Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2005-304

Movie theatre chain strengthens personal information handling practices

(Principles 4.1, 4.1.4(c), 4.3.2, 4.3.3, 4.5, 4.5.2, 4.7, 4.8, 4.8.1 of Schedule 1)

Complaints

An individual made several allegations against a movie theatre chain over its handling of personal information of customers who use its viewer assist equipment. Specifically, the complainant alleged:

  1. that the company was unnecessarily collecting and using the personal information of individuals who use the company’s viewer assist equipment;
  2. that it failed to safeguard the personal information collected;
  3. that the company’s staff were not conversant with their responsibilities under the Personal Information Protection and Electronic Documents Act (the Act); and
  4. that the organization was not open about its privacy policies.

Unable to resolve his concerns with the company directly, the complainant came to the Office.

Summary of Investigation

A number of years ago, the company installed equipment in its theatres to help disabled people view movies. The complainant, who is an advocate for disabled people and reviews captioned movies, was given a pass for free access to movies shown in the company’s theatres.

Collection and Use Complaint

The complainant stated that when he attended one of the company’s movie theatres and asked to be given accessibility equipment, he would be required to provide his name, address, and telephone number, in order to obtain the equipment. This information would then be recorded on a sheet of paper. At one theatre, he alleged that he was asked to fill in the information sheet himself. At some theatres, he was asked to provide identification, while at others, he was not.

He objected to supplying any type of information to obtain the equipment, and to providing identification in support of the information given. He was of the view that the organization should lend the equipment to patrons without collecting or using any personal information as the equipment cannot be used elsewhere and is relatively inexpensive. He also felt that the company was not being consistent in asking for identification.

The company stated that its policy is to ask persons using the equipment to provide their name, telephone number, and address. This information is then to be confirmed against some type of identification. The information on the piece of identification is not recorded, but only used to verify the individual’s name. According to the company, the information is collected to identify guests with custody of the equipment and is used to allow the company to follow up with the guest in the event that the equipment is returned damaged, or not at all, as well as to provide a disincentive to any mistreatment of the equipment. The company believed that this collection and use of personal information protects it against loss, damage or theft.

Safeguards Complaint

The complainant alleged that the information on the sheets was available to anyone filling out the sheet or having access to the clipboard that holds the sheets. In one instance, he noted that he was handed a loose leaf binder, which he could peruse. He was able to read the personal information of other persons who had signed in. He also noted that the desk where the binder was kept was left unattended.

In response, the company stated that normally personal information is recorded by an employee and that customers should not be completing their own sheets. As an interim measure, the company reminded its theatres and managers of the importance of privacy and security of guests’ personal information, and instructed them to have staff cover up any previous guest’s information.

The company is planning to implement a new procedure whereby the guest’s personal information is recorded on a separate sheet of paper. The type of identification used to verify the guest’s information will be recorded, but not the number. The sheet of paper will also describe the purposes for collecting the personal information, and will clarify that the piece of identification used to verify information is not to be kept by staff members during the guest’s visit.

The sheet of paper is to be retained by guest services behind the counter, inaccessible to other users, for the duration of the guest’s visit. Any subsequent guests that request the equipment are to be given a blank information sheet, and will therefore not have access to a previous user’s personal information.

Accountability Complaint

The complainant alleged that he had, on a number of occasions, asked theatre employees if they knew about privacy legislation. Many of them apparently told him that they had had no training. The complainant did acknowledge, however, that some were aware of the company’s privacy policy.

The company has a privacy policy in place, and the investigation determined that the complainant was aware of how to access it. As for staff training, the company sent its managers a package shortly before the full implementation of the Act which included:

  • A memorandum to all employees outlining the basic principles of the Act and the importance of compliance;
  • A copy of the privacy policy, with instructions to have copies available at all guest services counters in theatres, to be distributed on request. Managers were also told to inform guests that the policy was available on the company web site;
  • Contact information for the company privacy officer, including an e-mail address and toll-free number; and
  • Instructions to disseminate privacy compliance information to all staff.

The company’s privacy officer had also met with managers across the country to discuss privacy compliance issues. The company established a privacy compliance committee that meets regularly to discuss privacy issues that have arisen and to review and revise the company’s general practices and procedures to address those issues.

Openness Complaint

While the complainant acknowledged that information about the company’s privacy policy was available on the internet, he noted that many people do not have access to computers and thus cannot obtain the information. In his opinion, the company was hiding its privacy policy on an inaccessible web page.

