Company accused of failing to safeguard information of online contest entrants

PIPEDA Case Summary #2002-52

[Principle 4.5.2, 4.5.3, 4.7, and 4.7.1, Schedule 1]

Complaint

An individual complained that a company was not using appropriate security safeguards to protect information collected from participants in online contests.

Summary of Investigation

Several participants in online contests run by the company in question received telephone calls from a person or persons falsely claiming to represent the company. In an internal investigation, the company could not determine exactly how unauthorized persons had obtained personal information collected from contest entrants, but believed it possible that the computer database in which the information was stored might have been compromised. An inspection by an outside firm could not confirm how or even whether the database had been compromised, but did give rise to several recommendations towards improving the company's informational security. The company has adopted all recommendations and has taken specific measures to physically secure contest participants' personal information from unauthorized access.

At the time of the complaint, the company had no policies for the retention and disposal of personal information. On the advice of the Commissioner's Office, the company has also agreed to implement such policies.

Commissioner's Findings

Issued June 13, 2002

Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because the company was a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.5.2 states that organizations should develop guidelines and implement procedures regarding personal information retention, including minimum and maximum retention periods. Principle 4.5.3 states that personal information no longer required to fulfil identified purposes should be destroyed, erased, or made anonymous and that organizations must develop guidelines and implement procedures to that end. Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 states that the security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.

The Commissioner noted that the fact of unauthorized access was undisputed, even if the fact of a compromised database could not be established for certain. Regardless of how the unauthorized access might have occurred in the circumstances, he had no doubt that the company previously had not had appropriate safeguards in place for protecting contest participants' personal information. He found therefore that the company had failed to meet its obligations under Principles 4.7 and 4.7.1.

The Commissioner also determined that the company had not previously had retention and deletion policies in place. He found therefore that the company had failed to meet its obligations under Principles 4.5.2 and 4.5.3.

The Commissioner concluded that the complaint was well-founded.

Further Considerations

In his letter of findings, the Commissioner was pleased to note that the company had meanwhile taken appropriate steps to bring its policies and practices into compliance with the relevant provisions of the Act.