banks, that even one's competitors in the credit-granting community would as a matter of course resort to such tactics in order to "crack" one another's models for the sake of competitive advantage.

Nevertheless, the fact remained that two banks had strongly expressed what we took to be genuine belief and fear that their internal credit-scoring models would inevitably be revealed and fraudulently manipulated if individuals were given access to credit scores. However unlikely it seemed to us, it was undeniably a prospect that the banks took very seriously. Moreover, it was a prospect that we were unable to wholly refute.

In the end, the former Commissioner decided to give the banks the benefit of the doubt. He did so primarily out of consideration for his responsibility to achieve a balance between the privacy rights of individuals and the legitimate informational interests of organizations. Seeing little informative value in a credit score on its own and no significant harm ensuing to Canadians' privacy rights from the inability to obtain internal credit scores, we thought it only fair in the circumstances to accept the banks' position.

The former Commissioner found that the banks had appropriately cited section 9(3)(b) to refuse the complainants access to their internal credit scores.

Customers beware: Your conversation may be recorded

The practice of taping customer telephone calls - common among many organizations - was the subject of two complaints. These cases illustrate two very different approaches taken by organizations to inform customers of the practice and obtain their consent. In both cases, as in those involving secondary marketing, reasonable expectations played a role in the former Commissioner's findings.

In the first case, an individual called his bank in the intended role of guarantor of his daughter's loan application. At the end of the conversation, he learned that his call had been tape-recorded. He had not been informed, either by the customer service representative or via a recorded message, that his call would be taped. Nor was he asked, upon learning that the call had been recorded, if he agreed.

The bank had an interesting take on the issue of consent in this case. In its view, only one party had to consent to calls being recorded. It therefore required its customer service agents to sign a consent form for the taping of these calls.

The bank's purpose for recording the call was that it needed confirmation of the customer's records and evidence that the customer had consented to the product or service. In its view, the taped call is the equivalent of a signed form and is used for record-keeping purposes.

We agree that information exchanged during the conversation should be recorded in some way. However, the reasonable expectations of the customer should also be considered, and most individuals would want to know beforehand that their call is going to or may be taped. In this case, the bank clearly did not meet those expectations and did not have the father's consent to record his call, thus contravening the consent principle of the PIPED Act.

In the other complaint, an individual also alleged that his bank had recorded his telephone conversations without his knowledge and consent. This individual had taken the bank to court over liability for certain withdrawals made on his bankcard. During this process, the bank introduced a tape-recording of a telephone conversation between him and a bank employee.

The bank argued that it had this individual's consent to tape his calls. It referred to an agreement, signed by him when he opened his account, that acknowledged the bank's practice of recording telephone calls. There were also the privacy brochures given to him - five in all - which specified the bank's purposes for collecting personal information. The complainant, however, did not read any of this information.

Then, there was a conversation between a bank employee and the complainant (also taped), in which the employee explained the bank's practice of recording conversations. To the complainant, "recording" did not necessarily mean electronic recording, and so he stood by his original complaint.

The former Commissioner determined that the bank had made a reasonable effort to inform the complainant of its practice and purpose and that it had his consent to record his calls by way of the agreement form that he had signed. We then found that the bank had complied with the relevant provisions of the Act.

Clearly, organizations such as this one, which have made the effort to inform customers and to obtain their consent, have the reasonable expectation that customers will read what is put in front of them.

Nevertheless, the bank in the second case was keen on improving its practices regarding the taping of telephone calls. In response, the Office developed a "best practices" guideline for recording customer telephone calls. Essentially, the guideline states that the taping of telephone calls involves the collection of personal information - a practice that should meet fair information principles. In other words, conversations should not be taped unless it is for a purpose that a reasonable person would consider appropriate in the circumstances. The customer must be informed of the purpose for taping the call and must consent, except in certain limited cases where consent is not required, before the taping begins. The customer should also be offered an alternative, such as not taping the call, visiting a retail outlet, writing a letter, or conducting the transaction over the Internet.

A tape recording captures more than just the specifics needed for the purpose of the call. It records comments, accents and attitudes - information that may not be relevant to the material required. For these reasons, it is important for organizations to be open with customers - to advise them that they record, explain why they record, and offer them options if they do not want to be recorded.

In both complaints, we provided the banks with our "best practices" guideline and both organizations undertook improvements to their recording practices. In the first case, the bank now notifies customers at the beginning of a call that the conversation is being taped and provides them with alternative means of communicating their information should they not wish to proceed with the call. In the second case, the bank introduced a recorded message to inform all callers that conversations would be tape-recorded.

ISP holds e-mails "hostage"

A customer had complained when she learned that her Internet service provider (ISP) was continuing to receive and store her incoming e-mails while her account was suspended. This is in fact standard industry practice. Many ISPs use continued receipt and storage of e-mails as leverage in collecting on overdue payments.

In this case, the former Commissioner determined that the ISP had not properly informed the complainant of purposes related to the use of her personal information during an account suspension and had thus used her personal information without her informed consent for purposes other than those for which the information had been collected. On this basis, we concluded that the complaint was well-founded.

But this case left the Office highly concerned about the practice at issue, which we knew to be widespread in the industry. In the letters of findings, the former Commissioner commented as follows:

"...As Privacy Commissioner, I am concerned about the implications of storing and withholding potentially important messages without informing the intended recipient of their existence or the sender of their non-delivery. As an occasional sender of e-mails myself, rather than be falsely led to believe that a certain message had gone through unimpeded, I would much prefer to have it returned with a notification of non-delivery so that I could try to reach the intended recipient by other means. Indeed, returning the message with a notification strikes me as the most appropriate and responsible course of action for an Internet service provider to take in such circumstances."

 

To answer the above question, then, what an ISP should do in cases of account suspension is what we recommended as best practices in the case in question, as follows:

  • Cease collecting, storing, and denying access to, e-mails addressed to holders of accounts under suspension.
  • Adopt instead the practice of deflecting such e-mails back to senders with notification to the effect that the messages could not be delivered.
  • Make provision for giving the holder of a suspended account access to any e-mails already received by the company, but still unretrieved by the customer, at the time the suspension took effect.

Make sure to check those Government authorities

An individual's holiday memories were marred when he found out that the airline he had used for his trip released his itinerary to his boss. His employer, a federal Government department, was conducting an investigation into his use of sick leave. It approached the airline and requested confirmation of his travel itinerary.

The airline hesitated. Citing its responsibilities under the PIPED Act, it asked the department for proof that the individual had consented to such a disclosure. If that was not possible, the airline suggested that a specific exemption or exception under the Act would be needed before it would comply with the request.

In response, the department cited a directive under the authority of a specific federal statute, indicated that the information was needed to administer federal public servants' employment legislation, and asked the airline to disclose the itinerary. Satisfied that the department's request fit the exemption provided in section 7(3)(c.1)(iii) of the Act, the airline duly released the information. This section allows an organization to release information about an individual to a Government institution for the purpose of administering a law.

There was just one problem. The department did not quote the correct directive as its lawful authority. Even though it later acknowledged its mistake, the department maintained that it nevertheless had the authority to collect the information - just under different legislation.

We agreed that the department had lawful authority. We were concerned, however, that the department had initially made an error and that the airline had not verified whether the cited directive was correct or not. Although the airline made the disclosure in good faith, an organization has a duty to be vigilant about checking authorities cited by Government organizations before releasing personal information. In his letter of findings the former Commissioner stated:

"...where requests for disclosure of personal information are concerned, I consider it incumbent upon any private-sector organization not to take the submissions of any government institution at face value, but rather to be vigilant about checking authorities cited."

Fees for access: Should you have to pay for your own information?

Responding to requests for access to personal information may entail some costs for organizations. Should it also entail costs for the individual? In fact, there is a provision in the Act that allows organizations to charge a fee in responding to requests. But how much is reasonable? This question was addressed in two cases where the complainants accused organizations of charging excessively high fees.

The complainants were involved in disputes with their respective banks concerning money they had borrowed. Both individuals requested their personal information. The banks responded by demanding fees of $150 and $200 respectively to cover the costs of processing the documents in question. The first individual wanted to know what he would get for his money and, when told what this would be, decided to file a complaint. The second individual is on a fixed income and could not afford to pay for his personal information.

These cases are good examples of the private sector adjusting to the expectations of the Act. The banks were reminded that Principle 4.9.4 of the PIPED Act stipulates that an organization must respond to an individual's request at minimal or no cost to the individual. As a result, one bank released the information free of charge, while the other asked for a nominal fee of $10.

Additionally, the bank's position in the first complaint seemed to be based not only on cost-recovery but also on its desire to have the complainant meet with it to discuss the dispute that had prompted the access request in the first place. We emphasized to the bank, however, that the Act does not require an individual to explain why he or she wants access to personal information or require that he or she enter into any discussions with an organization. In other words, personal information cannot be held for ransom.

Based on the findings in these cases, the bottom line for organizations when it comes to fees is this: cost-recovery does not apply to access to information requests.

A security clearance becomes a job requirement

Protecting nuclear sites from terrorist attacks is a grave concern, particularly in the wake of September 11, 2001. The federal agency that oversees the operations of all nuclear facilities in Canada responded to the terrorist threat by instructing its licencees to implement enhanced security measures. One of the new measures in place is to limit entry to nuclear facilities to persons with the proper security clearance. If a licencee fails to comply, the federal agency will revoke its operating licence.

A company's nuclear products division informed its employees of the new security requirement and asked them to consent to a security clearance check. Along with a consent form, each employee received an information package that specified the type of information to be collected, the purpose, and the organization that would carry out the collection. Employees were also told that the organization collecting the personal information was bound by a confidentiality agreement.

In order to be granted a security clearance, employees with at least ten years of service were required to pass a criminal records check. Employees with less than ten years of service had to pass a full background check that included employment history, professional qualifications, and personal references, as well as a criminal records check.

Some employees were unhappy and complained to the Office. They felt they did not really have a choice - if they refused, they faced job loss. If they consented but failed the security check, they would lose their current positions and be reassigned, possibly to lower paying jobs. Under those circumstances, they felt their consent was coerced.

The former Commissioner had to determine whether the company was collecting personal information with the employees' knowledge and consent as required under Principle 4.3 of the PIPED Act. Clearly, the employees knew of the collection. But was their consent voluntary? In the letters of findings, the former Commissioner assessed the issue as follows:

"[The company] expressly asked you for your consent, and it is entirely up to you whether to give it or not. That there may be unpleasant consequences in either case does not alter the fact that you do have a choice in the matter. Refusal to give consent to the collection of personal information may very often entail unpleasant consequences for the individual. But in this case, as in most decisions in life where the prospect of unpleasant consequences is a factor, the pressure you may feel to consent to the collection does not amount to duress. Under the Act, the key consideration is not whether there may be unpleasant consequences to an individual's refusal to give consent, but rather whether the collection is itself reasonable."

Was it reasonable for personal information to be collected for the purposes of a security clearance as stipulated by section 5(3) of the Act? The former Commissioner concluded that it is entirely reasonable for the federal agency to impose an enhanced security requirement upon its licencees, given the greatly enhanced concern about possible acts of terrorism at nuclear facilities. Had the company not complied, it would have lost its licence to produce nuclear fuels and would no longer have been able to conduct its nuclear products business, leading to substantial financial losses and staff lay-offs. Under these circumstances, we determined that it was entirely reasonable for the company to comply with the order and thus collect personal information from employees to conduct security clearance checks.

Aeroplan: Opt-out consent is not enough

When Air Canada mailed out privacy brochures to 60,000 Aeroplan members, several members complained to the Office.

The individuals who complained to the Office did not mind that the company had made the effort to seek their consent to information-sharing practices under the Aeroplan program. What they did object to, however, was having the onus put on them to tell Air Canada if they did not consent to the practices outlined in the brochure. Nor did they appreciate that the company was presuming, in the meantime, that they did consent.

The former Commissioner concluded that Air Canada was not in compliance with the PIPED Act and that the complaints were well-founded.

The 60,000 brochures accounted for only about one per cent of Aeroplan's total membership at the time. In the letters of findings, the former Commissioner remarked that the Act required organizations to observe every individual's privacy rights and did not allow for token compliance. Since Air Canada had in effect left 99% of Aeroplan members in the dark about its information-handling policy and practices, the former Commissioner found its attempt at seeking consent to have been entirely inadequate.

Even if all plan members had been consulted, the brochure itself failed to seek consent in an appropriate form. It described five ways in which Air Canada was intending to share Aeroplan members' personal information under the program. Each description was accompanied by a check-off box, and the plan member was instructed to check the box only if he or she did not consent to having personal information shared in the manner described. Any plan member checking off one or more of the five boxes was then expected to mail the brochure back to the company by way of expressing non-consent. Conversely, any plan member who did not return the brochure was considered to have consented to all five information-sharing situations.

This form of consent has come to be known as "negative" or "opt-out" consent. It correlates to the "negative option" marketing practices that consumers have been so quick to condemn in the past. In effect, such practice is based on presumption - the individual is presumed to agree to a proposition unless he or she takes the initiative to refuse it.

Like most other people involved in the protection of privacy, and indeed like most informed consumers, we hold a very low opinion of the negative option as it is used by organizations in their handling of personal information. The Office considers opt-out to be a weak form of consent - one that unfairly puts the onus of initiative on the wrong party and reflects at best a mere token observance of what is perhaps the most fundamental principle of the Act. We would prefer that organizations adopt an exclusively "positive" or "opt-in" approach - a much more respectful approach whereby individuals would be deemed to have consented only if they have expressed a definite "yes" to a proposition.

On the other hand, the Office is also well aware that opt-out is a form of consent expressly permitted by the Act in certain circumstances - notably, where the personal information is of a demonstrably non-sensitive nature. The problem here is that the Act itself refrains from precisely defining the notion of sensitivity. Although it does instruct that an individual's financial and medical information is almost always to be considered sensitive, it also goes on to suggest that any information can be sensitive, depending on the context. In the Aeroplan complaints, therefore, the Office's task was essentially one of assessing the context. In other words, the former Commissioner had to determine whether the circumstances justified Air Canada's recourse to opt-out consent.

In the letters of findings, the former Commissioner made a point of stating that the intention is always to keep strict limits upon the circumstances in which opt-out could be deemed appropriate. It was also made clear that the Office intends to be guided in all such deliberations by due consideration for both the sensitivity of the information and the reasonable expectations of the individual. It was on these considerations that the Aeroplan privacy brochure ultimately failed.

The language of the brochure failed to demonstrate that any of the information-sharing situations described was strictly non-sensitive in nature or context. Two of the situations were of a particularly high order of sensitivity. The other three seemed by their descriptions to allow for considerable marketing to individuals on the basis of information customized according to potentially sensitive criteria. As it was put in the former Commissioner's letters:

"Although in my view the practice of sharing plan members' information for purposes of offering special promotions and products remains unobjectionable in itself, I am satisfied that a reasonable person would not expect such practice to extend to the 'tailoring' of information to the individual's potentially sensitive interests, uses, and preferences without the positive consent of the individual."

The former Commissioner concluded that it had been inappropriate for Air Canada to seek negative or opt-out consent to Aeroplan's information-sharing policies and practices as described in the brochure.

To its credit, Air Canada took the Commission's findings and recommendations very seriously. With some guidance from the Office, in a process that we found to be both positive and productive, the company undertook to rethink and rewrite its information-sharing policy under Aeroplan. We have reviewed the finished product, and have verified that the policy now addresses our concerns in the following ways:

  • It explains to Aeroplan members, in clear and understandable terms, the purposes for the collection, use, and disclosure of personal information under the program.
  • It explains clearly that Aeroplan does not collect any details of the transactions whereby members accumulate points under the program.
  • It specifies that Aeroplan does not provide individualized profiles of members to partner companies or other third parties, and further clarifies that any information provided to partners can be used only for purposes related to the Aeroplan program.
  • It explicitly and clearly states that members who wish to have their personal information used only for redemption of Aeroplan points can so stipulate, and it identifies an easily-executable procedure for members to exercise this option.

As for the matter of consulting the full Aeroplan membership, Air Canada also set out a very specific plan whereby all active members of the program would receive a copy of the revised policy with their next account statements. Moreover, the policy was to be made available on the Aeroplan Web site.

We were satisfied that Air Canada had responded appropriately to our recommendations, and pleased with the spirit of co-operation the company has shown.

A case of deception

It is one thing to do a poor job of informing individuals of the purposes for which their information would be used, as three of the above-mentioned organizations did. It is quite another to deliberately misinform, as we found to be the case in a complaint against a market research firm.

This firm mails questionnaires for what it calls "consumer product surveys" to households across Canada. The questionnaires ask about household preferences among various categories of products. The literature accompanying each questionnaire explains the purpose of the survey strictly in terms of "fact-finding," seeking householders' "opinion" and understanding consumer "preferences and attitudes," all with a stated view to improving the quality, life and value of products.

However, the surveys were truly intended for the purpose of selling products to the survey respondents. What the survey firm mainly intends to do with the personal information it collects in the questionnaires is compile customized mailing lists, which it will then give to the third-party companies that have commissioned the given survey. These commissioning companies will then attempt to sell products to the survey respondents by directly marketing them according to the information they have provided in the questionnaires.

The PIPED Act says that an organization has to identify its true purposes for collecting personal information. It also says that consent to the collection of personal information must not be obtained through deception.

If an organization intends to give information it collects to direct marketers, it has to say so, in no uncertain terms and in a manner that people can reasonably understand. In the survey literature in question, there is neither an explicit statement nor even a reasonably understandable implication to the effect that personal information of individual respondents will be disclosed to third parties.

The questionnaire does ask for the respondent's consent to further mailings and offers, but says nothing about where such communications would come from. In the absence of any indication that the survey firm intends to share the respondent's mailing address with other possible mailers, the most reasonable inference would be that any further mailings would come from the same source as the original - that is, from the survey firm itself.

Furthermore, the consent mechanism is a problem in itself. Given that many of the survey questions are highly sensitive in nature (notably, several have to do with personal health and finances), the "opt-in" form of consent should be used in the circumstances. But the consent mechanism has two check-off boxes, one for "yes" and the other for "no", and is thus ambiguous as to the form of consent intended. What happens in fact, however, in the not-infrequent cases where the respondent checks off neither box, is that the individual is presumed to give consent to further mailings. Thus, the survey firm is using the "opt-out" form of consent in a situation that clearly calls for "opt-in."

The survey literature also does mention that companies have commissioned the survey. However, it does not name the commissioning companies. Nor does it in any discernible way suggest that these anonymous companies are direct marketers, or that what they have in effect commissioned from the survey firm is the collection of prospective customers' personal information on their behalf. Indeed, there is nothing in the literature that gives the individual householder any substantial grounds to believe that the survey is anything other than what it purports up front to be - that is, strictly a fact-finding, opinion-seeking market study aimed at product improvement.

On the basis of such a description, respondents might reasonably expect that the survey's sponsors would receive results in the form of aggregated, anonymized analytical data. But respondents are given no legitimate reason to expect, and every good reason to resent, that as a result of their participation in the survey they may soon be subject to intrusive and unwanted direct-marketing efforts by third-parties who have been made privy to their sensitive personal information.

It may seem paradoxical to some that, despite the overwhelming case against the survey firm on these and other counts, what troubled us most was evidence of the firm's compliance with the Act.

The firm does, in fact, have an official written privacy policy pertaining to its household surveys posted on its Web site. This policy does a relatively good job of identifying the true purposes for collecting the survey information. However, not only is this policy not included or otherwise reflected in the survey literature mailed to households, but it is not made reasonably accessible to householders. The survey literature does not even mention the existence of the Web site, let alone that of the policy.

What troubled us specifically were the implications of the vast discrepancy in compliance between the Web site and the survey literature. In the letters of findings, the former Commissioner raised the concerns as follows:

"Why would [the firm] make reasonably clear in a remote and unadvertised privacy policy, but not at all clear in survey materials actually provided to individuals, that respondents' personal information would be disclosed to third parties for marketing purposes? Why in the survey materials would [the firm] explain the purposes of its surveys only in such limited terms as fact-finding, opinion-gathering, and product quality improvement, and relegate to a document that no one would ordinarily ever see the further purpose of direct marketing by third parties? Indeed, why would [the firm] take pains to formulate a more or less compliant privacy policy and then not draw attention to that policy when it truly mattered, in effect hiding the policy from customers?
"In brief, I find it difficult to comprehend this discrepancy, except in terms of deception. [The firm] has suggested that its survey materials serve to produce a reasonable expectation of disclosure to, and direct-marketing by, third parties. I cannot see, however, that any previously unsuspecting person could reasonably infer such a purpose from the scant, vague, and misleading indications provided. Rather, in my considered view, far from being conducive to a reasonable understanding of how personal information will be used or disclosed, the survey materials serve only to deceive individuals as to the true purposes of the surveys and to detract from the fairness of [the firm's] collection of personal information."

An advocacy group's expectations about consent

The PIPED Act states, at Principle 4.3.5 of Schedule 1, that the reasonable expectations of the individual are relevant in matters of consent. But it does not elaborate.

Rather, it leaves us the difficult task of interpreting this provision. In the circumstances of any consent-related complaint, it is often up to the Commissioner to determine the reasonableness of a complainant's expectations and the extent of their relevance. Fortunately, fairly early in the life of the Act, a body of complaints arose that we found useful in formulating a general position on what an individual may reasonably expect in matters of consent.

An individual filed complaints on behalf of an advocacy group against two banks, a telecommunications company, and a company that ran a frequent-buyer program. All the complaints were basically the same - that the organizations in question were not obtaining valid informed consent from individuals to disclosures of their personal information for marketing purposes.

The complaints consisted of two main allegations. The first was that the organizations were not making reasonable efforts to inform clients that their personal information was to be disclosed to third parties for secondary marketing purposes - that is, purposes additional to those for which the information needed to be collected in the first place. The complainant's contention was that, if individuals were not being properly informed of secondary purposes, the organizations had no valid basis for presuming the individual's consent to such purposes. The second main allegation was that, despite their reliance on the "opt-out" form of consent, the organizations were not providing reasonable opportunities for individuals to opt out of third-party marketing.

As interesting as the allegations themselves were their underlying assumptions, which the advocacy group had presented in a position statement supporting the complaints. To us, these assumptions clearly represented "expectations" on the complainant's part. Before determining whether or not the organizations in question were in compliance with the relevant consent provisions of the Act, we thought it prudent to consider whether the group's expectations regarding consent were themselves reasonable in relation to the Act.

After analyzing them, the former Commissioner concluded that the group's expectations were entirely reasonable. Notably, the former Commissioner found it reasonable to expect the following from organizations that use or disclose personal information for secondary purposes:

  • It is not enough to identify purposes in privacy policy documents and make such documents generally available. An organization should bring its secondary purposes directly to the attention of the individual at the time of collecting personal information. During an application or a subscription process, for example, the individual should be presented with the necessary information and should not be referred to sources not immediately at hand. (These expectations are supported by Principles 4.2.3 and 4.3.1 of the Act, which instruct that identification of purposes and seeking of consent be direct and coincident with the collection of personal information.)
  • Purposes should be stated in clear, plain language understandable to the ordinary consumer and in adequate detail for the consumer to appreciate the nature and extent of the intended collections, uses, and disclosures. (These expectations are supported by Principle 4.3.2, which instructs that purposes be stated in such a manner that the individual can reasonably understand how personal information will be used or disclosed.)
  • If purposes are identified in writing, the individual should not be required to read fine print in dense passages.