The company indicated that it provides a paper copy of its privacy policy to those who do not have access to a computer. It notes that it is common practice to make such a policy available on an organization’s web site. Although the company could not determine whether paper copies were available during the complainant’s visits, it has instructed its managers to have copies of the policy printed and available at guest services counters.

Retention Complaint

During the investigation, the complainant also raised concerns about the length of time the organization was keeping the personal information it collects from accessibility equipment users. It appeared that different theatres had different retention schedules. The company has since reviewed its policies and determined that keeping the information was unnecessary as the information was only required until the equipment was returned. The company has a new policy in effect. When equipment is returned, the individual sheet of paper, or a torn-off portion containing the guest’s personal information, will be returned to the guest as a form of receipt. The company will not retain any of the guest’s personal information.

Findings

Issued June 7, 2005

Application:

  • Principle 4.1 states that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles;
  • Principle 4.1.4(c) stipulates that organizations shall implement policies and practices to give effect to the principles, including training staff and communicating to staff information about the organization’s policies and practices;
  • Principle 4.3.2 provides that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed;
  • Principle 4.3.3 stipulates that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes;
  • Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes;
  • Principle 4.5.2 suggests that organizations develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made;
  • Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information;
  • Principle 4.8 establishes that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information; and
  • Principle 4.8.1 indicates that organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization's policies and practices without unreasonable effort.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

Collection and Use

  • In answering the question of whether it was reasonable for the company to make the provision of personal information a condition for the supply of its accessibility equipment, the Assistant Commissioner considered the company’s purposes, namely, to ensure that it could follow up with a customer if the equipment was not returned or was damaged.
  • She considered it reasonable to want the items returned in working condition. To ensure that the customer is accountable, the company asked for the customer’s name, address and telephone number, as well as a piece of identification for verification purposes (the number is not recorded).
  • The Assistant Commissioner was satisfied that the company was not asking for more personal information than required to meet its legitimate purposes, and was therefore not contravening Principle 4.3.3.
  • The Assistant Commissioner also noted that a theatre employee had told the complainant the reason for the collection. On one occasion, by the complainant’s own admission, an employee told him that the information was required "because of all the money that had been spent on the equipment." The same employee also directed the complainant to the company’s web site for more detailed information.
  • The Assistant Commissioner felt that this constituted a reasonable effort to explain the purpose for the collection, and she therefore found the company in compliance with Principle 4.3.2.

The Assistant Commissioner concluded that the collection and use complaint was not well-founded.

Safeguards

  • The company admitted that, although its policy was that guest personal information should not be accessible to others, there may have been occasions where such information could have been obtained because it was not properly safeguarded, as required by Principle 4.7.
  • The company changed its procedures to protect personal information, which the Assistant Commissioner considered was sufficient and in keeping with Principle 4.7.

The Assistant Commissioner concluded that the safeguards complaint was resolved.

Accountability

  • The Assistant Commissioner noted that the company has a designated privacy person, who is accountable for the company’s compliance with the Act.
  • As for the complainant’s alleged difficulties in obtaining information about the company’s privacy policies from staff members, the Assistant Commissioner recognized that the company employs relatively young people and that staff turnover is high.
  • Nevertheless, the Assistant Commissioner agreed with the company that its employees should be able to state the reason for the collection of customer personal information and should be able to provide individuals with information on how to obtain the company’s privacy policy.
  • Recognizing that this was an area of weakness, the company took steps to improve employee privacy education and managers’ knowledge of their privacy responsibilities.

The Assistant Commissioner therefore concluded that the accountability complaint was resolved.

Openness

  • As for making its policies and practices readily available, the company did direct the complainant to its web site for more information. It stated that it would also have supplied the policy by other means. The company will have a copy of the policy on site, and will continue to make it available in an alternative format if requested.
  • On the whole, the Assistant Commissioner found that the company was meeting its obligations under Principles 4.8 and 4.8.1.

She thus concluded that the openness complaint was not well-founded.

Retention

  • As there was evidence that different theatres had different retention schedules for customer personal information, the Assistant Commissioner found that the company was keeping information unnecessarily, contrary to Principles 4.5 and 4.5.2.
  • However, the company has since implemented a new policy and will no longer retain any personal information once the borrowed equipment has been returned, and will give the sheet containing the information back to the customer.

The Assistant Commissioner therefore concluded that the retention complaint was resolved.