Bank provides former employee with insufficient access to his personal information

PIPEDA Report of Findings #2013-004

July 18, 2013


An individual had been employed as a manager at a bank. After he resigned, he sought access to all his personal information held by the bank, including information created during a recent performance review of him by his peers in which he had actively participated. He was not satisfied with the documents the bank released to him.

His ensuing access complaint made to the Office of the Privacy Commissioner of Canada (OPC) was multi-faceted, indicating that, among other things, the bank had inconsistently applied exemptions under the Act to withhold information from him and that the production of records in response to his requests was insufficient.

At issue, in particular, was his personal information that could also be considered the personal information of third parties (i.e., other employees’ recorded opinions about him that were provided during a peer review program). The bank believed that Section 3 of the Personal Information Protection and Electronic Documents Act (PIPEDA) prioritizes privacy rights over an individual’s access rights. Thus, in the bank’s view, the privacy rights of the complainant’s peers, whose personal information was also at stake, were to be respected at the expense of the complainant’s access rights. Nevertheless, the bank did provide the complainant with a one-page summary of his peer review feedback, albeit in aggregate form.

In our analysis of this aspect of the complaint, the OPC balanced the private interests of the complainant against those of his peers as well as the public interest in the disclosure or non-disclosure of the disputed information. The OPC discussed the relevance of the Federal Court of Appeal case Information Commissioner v. Canada (Minister of Citizenship and Immigration), [2003] 1 F.C. 219 (“Pirie”). We also compared and contrasted this case with a somewhat similar access complaint recently investigated by the OPC, the findings of which were made under PIPEDA. In so doing, the OPC took into consideration the precise circumstances of the present case, including the purpose of the complainant’s peer review, the extent of his role in it and the assurances of confidentiality promised to his peers who contributed. In balancing these considerations, we concluded that the bank was justified in withholding the peer review notes from the complainant under subsection 9(1) of the Act.

Turning to the issue of due diligence in providing full access to personal information, we noted that the bank had conducted a thorough search of its records to find and collate the complainant’s personal information. However, the bank admitted that it did not conduct adequate reviews of the material it held, when providing the complainant with access to his personal information. Indeed, before our Office’s involvement, certain information had been erroneously withheld from the complainant. The OPC found that while the bank had detailed and comprehensive procedures in place for responding to access requests, they were not all followed in this case.

In our preliminary Report of Investigation, our Office made six recommendations to the bank. The bank provided a detailed response to the recommendations, which included a request for our Office to discontinue the complaint under subsection 12.2(1)(b) of the Act. Our Office declined to discontinue the investigation, and in light of the bank’s responses to the recommendations, the OPC found that the complaint was well-founded and resolved.

Lessons Learned

  • Organizations must, upon request, inform an individual of the existence, use and disclosure of their personal information and must give them access to that information.
  • Organizations should perform a thorough and fair review of documents containing a requestor’s personal information that are under consideration for access, subsequent to a request made under Principle 4.9. Any PIPEDA exemptions to access must be carefully considered and properly applied by the organization.
  • Certain types of information can be the personal information of two or more individuals simultaneously. In determining the right to have access to this information under PIPEDA, the interests of the individuals concerned should be balanced against each other along with the public interest for and against disclosure.
  • If an organization intends to ask our Office to discontinue an investigation into an individual’s complaint by invoking subsection 12.2(1) of the Act, it should bring this matter to our attention at the earliest opportunity.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the Act)

Summary of the Complaint

  1. The complainant claimed that his former employer, a Canadian bank, failed to provide him with access to his personal information when it allegedly: (i) destroyed (ii) redacted and (iii) withheld certain information from him in its possession.

Background

First access request and complaint
  1. The complainant was hired as a general manager.
  2. Subsequently, the complainant was invited to participate in the bank’s program designed to help facilitate his integration into his or her role and department (“the Program”).
  3. In the complainant’s case, the Program consisted of a series of interviews with his colleagues and peers conducted by a Human Resources (“HR”) representative. At these interviews – held in confidence – those interviewed provided the HR representative with their feedback and comments about the complainant.
  4. The feedback led the bank to assess the complainant’s performance and to discuss options with him for his continued employment. Ultimately, as a result of these discussions, the complainant opted to leave his employer. After he left, the complainant sought access to his personal information contained in his personnel file.
  5. Not satisfied with the information provided to him by the bank, he filed an access complaint with this Office.
  6. In its subsequent investigation of the complaint, our Office determined that the bank had released the personal information it held about the complainant in his personnel file, in accordance with the Act and the bank’s internal policy and procedures. As such, our Office deemed the complaint not well-founded and the file was closed.
  7. During the investigation, it became clear that the complainant’s interest in obtaining access to his personal information extended beyond the information contained in his personnel file. Towards the close of our investigation, the complainant was still of the opinion that he had not received access to all personal information held about him by the bank. He therefore submitted a second, more broadly-framed access request to the bank.

Summary of Investigation

Second access request and complaint
  1. In the second request, the complainant sought access to:

“all of my personal information, including opinions and assessments of others about me, in any format, including hand written notes and electronic records, that are active, deleted, or archived between the dates of [XX] through [XX].”

  1. The complainant identified many individuals employed at the bank who he believed were either authors or recipients of information about him.
  2. Furthermore, the complainant specifically asked that the bank include all information pertaining to his complaint to its Ombudsman’s office regarding his performance evaluation. He also asked for records supporting and accounting for his manager’s conclusions and assessment of his performance in his performance evaluation.
  3. The bank acknowledged the request. A few weeks later, the bank sought a 30-day extension of the time limit for its response, as allowed under subsection 8(4) of the Act.
  4. The bank subsequently responded to the complainant’s request providing him with some 78 pages of documents. The bank indicated that it had redacted some documents and withheld other documents in their entirety. In doing so, it stated that some information was not personal information as defined in subsection 2(1) of the Act. It also relied on subsection 9(1) (personal information of a third party) and paragraph 9(3)(b) (confidential commercial information) of the Act to redact and withhold information.
  5. Dissatisfied with the bank’s response to his second access request, the complainant filed a new complaint with our Office. It is this complaint which is the subject of the present report.
  6. In his second complaint to our Office, the complainant alleged that the bank had inconsistently applied exemptions under the Act to withhold information from him, that the production of records in response to his requests was insufficient and that information had been released to him only after this Office’s intervention.
Further disclosure of personal information by the bank
  1. After our investigation was opened, the bank undertook further reviews of the complainant’s personal information already in its possession. These reviews resulted in the bank providing the complainant with access to additional material in three separate releases. The bank sent some of the information in redacted form. It continued to deny the complainant access to certain records in their entirety.
  2. The following additional information was provided to the complainant, in redacted form, during the course of the investigation:

    First additional release: 24 pages were released to the complainant, of which the majority were copies of notes relating to discussions about the complainant, after the general results of the interviews with his peers were made known to him.

    The bank indicated that the content contained in this release included supplemental information relating to the complainant’s performance that would have been incorporated within his performance assessment and some references to the complainant that were overlooked during its initial review. The bank acknowledged that this information was missed as a result of human error.

    The notes were handwritten and on lined paper. The legibility and copy quality of the notes were poor. Some of the information was redacted. The bank advised the complainant that the redactions were made pursuant to subsections 2(1) and 9(1) and paragraph 9(3)(b) of the Act.

    Second additional release: 30 pages were released to the complainant, including handwritten notes and emails relating to internal discussions about the revising of the complainant’s performance review, the options regarding his continued employment with the bank, and “the various steps required in moving the process of these discussions along.”  The bank advised that certain information about its employees was redacted pursuant to subsection 2(1) and subsection 9(1) of the Act.

    The bank advised us that this information had previously been withheld from the complainant because it was “information belonging to [the bank] as it constitutes the process leading to [the complainant’s] final performance rating and formal offer of the options regarding his employment with [the bank].” The bank asserted that, in its opinion, this information did not constitute the complainant’s personal information.

    The bank maintained that while it was not legally required to provide the complainant with access to this information, it did so − in redacted form − in the spirit of resolving the matter with the complainant.

    The bank also noted that the substance of the discussions was already known to the complainant since he was an active participant in the process.

    Third additional release: 14 more pages were released to the complainant, comprising standard HR and tax related documents completed by the complainant when he was hired by the bank, and a one-page mid-year feedback document that had been misfiled. The bank apologized to the complainant for this error.

    The bank redacted certain information on the standard forms to protect the complainant’s personal information, e.g. his own SIN and date of birth.
Withheld material

The Program Notes

  1. In addition to the redacted material provided in its initial release and the three subsequent releases discussed above, the bank advised us that it was withholding access to 126 additional pages of information.
  2. The information withheld was linked to the complainant’s participation in the Program. On reviewing the withheld material, we counted 169 pages. The discrepancy between the number of pages was resolved when the bank confirmed that certain pages were double-sided and it had not counted the content on the reverse side of the documents as separate pages.
  3. The majority of the pages were notes made by a HR representative from interviews, during which the complainant’s colleagues and peers provided their feedback and comments about him. The pages also included an eight page “Appendix - detailed responses” which collated the relevant feedback raised in the interviews.
  4. Prior to his departure from the bank, the bank provided the complainant with a one-page document containing eight bullet points that summarized the feedback obtained in the interviews. The document stated that “There was consistency and similarity of feedback provided from participants, regardless of role…”
  5. The bank argued that it was required to withhold the specific comments made by each of the individuals interviewed under the Program, because the opinions, while they were the personal information of the complainant, were also the personal information of the individual interviewees and therefore exempt from disclosure under subsection 9(1) of the Act.
  6. The bank claimed that the context of the discussions, the nature of the comments, the references to specific experiences or circumstances, and the nature of language and syntax used − which it asserted were all inherent in the participants’ feedback − would likely reveal the identity of the participants. Moreover, it submitted that these elements, because of their very nature, could not be severed from the material.
  7. The bank pointed out that the Program was a process in which the complainant himself chose to participate, and where he invited his peers to provide their opinions about him. When he extended the invitation, he assured the participants that their individual opinions would only be provided to him “in the aggregate” and that he would not be able to attribute any particular opinion to any specific individual.
  8. Our Office reviewed an internal bank email sent by the complainant, which invited participants to provide their feedback about him and be part the Program. In part, the email states the following:

