Inconclusive evidence of disclosure prompts fitness club to clarify privacy policy for clients and staff

PIPEDA Case Summary #2006-357

[Principles 4.1, 4.1.4, 4.5, 4.8, 4.10 of Schedule 1]

Two members of a fitness club, who were also friends, were involved in separate disputes with the club.  Each individual was warned that the club might send their accounts to a collections agency.   According to one of the members, the club’s manager told her that other members’ accounts, including that of her friend, had been sent to collections.  She informed her friend of the alleged disclosure, and both complained to our Office.  

The first complainant was concerned that the manager might disclose her personal information as well, and her friend, the second complainant, was upset that hers had already been disclosed without her consent.  The club manager denied the accusation, and countered that it was actually the first complainant who had mentioned the friend’s name, not her.

The Assistant Privacy Commissioner found the evidence to be contradictory and insufficient to support the complaints against the fitness club.  However, she was concerned about the club’s compliance with the Act and recommended changes to its privacy policy and procedures. The matter was resolved when the club incorporated her recommendations.

The following is an overview of the investigation and the Assistant Commissioner’s findings.

Summary of Investigation

A member of a fitness club opted not to renew her membership.  After contacting the club via e-mail regarding the cancellation, a dispute arose between her and the club about her account.  She stated that the club’s manager telephoned her and threatened to send her account to collections, as she had done before with other accounts. According to the complainant, the manager also named another member (the second complainant) and said that her account had already been sent to collections.  This other member was the complainant’s friend.  In addition, the member claimed that the manager asked her if there was anyone else she wanted to know about.  The complainant became concerned that, if the manager was disclosing information about a third party to her, then her own personal information might also be at risk of being provided to others.

The fitness club manager, however, denied disclosing the second complainant’s personal information.  She contended that it was the member who raised the second complainant’s name during the telephone call, not her.  The manager provided the Office with electronic notes documenting their conversation, and stated that she recorded such notes during her telephone contacts with club members.  She added that, if required, she could modify the text of the notes later; however, she claimed she did not alter the text in this case.  According to the notes, the manager told the member that her account balance had to be paid in 30 days or the file would be sent to collections.  She also informed her that every case was handled according to company policy and her case was no different.  The manager’s notes reflected that it was the member who had named the second complainant when stating that the manager had let everyone else off, including the friend.  According to the manager’s notes, she assured the member that her case was being handled like everyone else’s.

The second complainant, who was also a member of the fitness club, was involved in a separate dispute with the club over her account.  She reported that the manager informed her that, if she did not pay her outstanding account by a particular date, the account would be forwarded to a collection agency.

This member indicated that the first complainant telephoned to say that the fitness club manager told her about the member’s account having been sent to collections.  The first complainant also alleged that the manager asked if there was anyone else she wanted to know about.  The Office spoke with the second complainant’s daughter who heard about the conversation in question from the first complainant, who was a co-worker.  The daughter corroborated what the first complainant had told this Office.  She was unsure whether her mother had learned of the disclosure through her or through the first complainant.

Findings

Issued November 16, 2006

Application: Principle 4.1 states that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the principles of Schedule 1 of the Act.  Principle 4.1.4 requires that organizations implement policies and practices to give effect to the principles, including (a) implementing procedures to protect personal information; (b) establishing procedures to receive and respond to complaints and inquiries; (c) training staff and communicating to staff information about the organization’s policies and practices; and (d) developing information to explain the organization’s policies and procedures.

Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

Principle 4.8 obliges an organization to make readily available to individuals specific information about its policies and practices relating to the management of personal information. 

Principle 4.10 states that an individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

  • There were conflicting accounts of the conversation.  A fitness club member claimed that the club’s manager disclosed another member’s personal information, while the manager countered that it was the member who raised the other person’s name and that she did not discuss the individual’s information.
  • The club member whose information was alleged to have been disclosed was not a witness to the conversation in question.
  • The Assistant Commissioner noted that the evidence was contradictory and insufficient to support the allegation.  There was, therefore, no contravention of Principle 4.5.

The Assistant Commissioner concluded that, with respect to the disclosure, the complaints were not well-founded.

During the course of the investigation, it became clear that there were concerns regarding the fitness club’s compliance with the Act.  The Assistant Commissioner further deliberated as follows:

  • Our Office experienced difficulty in locating the privacy officer for the organization.  Initially the privacy officer was the manager who was at the centre of the complaint.  Later, this situation changed; however, the Office was informed by the club owner that no other staff member had been identified as a replacement.  The Assistant Commissioner was concerned that the requirements of Principle 4.1 had not been met. 
  • While the club had a privacy policy, it appeared that privacy training had not been provided to its staff at that location, in contravention of Principle 4.1.4.
  • The Assistant Commissioner saw no evidence that the club informed its clients about its privacy policy and practices, in other words, what personal information it collects, why, how such information is used and to whom it is disclosed.  Principle 4.8 was therefore not being met.
  • Furthermore, contrary to Principle 4.10, the club did not seem to tell its clients how to address any privacy concerns they may have with the organization.
  • In short, the Assistant Commissioner reasoned that the club appeared to have made very little effort to comply with the Act, apart from having a privacy policy in name only.
  • Prior to issuing her findings in this complaint, the Assistant Commissioner made the following recommendations:
    • that the fitness club inform the Office of the new privacy officer accountable for the organization’s compliance with the Act;
    • that the club ensure that staff are trained with regard to their responsibilities concerning the protection, collection, use and disclosure of personal information, including procedures on how to receive and respond to privacy complaints and inquiries;
    • that the club develop material that informs clients about its privacy policies and practices, including the name of its designated privacy officer, how to gain access to their own personal information, what kind of personal information the club holds, what it is used for, and what personal information is made available to related organizations; and
    • that the club prepare easy-to-follow complaint procedures for clients and make them readily accessible.
  • After reviewing the club’s response to her recommendations, the Assistant Commissioner was satisfied that it was now in compliance with the Act.

The Assistant Commissioner concluded that the allegations with respect to accountability, openness and challenging compliance were well-founded and resolved.
