Telecommunications company asked to adopt consistent retention practices
PIPEDA Case Summary #2002-73
[Principles 4.6 and 4.9, Schedule 1; sections 7(1)(b), 8(7), 9(3)(c.1) and 9(5)]
A former employee complained that a telecommunications company had refused him access to all of the information in his personnel file, and to the file pertaining to an internal investigation that the company had conducted in his regard. He also alleged that his personnel file was not complete and up to date.
Summary of Investigation
The complainant, a former customer service representative with the company, had been dismissed for cause following an internal investigation. He put in a written request for access to the investigation file and his personnel file. The company did subsequently disclose 93 pages of documentation, but denied him access to the investigation file. The company did not inform him of its reasons for refusing him access to the investigation file or of any recourse available to him to challenge the refusal.
The company's position was that its collection of the complainant's personal information without his knowledge and consent during its internal investigation was in conformance with section 7(1)(b) of the Personal Information Protection and Electronic Documents Act and that its subsequent refusal of access to the investigation file was likewise conformed to section 9(3)(c.1) of the Act. These are provisions according to which organizations are not required to provide access to personal information collected in the course of conducting investigations into breaches of agreements. Section 9(5) of the Act requires that an organization relying upon section 9(3)(c.1) to withhold personal information so inform the Commissioner, but in this case the company did not do so.
The complainant's position was that the company was also withholding other information that would be of value to him relative to a grievance that he had launched with respect to his dismissal. He identified several documents that he had previously seen that had not been included in the 93 pages he received, namely, a note of thanks for excellent service, a formal thank-you note from a customer, and a recent performance appraisal. These documents were subsequently disclosed to him during the course of the investigation, upon the intervention of staff from the Office of the Privacy Commissioner.
Issued October 7, 2002
Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because telecommunications companies are federal works, undertakings, or businesses as defined in the Act.
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Section 7(1)(b) exempts an organization from the requirement for the individual's knowledge and consent if the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of a law and if it is reasonable to expect that the individual's knowledge and consent would compromise the availability or the accuracy of the information. Principle 4.6 states that personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Principle 4.9 states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information, must be given access to that information, and must be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Section 9(3)(c.1) exempts an organization from the requirement to give access to personal information if the information was collected under section 7(1)(b).
The Commissioner was satisfied that the company's collection of the complainant's personal information had been for reasonable purposes related to an investigation into a breach of an employment agreement and that the complainant's knowledge and consent in the matter could have compromised the availability or the accuracy of the information. He found therefore that it had been appropriate for the company to rely upon section 7(1)(b) to collect the information without the complainant's knowledge and consent.
The Commissioner determined furthermore that the company properly exercised its discretion to rely on section 9(3)(c.1) in denying the complainant access to the investigation file.
The Commissioner concluded that this aspect of the complaint was not well-founded.
The Commissioner found the company had denied the complainant access to some of the personal information in his personnel file, contrary to the provisions of Principle 4.9. He was mindful, however, that three documents at issue had been subsequently disclosed to him.
The Commissioner concluded that this aspect of the complaint was well-founded.
The Commissioner determined that the company's practices with respect to the retention of personal information were inconsistent. The company lacked a policy and procedures, and in default, granted its managers considerable discretion with respect to which documents should be held on file. He found the complainant's expectation that there be a degree of consistency regarding retention practices perfectly reasonable.
The Commissioner concluded that the complaint was well-founded with respect to the requirement of Principle 4.6 that personal information be complete and up-to-date for the purpose of maintaining an employee's personnel file. He recommended that the company establish policies and procedures specifying what information is to be collected and retained, and the length of time it is to be held.
Despite having found that the telecommunications company had properly invoked the exemption provisions at issue in the complaint, the Commissioner expressed concern that the company had been clearly non-compliant in respect of certain other provisions of the Act. Specifically, the company had not informed the complainant in writing of its reasons for refusing him access or of the recourse available to him under the Act. Nor had the company notified the Commissioner in writing of its decision to deny access on the basis of section 9(3)(c.1).
The Commissioner recommended therefore that the telecommunications company
- henceforth exercise due diligence in advising individuals of the reasons for denying them access to their personal information and of their right of recourse under the Act, in accordance with section 8(7); and
- that it notify him in future as required by section 9(5) when it has decided to withhold personal information on the basis of section 9(3)(c.1).
- Date modified: