Alleged disclosure of personal information to a third party without consent

PIPEDA Case Summary #2003-145

[Principle 4.3]

Complaint

An employee of a railway company complained that his employer disclosed his personnel file without his consent.

Summary of Investigation

The complainant, although an employee of a railway company, is under the management of a separate company. The railway and this organization have an agreement in place governing, among other things, the management of the railway employees. One aspect of the agreement allows the managing organization to have access to the personnel files and training records of the railway employees for management purposes, including the investigations of incidents. The agreement stipulates that the organization shall comply with the Personal Information Protection and Electronic Documents Act.

The complainant was the subject of an investigation. Meetings with the complainant were held during the course of the investigation. At one point, the complainant was presented with papers from his personnel file with the railway. The complainant objected, stating that he had never given anyone permission to view his file or to disclose it to the management organization.

The railway company maintained that the contractual relationship with the other organization allowed for the sharing of its employees' personal information and this was done in accordance with the Act.

The railway company stated that the protection and confidentiality of employee information are covered under the agreement. The railway also explained that the information provided to the organization is limited to personnel and training records, and does not include claims and medical files. Furthermore, the railway company noted that the number of individuals from the managing organization who have direct access to railway employee information is limited to a small number.

Commissioner's Findings

Issued April 1, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a railway company is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

The agreement entered into by the railway and the managing organization covered the provision of personnel files and training records to the managing organization. The Commissioner determined that, since the managing organization was acting on the railway's behalf in managing the railway employees, the provision of personal information by the railway to the other organization and its subsequent access to this information did not constitute disclosure under the Act. Since there was no disclosure, the Commissioner found that the railway had not contravened the requirement for consent, as stipulated in Principle 4.3.

The Commissioner concluded that the complaint was not well-founded.