Where an organization intends to presume the individual's consent to secondary purposes, the organization should provide a convenient opportunity for the individual to opt out. The opportunity and the procedure for opting-out should likewise be brought to the individual's attention at the time of collecting the personal information. The opting-out procedure should be easy, immediate, and inexpensive.

On this basis, and upon investigation of the actual policies and practices of the organizations, the Commissioner concluded that two of the complaints were well-founded and two were not. The former Commissioner found that the telecommunications company was not making any disclosures of the kind alleged, since it was prohibited from doing so by the CRTC. One bank was indeed disclosing personal information for secondary marketing purposes as alleged, but the former Commissioner found it to be making reasonable efforts on the whole to inform account applicants of the practice, obtain their consent to it, and provide them with an opt-out opportunity.

In the well-founded cases, the non-compliance of the frequent-buyer program was largely a matter of inconsistency in enrolment procedures. The case of the second bank, however, was much more serious. This bank's efforts at obtaining informed consent from account applicants did not in any respect meet the requirements of the Act or the reasonable expectations of the individual. In the letter of findings, the former Commissioner commented on the various materials used by the bank to communicate purposes, and on the nature and extent of the failed compliance in this case:

"The wording ... is so broad in each case as to virtually preclude understanding, unless the individual is to understand that the bank intends to use personal information however it may see fit and disclose it to whomever it may see fit. This would hardly be a purpose that any reasonable person would expect or consider appropriate in any circumstances."

By positive contrast, it should be noted that, in the case of the first bank, the former Commissioner complimented the bank on its approach to obtaining informed consent from account applicants. For those applying in person at branches, this bank's application procedure involved sitting the individuals down, providing them with the appropriate privacy information on the spot, drawing their attention specifically to statements of secondary marketing purposes, asking whether they consented or not to specific marketing practices, and recording and abiding by their responses. We regard such procedure as exemplary, amounting to the positive form of consent that we prefer.

Consent to secondary purposes

What follows is a summary of the deliberations to date in cases relating to consent to secondary purposes.

  • Positive or opt-in consent is always to be preferred as the form of consent that is strongest, most respectful of individuals, and best in keeping with the spirit of the Act. Organizations are encouraged to adopt this form of consent exclusively.
  • Positive or opt-in consent to secondary purposes is a requirement in situations where the personal information is sensitive in itself or where there is a significant potential for the information to be rendered sensitive in the context of the information-handling activities.
  • Since the Act indicates that personal information of a financial or medical nature is almost always to be considered sensitive, these types of information will almost always be deemed to warrant positive consent. However, since the Act also stipulates that any personal information may be sensitive in a given context, no further attempt should be made to precisely define the notion of sensitivity. Rather, the context should be considered in each case, with a view to determining the potential for sensitivity.
  • Two prime considerations in determining the potential for sensitivity of personal information are the intent to disclose the information to third parties and the intent to categorize or otherwise process the information according to personal criteria.
  • Negative or opt-out consent, also known as presumed consent, despite being the weaker and less preferable form, is recognized under the Act as being acceptable in certain circumstances. The scope of circumstances in which this form of consent is allowable will remain limited.
  • An organization's use of the negative or opt-out form of consent to secondary purposes will be deemed justified only under the following conditions:
    • The personal information must be of a demonstrably non-sensitive nature and context and must be identified by item or type.
    • If the information is to be disclosed to third parties, the parties must be identified by name or type.
    • The organization must state its purposes in full accordance with Principles 4.2, 4.2.3, 4.3.1, and 4.3.2 and with the individual's reasonable expectations as deemed relevant in Principle 4.3.5. Specifically, the identified purposes must be brought directly to the individual's attention, either orally or in writing, at the time the personal information is collected (e.g., during the subscription, application, or enrolment process); in clear, specific, unambiguous terms; in a format easy to read (where text is used); and in a manner conducive to the individual's understanding of how exactly the personal information is to be used or disclosed.
    • The organization must provide an appropriate "opt-out" mechanism - that is, a convenient opportunity and procedure for withdrawal of consent. The mechanism must be brought to the individual's attention at the time the personal information is collected and should be inexpensive, easy to execute, and immediately effective in withdrawing consent. Where feasible, it should include a toll-free number.

Incidents under the PIPED Act

Checking up on telephone calls

A journalist contacted the Office about a survey being conducted on behalf of a telephone company by a research firm. It appeared as though the company was gathering information from customers about their telephone calls.

