Reports and Publications
ARCHIVED - Annual Reports to Parliament
[Back to Table of Contents] [Part One] [Part Two] [Part Three]
Annual Report to Parliament 2003-2004
Part Two - Report on the Personal Information Protection and Electronic Documents Act
The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities.
Since the Act took effect on January 1, 2001, it has applied mainly to the commercial activities of what are known as federal works, undertakings or businesses, such as transportation and telecommunications companies, banks and broadcasters. It also applies to the personal information of employees in those companies, and it applied to personal information that is sold, leased, or bartered across provincial or national boundaries by provincially regulated organizations.
As of January 1, 2002, the personal health information collected, used or disclosed by these organizations is also covered.
On January 1, 2004, PIPEDA extended to cover the collection, use or disclosure of personal information in the course of all commercial activities in Canada, except in intraprovincial collection, use and disclosure where there is substantially similar legislation.
PIPEDA now also covers all cross border collection, uses and disclosures and federal works, undertakings and businesses.
Top of PageTable of ContentsInvestigations and Inquiries
This Office received 302 complaints under PIPEDA between January 1 and December 31, 2003, which is approximately the same number as in 2002. As in previous years, complaints were filed against a variety of organizations and dealt with allegations that individuals' privacy rights had been violated. Once again, the largest number of cases, 42%, were filed against organizations in the banking sector; the telecommunications and broadcasting sector accounted for 26% of cases. The percentage of complaints against transportation companies rose slightly to 19%. Credit reporting agencies accounted for a further 4% of the total, and the remaining 9% involved rewards programs, internet service providers and aboriginal band councils.
The number of cases finalized in 2003 rose to 278, a 58% increase from the previous year. Complaints were concluded as follows:
Top of PageTable of ContentsDefinitions of findings under the PIPEDA
Not Well-founded: This finding means that the investigation uncovered no or insufficient evidence to conclude that an organization violated the complainant's rights under PIPEDA.
Well-founded: This finding means that an organization failed to respect a provision of PIPEDA.
Resolved: This finding means that the allegations are substantiated by the investigation; however, the organization has taken or has committed to take corrective action to remedy the situation, to the satisfaction of this Office.
Settled during the course of the investigation: This disposition is used when the Office has helped negotiate a solution that satisfies all involved parties during the course of the investigation. No finding is issued.
Discontinued: This means that the investigation was terminated before all the allegations were fully investigated. A case may be discontinued for any number of reasons — for instance, the complainant may no longer be interested in pursuing the matter or cannot be located to provide additional information critical to reaching a conclusion.
No jurisdiction: This means that it has been determined during investigation that PIPEDA does not apply to the organization or to the activity that is the subject of the complaint.
Early resolution: This is a new type of disposition, which the Office will begin using in 2004. It will be applied to situations where the issue is dealt with before a formal investigation is undertaken. For example, if an individual files a complaint about an issue that the Office has already investigated and found to be compliant under PIPEDA, we would explain this to the individual. This disposition would also be used when an organization, upon learning of the allegations, addresses the issue immediately and to the satisfaction of the complainant and this Office.
Top of PageTable of ContentsSelect Cases under the PIPEDA
SAFEGUARDING OF PERSONAL INFORMATION
Wedding bell blues
She was only trying to be helpful. That is what the bank employee in this case undoubtedly believed when she gave the fiancée of a customer a copy of his student loan application, containing information about his loans and credit card, from the previous year. She thought it could assist him in filling out another form for the new school term. She also probably thought it was not a big deal to leave his banking file out on her desk, where the fiancée could see it, while she went to search for a document.
It was, in the end, a very big deal. The young woman knew that her boyfriend had a student loan, but she did not know the full amount of his debt — until she saw it in the file. As a result, she called the wedding off.
The employee acknowledged her error. She thought the fiancée was acting as the boyfriend's agent because the woman, who had attended the bank to drop off some documents for him, referred to herself as his "go-between." The employee stated that in the future, she would ensure that she had a signed document indicating that someone was acting on another's behalf before discussing any personal information.
Actions taken by the OPC
We noted that despite the "go-between" comment, the bank employee did not have the student's authorization in writing, contrary to the bank's own policy. Without documentary evidence that the student authorized the disclosure, we found that the bank had contravened the requirement for consent under the Act, and concluded that the complaint was well-founded.
Although it was a one-time incident, it was an example of the serious ramifications that privacy disclosures — however inadvertent or well-intentioned — can have.
More than just fruits and vegetables
An individual had hoped to conduct some business at her bank's kiosk located in a nearby supermarket. While she waited for service, she noticed a computer terminal in an open area. The monitor was live, and assuming that it was for the public to use to obtain general banking information, she typed in her name and address as prompted. The computer displayed information related to her accounts with the bank, including credit card numbers, limits, and balances. She had not been asked for any password or user identification.
Later, when she was sitting with a bank employee, she was able to see him entering his password, which she claimed appeared on screen in clear text, when he logged onto another computer. (She stated that the screen was positioned such that she could see it.) Concerned about the bank's apparent lack of safeguards, she brought her concerns to our attention.
The kiosk branch in question comprised an ABM for public use, an enclosed business office with a computer terminal for employee use only, and one other computer terminal situated in an open area. This terminal was also intended for employee use, but there was no sign posted to that effect. On the day in question, two employees were working. One was away at the time of the incident, and the other was busy with a customer in the enclosed office.
According to the bank, this incident was a simple case of employee error. The last employee to use the open-area computer had forgotten to log off — an infraction of the bank's own security policy and procedures.
The bank took two remedial measures as a result of the complaint. First, it sent advisories to employees of in-store offices, placed a message on its intranet site, and included some formal guidelines in training manuals for new employees. Second, it installed a new computer system with a password-protected screensaver that activates automatically if the keyboard remains untouched for 15 minutes.
As for the allegation that she could discern the password used by the bank employee, the bank said that, with the computer system in use at the time, passwords appeared on screen in the form of symbols, not in recognizable clear-text characters. The bank suggested that the complainant had either mistaken the employee's user ID or other log on information for his password. It also suggested that she perhaps had recognized the password by looking at the keyboard while the employee was typing rather than from the computer screen.
The complainant countered that it did not matter how she had recognized the characters. Bank employees logging on to computers should not allow customers to see either the computer screen or the keyboard.
Actions taken by the OPC
We considered this complaint well-founded. We noted that the bank had created a considerable risk of unauthorized access to customers' personal information when it installed in open areas of its kiosk branches computers that were often left unattended. In considering whether the bank had instituted appropriate safeguards to mitigate this risk and protect the information, we determined that:
- The bank's primary safeguard at the time of the incident was an instruction in a security manual to the effect that employees should log off when about to leave a computer unattended.
- A bank employee's failure to follow this instruction resulted in the complainant gaining unauthorized access to sensitive personal information.
- Although no improper disclosure to a third party occurred, the same neglect by the employee had created a significant potential for such a disclosure.
In the circumstances, the safeguard upon which the bank relied was ineffective and inappropriate. We therefore found the bank in contravention of the requirement under PIPEDA for appropriate safeguards.
As for the remedial measures taken by the bank, we felt that, although the automatic shutoff was an improvement, this measure would not prevent access during the 15-minute time delay and therefore could not be considered an adequate safeguard. A safeguard was needed that would protect sensitive personal information at all times.
As for the second remedial measure, we noted that even though the employee in this incident knew the rule he had neglected to follow it. Taking the human factor into account, we were not convinced that a reinforced instruction was likely to provide any more effective protection than the original form of instruction. Indeed, we were concerned that relying on the new 15-minute cut-off would actually make employees complacent and less likely to follow the rule of logging off manually.
In spite of the remedial measures, we felt there continued to be an unacceptable potential for unauthorized access to customer information via the computers placed in areas open to the public.
We recommended that the bank:
- Review its information security policy and procedures specific to the operation of its kiosk branches and take appropriate measures to ensure that access to any computers whereby customers' personal information may be obtained is restricted to authorized bank employees; and
- Take appropriate measures to ensure that customers are prevented from seeing passwords and other identifiers used by employees to log on to computers.
The Office is currently following-up with the organization to ensure that recommendations have been implemented.
Lost and found
An employee of a company complained to us when a co-worker found a letter concerning the complainant in a reference binder. The binder in question was reserved for employee use and was accessible to anyone on the work site. The letter summarized a meeting the complainant had, some six years earlier, with his superiors regarding problems he was having at work. In the letter was a recommendation for a new posting, as well as certain measures to help him with a number of personal problems he was having at the time. Two letters, relating to two other employees, were also found at the same location. These documents concerned personal problems that these individuals had been having at work.
The company could not explain how these letters ended up in a reference binder, suggesting that the binders had been misplaced or moved and then reopened several years later. We noted that the way the company handled documents containing the personal information of employees had completely changed over the last several years.
Actions taken by the OPC
In our view, such highly sensitive personal information, referring to an employee's personal problems, required special protection. Although our investigation could not determine how these letters ended up in the binder, we concluded that there had been gaps in the company's safeguards to protect the personal information of employees. We also noted that such documents had been kept far longer than necessary to fulfil the company's stated purposes.
While we concluded that the complaint was well-founded, we were pleased that the company sent the complainant a letter of apology during the investigation.
IDENTIFYING THE PURPOSE OF THE COLLECTION OF PERSONAL INFORMATION
The baggage we carry
All she wanted was to find her missing baggage. She certainly did not expect that to do so, she would have to provide the airline that misplaced it with her SIN, her date of birth, and her occupation on the baggage claim form.
Though not happy about giving this information, the complainant in this case did eventually complete and submit a baggage declaration form so that the airline would pursue the matter. None of the items of personal information requested on the form were designated as optional. The form did identify two purposes for collecting the information — tracing baggage and serving as the basis of a claim.
Actions taken by the OPC
What the form did not identify, but our investigation revealed, was that the information collected would be filed in a tracing system used by air transport organizations worldwide and therefore accessible to other parties. In addition, the form did not specify that serving "as the basis for a claim" actually meant not only processing a claim, but also investigating the credibility of the claimant.
Our Office learned that the tracing system included an investigation component whereby the airline, following an unsuccessful trace, could crosscheck for prior claims and any suspicious informational inconsistencies possibly indicating fraudulent intent on a claimant's part. The airline acknowledged that most of the personal information it collected from its form was used as much for the purpose of claims verification as for the purpose of tracing baggage. The airline maintained that not all the information on its form was mandatory. Claimants had discretion to decline to provide an item if they did not feel comfortable in doing so. However, the form itself did not indicate that any of the information it requested was optional, nor did it appear that the airline made a practice of informing claimants that they had any discretion in the matter.
In discussions with the airline, our Office took the following position:
- it is not appropriate for an organization to require the provision of a SIN as an identifier;
- an individual's occupation is not an appropriate item to request as a means of verifying a claim nor is "company name";
- date of birth and several of the other items of personal information requested on the claims form should be designated as optional; and
- the form should be revised so as to specify that collected personal information is recorded in a tracing system available to other users, and clarify that claims verification is one of the purposes.
While the airline agreed to revise its form as proposed, to remove SIN from it, and to designate date of birth, passport number, and passport name as optional, it was reluctant to make further concessions.
In our findings, we determined that the airline had not stated its purposes for collecting personal information in such a way that the customer could reasonably understand how the information was to be used or disclosed. In our view, the airline should have clarified that tracing baggage would involve putting personal information into a tracing system and creating a potential for disclosure to other users of that system. We also stated that the airline should have clarified that serving as the basis of a claim meant verifying the claim as well as processing it. The vaguely stated purposes did not, therefore, constitute a reasonable effort on the company's part to inform individuals of the purposes for which their personal information was to be used or disclosed.
As for the counter agent who had initially collected the complainant's personal information, we determined that she had made no effort to explain to the complainant what was to be done with the information. Although the agent might well have assumed that the complainant would understand that it would be used to trace her baggage, we believed that the agent should have at least informed the complainant of the means by which the information was to be recorded and by which the tracing would be done — that is, the worldwide tracing system.
Noting that knowledge is required as a basis for consent, we stated that the airline should have first informed the complainant of the specific reasons for collecting her personal information. As the company had not done so, it had no valid basis for consent.
Finally, with respect to the fact that the company had required the complainant to complete the entire form as a condition for pursuing the missing baggage, we noted that the purposes for which the information was collected had not been properly specified, as required under PIPEDA. We also determined that the airline's collection of SIN, birth date, occupation and company name was excessive and we were satisfied that a reasonable person would not have considered it appropriate to collect such information in the circumstances.
We therefore concluded that this was a well-founded complaint and recommended that the airline:
- follow through with the undertakings previously agreed to;
- designate "business address," "business telephone," "e-mail," and "frequent flyer ID" as optional;
- remove "occupation" and "company name" from the form;
- group all optional items on the form under one heading so that passengers may choose to complete some, all or none of the items;
- specify, at the items "prior address" and "prior telephone number," that these requests are made solely for the purpose of verifying the claim; and
- instruct its baggage claims agents to explain to the individual the use to be made of personal information collected at the time missing baggage is first reported; to specify that the information is to be filed in the tracing system and made available to other users of the system; and to limit initial information requests to those items that are justifiable in terms of the strict purpose for the initial collection — that is, tracing baggage reported as missing.
The Office is currently following-up with the organization to ensure that recommendations have been implemented.
UNAUTHORIZED USE OF PERSONAL INFORMATION
The cart before the horse
This Office learned that one branch bank manager had instructed her employees to conduct credit checks on customers, without their knowledge and consent, to determine who might be eligible for overdraft protection. Customers were then later informed that they had been pre-approved for the service. If they accepted, they were asked to sign an authorization for a credit check that had already been performed.
By the time we became aware of it, the bank had already initiated corrective action. During a regular "spot check" conducted by the bank to ensure compliance with bank policies, a deviation in policy at this particular branch was noted. The policy in question stated that employees must obtain a customer's consent to a credit check when offering him or her overdraft protection. The branch manager was notified, and she corrected the situation immediately.
The bank stated that the manager had misread the consent language for accounts. She mistakenly believed that she could use the consent language referring to a credit update to justify pre-screening for the overdraft protection.
As there was no dispute that the branch manager had authorized the collection and use of customers' personal information without their knowledge and consent, we found the bank in contravention of the consent requirement under PIPEDA. However, as the bank had a proper policy in place, and discovered and corrected the deviation in policy even before the Office became interested in the matter, we concluded that the complaint was resolved.
The ex-wife, her lawyer, the daughter and the collection agent
One individual complained that a bank, through a collection agency working on its behalf, had been telling his family members and his ex-wife's lawyer about his financial woes. Our investigation established that the collection agent handling the file had indeed contacted the complainant's daughter, his former wife, and her lawyer. In fact, there were a number of telephone conversations between the agent and these individuals. Some calls were placed by the agent; others, by the individuals to the agent. All calls coming into and going out of the agency, as well as summary notes of the calls, were logged into the agency's electronic tracking system. The information in this system could only be altered within two hours after it was originally logged.
Actions taken by the OPC
We could find no evidence that the agent had disclosed specific information regarding the complainant's financial situation, or made any threats about seizing his property, as he alleged.
The bank audits the agency to ensure that its privacy practices are in keeping with those of the bank. The agent, a long-time employee of the company, had signed a number of confidentiality and ethics statements with the agency.
In our findings, we noted that, although PIPEDA allows an organization to disclose personal information without knowledge and consent to collect a debt owed by the individual to the organization, it does not confer a carte blanche upon an organization to disclose however much information it wishes in pursuit of a debt.
In this case, we established that the only information provided to the ex-wife was a reference to an outstanding debt. Her lawyer declined to provide written confirmation of what the agent disclosed to her. The daughter and the agent contradicted each other's testimony, and we could find no documentary evidence showing that there had been any excessive disclosure of the complainant's personal information. Given this, we concluded that the complaint was not well-founded since the agent's actions were consistent with the exception to consent in the pursuit of a debt.
Two employees of a company protested when their employer decided to use statistical data about their work to measure job performance. The information in question — volume, duration, and type of call received by telephone operators — had long been collected to measure and manage workload at the office level. However, when the company began using this information to manage individual performance, the complainants, who were telephone operators, argued that the company was collecting and using statistical data about them without their consent.
We learned that the company had informed its employees of this policy change via group presentations, e-mail, and team and one-on-one meetings. The collection and use of statistics were also discussed in the company's privacy brochure for employees.
The employees received a monthly report containing their individual statistics as compared with predetermined targets or expectations. They also could receive a report containing statistics per shift.
Actions taken by the OPC
We found that the company's purpose, namely to monitor and evaluate the job performance of its employees, was appropriate, and that the company had adequately informed employees of this purpose. As for whether an employer required an employee's express consent to collect and use such information for performance-management purposes, we determined that when an individual agrees to work for a company, he or she is giving implied consent to the conditions of employment. Performance evaluation is one such condition, and one to which the complainants had given their implicit consent when they began working with the company. We concluded that the complaint was not well-founded.
Credit report check-up
When a couple checked their credit report, they noticed that the credit agency had disclosed their credit information to a particular credit grantor. They had never had any direct dealings with this credit grantor, and were suspicious that the grantor had accessed their credit file on behalf of its parent company. The parent company was also the wife's former employer, and the adversary in a dispute.
The couple complained to the credit agency, and was told that their concerns would be investigated and the results made known to them. However, when they called three weeks later for an update, a different representative told them that no internal investigation had been initiated.
This same representative told them that they should look into the matter themselves since the parent company in question was not a client of the agency, and the agency therefore had no jurisdiction to investigate. Yet a third representative subsequently promised that the agency would investigate. Skeptical of this promise, the couple complained to us.
Actions taken by the OPC
Our investigation confirmed that the third representative had initiated an investigation. The owner of the parent company admitted to the agency that he had obtained the couple's credit information without their consent through his company's subsidiary. He knew he had broken the rules. But he stated that the circumstances relating to his company's dispute with the wife over possible wrongdoing on her part had compelled him to take such action.
The credit grantor's standard contractual agreement with the agency stipulated that it could only order consumer credit reports for permissible purposes and that it must first obtain all consumer consents required under the applicable provincial credit reporting legislation. The agreement also stated that the agency could immediately terminate or suspend service if it reasonably believed that its client had breached any condition.
The agency did not terminate or suspend service to the offending credit grantor, but rather placed it on a year's probation. The agency assured the Office that this punitive measure would include audits and monitoring of the client's credit information applications. It also promised that further failure to comply would result in termination of the contract.
After completing its investigation, the agency did not inform the complainants of the results for some eight weeks. The agency notified the complainants that the unauthorized credit inquiries had been removed from their files because the client had been unable to prove a legitimate purpose or valid consent. The agency apologized to the complainants for any inconvenience caused.
On the matter of consent, we determined that the credit agency disclosed the couple's personal information without their consent. The issue we had to consider was whether the agency could reasonably be held responsible in the circumstances.
It was clear to us that the agency had not known that the complainants' knowledge and consent were lacking. It was also clear that the agency had presumed, on the basis of a contractual agreement, that the company's purpose was permissible and that consent had been obtained. Therefore, in our opinion, the agency's disclosure had been made in good faith and on reasonable presumption of consent, given the obligations set out in the contract, and thus did not in itself offend the Act.
However, when it came to the agency's investigation and the follow-up to its investigation, we were more critical. Under the Act, an organization must investigate all complaints it receives and take appropriate measures if the investigation shows the complaint to be justified. The agency had found the complaint to be justified and had eventually taken certain measures against its client, but the measures taken — notably, that of putting the client "on probation" — fell short of being appropriate for the following reasons:
- In the first place, the evidence strongly suggested that the measures against the credit grantor had been taken only at the Office's prompting.
- Secondly, it was reasonable that one immediate measure an organization should take at the end of its investigation was to inform the complainant of the results. It appeared, however, that the agency only notified the couple of the results after this Office suggested that it was the appropriate thing to do.
- Thirdly, and most importantly, the measures taken by the agency had not been appropriate in relation to the seriousness of the offence. The agency's agreement warned of "suspension" or "termination" of services for clients reasonably believed to be in breach, but the agency had imposed "probation." We did not believe that this sanction conveyed a strong enough message to the company that its actions were unacceptable. We noted that punitive measures regarding such privacy breaches should reflect due regard for the integrity of personal information in its care — and ideally should serve as a deterrent to further similar breaches.
We made the following recommendations:
- The agency should consider imposing and enforcing tougher penalties for client organizations in breach of contract relating to access to consumers' personal information. Penalties could begin with suspension of services, followed by a probationary period involving frequent and rigorous audits.
- The agency should develop and strictly apply a policy stipulating the timing and method of informing a complainant of the results of an internal complaint investigation.
The Office is currently following-up with the organization to ensure that recommendations have been implemented
USE OF SOCIAL INSURANCE NUMBERS
To SIN or not to SIN
A customer objected to a bank using social insurance numbers (SINs) to confirm the identity of credit card applicants with the credit bureaus. The complainant believed that the bank was doing this without properly informing applicants, and obtaining their consent. She also felt that the language of the credit card contract did not clearly indicate that customers had the option of not providing their SINs. Instead, she said the language left the impression that if you did not provide your SIN, you would not get the card.
