A transportation company disclosed an employee's personal information without consent

PIPEDA Case Summary #2003-228

[Principles 4.3, 4.5 and 4.7]

Complaint

An individual employed by a transportation company complained that a work colleague had apparently found a letter concerning this individual in a reference binder reserved for employees. The letter concerned a discussion the individual had with superiors regarding shortcomings in this individual's work.

Summary of Investigation

The investigation confirmed that the letter in question had been found in a binder on a shelf at the workplace, available and accessible to all employees. It was while sorting through the binder that the work colleague found letters containing personal information of three of the company's employees.

The company confirmed that documents containing employees' personal information are generally destroyed once the appropriate steps are taken and no particular follow-up is needed. Unable to explain why these documents were found at the workplace, the company suggested that the binders could have been misplaced during the relocation of a project or that certain binders were not moved and were re-opened a few years later.

Findings

Issued November 4, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking or business. The Assistant Privacy Commissioner had jurisdiction in this case because the transportation company is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3 of Schedule 1 of the Act states that all individuals must be informed of any collection, use or disclosure of their personal information and consent to it, except where appropriate. Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected. It also stipulates that personal information shall be retained only as long as necessary for the fulfillment of those purposes. Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information.

Following the investigation, the Assistant Commissioner found that the company violated principles 4.3 and 4.5, since a copy of the letter was found at the workplace, accessible to all employees. The company also violated principle 4.7, since the personal information in the letter required special protection due to its very sensitive nature. The investigation revealed shortcomings in the security safeguards to protect these types of documents.

The Assistant Commissioner did, however, praise the company's move to send a letter to the individual during the investigation expressing its regret that the incident had occurred.

The Assistant Commissioner found that the case was well-founded.