Telecommunications firm adopts additional accountability measures to ensure a consistent approach in handling access requests

PIPEDA Report of Findings # 2012-010


(Principles 4.1.4 (c), 4.9 and 4.9.4; Subsections 8(3), 8(4), 8(5) and 8(8))

Lessons Learned

  • Organizations must process access requests, within the time limits set out in the Act, even when there are ongoing discussions with individuals to settle underlying business disputes.
  • When individuals submit access requests to an organization, it should consider overriding its regular deletion/retention practices until such time as the individuals have exhausted any recourse under the Act to get access to their personal information.
  • Organizations must take steps to:
    1. ensure that when they create or revise privacy policies and procedures, the content within each is consistent; and
    2. provide up-to-date and tailored privacy education and training to those employees expected to implement privacy policies and practices, so they fully understand what is required and can apply the policies and procedures on a practical level.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

1. The complainant alleges that the respondent, a telecommunications firm, failed to provide her with access to her personal information.

2. Specifically, the complainant requested access to all notes and transcripts of recorded conversations between February and March 2010 relating to her account dispute with the firm.

Summary of Investigation

The complainant’s representations

3. In July 2008, the complainant enrolled for internet and wireless services with the firm.

4. In December 2008, the complainant contacted the firm to notify them of an address change. The complainant also decided to switch to paperless billing and was advised that she would receive a monthly e-mail providing her with her billing details.

5. The complainant alleges that over the next year, the firm continuously failed to send her the e-mail invoices for her internet and wireless services. In addition, the complainant claims that during that time, she also experienced problems with both a high volume of dropped calls and an inconsistent internet connection.

6. Due to the problems with her billing and the firm’s services, the complainant cancelled her internet and wireless services in February 2010. The complainant alleges that when she notified the firm of her decision, she was informed that she would be charged an early cancellation fee, but that her deposit would be returned to her.

7. However, when the cancellation process was completed and all requirements were met, the complainant received a final bill containing a discrepancy between the amount quoted upon cancellation and the amount charged.

8. On March 22, 2010, after receiving her final bill, the complainant wrote to the firm’s Chief Privacy Officer (“CPO”). She requested the notes and transcripts of the telephone conversations between herself and the respondent regarding her account dispute, for the months of February and March 2010.

9. The complainant alleges that the firm did not respond to her access request.

10. In July 2010, the complainant indicates that she received a letter from a collection agency, stating that her account had been referred to collections and that she now owed more. The complainant contacted the collection agency and informed them that she had already contacted the firm to dispute the final bill.

11. The complainant states that she sent a second letter to the firm’s CPO via registered mail. In her second request, she asked for the transcripts of the recorded conversations she had in which she was quoted a lower final early cancellation fee.

12. The complainant states that, in September 2010, a representative from the firm informed her that it would be too costly to transcribe the telephone recordings. Instead, the representative offered to lower the amount due on the complainant’s final bill. The complainant accepted a final payment amount of $177.02 and was assured that the respondent would remove any derogatory remarks and comments from her file with the collection agency. The complainant paid the outstanding balance through telephone banking three days after her conversation with the firm.

13. However, the complainant was contacted by another collection agency in January 2011 and informed that she owed the respondent $452.00. The letter from the collection agency advised that if the outstanding amount was not paid within seven days, it would result in further action against her.

14. In February 2011, the complainant made a third access request for the transcripts of the telephone conversations she had with the firm in February and March 2010.

15. The following month, the firm sent a letter of apology to the complainant. It advised her that her account balance had been waived and the account had been removed from collection, with all derogatory remarks removed from her credit bureau report.

16. The complainant filed a complaint with our Office on April 7, 2011.

The telecommunications firm’s representations

17. The firm acknowledged that the complainant disputed a cancellation fee and that she had made an access request on March 22, 2010, for all notes and recorded conversations regarding her account for the months of February and March 2010.

18. The firm informed our Office that its staff contacted the complainant in order to negotiate a final payment with respect to the dispute. These negotiations continued for months and as a result, the firm states that its staff mistakenly believed that since they were working with the complainant towards a settlement, it was not necessary to provide her with the notes and transcripts she requested.

19. The firm also confirmed that in February 2011, the complainant made another request for the transcripts relating to her telephone calls (which they qualified as the “second” request). It made no reference to the complainant’s access request of July 2010, which the complainant stated was sent to the firm via registered mail, after she received another letter from the collection agency.

20. The firm stated that its practice is to provide customers who have submitted access requests with copies of their account notes within 30 days, free of charge. Delays or extensions to the 30 day timeline are communicated to the customer. Call recordings (i.e. transcriptions of calls related to the question or issue raised by the customer) are also provided to customers, free of charge, within 30 days of receiving an access request. Actual audio recordings of calls are retained for up to six months. If an audio recording of a call is subject to an access request, the recording is typically retained for six months after the transcript or recording is sent to the customer.

21. The firm stated that as it has a six month retention period for audio recordings of calls, by the time the complainant’s February 2011 access request had been received, the transcript material she had requested had already been purged.

22. During the investigation, we reviewed the firm’s Access to Personal Information Policy (the “Policy”). The content of this Policy confirms the 30 day timeline for responding to access requests and that delays and extensions should be communicated to customers. It also indicates that audio recordings of calls are retained for six months.

23. However, the Policy fails to indicate that when an audio recording is the subject of an access request, it should be retained for an additional period beyond the firm’s normal six month retention schedule. This particular instruction is only found in the firm’s internal Personal Information Access Request Procedure (the “Procedure”). The Procedure provides clarification to employees by stating that:

“Source Record Retention

Typically account notes are retained for years and recorded calls are retained for up to six months. However, recorded calls that have been the subject of an access request must be retained for at least six months after the associated transcript has been mailed to the customer.”

24. The firm also stated that its practice is to provide customers with access to their personal information, even when there is ongoing discussion to settle an underlying business dispute. However, this is not stated expressly in the Policy or Procedure submitted by the firm to our Office.

25. According to a document entitled “PIPEDA Call Recording Transcript Request Flow Chart” (the “Flow Chart”), the firm’s staff are required, prior to providing the call recordings, to contact the customer:

“…in an attempt to resolve/address any outstanding concerns associated with the request for the call recording.”

26. The Flow Chart further states that:

“If the customer still requires the transcript, the OOP [Office of the President] Advisor will begin the process to request the transcription of the call.”

Later on it states:

“If the customer no longer requires a transcript, the OOP Advisor will close the escalation form and note the account accordingly to advise the request is no longer needed.”

27. The firm confirmed that in this instance, its staff deviated from the practice stipulated by the company’s Policy and Procedure documents. This resulted in the records being purged prior to the completion of the access request.

28. The firm also acknowledged that its Policy was not sufficiently clear to its staff with regard to the longer retention period for audio recordings which are the subject of an access request. The firm informed our Office that it would be taking immediate action to clarify to its staff that as soon as a customer requests a copy of their audio recording, or a transcript of said recording, the audio recording must be located and retained until the customer has received the transcript, or has stated that they no longer require the transcript.

Application

29. In making our determinations, we applied subsections 8(3), 8(4), 8(5), and 8(8) of Part 1 of the Act and Principles 4.1.4 (c), 4.9 and 4.9.4 of Schedule 1 of the Act.

30. Subsection 8(3) states that, when a request under Principle 4.9 of Schedule 1 is made in writing, an organization shall respond to the request with due diligence and in any case not later than thirty days after receipt of the request.

31. Subsection 8(4) allows an organization to extend the 30 day time limit for an additional 30 days if meeting the time limit would unreasonably interfere with the activities of the organization, or undertaking any consultations necessary to respond to the request would make the time limit impractical to meet. If this is the case, the organization shall, no later than 30 days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner regarding the extension.

32. Subsection 8(5) states that if an organization fails to respond within the time limit under subsection 8(3) or within the extended time limit under subsection 8(4), it will be deemed to have refused the request.