The bank maintained that its purpose for using the SIN, which was to accurately match the credit history file of creditors was a legitimate one. The bank told us that providing the SIN for this purpose was optional. A customer could refuse to provide it, or ask the bank to remove it from its records.
Both the electronic and the hard copy versions of the application form included a statement about the SIN being used for identification purposes. But neither form mentioned that its provision was optional. In fact, both forms stated that all information must be provided, and that signing the form or clicking the appropriate box indicated agreement to all terms by the applicant.
Actions taken by the OPC
Since the bank had not made a reasonable effort to ensure that the customer was properly informed that providing a SIN was optional, we found that the bank was not obtaining valid, meaningful consent from applicants.
The bank acknowledged that the language on its forms was a problem, and agreed to make changes indicating that the provision of the SIN for credit history file matching purposes was optional. While we were pleased with the bank's undertaking, we stressed that the SIN is not a piece of identification and should not be used as such.
Use of SIN in the private sector
This complaint was representative of the many complaints our Office received in 2003 regarding the use of the SIN for identification purposes by private-sector organizations.
The legislated uses of the SIN have expanded since its creation in 1964 as a client account number in the administration of the Canada Pension Plan and various employment insurance programs. The federal government, in an effort to prevent the SIN from becoming a universal identifier, issued a policy limiting the collection and use of the SIN to specific acts, regulations and programs.
The following summarizes the extent to which the collection of SINs is permissible in the private sector:
- Employers are authorized to collect SINs from employees in order to provide them with records of employment and T-4 slips for income tax and Canada Pension Plan purposes.
- Organizations such as banks, credit unions, brokers and trust companies are required under the Income Tax Act to ask for customers' SINs for tax reporting purposes (e.g., interest earning accounts, RRSPs, etc.).
- No private-sector organization is legally authorized to request a customer's SIN for purposes other than income reporting. In the case of a financial institution, there is no legal requirement for the organization to collect the individual's SIN, and no obligation for the individual to supply it, if a customer's account is not of a type that earns interest (e.g., if it is a credit account as opposed to a savings account).
- There is no law prohibiting an organization from asking for a customer's SIN, or a customer from supplying the SIN, for purposes other than income reporting.
While there is no legislation that prevents organizations from asking for the SIN for other purposes, such as identification, organizations that are subject to PIPEDA must clearly indicate to the customer that provision of the SIN is optional and not a condition of service.
USE OF WEB MONITORING TOOLS
The way the "cookie" crumbled
An individual was unhappy with one organization's Web site. He told us that he was unable to access the site because he had configured his browser to disable "cookies." He also claimed that the company's Web site was collecting the personal information of visitors without their knowledge and consent because it did not inform visitors that it placed a cookie on their computers' hard drives.
The organization used both permanent and temporary cookies on its Web site. Cookies collect and store a variety of information. Permanent cookies are stored indefinitely on a user's hard drive unless manually deleted, while temporary cookies are automatically deleted from the user's browser upon logging off a site. Web browsers typically allow users to disable permanent or temporary cookies. The complainant, who had disabled permanent cookies, was unable to proceed through the site in question because it was coded in such a way that it would not let him in until a cookie had been stored on his computer. The company acknowledged that this was caused by an "application glitch" and took steps to ensure that visitors who had programmed their computers to refuse permanent cookies could still use the site.
Actions taken by the OPC
EMPLOYEE MEDICAL INFORMATION
The Personal Information Protection and Electronic Documents Act applies to the personal, including medical, information of employees in federal works, undertakings, or businesses. In 2003, the Commissioner received a number of complaints from employees alleging that their employers were collecting too much medical information or inappropriately disclosing it. The following are summaries of some notable cases. Also included at the end is an overview of our Office's position to date.
Diagnosis: Too much information
Several employees of a company complained when their employer required them to provide medical diagnoses for sick leave. These individuals had exceeded the number of days allowed every year for uncertified sick leave, or had what their employer considered a suspicious leave pattern.
The complainants had no problem with their employer asking whether or not they were under a doctor's care, what if any restrictions they might have, and whether they were taking any medications that might affect their ability to work safely. What they did not like was their employer forcing them to provide a diagnosis of their illness to justify their sick leave.
The company countered that it needed the diagnosis information for two purposes. One reason involved "at risk" employees. These individuals work in safety-sensitive positions, often in isolation, with long shifts, and physically demanding duties. The company maintained that an employee's physician may not be aware of the employee's job requirements. It believed the company's health and safety officer would be in a better position to judge if it was safe for the employee to return to duty. However, the company could not provide any evidence that it routinely used diagnostic information for such a purpose. Indeed, in one case, it allowed an "at-risk" employee to return to duty even though his doctor had not provided the company with a diagnosis.
The other reason for requiring a medical diagnosis concerned "suspicious absences." An absence was considered suspect if taken immediately prior to or following vacation leave or during a period when the company had previously refused time off. If the company found the absence questionable, it reserved the right to demand a medical certificate with a diagnosis from the employee.
Following discussions with the Office, the employer decided it would no longer require employees to submit a diagnosis for suspicious absences and to re-examine the requirement for diagnoses in respect of "at risk" employees.
Actions taken by the OPC
In our determinations, we commented that while it was appropriate and reasonable for the employer to require medical certificates when the employees' absences exceeded the allowable limit for uncertified sick leave, a medical certificate without a diagnosis should have been sufficient. As the employer ultimately acknowledged, it was not necessary to require employees to provide diagnostic information in cases of suspicious absences.
In our opinion, the company did not satisfactorily demonstrate the need to inquire into the nature of the illness to ensure the complainants' fitness to resume regular duties or to otherwise accommodate their return to the workplace.
Indeed, in the circumstances of these complaints, namely, where the employees had exceeded their allotted annual uncertified sick leave or their absence was suspect, we found it unnecessary and inappropriate for the company to have demanded this information. We therefore concluded that the complaints were well-founded.
We recommended that the company drop its requirement for mandatory inclusion of diagnoses in the medical certifications of employees designated "at risk" and limit its collection of employees' diagnostic information to cases of clear necessity in the fulfillment of legitimate purposes. We also recommended that the company amend its sick leave policy accordingly.
Finally, we recommended that the organization review its decision to deny medical leave to individuals who refused to provide a medical diagnosis when they had exceeded their allotted annual uncertified sick leave.
The Office is currently following-up with the organization to ensure that recommendations have been implemented.
Diagnosis: Purposes reasonable
The need for diagnostic information, and to whom medical information is disclosed, were the subjects of complaints made by an individual against her former employer.
At the start of an extended sick leave, the complainant submitted a completed medical form to her employer containing a specific diagnosis from her doctor. Although she provided this information, she objected to the requirement for the diagnosis. She believed that her employer should be content with a general description, such as "illness," "injury," or "work-related."
