Manager’s remark reveals employee’s salary – consent was necessary despite existing public disclosure requirement

PIPEDA Case Summary #2010-004

[Principles 4.3 and 4.3.5; Paragraph 7(3)(h.1); Subsection 2(1); Subsection 1(c) of the regulations]

Lessons Learned

  • Unless a specific exemption applies, consent must be obtained from the individual prior to disclosing their personal information.
  • The reasonable expectations of the individual are relevant when considering whether proper consent has been obtained or not. For example, existing policies, practices, regulations or laws may forbid or constrain such disclosures, resulting in an expectation of privacy in the circumstances.
  • The collection, use and disclosure of publicly accessible personal information appearing in a registry collected under a statutory authority (and to which a right of public access is authorized by law) requires specific and separate consent when the purpose for which the information appears in the registry does not relate directly to that for which the information is being collected, used or disclosed.

The following is an overview of the investigation and the Commissioner’s findings.

Summary of Investigation

In the reception area of his place of work, an individual overheard a superior loudly uttering to another person what the individual’s wage was and how his job performance did not measure up. Two other employees attested to hearing the remark and provided us with sworn affidavits in support of their statement. When the individual complained to this Office about the disclosure, the employer did not dispute the allegation at first.

This Office considers the organization a “federal work, undertaking or business” (under subsection 2(1) of PIPEDA). It receives most of its funding from a federal government department for the services it provides to a First Nations community.

The organization’s own personnel policy requests that employees refrain from the general discussion of personal information with any person, including fellow employees. Moreover, employees are obliged to act in accordance with any federal or provincial laws (e.g., the Act) that may in fact exceed the confidentiality obligations of the personnel policy. Despite this obligation, we observed that the respondent was insufficiently aware of its obligations under the Act concerning personal information protection.

Consequently, at the time, the Assistant Commissioner made several recommendations to the organization concerning privacy policies and procedures, and staff training. The organization agreed to implement these to align itself with the accountability principles of the Act.

However, the respondent then disputed the disclosure allegation and submitted a sworn affidavit to that effect. The organization believed that the individual’s consent would not have been required for the following reasons:

  1. The daily wage amount allegedly uttered by the superior in the office’s reception area was inaccurate. It was in fact more than the individual’s actual daily wage.
  2. The individual had already given his implicit consent since his salary is publicly disclosed in audited financial statements, which are distributed to community members as well as being available in the community library. The federal funding department requires this level of transparency for its financial reporting requirements. The organization believed that since the individual had not previously taken issue with his salary being disclosed in this way, he had implicitly given his consent to any disclosures of his salary information.

Findings

Issued (July 26, 2010)

Application: Principle 4.3 stipulates that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate. Principle 4.3.5 states in part that in obtaining consent, the reasonable expectations of the individual are also relevant. Paragraph 7(3)(h.1) states that for the purposes of Principle 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose information without the knowledge and consent of the individual only if the disclosure is of information that is publicly available and is specified by the regulations. Subsection 1(c) of the regulations specifies, for the purposes of paragraph 7(3)(h.1), personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry.

In making her determinations, the Commissioner deliberated as follows:

  • Despite the superior’s later denial, the version of events as put forth by the complainant and witnesses is credible. Further, even if the disclosed amount did not correspond exactly to the complainant’s actual wage, the information could still be considered personal for the purposes of the Act. A Federal Court ruling from 2008 defines “personal information” as follows: “Information will be about an ‘identifiable individual’ where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information” (Gordon v. Canada (Health), 2008 FC 258 (CanLII)).
  • The superior verbally identified the complainant to others present, clearly associating a daily wage with a statement about his job performance. Even if that wage information was not entirely accurate, it still constitutes the individual’s personal information in the sense of being directly and purposefully associated with him. The Commissioner noted that, likewise, opinions about identifiable individuals are also considered personal information under the Act, even though they may not always be based in fact.

No implied consent and an expectation of privacy

  • Regarding whether consent was necessary to disclose the information, the Commissioner disagreed with the view that the employee had given his implied consent in the past, simply because he had not taken issue with his salary being disclosed in financial statements. She noted that there was no evidence to support the assertion that he had provided a blanket implicit consent to cover all purposes for which his salary information could be disclosed by his employer.
  • Moreover, the complainant has a continued and reasonable expectation of privacy outside of the financial reporting process, given that the organization’s own personnel policy manual instructs employees to treat information (e.g., salary) from employee files as strictly confidential. The policy also disapproves of the general discussion of sensitive personal information with any person. In light of this, under Principle 4.3.5, the organization should have considered the reasonable expectations of the individual before discussing his wage information out loud with others, without his consent.

Disclosure purposes and the need for consent

  • The Commissioner went on to note that examining the particular purposes for the disclosures of the complainant’s wage information is a key consideration in her determinations:
  • Paragraph 7(3)(h.1) provides an exemption to obtaining consent for disclosing information that is both publicly available and is specified by the regulations. In the regulations, subsection 1(c) specifies personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry.
  • If we consider the organization’s audited financial statements as a publicly available registry collected under a statutory authority and to which a right of public access is authorized by law (in this case, federal financial administration law), this part of the subsection could apply here.
  • However, the second part of subsection 1(c) cannot apply.
  • On one hand, the purpose for the salary information appearing in the financial statements/registry is to meet the federal government department’s financial reporting requirements. On the other hand, one would be hard pressed to invoke the same purpose to justify the superior officer verbally disclosing the complainant’s wage information in front of his co-workers in the workplace, and in conjunction with a comment about the complainant’s poor job performance.
  • Thus, as the alleged disclosure does not relate to the purpose for the information being disclosed in the financial reports, as is required under subsection 1(c) of the regulations, this class of information is not relevant to this case. (Further, the Commissioner determined that none of the classes of information from the regulations pertained to the circumstances of this complaint.) As a result, she found that the exemption for consent provided by paragraph 7(3)(h.1) could not apply and that, therefore, the complainant’s consent was required for the disclosure, pursuant to Principle 4.3. 

Conclusion

The Commissioner noted that the respondent had implemented the Assistant Commissioner’s recommendations. Therefore, she concluded that the complaint was well-founded and resolved.