    “Given your role as a key stakeholder in my current role, you are being invited to participate and provide feedback/comments to help me in my long term success at [the bank]…. I would really appreciate your support in not only participating, but also in providing honest/candid feedback throughout the process. Please note that all responses remain anonymous, and will only be provided to me an [sic] aggregate fashion. Your help will greatly assist me in identifying areas of success and areas requiring further development.”

  9. The bank also submitted that the wording of subsection 9(1) of the Act provides for the paramountcy of the right of privacy over the right of access, when the same information is personal to more than one individual. The bank distinguished the Federal Court of Appeal’s decision in Information Commissioner v. Canada (Minister of Citizenship and Immigration), [2003] 1 F.C. 219 (“Pirie”) in which the Court ordered the respondent organization to provide the requester with access to his personal information, although it was deemed to be personal to more than one person.
  10. The bank noted that the decision in the Pirie case concerned the Privacy Act and not the Act, submitting that the Privacy Act does not prioritize one right over the other, whereas the Act establishes paramountcy in favour of the right of privacy of third parties.
  11. In addition, the bank remarked that the Privacy Act has a dual purpose with respect to rights: protecting an individual’s right of privacy and providing individuals with a right of access. However, the Act’s purpose clause (section 3 of Part 1) makes no mention of a right of access to personal information. Instead it speaks of the right of privacy of individuals and the need of organizations to collect, use or disclose personal information. Thus, the bank submits that the Act emphasizes the right to privacy rather than the right of access.
  12. The bank pointed out that this information was provided to the complainant in aggregate form. Consequently, the substance of the comments made about the complainant had already been provided to him.
  13. The bank explained that it was not seeking to deny the complainant access to this information because he had been given access to it in aggregate form. Rather it wanted our Office to understand that the complainant had received some information about the Program’s results, albeit not the original, non-redacted, Program notes. The bank continued to assert that it was not permitted, by operation of subsection 9(1) of the Act, to provide the complainant with information that would likely reveal the personal information of third parties. Yet, at the same time, it wanted to afford the complainant some means of verifying the accuracy of the information.
  14. The bank also asserted to this Office that the employees’ feedback about the complainant solicited during interviews with them, “belonged” to the bank and not the complainant, since it was information gathered as part of the process of getting to the final aggregate summary or opinion concerning his performance.

