Auto body shop implements privacy policy and undertakes changes to privacy practices

PIPEDA Case Summary #2007-366

[Principles 4.1, 4.1.4, 4.3 and 4.3.1]

Following an automobile accident, the complainant had had some body work done to her car.  When a warranty issue arose, the body shop called her dealership to find out whether the work it had completed was covered.  During the investigation, we learned that the body shop ought to have followed the established process in the province, whereby the body shop makes the repairs determined by the provincial auto insurance organization.

The Assistant Privacy Commissioner determined that some information was collected by the auto body shop without the complainant’s knowledge or consent, though it could not be determined with certainty that the document that was faxed to the auto body shop was the complainant’s bill of sale.  She also found that the shop had failed to implement privacy policies and practices.  She recommended that the company ensure that it has customer consent in advance of the collection and use of their personal information and that it develop and implement a privacy policy that is available to employees and customers.  The auto body shop accepted the recommendations.

The following is a detailed overview of the investigation and the Assistant Commissioner’s findings.

Summary of Investigation

Upon completion of the work to her car, the complainant questioned some of the work that was done as she believed that it was under warranty.  When she followed up on the warranty issue with her dealership, she learned that the auto body shop had requested a copy of her bill of sale, and that the dealership faxed a copy of it to the auto body shop.  (The complainant was not interested in pursuing a privacy complaint against the dealership.)

The dealership confirmed to us that it had received a call from the auto body shop, wanting to verify that the complainant had purchased paint protection and rust protection as the shop was reapplying these to her car.  The representative of the dealership to whom we spoke indicated that the auto body shop should not have verified whether the complainant had purchased this particular protection.  We were told that it was up to the provincial auto insurance organization to determine what work is to be done on an individual’s vehicle.

The insurance process for repairs is as follows: after reporting damage to a vehicle, the affected party needs to obtain an estimate at one of the public insurance organization’s claim centres.  An estimator will examine the damage and list what needs to be replaced or repaired.  The estimator will give the customer a repair form in order to have the car fixed.  The customer then provides the form to his or her car repair shop of choice.

The auto body shop provided the Office with a list of documents that it had in its possession concerning the complainant.  The bill of sale was not among them.   

During the investigation, we also learned that the auto body shop did not have a privacy officer or a privacy policy in place.

Findings

Issued January 19, 2007

Application: Under Principle 4.1, an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the principles set out in Schedule 1 of the Act.  Principle 4.1.4 requires organizations to implement policies and practices to give effect to the principles, including (a) implementing procedures to protect personal information; (b) establishing procedures to receive and respond to complaints and inquiries; (c) training staff and communicating to staff information about the organization’s policies and practices; and (d) developing information to explain the organization’s policies and procedures.  Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.  Principle 4.3.1 stipulates that consent is required for the collection of personal information and the subsequent use or disclosure of this information.  It notes that, typically, an organization will seek consent for the use or disclosure of the information at the time of collection. 

In making her determinations, the Assistant Commissioner deliberated as follows:

  • On the matter of collection, it could not be established with certainty that the auto body shop had the complainant’s bill of sale in its possession.  The car dealership in question confirmed that the auto body shop had called about the complainant’s warranty, specifically, to verify whether she had purchased paint protection and rust protection.  The car dealership representative did not recall whether he faxed the bill of sale or not, though he did recall sending a document to the auto body shop and confirmed that the bill of sale would contain the information the shop was seeking. 
  • The Assistant Commissioner therefore concluded that some information about the complainant was collected by the auto body shop from her car dealership.  There was no evidence to suggest that the auto body shop had obtained her consent to this collection. 
  • The auto body shop was of the view that it was assisting the complainant and the public auto insurance organization.  However, the Assistant Commissioner noted that its actions were unnecessary since there was a formalized process in place wherein an estimator working on behalf of the provincial public insurance organization would determine what work needed to be done.  The auto body shop was solely responsible for repairing the vehicle, and any questions concerning the work to be completed or warranty issues were supposed to be referred back to the insurance body.  In the Assistant Commissioner’s view, the auto body repair shop’s actions were not in keeping with Principles 4.3 and 4.3.1.
  • As for its accountability under the Personal Information Protection and Electronic Documents Act, the investigation established that the auto body shop had failed to institute a privacy policy, as required under Principles 4.1 and 4.1.4.  Such a policy, the Assistant Commissioner stressed, was a key component in the protection of its customers’ personal information, in that it provides guidance to employees and information to customers concerning the company’s personal information handling practices.
  • The Assistant Commissioner therefore recommended that the auto body repair shop ensure that it has, in advance of the collection and use of personal information, the consent of its customers; and develop and implement a privacy policy that is available to employees and customers.
  • The shop sent memoranda to staff, reminding them to ensure that they obtain customer consent prior to any collection of personal information.  The shop also advised the Assistant Commissioner that it was in the process of developing a privacy policy that would be disseminated to all staff and available to customers, upon request.
  • Based on these actions, the Assistant Commissioner was satisfied that the shop was now meeting its obligations under the Act.

Accordingly, the Assistant Commissioner concluded that the complaint was well-founded and resolved.