To her surprise, a few months after submitting the form, the complainant received a letter from the provincial Workers' Compensation Board, rejecting her claim for compensation for lack of evidence. The Board determined that her disablement was not work-related. The letter referred to information that a WCB adjudicator had received from the complainant's employer. The complainant had not made a direct claim from the WCB, and believed that the information given by her employer was not relevant to the actual disability. She therefore believed that her employer's disclosures, made without her knowledge and consent, were inappropriate and unjustified.
The investigation established that her employer notified the WCB of an alleged work-related disablement and initiated a claim for compensation on the complainant's behalf. A WCB adjudicator obtained a copy of the complainant's original medical form and questioned the employer regarding the disablement. The employer's representative, a human resources coordinator, confirmed that the complainant had previously missed work for a similar reason. She stated that she believed the previous absence had been due to personal, not work-related, reasons. She could not say, however, whether the current absence was work-related or not.
Regarding the collection of medical information, the company contended that its request for specific diagnoses was necessary to manage both a short- and long-term disability plan for employees. Eligibility for benefits under the long-term plan is determined on the basis of short-term benefits drawn over a certain number of days for the same disablement.
The employer noted that its purposes for collecting the information are identified on its short-term disability policy and on its medical form. It maintained that the collection of information was limited to what was necessary for these identified purposes. Furthermore, the company noted that since the medical form contains a consent statement and is signed by the employee, employee consent is being obtained.
As for the disclosures to the WCB, the company pointed out that these were not only appropriate, but required by provincial workers' compensation legislation to which the company is subject. The legislation requires that subscribers immediately notify the WCB of any work-related disablement or allegation of such. It also authorizes the WCB to make inquiries about claims and obligates subscribers to respond to such inquiries.
Actions taken by the OPC
We determined that the company's purposes for collecting diagnostic information, namely, to manage the disability program for employees, were reasonable and legitimate. We also found that these purposes were appropriately identified, that the collection was limited to what was necessary for the fulfillment of the purposes, and that the individual's consent was obtained.
With respect to the disclosure, which was clearly done without the complainant's knowledge or consent, we determined that the disclosures in question had been required by legislation and therefore allowed under a paragraph in PIPEDA that provides for disclosure without knowledge or consent if it is required by law.
We concluded that these complaints were not well-founded. Nevertheless, during the investigation, it was noted that the company lacked policy, procedures, guidelines, and staff training materials relating to employee information. It was therefore recommended that the company implement appropriate polices and practices, specific to the handling of employee personal information, in accordance with the accountability principles set out in PIPEDA.
Diagnosis: Reasonable in the circumstances
An employee who wanted to be accommodated in another position for medical reasons felt that his employer was attempting to collect too much information from him. When he went on leave, his employer asked him to authorize his doctor to fill out a form indicating his prognosis, limitations, treatments and abilities. The doctor provided a diagnosis and information about treatment, but did not fill out the portion concerning limitations or abilities. The doctor provided three similar reports over a period of time, all indicating that the prognosis was unknown.
Eventually, the doctor cleared the complainant to return to work on a part-time basis. The doctor supported the complainant's request that he be transferred to a different work environment. The complainant wanted operational duties, as opposed to office ones.
But the company had not received a request from him to this effect. So the occupational health services nurse asked the doctor for more information about the medical condition. She also wanted to know whether the complainant was able to do physical work since he had been injured some years prior, which had resulted in him being transferred to an office job.
The complainant then made a formal request for a transfer on medical grounds. The company wanted additional medical information. It also indicated that an independent medical evaluation might be required. When the company refused the complainant's request, his doctor wrote to the employer in support of the complainant. The company replied that it wanted to consult a specialist before reconsidering the request. The complainant and his union objected, arguing that the company should accept the medical evaluations of the complainant's physician. In the end, the complainant returned to his desk job.
The company had a formal policy on extended sick leave. Under this policy, the employee was requested to sign a consent form authorizing the physician to disclose medical information related to the employee's illness to the company's occupational health professionals and to discuss the matter directly with them. The form contained the purposes for collecting the information — namely, consideration for eligibility benefits and establishment of fitness to work. The form asked for information about the employee's medical condition, treatment and prognosis, including diagnosis.
The company's occupational health services staff were the only employees to see this information. They were bound by their respective codes of conduct to maintain confidentiality. They provided managers only with information relating to the abilities and limitations of the employee. Detailed information about the company's policy was available to all employees via the company intranet and in a brochure.
The company also had policies and procedures in place to safeguard employee medical information. Such information was kept in a file separate from the personnel file, and stored in secure areas. Computerized information was also protected.
Actions taken by the OPC
We determined that, in light of the company's liability to continue paying the complainant during the first six months of his absence and its obligations under Canadian human rights legislation to accommodate employees with disabilities, the purposes for collecting diagnoses were legitimate and appropriate.
In considering how well the company limited its collection of personal information, we noted that the guidelines of the Canadian Human Rights Commission indicate that an employer has the right under the Canadian Human Rights Act to seek enough information to determine if it has an obligation to accommodate an individual with a disability and that this may involve consultation with a medical specialist. We were satisfied that the medical documentation that the employer was seeking was clearly linked to the company's obligations to accommodate the complainant and was not excessive.
We were also satisfied that the company had appropriate policies and procedures in place that outlined the purposes for collecting health information, how it is handled and by whom, and the respective roles of the employer, employee and the health services department. This information was also made available to employees in a variety of formats, thus satisfying the company's obligations under PIPEDA to not collect personal information indiscriminately, and to specify the type of information collected as part of their information-handling polices and practices.
We therefore concluded that this complaint was not well-founded.
Summary of the Office's position to date on employee medical information
Employers collect employee medical information for a number of reasons. Such reasons must be appropriate and legitimate in the circumstances and must be clearly identified. The information collected must be limited to these purposes.
By far, the most contentious issue raised by employees in past year was the requirement to provide diagnoses. In cases where diagnostic information was sought, our Office recognized that an employer may need to collect such information in certain limited circumstances. Thus far, we acknowledge that it may be needed to determine an employee's fitness to work and to accommodate an employee with a disability. It may also be required to determine an employee's eligibility for benefits. The Office, however, did not consider it reasonable to require a diagnosis in the case of suspicious absences or when an employee had exhausted uncertified sick leave.
The Office was clear that employee medical information, especially diagnostic information, must be handled with strict safeguards in place. Specifically, medical information must be kept separate from the employee's personnel file, in a secure location. Where diagnostic information is provided, it should only be handled by qualified medical personnel, not human resources specialists. Managers should only be provided with limited information, such as the expected date of return. Supervisors do not generally need, as a matter of course, the specifics of the employee's illness.
Such measures, of course, speak to the need for clear policies and procedures. Under PIPEDA, organizations are required to establish and make available policies and procedures for the handling of personal information in their care.
It should also be noted that there may be other pieces of legislation, such as labour law, workers' compensation, or human rights laws, that have a bearing on the amount of information collected, used or disclosed by the employer.
The bottom line? Organizations must ensure that they:
- only collect employee medical information for reasonable purposes;
- identify these purposes;
- obtain meaningful consent; and
- limit their collection, use, and disclosure practices to these purposes.