The research firm had a contract with the telephone company to carry out random checks for quality assurance purposes. The telephone company provided the firm with the phone numbers of customers who had made calls seeking assistance by dialing "0" or "411." The firm was not given the names of the customers or other identifying information. The company has a non-disclosure contract with the research firm, which requires the firm to destroy the information it collects once the results of the survey are compiled.

The former Commissioner was satisfied when it was determined that the telephone company was complying with a CRTC requirement to conduct regular quality of service measurements of the accuracy of Directory Assistance services.

Dumpster find

A bank alerted the Office that confidential client documents had been found in a dumpster located near a branch that had closed some time earlier. The building had been leased to a new tenant and was being renovated. Apparently the renovators found the documents during the reconstruction and disposed of them. Upon hearing of the matter, the media retrieved some of the documents from the dumpster.

The bank took prompt action as soon as it became aware of the situation by recovering all of the documents from the dumpster and the journalists; then it verified that no other bank documents remained in the building. The bank also informed each of the affected customers, either in person or in writing, of the incident and of the steps it had taken to recover the documents. In addition, the bank apologized to each customer and assured each one that all of their information had been recovered.

It was determined that the branch in question was amalgamated with another, and a private company on contract to the bank was tasked with sorting through and processing records. The bank has established procedures for this, but the private company did not follow these properly, with the result that some documentation was not appropriately classified and was disposed of incorrectly. The bank subsequently clarified procedures with the private company.

The former Commissioner was satisfied that the bank acted promptly and appropriately in dealing with this sensitive situation.

Complaints Received by Sector

January 1, 2002 to December 31, 2002

[Pie chart: Complaints Received by Sector, January 1, 2002 to December 31, 2002]

Inquiries under the PIPED Act

January 1, 2002 to December 31, 2002: 8,381

We will attempt to provide a breakdown of these inquiries by subject in future Annual Reports.

Privacy Practices and Reviews

The Personal Information Protection and Electronic Documents (PIPED) Act enables the Commissioner to audit the compliance of private sector organizations if there are reasonable grounds to believe that they are in contravention of the Act or are not following a recommendation set out in Schedule 1 (ten principles). The Privacy Practices and Reviews (PP&R) Branch will conduct such compliance reviews and audits under section 18 of the PIPED Act, following accepted standard audit objectives and criteria. During the period under review, there were a number of issues that were brought to the Commission's attention that were successfully resolved without the necessity of conducting an audit. For example, Office of the Privacy Commissioner staff met and advised representatives of an industry association on the viability of obtaining direct consent and the proposed contents of such a consent form. We provided guidance to a business with respect to the use of the SIN as an identifier and the use of opt-out consent. As well, we provided a comprehensive review and analysis of a corporate privacy policy.

Apart from those issues, the former Commissioner was not aware of any other concerns that would provide sufficient grounds to initiate an audit under the law.

Nevertheless, the PP&R Branch has been involved in consulting with and providing advice to private sector organizations that come under the jurisdiction of the PIPED Act. It has also assisted those organizations that are not currently governed by the Act but that are preparing for January 1, 2004, when the Act will begin to apply to them.

In the Courts

Under section 14 of the Personal Information Protection and Electronic Documents (PIPED) Act, an individual complainant has a right, following the Commissioner's investigation, to apply to the Federal Court of Canada for a hearing in respect of any matter that is referred to in the Commissioner's report. These matters must be among those in the listed Schedule clauses and sections of the PIPED Act.

Section 15 of the Act allows the Commissioner to apply to appear in Federal Court. The Commissioner may, with the consent of the complainant, apply directly to the court for a hearing in respect of any matter covered by section 14; appear before the Court on behalf of any complainant who has applied for a hearing under section 14; or, with the leave of the Court, appear as a party to any section 14 hearing.

Following is a list of all PIPED Act applications in the courts from January 1, 2001 to December 31, 2002:

Mathew Englander v. Telus Communications Inc.

Federal Court File No. T-1717-01

This is the first application for judicial review to be filed in the Federal Court under the PIPED Act. Mr. Englander argues that Telus uses and discloses customers' names, addresses and telephone numbers in its white pages directories and otherwise, without customers' knowledge and consent, and inappropriately charges customers for choosing to have their telephone number "non-published." He claims that these actions by Telus contravene subsections 5(1) and (3) of the PIPED Act, as well as several clauses of Schedule 1 of the PIPED Act.

Status

This Application was dismissed on June 2, 2003.

Ronald G. Maheu v. the Attorney General of Canada and IMS Health Canada

Federal Court File No. T-1967-01

Ronald Maheu applied for a hearing in the Federal Court arguing that IMS Health Canada improperly discloses personal information by selling data on physicians' prescribing patterns without their consent.

