Airline agrees to amend privacy policy

PIPEDA Case Summary #2004-262

[Principles 4.1.3 and 4.5]

Complaint

An individual complained that an airline improperly disclosed her personal information, regarding a flight she had taken, to another company on contract with the airline to conduct surveys on its behalf.

Summary of Investigation

The individual first complained to the airline after she had received a phone call from a company indicating that it was conducting a survey for the airline, of customers who had recently flown with the airline. The company had the complainant's name, telephone number, flight number and date of her trip. In its response to the complainant's concerns, the airline told her that the firm that had contacted her was on contract with the airline to provide a service on its behalf. The airline also mentioned that it had a confidentiality agreement with the company, stating that personal information provided by the airline would not be distributed to any third party. If the complainant did not want to be notified again, she was asked to write to the airline, and it would ensure that she would not be contacted again.

The investigation confirmed that the airline and the company had a business relationship and that there was a confidentiality agreement between the two, outlining the principles of confidentiality to be applied to the information provided by the airline. The script used by the firm also stated that it was conducting a survey on the airline's behalf of customers who had recently flown with the airline.

The airline's privacy protection policy made no mention of the use of personal information for research or survey purposes, nor was there any provision allowing customers the opportunity to opt out. During the course of the investigation, however, the airline agreed to amend its policy to include a clause stating that the airline may provide customers' personal information to a company it contracts to perform certain functions on its behalf, such as a survey. The airline will also offer customers the choice of withdrawing consent for such a purpose. The complainant indicated to the Office that she was satisfied with these measures.

Findings

Issued February 27, 2004

Application: Principle 4.1.3 of Schedule 1 to the Act specifies that an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. That organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

The Assistant Privacy Commissioner deliberated as follows:

  • The investigation confirmed that the consulting company was acting on the airline's behalf when it contacted the complainant and that, based on the confidentiality agreement between the two organizations, it was required to respect the confidentiality provisions set by the airline.
  • Given this, the Assistant Commissioner found the airline was respecting Principle 4.1.3.
  • The airline collected the complainant's personal information for the purpose of her trip.
  • When it provided her personal information for the survey, it should first have informed her about the possibility of her personal information being used for this new purpose. She should also have been given the opportunity to withdraw consent.
  • Given this, the Assistant Commissioner found the airline in contravention of Principle 4.5.

However, as a result of the complaint, the airline agreed to change its privacy policy to inform customers that it may provide their personal information to another party contracted to perform functions on its behalf, such as a survey, and that they have the option of withdrawing their consent. The Assistant Commissioner was pleased that the airline had taken the opportunity to improve its privacy policies and practices.

She thus concluded that the complaint was resolved.

Date modified: