Individual objects to temporarily assigned workers handling payroll information
PIPEDA Case Summary #2003-242
[Principles 4.7, 4.7.2, 4.7.3(b), and 4.7.4, Schedule 1]
The complainant, who worked for a transportation company, objected to injured fellow workers, temporarily employed in the company's office, handling confidential payroll information. He argued that only authorized personnel should have access to such sensitive information.
Summary of Investigation
In its submission to this Office, the company explained that it provides a return to work program for injured bargaining unit workers, as required under the Canadian Human Rights Act and the Workplace Safety and Insurance Act, 1997. The program assists injured workers in their rehabilitation and return to work by allowing them to work temporarily in a company office before returning to their regular duties. These workers perform various duties on an "as needed" basis, including stuffing envelopes with employee pay stubs prior to delivery. The workers do not, however, have access to computer records or other forms of personal information.
At the time of the complaint, the workers were given no training regarding the sensitivity and confidentiality of the information they might be handling; nor were they required to sign any type of confidentiality agreement.
Issued December 4, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking or business. The Assistant Privacy Commissioner had jurisdiction in this case because a transportation company such as this one is a federal work, undertaking or business as defined in the Act.
Application: Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.2 states that the nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. Principle 4.7.3(b) indicates that methods of protection should include organizational measures, for example, limiting access on a "need-to-know" basis. Principle 4.7.4 states that organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.
The Assistant Commissioner deliberated as follows:
- Although the company's return to work program obviously benefited injured workers, the fact remained that, as part of their duties, these workers were handling highly sensitive information, namely, the payroll information of their fellow employees, without signing any agreements or receiving any training regarding confidentiality.
- This practice posed a serious risk that the workers could have accessed sensitive personal information to which they should not have been privy.
- In such a situation, a reasonable person would expect appropriate security safeguards to be in place to protect this information from all but a few authorized personnel.
- At the time of the complaint, the company had no confidentiality agreement or other appropriate safeguards in place.
The Assistant Commissioner therefore found that the company was not in compliance with Principles 4.7, 4.7.2, 4.7.3(b) and 4.7.4 of the Act.
Accordingly, she concluded that the complaint was well-founded.
The Assistant Commissioner was pleased that, as a result of this complaint, the company established a procedure to safeguard the personal information of its employees by developing and instituting a confidentiality agreement. Employees required to sign this agreement will thus have an increased awareness of the importance of maintaining confidentiality. The complainant indicated that he was satisfied with the company's action.
The company's confidentiality agreement was an important first step to being fully compliant with the safeguard provisions of the Act. In addition, although the Assistant Commissioner was unable to dictate what specific personal information the company should allow its injured employees access to, she suggested that the company consider implementing the following recommendations:
- In order to be fully compliant with the expectations in Principle 4.7.3(b), regarding organizational measures to limit access on a "need-to-know" basis, the company should refrain from giving its injured workers temporarily employed in the office access to such highly sensitive personal information as pay stubs. A more stringent control process, for example, making the handling of payroll information part of the permanent duties of a few authorized office personnel, should be established to appropriately safeguard such information.
- With respect to Principle 4.7.4, which speaks to the requirement of making employees aware of the importance of confidentiality, employees who are required to sign the confidentiality agreement should receive training to ensure that they fully understand its meaning and implications.