Top of PageTable of ContentsIncidents under PIPEDA
The Office also conducted thirteen incident investigations. Incidents are matters that this Office learns of from various sources including the media and organizations which have themselves identified a problem. Usually a victim is not identified and a complaint has not been filed with the Office.
Through media reports, our Office learned that police had found the financial records of bank customers in a suspect's apartment. The man allegedly obtained the documents from dumpsters at branches of three banks.
Representatives from the three banks retrieved the documents, and analyzed them with a view to determining their origin, identifying affected customers, and taking the appropriate corrective action.
The first bank identified the personal information of 40 customers from seven branches. It determined that the documents were likely retrieved from the garbage. While the bank has a policy with regard to the destruction of personal information, garbage disposal arrangements vary from branch to branch. Some branches contract an outside shredding service, while others require staff to physically destroy documents, either by shredding or manually ripping up, before disposal.
The bank checked the accounts, and notified all affected customers by telephone that no unusual activity had been detected. It committed to continue monitoring their account activity and asked the affected customers to do the same. The bank also gave customers the option of closing their existing accounts and opening new ones. The bank reissued its policy and procedures on the disposal of personal information, and branches were advised to reiterate the policy and procedures to staff. The bank is considering a nation-wide supplier program for locked bins and regular destruction of confidential documents.
With respect to the second bank involved, the personal information of 44 customers was retrieved. The bank concluded that the documents were taken from internal and external garbage bins as well as internal recycling and shredding receptacles. Branches have receptacles at each desk and teller wicket, which are emptied into a confidential shredding bin on a daily basis.
The bank contacted all affected customers by telephone and in writing, informing them about the ongoing police investigation. The bank offered specific advice and extra protection according to the level of risk for identity theft that their situation presented. It also advised them to monitor their accounts for unusual activity, report any missing mail, and properly safeguard their financial records. The bank issued a reminder to branch staff in the affected region regarding the proper garbage disposal policies. The policy is to be reviewed by branch staff monthly. In addition, customer garbage receptacles have been removed and only built-in wall receptacles will be used.
With respect to the third bank, 575 customers in the area were affected. Four reports were recovered that contained multiple customer names, accounting for 438 of these customers. The personal information of the remaining customers was found in a variety of documents that pertained to individual customers.
The bank believed that some of the documents were taken from the garbage as they were soiled or manually shredded. Other documents were in good condition, and the bank was unable to conclusively determine whether they came from the garbage or whether the suspect stole them from shredding boxes inside the branch. These boxes are unlocked and located close to financial and business advisor workstations.
The affected customers were grouped according to whether the information disclosed about them placed them at higher, moderate or lower risk of identity theft and fraud. Branch representatives contacted customers by telephone and told them what specific information had been disclosed. The bank invited customers in the higher and moderate risk categories to meet with a branch representative in order to review their accounts for unusual activity and open new accounts. The bank also advised them to contact their credit bureaus or HRDC if a document containing their SIN was disclosed to mitigate the risk. The bank told all customers to monitor their account activity.
The bank reviewed proper procedures with the managers of the four affected branches. It also commissioned a working group to review branch procedures and practices for the destruction of confidential records and to recommend any required changes.
This incident yielded no complaints to our Office from affected individuals.
Bank computers containing client personal information sold
The media reported on a story about a computer re-seller who had purchased two computers from a bank and then posted them on an online auction site only to discover that the computers contained the personal financial information of the bank's customers. He subsequently contacted the bank.
It turned out that when the re-seller had gone to collect the computers he had bought, an employee of the company contracted to wipe off and dispose of the bank's computer equipment inadvertently took the two computers from a pallet of servers that had not yet been cleaned.
The bank identified 350 customers whose personal information was on one or both of the computers. A variety of personal financial information was found. The bank contacted the affected customers by telephone and participated in news media interviews to convey its message that the situation was under control and that customer accounts were secure. The bank also audited the contractor involved and identified a number of gaps. The bank reviewed the disposal process and drafted a new disposal guideline.
Our Office received no complaints from affected individuals regarding this incident.
The Office responds to thousands of inquiries from the general public and organizations seeking advice and assistance on issues about privacy in the private sector.
The majority of calls and correspondence during the last half of 2003 concerning PIPEDA were from businesses, large and small, that required guidance in gearing up for the implementation of the Act on January 1, 2004.
We also heard from individuals who called or wrote to express dissatisfaction with organizations, claiming that they either mismanaged their personal information in some way, refused them access to or corrections of their personal information, or did not have appropriate safeguards to protect personal information.
(January 1 to December 31, 2003)
|Telephone inquiries received||9,288|
|Written inquiries received (letter, e-mail and fax)||4,134|
|Total number of inquiries received||13,422|
Top of PageTable of ContentsPrivacy Practices and Reviews
Audits and Compliance Reviews under the Personal Information and Electronics Document Act (PIPEDA)
The Office's mandate to conduct audits of private sector organizations is derived from section 18(1) of PIPEDA. The Personal Information Protection and Electronic Documents Act (PIPEDA) enables the Commissioner to audit the compliance of private sector organizations if there are reasonable grounds to believe they are in contravention of the Act. Under PIPEDA the Commissioner may only undertake such an audit where there are "reasonable grounds" to believe that an organization is contravening a provision of the Act.
To date, no compliance audit of a private sector organization has been undertaken by the Office pursuant to section 18(1) of PIPEDA. Such evidence of non-compliance with PIPEDA that has come to the Office's attention has been through complaints and inquiries. Most of the compliance issues brought to our attention deal with discrete incidents that lend themselves to remedy within the framework of the complaint and inquiry processes.
That said, in the upcoming year our Office plans to review completed investigations under PIPEDA to follow-up on those well-founded complaints where remedial action was recommended. The aim of this exercise will be to determine whether recommendations made by the Commissioner are being adopted. It is expected that this will be accomplished through correspondence. The Office will conduct further inquiries where there is evidence of non-compliance.
Top of PageTable of ContentsIn the Courts
Under section 14 of the Personal Information Protection and Electronic Documents Act (PIPEDA), an individual complainant has a right, following the Commissioner's investigation and report, to apply to the Federal Court of Canada for a hearing in respect of any matter referred to in the Commissioner's report. These matters must be among those clauses and sections of PIPEDA listed in section 14. Under section 14 the Commissioner may also apply directly to the Federal Court in respect of a Commissioner-initiated complaint.
Section 15 of the Act also allows the Commissioner to apply to appear in Federal Court in the circumstances described below. The Commissioner may, with the consent of the complainant, apply directly to the court for a hearing in respect of any matter covered by section 14; appear before the Court on behalf of any complainant who has applied for a hearing under section 14; or, with the leave of the Court, appear as a party to any section 14 hearing.
Between January 1, 2001 and December 31, 2003 there were 20 Applications filed in Federal Court in relation to PIPEDA. The majority of these were discontinued, dismissed or settled prior to any pronouncement by the Court. Following are a selection of PIPEDA applications which raised issues of interest.
Mathew Englander v. Telus Communications Inc. and Privacy Commissioner of Canada
Federal Court Files No. T-1717-01 and A-388-03
Mr. Englander argued that Telus uses and discloses customers' names, addresses and telephone numbers in its white pages directories and otherwise, without customers' knowledge and consent, as well as inappropriately charging customers for choosing to have their telephone number "non-published". He claimed that these actions by Telus contravene subsections 5(1) and (3) of the Act, as well as several clauses of Schedule 1 of the Act.
On the question of consent, the Commissioner found that the company did obtain valid consent through implication and was in compliance with the regulations regarding publicly available information. He focused on the company's questioning of customers regarding how their information should appear in the white-pages directory and determined that the question itself implied the eventual appearance of the information in publicly available directories. Since information subsequently published in other formats merely reflects what is published in the white pages directory, it too is considered publicly-available information for purposes of the regulations under the Act and may be collected, used or disclosed without consent.
As to charging fees for the non-publication of customers' information, the Commissioner noted CRTC Telecom Order 98-109, which states that telecommunications companies can charge no more than $2.00 per month for non-published telephone service. He determined therefore that the company in question did have the authority to charge its monthly fee of $2.00 for non-publication, and that doing so was not unreasonable.
The Privacy Commissioner was granted leave to intervene in the appeal on the issues that: (1) according deference to the finding of the Privacy Commissioner and (2) the jurisdiction of the CRTC to make privacy related Orders does not restrict the Federal Court's jurisdiction under PIPEDA.
This was the first application for judicial review to be filed in the Federal Court under PIPEDA. The Application was dismissed in June 2003 at the Federal Court level.
Mr. Englander filed an appeal in the Federal Court of Appeal on 28 August 2003. No hearing date has yet been set.
Ronald G. Maheu v. IMS Health Canada et al.
Federal Court Files No. T-1967-01 and A-31-03
Mr. Maheu complained that IMS Health Canada was improperly disclosing personal information by selling data on physicians' prescribing patterns without the consent of the physicians.
The Commissioner focused on the question of whether the information was personal information within the meaning, scope and purpose of PIPEDA and found that "personal information" is not so broad as to encompass all information associated with an individual. Based on this interpretation, the Commissioner found that prescription information, whether in the form of an individual prescription or in the form of patterns discerned from many prescriptions, is not personal information about a physician. Instead, he conceptualized this information as being about the professional process that led to the issuance of the prescription and concluded it must therefore be understood as work product.
The Commissioner submitted written arguments on the original Application. These arguments focused only on according deference to the Privacy Commissioner and took no position as to the appropriate outcome on the facts.
The Commissioner was also involved with the procedural appeal, appearing in order to assist the Court with respect to the proper interpretation of PIPEDA. The Commissioner explained that an individual may file a complaint concerning an organization's information practices regardless of whether that organization collects, uses or discloses personal information about the individual complainant.
Mr. Maheu applied for a hearing in the Federal Court in November 2001.
IMS brought a motion seeking either to strike out the Application on the grounds that it was brought for an improper purpose or to have Mr. Maheu post security for costs. The Court ordered Mr. Maheu to post security for costs in the amount of $12,000 and noted that there appeared to be reason to believe that Mr. Maheu was using the Act for a collateral and improper purpose given that his own personal information was not at issue. The Federal Court granted Mr. Maheu's appeal of this Order in January 2003. This decision was appealed in turn by IMS but after a hearing in November 2003 that appeal was dismissed.
The original Application in the Trial Division was discontinued in March 2004 as part of a settlement reached between Mr. Maheu and IMS.
Diane L'Écuyer v. Aéroports de Montréal and Privacy Commissioner of Canada
Federal Court Files No. T-2228-01 and A-259-03
Madame L'Écuyer had submitted requests for access to information held by her employer. The employer refused her requests by letter, and copied the letter to three other persons — two union representatives and the coordinator of employee relations at the airport. Accordingly, she filed a complaint that her employer had, without her consent, disclosed her personal information to third parties.
Regarding the disclosure to the union representatives, the Privacy Commissioner was of the opinion that there could be implied consent for the employer to copy those parties only if the complainant had indicated that they had been copied on the original access requests. The Commissioner found that in this case no such implied consent existed, and that a reasonable person would have considered the disclosure to the union representatives to be unacceptable.
As for the employee relations coordinator, the Commissioner took note of the direct involvement of the individual in these access requests and therefore determined that it had been appropriate for the employer to inform him of its decision to refuse access. This portion of the complaint was therefore considered to be not well founded.
The Commissioner applied for and was granted leave to intervene in the appeal. In November 2003 the Commissioner submitted a factum arguing that: (1) both the Commissioner and the Court have the jurisdiction to consider privacy issues notwithstanding the fact that they are work-related; and (2) while implied consent may be appropriate in some union-involved complaints, it was not in this one and therefore the consent of the Applicant to the use and disclosure of her personal information was required.
Madame L'Écuyer filed her original Application in Federal Court in December 2001 asking that the organization correct its practices to conform with PIPEDA. The Privacy Commissioner was not involved in this Application. In May 2003 a decision was released, with the Court finding that the issue arose from the administration of a collective agreement and therefore was not within the jurisdiction of the Court or the Privacy Commissioner.
Madame L'Écuyer filed an appeal on 5 June 2003. The appeal was heard in June 2004 and was dismissed on the facts. The Court confirmed the trial finding the Mme. L'Écuyer had consented, at least implicitly, to the disclosure in question. The Court found it unnecessary to address the jurisdictional aspects of the appeal.
Privacy Commissioner of Canada v. Aéroports de Montréal
Federal Court File T-336-02
An employee of an airport filed two separate complaints to the effect that her employer had refused several requests she had made for access to her personal information. In refusing access, the airport management cited two exceptions provided under PIPEDA, specifically s. 9(3)(a) solicitor client privilege and s. 9(3)(d) information generated in the course of a dispute resolution process.
With regard to s. 9(3)(a), the Commissioner noted that the complainant had not requested access to any lawyer's file, but rather to documents related to complaints and disciplinary measures concerning herself. He determined that the airport management had not been justified in invoking solicitor-client privilege to protect the information simply on the grounds that it had been gathered to respond to complaints and grievances or that lawyers had been consulted on the various files.
With regard to s. 9(3)(d), the Commissioner noted that the purpose of this exception is not to protect information gathered in the course of administrative processes for resolving complaints or grievances. In the Commissioner's view, a formal dispute resolution process implies the desire of parties to meet for the purpose of negotiating a resolution acceptable to each, which was not the case with the parties in question. Hence, he did not accept the employer's interpretation that the process was one of formal dispute resolution or that the information at issue had been gathered strictly for that purpose. He determined that the employer had been wrong in applying section 9(3)(d) to refuse the complainant access to her personal information.
When airport management persisted with their refusal to provide access even after the Commissioner's report was issued, the Privacy Commissioner obtained the complainant's consent as required by s. 15 of PIPEDA and filed an Application in Federal Court.
The Aéroports, in the course of litigation, agreed with the Privacy Commissioner that the individual should be granted access to her personal information and released to the complainant all the available information to which she was entitled under PIPEDA. Accordingly, the Commissioner discontinued the Application in April of 2002.
Erwin Eastmond v. Canadian Pacific Railway and Privacy Commissioner of Canada
Federal Court File No. T-309-03
Mr. Eastmond complained that his employer was collecting the personal information of employees without their consent. Specifically, he was concerned that digital video recording cameras installed at the company yard could collect personal information of employees.
In making his determination, the Privacy Commissioner applied s. 5(3) and explained that when using this section one must consider both the appropriateness of the organization's purposes for collection and the circumstances surrounding those purposes. To that end, he fashioned a four-point test for assessing reasonableness, namely: (1) is the measure demonstrably necessary to meet a specific need? (2) Is it likely to be effective in meeting that need? (3) Is the loss of privacy proportional to the benefit gained? and (4) Is there a less privacy-invasive way of achieving the same end? Considering the company's stated purposes against this backdrop, the Privacy Commissioner did not believe that a reasonable person would consider these circumstances to warrant such an intrusive measure as digital video surveillance. As such, he concluded that the company's use of this type of surveillance for their stated purposes was not appropriate and that the company had contravened s. 5(3) of PIPEDA.
The Privacy Commissioner was added as a party pursuant to s. 15(c) of PIPEDA, however she took no position as to the appropriate outcome on the merits. Instead, she argued that the Court should accord some deference to the expertise of the Privacy Commissioner and should adopt the four-point test to determine the appropriateness of the collection of the information by CP Rail. A supplementary factum was filed in December 2003 addressing both the Privacy Commissioner and Court's jurisdiction over the issues, notwithstanding that they arose in a collective bargaining employment situation.
Mr. Eastmond filed an Application in Federal Court in February 2003. Among other things, the Application requested that the Privacy Commissioner send a certified copy of the Commissioner's Record of investigation to the Applicant and to the Registry. Upon objection on behalf of the Privacy Commissioner to this request, the Court decided in June 2003 that the Federal Court Rules do not allow an Applicant to request material in the possession of the Privacy Commissioner.
The Application was heard in April 2004 and on 11 June 2004 the court released its decision. On the question of jurisdiction, the Court found that the Privacy Commissioner did have jurisdiction, the essence of this dispute did not arise from the collective agreement, and that it was not Parliament's intention to exclude unionized workers from the scope of PIPEDA. On the question of deference it was established that although this was a proceeding de novo, the Privacy Commissioner was entitled to a degree of deference in light of her expertise. Finally, the court adopted the Commissioner's four-point test for s. 5(3), with the caveat that the specific factors considered in this case might not be appropriate in all cases. Using that test, the court concluded that a reasonable person would consider the organization's purposes for collecting the images through the medium of a digital video camera to be appropriate in the circumstances, and therefore that CP Rail had not contravened PIPEDA.
Robert Lavigne v. Canadian Union of Postal Workers
Federal Court File No. T-500-03
After determining that day and month of birth was being used as a seniority "tie-breaker", Mr. Lavigne complained that CUPW was using his personal information in a way that was inconsistent with the purposes for which the information was originally collected. The Office determined that it did not have jurisdiction to accept Mr. Lavigne's complaint because CUPW was neither a federal work, undertaking or business nor was there disclosure across borders for consideration.
The Privacy Commissioner was not formally involved in the proceeding. However, the Application raised interesting procedural issues about what constituted a "complaint" for the purposes of s. 13 and 14.
Although no complaint was accepted and no Commissioner's report issued, Mr. Lavigne filed a section 14 Application in Court, asking the Court to rule on the merits of the complaint and seeking damages from CUPW. CUPW brought a motion to strike the Application while Mr. Lavigne sought leave to convert the Application into an action. The Federal Court granted CUPW's motion and the Application was struck in August 2003 with costs to the Respondent.
Yukon Hospital Corporation v. Privacy Commissioner of Canada
Federal Court File T-1451-03
The Office of the Privacy Commissioner received a complaint from an employee alleging that the Whitehorse General Hospital had refused a request for access to her personal information in its possession. The Hospital was accordingly notified that a complaint had been received and that an investigation was being commenced.
The Hospital took the position that in order for PIPEDA to apply, the hospital must either engage in commercial activities or operate a federal work, undertaking or business. It was their opinion that neither of these applied, and therefore that the hospital was not subject to PIPEDA. In contrast, the Commissioner took the position that intra-territorial enterprises in the three territories fall within the definition of "federal work, undertaking or business" by virtue of s. 2(1) definition of "federal work, undertaking or business", specifically subsection (i) "outside the exclusive legislative authority of the legislatures of the provinces" and thus that employees of organizations such as the Whitehorse General Hospital fall within the jurisdiction of PIPEDA. As such, the Office intended to continue with its statutorily mandated investigation.
The Commissioner was required to respond to the judicial review application directed at the Office's assertion of jurisdiction.
The Hospital filed an Application under s. 18.1 of the Federal Court Act, requesting judicial review of the Privacy Commissioner's decision that the Whitehorse General Hospital was subject to PIPEDA and the subsequent decision to proceed with an investigation.
Ultimately, the complainant reached a settlement with the Hospital, part of which was the withdrawal of her complaints to the Office of the Privacy Commissioner. When her complaints were withdrawn, the Application for judicial review was formally discontinued in February 2004.
Blood Tribe Department of Health v. Privacy Commissioner of Canada
Federal Court File No. T-2222-03
A complaint was filed with the Office of the Privacy Commissioner alleging (among other things) that the Blood Tribe Department of Health denied an individual access to her personal information and did not provide reasons for the denial. Although the Commissioner needs access to all documents in order to ensure that exemptions claimed have been properly applied and to guard against abuse, in the course of the investigation, the Blood Tribe Department of Health refused to provide the Privacy Commissioner with access to solicitor-client privileged documents. As a result of the refusal, the Office of the Privacy Commissioner issued an Order for the production of records pursuant to sections 12(1)(a) and (c) of PIPEDA.
The Commissioner was required to respond to the judicial review application directed at the Office's assertion of jurisdiction.
The Blood Tribe Department of Health filed an Application for judicial review, under s. 18.1 of the Federal Court Act, of the decision of the Office to issue the Order for production. The Application was filed in Federal Court in October 2003 but incorrectly named the Respondent. The Notice of Application has been amended and was properly served on 3 June 2004. The Application is now progressing normally.
Canada (Attorney General) v. Canada (Information Commissioner), 2004 FC 431,  F.C.J. No. 524
Although the Privacy Commissioner was not involved in the following proceedings, this was an important decision for the Office given that both the Information and Privacy Commissioners have the same investigative powers set out under their parallel Acts.
In March 2004 the Federal Court dismissed 25 applications for judicial review which had been filed by the government in an attempt to limit the investigative powers of the Information Commissioner.
The government had challenged the Information Commissioner's authority to investigate, arguing that the Prime Minister's Office and Ministerial offices are separate and distinct from the Privy Council Office or a Minister's department. The Court found that it was premature to rule on whether the records were subject to the Act and that the Commissioner should have been allowed to complete his investigation and report before such issues were raised. In so finding, the Court recognized the importance of the Commissioner's investigative role and independent review where rights of access are in dispute.
The government has appealed only one narrow legal point of the ruling dealing with whether the Information Commissioner has the right to see a legal memorandum.