Status

Mr. Maheu filed an Amended Notice of Application in March 2002. IMS brought a motion seeking either to strike out the Application on the grounds that it was brought for an improper purpose or to have Mr. Maheu post security for costs. The Court ordered Mr. Maheu to post security for costs in the amount of $12,000 and noted that there appeared to be reason to believe that Maheu was using the Act for a collateral and improper purpose given that his own personal information was not at issue. On appeal, the former Commissioner appeared to assist the Court with respect to the proper interpretation of the PIPED Act, explaining that an individual may file a complaint concerning an organization's information practices regardless of whether that organization collects, uses or discloses personal information about the individual complainant. The Federal Court agreed with this position and granted Mr. Maheu's appeal on January 3, 2003. This decision is currently being appealed, and the original Application continues to proceed in Trial Division.

Diane L'Ecuyer v. Aéroports de Montréal

Federal Court File No. T-2228-01

Diane L'Ecuyer complained that Aéroports de Montréal had sent copies of a letter of response to access requests she had made to two union representatives and an employee relations co-ordinator and had, therefore, disclosed personal information without her consent. The former Commissioner investigated her complaint and, among the findings, recommended that individuals must be allowed to judge for themselves whether or not to share such a response with others.

Status

Madame L'Ecuyer applied to Federal Court on December 18, 2001, seeking an Order that the organization correct its practices to conform with the PIPED Act and that the organization publish a notice stating any action taken or proposed to be taken to correct its practices. On May 13, 2003 the Trial Division released its decision, finding that the issue arose from the administration of a collective agreement and therefore was not within the jurisdiction of the Privacy Commissioner. Madame L'Ecuyer filed an appeal of that decision on June 5, 2003 and the Privacy Commissioner is preparing to apply for leave to intervene in that appeal.

Nancy Carter v. Inter.net Canada Limited

Federal Court File No. T-1745-02

Nancy Carter contacted the Office with concerns about the practice(s) of her Internet Service Provider (ISP). During a billing dispute with the complainant, the ISP had suspended her access to e-mail, but continued to keep the account active and accepted new e-mails into the mailbox. The claimant argues that she was therefore denied access to her personal information contrary to the PIPED Act, and lost a valuable business opportunity as a result. She is seeking damages under the PIPED Act.

Status

A settlement was reached in this case and accordingly a Notice of Discontinuance was filed on June 5, 2003.

Sylvain Gagné v. Bell Canada

Federal Court File No. T-1971-02

Sylvain Gagné complained to the Office (a) that he had been denied access to some of his personal information and (b) of the improper disclosure of the personal information of others. Although the former Commissioner found the denial of access complaint to be not well-founded, agreeing that exemptions under 7(1)(b) and 9(3)(c.1) had been correctly applied, the complaint about the disclosure of personal information was well-founded and the former Commissioner issued recommendations as to change of practices.

Status

The Notice of Application was filed in Federal Court on November 25, 2002, requesting a variety of relief, including access to the withheld documents, damages to those affected, and Orders enforcing the Office's recommendations.

Bell Canada has now agreed to follow the Office's recommendations, and thus a Notice of Discontinuance was filed on March 14, 2003.

Dale Stuart v. the Toronto Dominion Bank

Federal Court File No. T-290-02

Dale Stuart believed that information about his banking affairs had been disclosed by employees of the TD Bank to his employer without Mr. Stuart's knowledge or consent.

Status

This application was discontinued by Mr. Stuart on December 2, 2002.

Yukon Hospital Corporation v. Attorney General of Canada

Federal Court File No. T-1814-02

This action was initiated in response to the former Commissioner's determination that he had jurisdiction under section 4(1)(b) to conduct an investigation of a complaint filed against the Yukon Hospital Corporation.

Status

A complaint was filed with this Office under the Privacy Act. Although the Yukon Hospital Corporation is governed by the PIPED Act, the complaint was originally made under the Privacy Act. After discussions with the Applicant to this effect, the former Commissioner withdrew his decision to investigate the complaint. Court proceedings were discontinued on February 21, 2003.

Keith Vanderbeke v. Royal Bank of Canada

Federal Court File No. T-2185-02

Keith Vanderbeke contacted the Office complaining that the Royal Bank of Canada had denied him access to three documents pertaining to a commercial mortgage for which he personally was the guarantor.

Status

In the application, the claimant is specifically seeking (among other things) interpretive Orders relating to the PIPED Act: an Order that a private corporation may be an "identifiable individual" under the PIPED Act with attendant access rights; and an Order that private corporation banking documents should be considered personal documents where a natural person has provided a personal guarantee to the creditor. It is uncertain whether this aspect will be allowed to continue because, among other things, the of the Application apparently brought pursuant to section 14 of the PIPED Act improperly seeks review of the former Commissioner's findings. Under section 14 of the PIPED Act, the only proper respondent is the Royal Bank of Canada.

