Telecommunication company called upon to better inform customers on reasons for retaining personal information after credit verification

PIPEDA Report of Findings #2013-006

[Subsection 5(3) and Principles 4.2.5 and 4.5.3]

May 17, 2013


An individual filed a complaint with our Office regarding a telecommunications company. The complaint was two-fold. The individual complained that the organization was unnecessarily retaining personal information she had submitted in order to verify her credit. She also expressed concern that her request to have this personal information deleted from the organization’s records had been denied.

A few years ago, upon setting up an account with the organization, the individual provided a date of birth and driver’s license information for the purposes of credit verification. Several years later, while still receiving services from the organization, the individual requested that the organization delete the personal information from its records. The organization denied this request.

At issue was whether the organization was retaining personal information that was no longer necessary to fulfil the purposes for which it was collected.

Our Office found that the individual’s personal information was still necessary to fulfill a purpose identified in the organization’s Privacy Policy, namely, collecting payment for products and services.

As a result, the complaint was deemed not well-founded with respect to this allegation.

In reviewing emails sent from the organization to the individual, our Office found that the individual was not provided with an adequate explanation as to why her request to delete her personal information was denied.

Following our involvement, the organization provided the individual with an apology and a more detailed explanation. The organization also sent out a memo to its customer service representative team, reminding staff that, in response to a similar customer request, such a full explanation should be provided.  The memo also reminded the team that they should consult with the organization’s Privacy Office, if necessary.

The complaint was deemed well-founded and resolved with respect to this issue.

Lessons Learned

  • Personal information that is no longer required to fulfill identified purposes should be destroyed, erased, or made anonymous. However, while one purpose for collecting information may be fulfilled, there may be another purpose that has not been fulfilled. In these cases, an organization may retain personal information until the remaining purposes have been fulfilled.
  • Those collecting personal information should be able to explain to individuals the purposes for which the information is being collected, including the reasons why the personal information is being retained where one of the original purposes of collection has been fulfilled.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Summary of the Complaint

1. The individual alleges that a telecommunication company is retaining her personal information, namely, her date of birth and driver’s license information, unnecessarily after the credit verification stage, and has denied her request to have this personal information deleted from its records.

Summary of Investigation

2. The individual opened an account for cable television and Internet services and provided her date of birth and driver’s license information to the organization. She indicated that she was aware that this information was collected to set up her account and verify her credit.

3. Several years later, as a result of privacy breaches unrelated to the organization but reported in the media, the individual wrote to the organization and requested the deletion of her personal information from its records.

4. In an email from a Customer Service Representative (“CSR”), the organization acknowledged the individual’s security concerns but advised that the personal information was required prior to activation of accounts for the purposes of credit evaluation. The e-mail explained that only the last 4 digits of the driver’s license could be viewed by CSRs.

5. The individual escalated her concerns by contacting the organization’s Privacy Office. In an email from an employee of the organization, the organization confirmed that it had investigated the matter and found that collecting two pieces of identification together with a customer’s date of birth was not contrary to the Act. Accordingly, the organization again denied the individual’s request to have her personal information deleted from its records.

6. The individual filed a complaint with this Office. At the time, she continued to receive cable television services with the rental of a digital box.

7. In its representations to this Office, the organization provided copies of its authentication procedures, credit verification procedures and the terms of service for the individual’s specific account.

8. The individual advised that she is aware of the organization’s Privacy Policy, which states that the organization collects customer information for several purposes, including obtaining credit information and collecting payment for products and services.

Application

9. In making our determination, we applied subsection 5(3) of the Act, which states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

10. Principle 4.5.3 of Schedule 1 of the Act states that personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous.

11. We also applied Principle 4.2.5 of Schedule 1 of the Act, which states that persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.

Findings

12. At issue is whether the organization is retaining personal information that is no longer necessary for the fulfillment of the purposes for which it was collected.

13. The organization’s position is that it justifiably denied the individual’s request to have her personal information deleted as such personal information is still necessary for the fulfillment of certain purposes identified in its Privacy Policy, namely, to collect payment for products and services.

14. This Office has previously found that a reasonable person would consider it appropriate for an organization to collect two pieces of identification and date of birth for the purposes of authenticating identity, evaluating credit, protecting its rented assets, preventing fraud and collecting payment, in accordance with subsection 5(3) of the Act.

15. Although this previous matter dealt specifically with the issue of whether the organization required, as a condition of service, the individual to provide more information than necessary for the rental of a digital cable box, the reasoning applied in that case can be applied to the present matter.

16. While the individual’s personal information, namely, one piece of identification and date of birth, was collected to open her new account with the organization and to verify her credit, this same personal information was also collected in order to allow the organization to collect payment for products and services, as provided for in the organization’s Privacy Policy.

17. It is consistent with the organization’s Privacy Policy that it retains the personal information in question for as long as the individual remains a customer of the organization to ensure that services obtained in advance are paid for and rented assets are returned, following the termination of services.  This is in accordance with Principle 4.5.3 of Schedule 1 of the Act.

18. In reviewing the organization’s emails sent to the individual, we find that the individual was not provided with an adequate explanation as to why her request to have her personal information deleted was denied.

19. The organization has advised that it is willing to provide the individual with an apology and a more detailed explanation for denying her request to delete her personal information from its records. In accordance with Principle 4.2.5 of Schedule 1 of the Act, such an explanation would make reference to the specific purposes for which the information was collected and continues to be retained.

20. The organization has also undertaken to send out a communication to its CSR team reminding them that, in response to a similar customer request, such a full explanation should be provided, and they should be consulting with the organization’s Privacy Office, if necessary.

Conclusion

21. We conclude that the complaint is not well-founded with respect to the allegation that the organization is retaining personal information that is no longer necessary for the fulfillment of identified purposes.

22. We also conclude that the organization did not adequately provide the individual with an acceptable explanation for denying her request to delete her personal information.  We note the organization’s willingness to provide the individual with an apology and a more detailed explanation, in addition to notifying its CSR team that a full explanation should be provided in response to similar requests, in consultation with the organization’s Privacy Office where warranted. Accordingly, this aspect of the complaint is well-founded and resolved.

 