33. Subsection 8(8) states that despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse they may have.

34. Principle 4.1.4 states that organizations shall implement policies and practices to give effect to the principles, including…(c) training staff and communicating to staff information about the organization’s policies and practices.

35. Principle 4.9 states that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

36. Principle 4.9.4 states in part that an organization shall respond to an individual’s access request within a reasonable time and at minimal or no cost to the individual.

Analysis and Findings

37. Our investigation determined that the complainant made an access request on March 22, 2010, for all notes and transcripts of recorded calls made between herself and the telecommunications firm in February and March 2010 in relation to her account dispute. The firm acknowledged receipt of this request.

38. Access to the information requested was not provided within 30 days and the firm did not send the complainant notice of an extension. Further, by the time the complainant made her last access request in February 2011, the audio records had been purged, contrary to the firm’s own internal policies.

39. The firm failed to respond to the complainant’s access request within 30 days, contrary to subsection 8(3). It also failed to issue a notice to the complainant of its intention to seek an extension to the time limit, as required under subsection 8(4). As a result, the firm is deemed to have refused the complainant’s access request under subsection 8(5) of the Act.

40. The refusal to give the complainant access to her personal information, as requested, in a diligent and timely manner, also contravened Principles 4.9 and 4.9.4 of Schedule 1 of the Act.

41. By deleting the records that the complainant had requested, the firm also contravened subsection 8(8), outlining its obligation to retain information that is the subject of an access request for as long as is necessary to allow the complainant to exhaust any recourse under Part 1 of the Act.

42. The evidence provided to this Office by the firm indicates that they have access to information policies and procedures in place. However, the firm admitted that its staff deviated from its access Policy, Procedure and Flow Charts when it entered into negotiations with the complainant in order to resolve her account dispute. The firm’s staff erroneously believed that transcripts of the call recordings were no longer required by the complainant as the parties were in settlement negotiations. As a result of this error, the audio recordings were destroyed upon the expiration of their six month retention period.

43. On reviewing the evidence presented to us, we noted that the firm did not actually contact the complainant to engage in settlement negotiations within 30 days of the access request. Therefore, even if the firm’s belief had been correct, they still did not contact the complainant within a time period where the negotiations could, in their view, have discharged them of their access obligations under the Act.

44. The firm stated that it was prepared to amend its documents to clearly indicate that audio recordings must be retained once an access request for them has been made. It further agreed that such recordings should not be purged until after the customer has received a copy of the transcript.

45. However, the firm’s proposed changes were not sufficient to address the alleged staff error that occurred in this case. In particular, despite the firm’s contention to the contrary, its access Policy and Procedure did not clearly indicate that access requests must be processed even when there is ongoing discussion to settle an underlying business dispute.

46. In fact, its Flow Chart instructed employees to contact customers who made access requests, in an attempt to resolve the customers’ concerns about the call(s) at issue, and, if the customers no longer required the transcripts, to note this on their files. This instruction could be erroneously interpreted by the firm’s employees to mean that if a customer’s underlying concerns were resolved, then they did not need to fulfil the access request.

47. When the complainant sent a second access request to the firm (which was also not responded to), a representative contacted her to inform her that it would be too costly to process her request. In our view, this action highlighted the need for the firm to clarify its policies and procedures regarding access requests and ensure that its employees are fully aware of them.

48. In bringing these matters to the attention of the firm, we reminded the organization of this Office’s Case Summary #2010-003: Poor response to customer’s access requests causes unnecessary deletion of his personal information. This particular summary was issued as a result of a very similar incident with the firm that occurred when a customer submitted an initial access request which was ignored. A second access request was submitted by the customer several months later which required a time extension to complete. However, the customer lost permanent access to certain of his personal information (audio recordings) when it was deleted by the organization in accordance with its standard retention policy. This did not take into account the time lag between the first and second customer access requests.

49. It is clear from this complaint, and the very similar one discussed in Case Summary #2010-003, that in spite of the firm’s internal policies and procedures, information on the application of its Policy, Procedure and Flow Chart documents has not been adequately communicated to staff.

50. This is particularly disappointing when this Office considers that, in response to our findings in the investigation featured in Case Summary #2010-003, the firm agreed to take steps to ensure reliable communications between its employees on access matters, and to ensure accurate record-keeping of the organization’s receipt and processing of access requests. While the firm updated its access Policy, Procedure and Flow Chart documents, additional steps need to be taken to ensure its employees fully understand and apply the organization’s practices on a consistent basis.

51. In April 2012, our Office published, in conjunction with the Offices of the Information and Privacy Commissioners of Alberta and British Columbia, new Guidelines entitled “Getting Accountability Right with a Privacy Management Framework” (the “Accountability Guidelines”).

52. In Section 2 entitled “Program Controls”, the Accountability Guidelines state that such controls help ensure that what is mandated in an organization’s governance structure is actually implemented within the organization. Part d) goes on to emphasize the importance of adopting appropriate training and education requirements and that for those employees who handle personal information directly, additional training is needed that is specifically tailored to their roles. Such training also needs to be recurrent and the content needs to be periodically revisited and updated to reflect changes.

Our recommendations to the telecommunications firm

53. On May 31, 2012, we issued a preliminary Report of Investigation with the following recommendations:

  (a) that the firm amend its Policy, Procedure and Flow Chart documents to make clear that an access request must be responded to within the timelines set out in the Act, even when there are ongoing discussions to resolve a dispute with a customer;
  (b) that the firm amend its Policy document to ensure that it is consistent with its Procedure document in respect of the need to retain audio recordings for an additional six months after a customer has received the records he/she requested;
  (c) that the firm submit copies of its revised Policy, Procedure and Flow Chart documents to our Office for review; and
  (d) that the firm submit to our Office for review, a clear and detailed training and communications plan on how it will educate its employees on the handling of access requests, so that it can ensure internal compliance and meet its legal obligations under the Act.

The response to the recommendations

54. The firm accepted all four of our recommendations. In doing so, it acknowledged that its previous efforts to make its internal access policy and procedures clearer to its employees had failed.

55. In reply to recommendation (a), the firm confirmed that it had amended its access Policy, Procedure and its Account Notes Request and Call Recording Transcript Request Flow Charts to clarify that staff must respond to an access request from a customer, within the timelines set out in the Act, even when there is an ongoing discussion to resolve a dispute with the customer.

56. In response to recommendation (b), the firm confirmed that it had amended its Policy document to state that requests for records with regard to audio recordings should be retained for an additional six months after a customer has received the records that he/she asked for in an access request.

57. The firm provided our Office with copies of its revised Policy, Procedure and two Flow Charts, as required by recommendation (c). We reviewed these and noted that the changes stated by the firm in paragraphs 52 and 53 had been made.

58. With regard to recommendation (d), the firm indicated that access requests are handled within the Office of the President (“OOP”). It confirmed that it had created a special training plan to address the kind of problem experienced by the complainant.

59. It provided us with a copy of a memorandum that was issued by the CPO to the OOP executives and managers emphasizing the need for ongoing training and compliance. The memorandum included a copy of our Office’s preliminary Report of Investigation and highlighted our Office’s concerns about the firm’s actions in this case and the need for better internal communications between teams handling access requests.

60. The CPO also provided us with a copy of a presentation that he made on June 29, 2012, to the OOP executives and managers on the subject of account notes and call recording requests. The content of the presentation was consistent with the recommendations made by this Office on the importance of complying with the access request timelines set out in the Act and the need to retain call records beyond the date of responding to the original request.

61. Furthermore, the firm confirmed that the CPO’s memorandum, presentation, the PIPEDA access policy and procedures documents and a copy of the preliminary Report of Investigation for this case would be included in “Welcome” materials provided to all new OOP employees responsible for privacy matters, as part of their work commencement training materials.

62. We note that the changes made by the firm seek to address the training and education requirements identified within the April 2012 Accountability Guidelines.

Conclusion

63. Accordingly, we conclude that the access complaint is well-founded and resolved.

 