The complaint made to the bank’s Ombudsman Office

  1. The bank also withheld the complainant’s personal information pertaining to his complaint to the bank’s Ombudsman Office. In its reply to the complainant, it argued that as the information related to the conduct of others and consisted of personal information of third parties, it was exempt from access under subsection 9(1) of the Act.
  2. The bank subsequently clarified to this Office that the complainant’s complaint to its Ombudsman Office raised two separate issues:
    1. the complainant raised matters related to his performance evaluation; and
    2. the complainant made allegations against other employees.
  3. The complainant submitted his complaint when he was no longer an employee of the bank. As such, the Ombudsman’s Office determined that the matter was outside its mandate. It did not, therefore, open a file or commence an investigation into the matters, but referred the matter directly to the bank’s Human Resources.
  4. The bank explained that it does not investigate issues related to performance evaluations when it involves individuals who have already left the bank’s employment. The bank’s Human Resources did not, therefore, investigate the matter relating to the complainant’s performance evaluation.
  5. However, the bank’s Human Resources did investigate the complainant’s allegations made against other bank employees. It confirmed to the complainant verbally that it would look into his allegations and would update him with information it could share. Later, it confirmed, again verbally, that it had investigated the allegations and had found no evidence to support them.
Allegedly missing documents
  1. Notwithstanding the various disclosures made by the bank during our investigation, the complainant alleged that two documents were still missing. He provided two names.
  2. According to the complainant, the first document is comprised of feedback from peers within the local leadership team” while the second document is “a common tool used for the development of senior leaders with feedback from multiple sources.”
  3. The complainant alleged that he had been advised that both documents were altered by the bank so it could make its case for its “sudden job performance action”.
  4. We asked the bank why these documents had not been released. The bank responded that the documents did not exist. It also explained that it is a large institution and that different people sometimes call documents by different names.
  5. Further confusion arose, when we noted a copy of a bank internal email in which a bank human resources officer described the bank’s manager training process by using a name similar to one used by the complainant (above) in his allegation.  
  6. As part of our investigation, we interviewed a witness who the complainant believed would corroborate his claim that the bank had withheld or destroyed information about him. The witness did not corroborate the complainant’s allegation. Rather, the witness stated to us that when the bank received the complainant’s request for access to all his personal information, nothing was destroyed and everything was processed.
  7. Additionally, the bank’s Privacy Officer informed our Office that the complainant’s former manager had been asked by Human Resources to verify if she possessed any further files (paper or electronic) pertaining to the complainant. The former manager stated to the bank (through her assistant) that she reviewed her files a second time and that she could confirm that she had already provided Human Resources with all documents she had related to the complainant. We also received and reviewed a copy of an internal email, sent between bank employees, which appeared to corroborate this statement.
  8. Notwithstanding the above, the complainant continued to maintain that some of his personal information had been destroyed by the bank.
  9. Subsequent to the issuance of our preliminary Report of Investigation, the bank provided our Office with a more detailed response regarding its search for the two documents in dispute and why it was not able to locate them (see paragraphs 121-124 below). The bank also informed us that its investigation did not uncover any evidence to suggest that documents had been destroyed.
Other documents – Service Canada communication
  1. We noted that in the first additional submission sent to the complainant, there was a one-page Service Canada communication addressed to the bank. The communication referred to the complainant by name and requested additional information regarding the reason for the complainant’s departure. On this page, both the business contact information and personal information of the Service Canada employee and the text of the request, which referred to the complainant as “the employee”, were redacted. Neither the complainant nor this Office was provided with any record related to the bank’s response to Service Canada’s inquiry.
  2. The bank later clarified that the copy of the Service Canada communication sent to the complainant contained the notation “Mutual Agreement” in the top right-hand corner. The bank responded verbally to Service Canada on this basis. There was no written reply. The bank confirmed that there was no other record to provide to the complainant, or our Office.
Due diligence and delays in providing full access
  1. The bank acknowledged that it had not provided the complainant with access to all his personal information when it conducted its first review of the material in its possession.
  2. While the bank explained that it had conducted a thorough and comprehensive search for the complainant’s personal information in its possession, it recognized that it did not conduct adequate reviews of the information in responding to the complainant’s access request. Certain information had been inadvertently omitted due to both the volume of the material to be reviewed, and the fact that some of the information did not appear to pertain to the complainant (since it involved minor comments included in documents about other parties).
  3. The bank maintained that it has a robust procedure to handle employee access requests, but that human error can occur. It expressed regret that it had not provided the complainant with appropriate access to his personal information after its first review. It assured us that it has since re-acquainted the employees responsible for the incomplete reviews with their obligations under the Act in matters of responding to access requests.
  4. The bank provided a copy of its written procedures for responding to personal information access and correction requests. We examined one section, which includes numerous steps on how Employee Relations staff should gather requested information, organize it, review individual records to evaluate an individual’s right to access, highlight and discuss proposed redactions, redact records, prepare the records for disclosure and release them to the requester. The procedures appeared to be both detailed and comprehensive.

Application

  1. In making our determinations, we applied subsection 2(1), section 3, subsections 4(1)(b), 8(3), 8(4), 8(7), 9(1) and paragraphs 9(3)(b) and 12.2(1)(b) of the Act and Principle 4.9 of Schedule 1 of the Act.
  2. Subsection 2(1) defines “personal information” as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization”.
  3. Section 3 states that the purpose of Part 1 of the Act is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
  4. Subsection 4(1)(b) states that Part 1 of the Act applies to every organization in respect of personal information that is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
  5. Principle 4.9 of Schedule 1 of the Act stipulates, in part, that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.
  6. Subsection 8(3) states that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.
  7. Subsection 8(4) states, in part, that an organization may extend the time limit for responding to an access request by a maximum of thirty days if (i) meeting the time limit would unreasonably interfere with the activities of the organization, or (ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet.
  8. Subsection 8(7) states that an organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have. 
  9. Subsection 9(1) states that, despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.
  10. Paragraph 9(3)(b) states that an organization is not required to give access to personal information if to do so would reveal confidential commercial information.
  11. Paragraph 12.2(1)(b) states that the Commissioner may discontinue the investigation of a complaint if the Commissioner is of the opinion that the complaint is trivial, frivolous or vexatious or is made in bad faith.

Analysis and Findings

Preliminary Report of Investigation – our Recommendations
  1. Our Office sent a preliminary Report of Investigation to the bank that contained our analysis of the facts presented by the parties, applied against the Act’s provisions.
  2. As a result of the analysis, our preliminary report contained the following recommendations to the bank:  
    1. Provide the complainant with further access to his personal information directly related to the assessment of his final performance rating as well as the formal letter of options concerning his employment with the bank … subject to the appropriate redaction of third party information relating to the Program and personal information that does not pertain to the complainant (e.g. performance matters concerning other employees);
    2. Taking into account the above, provide the complainant with revised access to the 24 redacted pages released as part of the first additional release, ensuring that the legibility is improved to an acceptable standard;
    3. Provide our Office with access to the complainant’s non-redacted personal information contained in correspondence sent to, and received from, the bank’s Ombudsman Office. The bank should indicate to our Office what information it proposes to redact and the relevant exemption being claimed, before providing a copy of the redacted material to the complainant.
    4. Provide our Office with access to the complainant’s non-redacted personal information contained in correspondence submitted in response to the Service Canada communication. The bank should indicate what information it proposes to redact and the relevant exemption being claimed, before providing a copy of the redacted material to the complainant.  
    5. Perform another comprehensive search for any remaining personal information of the complainant held by the bank to which he has not already been granted access under the Act and provide our Office with a copy of said information, if any exists; and,
    6. Clarify the names of the two documents that the complainant claims are still outstanding …, and provide the complainant with non-redacted access to these records. If they no longer exist, the bank must provide a fuller and more satisfactory explanation as to what has happened to them and why.

    We asked the bank to respond to our recommendations within 30 days of the date of the issue of the preliminary report.

  3. Following an agreed extension to the deadline, the bank provided a detailed response to the preliminary report.
  4. The following paragraphs in this section of the Report of Findings incorporate our original analysis from the preliminary Report of Investigation, the bank’s subsequent response and our final analysis and findings on the matters raised.
Discontinuing the complaint
  1. As part of its response to the preliminary report, the bank argued that the complainant signed a release, as part of a settlement linked to his departure from the bank.
  2. The release acknowledged that all matters relating to the complainant’s employment had been settled. In signing the release, the complainant confirmed that he had the opportunity to seek legal advice and had agreed not to make any claim, or institute any complaint against the bank under “any federal… legislation, including those pertaining to…privacy regulations”.
  3. The bank stated that the complainant filed his two access complaints against the bank in bad faith and that our Office should consider discontinuing the complaint under subsection 12.2(1)(b) of the Act.
  4. The bank asserted that, despite this, it had acted in good faith in providing the complainant with access to his personal information. This included referring the complainant to his right of recourse to our Office, as it was required to do by subsection 8(7) of the Act.
  5. We reviewed the bank’s arguments and the release. In doing so, we took into account three factors:
    1. The bank raised the argument to discontinue late in our investigation. It had known of the existence of the release since it was signed and yet did not raise the issue until near the end of our investigation, after we had issued the preliminary report of investigation into the complainant’s second complaint;
    2. The bank itself indicated to the complainant that he could complain to our Office about its response to his access request and did not suggest to the complainant that such an action would be contrary to the release; and
    3. The release covered claims related “to the hiring of, the employment by, and the termination of the Employee’s employment by the Employer”. However, in this case, the complainant’s complaint was not, strictly speaking, about these matters, but rather was about the bank’s response to his access request.

    For these reasons, our Office declined to discontinue the investigation.

Due diligence and delays in providing full access
  1. When the complainant submitted his second access request to the bank, the bank acknowledged the request within a few days. It followed its acknowledgment with a letter notifying the complainant of its intention to take a further 30 days to respond to the access request, as provided for by subsection 8(4) of the Act. As noted above, the bank provided the complainant with 78 pages of his personal information within 60 days of his access request.
  2. However, as became apparent through our investigation and as the bank later admitted, while it conducted a thorough search of its records to find and collate the complainant’s personal information, and was satisfied there were no other records, it did not conduct adequate reviews of the information it held, when providing the complainant with access to its records.
  3. This lack of an appropriate review of the material collated and held by the bank was inconsistent with its own procedures for personal information access requests and is a contravention of subsection 8(3) of the Act. Although the procedures we reviewed appeared to be detailed and comprehensive, it is apparent that they were not followed in this case.
Basis for denial of access
  1. We examined the reasons cited by the bank for denying the complainant access to certain information, including its application of specific exemptions available under the Act.
  2. In reviewing the information provided to the complainant, we encountered some difficulties in determining what had been sent, redacted and withheld. This was due, in part, to the fact that the pages sent to the complainant were unnumbered, specific exemptions claimed under the Act were referred to in cover letters but not marked against the individual pages or content and the two parties used different terminology when referring to certain documents.
Information “belongs to [the bank]”
  1. The bank submitted that certain information it had withheld from the complainant, (i.e., the Program notes and the information it eventually provided in its third additional release) “belonged” to the bank and not the complainant.
  2. In making this argument, the bank cited the Federal Court of Appeal’s decision in Wyndowe v. Rousseau, 2008 FCA 39 (“Wyndowe”).
  3. On the basis of Wyndowe, the bank stated that the information related to the process of revising the complainant’s performance rating and developing the options made available to him regarding his employment with the bank was not the personal information of the complainant and, as such, he was not entitled to access it under the Act.
  4. We are of the opinion that the facts in Wyndowe are significantly different from the complainant’s case. Wyndowe involved the formulation of a medical opinion by a physician in the context of an independent medical examination. The information in this case, involved internal emails and notes which concerned the complainant’s performance and the bank’s determination as to how the complainant’s performance matters should be dealt with. The documents contained specific views and opinions about the complainant. The information directly concerned the complainant and was “about” him within the meaning of subsection 2(1).
  5. We disagree, therefore, with the bank’s use of Wyndowe to support its view that the information “belongs” to it. However, nothing ultimately turns on this issue because, as noted above, the bank ultimately provided copies of the documents concerning its internal discussions (redacted for third party personal information) to the complainant in its second additional release, despite its objections. With respect to the Program notes, our Office agreed in the preliminary report that these could be withheld under subsection 9(1) (see paragraphs 96 and 97 below).
Subsection 2(1) – ‘Business carve out’
  1. The bank relied on subsection 2(1) to redact certain information from material it provided to the complainant in its first and second additional releases. The bank stated that the redacted information (principally employee names) was not personal information under the Act. It will be recalled that subsection 2(1) defines “personal information” as information about an identifiable individual. However, it also excludes as personal information the name, title or business address, or telephone number of an employee of an organization.
  2. In our preliminary report, we argued that although some of the information redacted in this case included the name, title, business address or telephone number of bank employees, a contextual review of the redacted information suggested that it did not fall under the ‘business carve out’ contained in subsection 2(1). We explained that it should be considered personal information for the purposes of the complainant’s access request.
  3. In our view, the ‘business carve out’ in subsection 2(1) of the Act applies principally to cases where the collection, use or disclosure of the type of information described is for the purposes of enabling staff members of an organization to be contacted or for making contact with individuals outside the organization, such as the posting of a sales representative’s contact information on the organization’s website or its inclusion in a business directory relevant to the employee’s functions.
  4. In the case at hand, the names of the employees appeared in bank records, not for the purpose of being contacted, but in connection with their views and opinions about the complainant, for example, in the context of the Program, or in the context of human resources-related discussions that concerned the complainant. In these contexts, the names of employees were integral to the documents in which they were found and must be considered personal information. We decided that the names were not appropriately excluded under subsection 2(1) and therefore, constituted the complainant’s personal information.
  5. In its reply to our preliminary report, the bank presented further legal argument as to why it believed the plain meaning of subsection 2(1) of the Act specifically excludes the name, title, business address and telephone number of an employee of an organization from constituting personal information. In doing so, the bank claimed that the clarity of the language used in this subsection did not provide grounds for taking a contextual approach to the interpretation of the text.
  6. Although we continue to disagree with the bank’s position on subsection 2(1), nothing turns on this issue either, given our view (see paragraph 106 below) that the bank is nevertheless entitled to withhold the employee information in this case pursuant to subsection 9(1) of the Act (third-party personal information).
Subsection 9(1) – Third party personal information
  1. As noted above, the bank relied on subsection 9(1) of the Act to deny the complainant access to:
    1. the Program notes (126 pages withheld);
    2. information relating to bank employees contained in its first and second additional releases; and
    3. information related to the complainant’s complaint to the bank’s Ombudsman Office.
  2. Subsection 9(1) of the Act requires that an organization deny an individual access to personal information if doing so would likely reveal personal information about a third party. If the third party information is severable, then the individual may have access to the rest of the information once severance has been performed.
  3. The bank suggested that the individual’s right of access under the Act is of less importance than under the Privacy Act. However, we noted that the Supreme Court of Canada has emphasized that Parliament’s enactment of the Act recognizes that a corollary to the protection of privacy is the right of individuals to access information about themselves held by others [Canada (Privacy Commissioner) v. Blood Tribe Department of Health, [2008] 2 S.C.R 574 at para.13]. 
  4. In our preliminary report, we explained that the Federal Court of Appeal had considered the question of the approach to be taken under the Act, in the situation where information is personal to more than one individual. In Wyndowe, although no express mention was made of subsection 9(1), the Court directed the parties to resolve such an impasse by means of the balancing exercise which the Federal Court of Appeal in the Pirie decision had held was appropriate under the Privacy Act.
  5. The balancing exercise must take into consideration the private interests of the requester and the third parties as well as the public interest in disclosure or non-disclosure of the information (Pirie at paragraph 29).
  6. We pointed out to the bank that, in a recent finding under the Act, this Office applied this approach to a conflict over access to personal information. In that case, a former employee of a federal work, undertaking or business, sought access to the views or opinions expressed by colleagues and other third parties. These had been provided within the context of an investigation of an incident involving the complainant. The incident and its investigation ultimately led to the individual being dismissed. She sought access to her personal information as part of her efforts to be re-instated in her position.
  7. In the matter referenced above, our Office was faced with a situation in which the information sought by the complainant was both personal to her and to the individuals who had participated in the investigation. In determining the appropriate outcome, we sought to balance the public and private interests in access and non-disclosure of the information of all affected individuals. Two key factors in this recent case under PIPEDA were: (i) the employee’s strong private interest in knowing and being able to challenge statements that had led to her termination; and (ii) recognition of the reduced expectation of the privacy of employees in the workplace. After balancing the private and public interests, the Assistant Privacy Commissioner found that the former employee should have access to the information about her that had been provided by her former colleagues.
  8. However, two distinctions can be made between this earlier case and the present one: (i) the events of the earlier case occurred in the context of formal disciplinary processes following an incident involving the complainant; and (ii) in the earlier case, there were no formal assurances made that the information the investigation participants provided would be kept confidential, let alone by the individual in question.

    Balance of interests in relation to the Program Notes

  9. In this case, we considered the following factors related to the private interests of the complainant and third party interviewees, as well as the public interest in the disclosure or non-disclosure of the requested information:
    1. In this Office’s earlier finding, the investigation that gave rise to the access requests had led directly to the termination of the complainant; in that case therefore, the complainant’s interest in obtaining additional information concerning the individuals who had participated in the investigation was heightened by the direct impact the investigation had on her employment status. In this case, the Program was a process routinely undertaken for new managers within the bank in order to facilitate integration into the organization and was not disciplinary in nature; and
    2. In this case, the complainant sent an email to potential interviewees and selected the potential participants himself; his email contained a clear assurance of confidentiality to all prospective interviewees.
  10. In balancing these considerations, we concluded that the bank was justified in withholding the requested information under subsection 9(1) of the Act. We also considered whether redacting third party personal information from the notes could allow for their partial release and determined that such an exercise would render the records virtually devoid of content.

    Balance of interests in relation to employee information contained in the first and second additional releases

  11. The bank also relied on subsection 9(1) in exempting information relating to its employees contained in the first and second additional releases. The releases comprised documents concerning the assessment of the complainant’s final performance rating as well as a discussion of options concerning his employment with the bank.
  12. This information was not impacted by the promise of confidentiality made by the complainant. The balancing of interests therefore led us to the conclusion that the complainant’s private interest in accessing personal information directly related to the assessment of his final performance rating and of his employment status with the bank outweighed the private interest in non-disclosure of those employees involved in the relevant exchanges. We also recognized the public interest in allowing individuals to verify the accuracy of personal information used by organizations to make significant decisions relating to their employment status.
  13. As a result, we believed that the balancing exercise favoured the complainant and determined that the notes and emails relating to his performance rating and letter of options were not exempt under subsection 9(1).  
  14. To the extent however, that these documents incorporate third party personal information relating to the Program, we accepted that this information should be redacted, pursuant to subsection 9(1), in keeping with the results of the first balancing exercise performed above.
  15. In its response to our preliminary report, the bank rejected our Office’s application of a balancing of privacy interests under subsection 9(1) of the Act.
  16. The bank argued that PIPEDA significantly differs from the Privacy Act by specifically providing, in subsection 9(1) of the Act, for the paramountcy of the privacy of third parties over the rights of access of another. The bank pointed out that there are only two exceptions to this paramountcy: where the third party consents to access being provided to the individual who has submitted an access request, or where an individual’s life, health or security is threatened.
  17. The bank stated that, in its view, subsection 9(1) of the Act does not permit the balancing between two rights as grounds for permitting the disclosure of third party information. The bank claimed that the clarity of the language used in the subsection did not provide grounds for our Office taking a contextual approach to an interpretation of the subsection and interjecting a balancing exercise.
  18. In our first recommendation, we asked the bank to provide the complainant with “further” and “revised” access to his personal information, but “subject to the appropriate redaction of third-party information relating to the Program and personal information that does not pertain to the complainant (e.g. performance matters concerning other employees)” (see paragraph 64.a).
  19. Notwithstanding the bank’s objections, upon further review of the material provided to our Office, we are satisfied that the redactions applied by the bank accord with our recommendations and that the complainant has essentially obtained the substance of the views about him in the documents in question and there is nothing further that could be usefully provided.
Legibility
  1. In the second recommendation of our preliminary report (see paragraph 67.b), we asked the bank to provide the complainant with revised access to the 24 redacted pages released as part of the first additional release, ensuring that the legibility was improved to an acceptable standard.
  2. The bank confirmed that it sent the complainant a new, more legible, copy of the redacted information. However, the material was ‘returned to sender’ by Canada Post. Further attempts to contact the complainant based on contact details held in their old records were unsuccessful.
  3. Subsequent to this, our Office was able to contact the complainant who provided an up to date residential address. The complainant asked us not to share the address with the respondent. We therefore forwarded the copies with improved legibility directly to the complainant.

