Bank opens former employee's mail

PIPEDA Case Summary #2003-190

[Principle 4.7; section 5(3)]

Complaint

A former bank employee complained that his ex-employer improperly accessed his personal information when it (1) opened an internal piece of mail that contained his pay statement; and (2) opened a piece of mail addressed to him from an external organization, which contained his examination results.

Summary of Investigation

The bank acknowledged that after the complainant ceased to be an employee, two of its managers at the branch where the complainant had worked assessed mail addressed to him, based on the information on the envelope, to determine whether it was personal or business related. The bank indicated that, with respect to former employees, its general practice is to open mail if it appears to be business related and forward it unopened if it appears to be personal. Given that bank clients might write directly to a former employee, for example, enclosing applications and signed documents, the bank cannot take the chance of forwarding such personal information to the ex-employee.

The bank agreed that some of the complainant's correspondence was opened; however, the only specific piece of mail that one of the managers recalled opening was the complainant's pay statement. The manager in question had been responsible for the complainant's work and was authorized to view payroll profiles. Although the complainant had been a trainee, and his payroll was not included in the branch report, the manager would have still been able to access his pay information without opening the statement.

As there were problems with the complainant's pay at the time he left the bank, the manager decided to open his statement to ensure that there were no errors. The bank maintained that since the manager was authorized to access payroll information, the information in the payroll envelope would be information he would have been allowed to view in the course of his duties. The bank was of the view that this was not, therefore, an improper collection of the complainant's personal information.

The bank and the complainant disagreed over when the problems with his pay began. The complainant was of the view that his former employer did not know that there were problems with his pay until after it had opened his statement. The bank disputed this, and provided evidence to show that the complaints pre-dated the opening of the statement.

As for the second piece of correspondence, the managers did not recall opening this mail. However, one of them indicated that he might have opened it because he had sponsored the complainant to take a course. The organization that gave the course indicated that when an employer is paying for a course, it is customary for the students to give their employer's address. The evidence showed that the complainant had provided his employer's address on the exam. Although it was not possible to track the exact branch of the bank where the marks from the examination went (because the complainant had since given the organization a new address and the computers had been updated), they were sent to the bank.

All correspondence from the organization that gave the course is addressed to the student and marked "personal and confidential." However, the organization noted that when a student registers for a course, he or she must authorize the organization to disclose to his or her employer the results of any course taken. Results are provided to employers only in writing.

The bank's policy indicated that personal mail should not be delivered to the work place since many work units open mail. Company-initiated mail (such as pay deposit slips) is to be addressed to the employee and identified as "confidential." Such mail must be delivered to the employee unopened. The bank indicated that while the opening of the complainant's pay statement was an exception to its policies, it was done in the complainant's best interests.

Commissioner's Findings

Issued July 15, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Section 5(3) establishes that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Regarding the first count, the Commissioner noted that, in general, pay statements are provided in sealed envelopes to employees because it is understood that information about an individual's finances or income is highly sensitive. Such a practice is reflected in the bank's policy. This policy, however, did not state that pay statements might be opened to check accuracy.

The Commissioner considered that the complainant though an ex-employee would still expect that his pay statement would remain unopened until it reached him. Although the bank argued that it opened the statement in order to be of assistance to the complainant, the Commissioner reminded the bank that it had other options it could have pursued. For example, it could have left the statement unopened and let the complainant contact it if there was a problem. Alternatively, the manager could have contacted the complainant directly. Since he already had access to the complainant's payroll records, there was no need for him to have opened the statement.

The Commissioner therefore determined that by not following its own policy on opening pay statements, the bank failed to protect the complainant's personal information. Furthermore, the Commissioner was not convinced that a reasonable person would find the bank's purpose for opening the mail to be appropriate given the availability of options. He thus found the bank in contravention of Principle 4.7 and section 5(3).

The Commissioner concluded that the first count of the complaint was well-founded.

With respect to the second count, the Commissioner noted that many offices automatically open external mail addressed to employees. In the case of ex-employees, there would be a legitimate concern that such mail could contain the personal information of individuals or the business information of organizations. Given this, the Commissioner was of the view that a reasonable person would agree that the bank was obliged to open mail addressed to the complainant that originated from outside the bank. He therefore found the bank's actions with respect to the correspondence from an outside organization to be in compliance with section 5(3) of the Act.

The Commissioner thus concluded that the second count of the complaint was not well-founded.

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: