Mass mailout results in disclosure of contest entrants' e-mail addresses
PIPEDA Case Summary #2004-277
(Principles 4.3 and 4.7.1 of Schedule 1)
Eleven members of a loyalty program complained that the company that runs the program failed to safeguard their personal information, and as a result, disclosed it to other members.
Summary of Investigation
The complainants had entered a photography contest sponsored by the company. When they received an e-mail from the company regarding the contest — an e-mail that was sent to 618 participants, also program members — they noticed that their addresses appeared in the "to" field and that they were viewable by everyone who received the message.
The company did not dispute the allegations. It indicated that the sub-contractor, which was responsible for distributing the message on the company's behalf, had made an error when sending the message. The sub-contractor used a software application that allows a user to create an e-mail group name and to subsequently enter individual e-mail addresses into the group for the purpose of confidential, mass e-mail distribution.
The individual who had prepared the mass e-mail had never used this particular application. He tested it internally prior to sending the message. He had created a group and entered the 618 addresses. When he entered the group name in the "to" field during the test trials, only the group name appeared. All the member e-mail addresses remained confidential.
Our Office and the same individual conducted a test of the software, creating a group and entering a couple of e-mail addresses. When the e-mail was sent, only the group name appeared and not the individual addresses. It would appear then that the software application functioned properly during this particular test.
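The case turns on whether the tool kept the 618 addresses out of the visible "to" field. The following Python script is an added example, not code from the company, the sub-contractor or the Office; it shows the safeguard a sender can apply independently of any group-alias feature: build the message with all members in Bcc, keep a single non-personal address in To, and run a pre-send check that fails if any member address is visible in To or Cc. The recipient list and addresses are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: 618 placeholder entrants, mirroring the size of the
# mailout in the case but with no real addresses.
SENDER = "contest@example.invalid"
RECIPIENTS = [f"entrant{i}@example.invalid" for i in range(1, 619)]


def build_bcc_message(sender, recipients, subject, body):
    """Correct form: members only in Bcc; To carries one non-personal address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender            # visible to all recipients, so never a member
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def build_exposed_message(sender, recipients, subject, body):
    """Failure mode from the case: every member address placed in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses any recipient will see in the delivered headers (To and Cc)."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields)]


def check_no_leak(msg, allowed_visible):
    """Pre-send safeguard: return every visible address not on the allow-list.

    An empty list means the message is safe to hand to the mail server.
    """
    return [a for a in visible_recipients(msg) if a not in allowed_visible]


def envelope_recipients(msg):
    """Take the Bcc list for the SMTP envelope and strip the header itself,
    so the member addresses are used for delivery but never transmitted
    in the message body a recipient reads."""
    envelope = [addr for _, addr in getaddresses(msg.get_all("Bcc", []))]
    del msg["Bcc"]
    return envelope


if __name__ == "__main__":
    good = build_bcc_message(SENDER, RECIPIENTS, "Photo contest", "Thank you for entering.")
    bad = build_exposed_message(SENDER, RECIPIENTS, "Photo contest", "Thank you for entering.")
    print("safe message leaks:", check_no_leak(good, {SENDER}))        # []
    print("exposed message leaks:", len(check_no_leak(bad, {SENDER})))  # 618
    print("envelope recipients:", len(envelope_recipients(good)))       # 618
```

The check is meant to run as a gate immediately before the message is handed to the mail server, so that a tool misconfiguration or an untested feature cannot silently produce a visible recipient list; a send path that calls `check_no_leak` and refuses to continue on a non-empty result would have stopped the mailout described above. Python's own `smtplib.SMTP.send_message` already removes Bcc and Resent-Bcc headers and uses them for the envelope, which is the behaviour `envelope_recipients` makes explicit here.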
Following the incident, the company took a number of measures to address the situation:
- It issued an apology to the affected members.
- It informed the sub-contractor that it would not be permitted to distribute group e-mail communications for the company until further notice.
- Company employees were advised of the situation and given information to deal with customer or media inquiries.
Issued September 2, 2004
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; and Principle 4.7.1 stipulates that security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.
Although the investigation established that the sub-contractor had appropriate safeguards in place (the software application did allow for addresses to remain confidential), it would appear that either the employee did not correctly use the software or it did not function properly. The Assistant Commissioner therefore found that the company did not meet the requirements of Principle 4.7.1.
She concluded that the complaints were well-founded.