    The complaint made to the bank’s Ombudsman Office
  4. In our preliminary report, we commented that our Office had not been provided with correspondence pertaining to the complainant’s complaint to the bank Ombudsman. The bank had earlier indicated to the complainant that it was withholding information relating to this complaint since it contained third party information. As we had not seen the information alluded to, we were unable to assess: (i) to what extent it might contain personal information belonging to the complainant; (ii) if so, whether redaction of third party personal information might be possible; and (iii) whether the documents contained information belonging to both the complainant and third parties, in which case it would be necessary to conduct a balancing exercise similar to the ones conducted above.
  5. Our third recommendation therefore asked the bank to provide our Office with copies of the complainant’s non-redacted personal information contained in correspondence sent to, and received from, the bank’s Ombudsman Office (see paragraph 64.c).
  6. In response to our recommendation, the bank provided copies of four emails sent between the complainant and the bank’s Ombudsman Office.
  7. The bank explained that one of the emails from the complainant, included six attachments. The attachments comprised six emails sent to and from the complainant while he was an employee. The bank confirmed that three of the attachments had already been provided to the complainant. It believed that two of the other attachments did not contain the complainant’s personal information. It accepted that the sixth and final attachment contained an email which could be considered his personal information. Notwithstanding its argument about the application of the Act, the bank proposed to provide a copy of this email to the complainant, subject to redacting the names of bank employees.
  8. In reviewing the investigation records, we noted that the complainant had already sent our Office copies of the four emails during the course of the investigation. The submission by the complainant included the email, the original of which contained the six attachments.
  9. Therefore, it would appear the complainant is already in receipt of the emails and the attachments. As a result, we do not believe it is necessary for the bank to send a new copy of this information and consider the third recommendation satisfied.
Paragraph 9(3)(b) – confidential commercial information
  1. In the package of personal information sent to the complainant as part of the first additional release, the bank exempted certain records under paragraph 9(3)(b) of the Act.
  2. We reviewed the non-redacted version of records provided to the complainant by the bank. While the records were of poor quality and legibility, we noted that a small portion of the redacted content within the 24 pages provided to the complainant related to bank planning and process matters and did not relate to the complainant, or otherwise contain his personal information. Since we have concluded that the redacted planning and process matters in this instance did not contain the personal information of the complainant, it is not necessary to assess the merits of the bank’s claim that they constitute confidential commercial information under paragraph 9(3)(b) of the Act.
Other documents – Service Canada communication
  1. In our fourth recommendation (see paragraph 64.d), we asked the bank to provide our Office with access to the complainant’s non-redacted personal information contained in correspondence it submitted in reply to Service Canada’s communication.
  2. The bank responded that its reply to Service Canada was verbal; there was no written response. A copy of its verbal reply, i.e. “mutual agreement”, was handwritten on the top right-hand corner of the Service Canada communication. This comment was not redacted in the copy of the communication sent to the complainant as part of the first additional release.
  3. While we accept the bank’s explanation, it is clear to us that the original Service Canada communication copied to the complainant was heavily redacted, despite the fact that it referred to the complainant as an employee. It is not clear to us on what basis the bank was entitled to redact this information when it was clearly about the complainant’s departure from the bank and did not concern a third party. Therefore, to address this recommendation, we asked the bank to release a copy of the communication to the complainant, without the redaction of his personal information. The bank agreed to this. A revised copy of the communication was sent to the complainant through our Office.
Allegedly missing documents
  1. In our sixth recommendation, we asked the bank to provide clarification as to the names of the two documents the complainant claimed were still outstanding and to provide the complainant with non-redacted access to these records. In the event that the documents no longer existed, we asked the bank to provide a fuller account as to what happened to them and why (see paragraph 64.f).
  2. Responding to our preliminary report, the bank explained that it conducted an extensive search pursuant to the complainant’s access request. It searched its records based not only on the specific names of the documents requested, but also on the substance of the complainant’s request. It was not able to locate the existence of any documents by the two names mentioned by the complainant
  3. In reviewing the documents it held and the comments of the complainant, the bank believes that the complainant’s reference to one of the documents is feedback used to provide input into his performance review. Records responsive to this element of the access request were provided to the complainant in the bank’s correspondence as part of its initial release, first and third additional releases.
  4. With regards to the other document name given by the complainant, the bank believes that the complainant is referring to the material related to the bank’s Program. The bank surmised that the complainant may have thought that the name of this Program was the name he offered in his allegation since, in the past, he and other individuals had referred to the Program in this manner.
  5. Our Office is satisfied that the bank has conducted a reasonable search for the documents cited by the complainant. It has also accounted for the apparent confusion between the parties and also sought to provide the complainant with documents responsive to his request. It has therefore, in our opinion, addressed the final recommendation.

Conclusion

  1. Accordingly, we conclude that the complaint is well-founded and resolved.

 

Date modified: