Hotel check-in/check-out times are personal information and must not be disclosed without consent

PIPEDA Report of Findings #2013-007

August 7, 2013


An individual complained to our Office that a hotel had disclosed personal information about him to his employer that contributed to his employment being terminated. The complainant claimed that a detective from his employer’s private police service had contacted the hotel to request the check-in and check-out times for two of his recent stays. The complainant noted that he regularly stayed in hotels for his work, and he believed that his employer had requested this information as part of an investigation into whether employees were claiming overtime unnecessarily. An employee of the hotel disclosed the requested information over the phone, and this information was later used in a process that resulted in the individual’s employment being terminated.

In our investigation, we determined that check-in and check-out times were personal information in this case as they related to an identifiable individual. Further, it was determined that none of the exceptions for disclosure without consent under the Act applied. Therefore, our investigation concluded that the personal information of the individual was disclosed without consent, in contravention of the Act.

The hotel’s General Manager undertook a review of the hotel’s policies related to disclosure of guest information to third-parties. The existing policy was revised to more clearly describe staff responsibilities related to this matter to suggest that, where possible, all disclosure requests go through management, and to clarify the circumstances under which guest information can be released to law enforcement. This policy was then re-issued to all staff and posted in key areas. As such, the Office concluded that this complaint was well-founded and resolved.

Lessons Learned

  • Information about an identifiable individual is considered “personal information”.
  • In this case, hotel check-in and check-out times were considered personal information.
  • Before disclosing personal information, organizations should ensure that either proper consent has been obtained or at least one of the Act’s provisions for disclosure without knowledge and consent can be properly applied to the situation.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the Act)

  1. The complainant alleges that the hotel disclosed his personal information to a third party without consent. More specifically, he alleges that details about two stays at the respondent’s hotel were disclosed to his former employer in relation to a matter that led to his employment being terminated.

Summary of Investigation

Information from Complainant
  1. The complainant states that in April 2009, he discovered that the hotel had disclosed to his then-employer the times at which he checked in and checked out of the hotel during two particular stays earlier that year.
  2. The complainant provided to this Office a copy of a page from the notebook of a detective from his employer’s private police service. Among other information, the page contained the contact information for the hotel, as well as notations of the check-in and check-out times and room numbers for two of the complainant’s stays at the hotel.
  3. In a telephone conversation with our Office, the complainant stated that he was often required to travel for his job. He believes that his employer was calling hotels about check-in/check-out times as a means to check whether employees were claiming overtime unnecessarily.
  4. The information disclosed by the hotel was subsequently used in a disciplinary matter between the complainant and his employer, which led to the complainant’s termination.
Information from Respondent
  1. The respondent provided representations to our Office in May 2011. They stated that to the best of their recollection, they received a call from local police who were “investigating something criminal.” They state that they provided police with the information they requested – check-in and check-out times, and potentially the name of the complainant’s supervisor. They did not recall the release of any further information.
  2. The respondent also stated that they subsequently received a call from the complainant’s employer’s private police service, asking the same information – check-in and check-out times – which was again disclosed.
Information from Third Party
  1. The complainant’s employer confirmed to this Office that the respondent voluntarily provided the requested information to their police service, and that they had not sought a warrant or court order for the production of this information. Police in the hotel’s city had not been asked to seek any information from the hotel on behalf of the employer related to this matter.
  2. For the sake of clarity, it is here noted that this complaint does not relate to the collection of personal information about the complainant by the employer, and our investigation considers only the alleged disclosure by the hotel.

Application

  1. In making our deliberations, we applied Principle 4.3 of Schedule 1 of the Act, and subsection 2(1) and paragraphs 7(3)(c.1) and 7(3)(d) of the Act.   
  2. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
  3. Subsection 2(1) of the Act reads, in part, “‘personal information’ means information about an identifiable individual ....”
  4. Paragraphs 7(3)(c.1) and (d) of the Act read:

    For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
    (c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

    (i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,
    (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or
    (iii) the disclosure is requested for the purpose of administering any law of Canada or a province.

    ...

    (d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

    (i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province, or a foreign jurisdiction that has been, is being, or is about to be committed, or
    (ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs.

Findings

  1. In our findings on this case, we focus on the alleged disclosure of information to the complainant’s employer’s private police service. Our Office has been presented with no corroborating evidence that the hotel disclosed information to their local police service. In our opinion, it is likely that this fact was misremembered by the respondent (particularly given that more than two years had elapsed between the alleged disclosure and the time that the hotel was asked to recall the incident). This does, however, speak to the importance of documenting the circumstances of, and rationale for, any disclosures of personal information.
Were check-in/check-out times “personal information” in this situation?
  1. Subsection 2(1) of the Act defines personal information as “information about an identifiable individual.” The information allegedly disclosed by the hotel – check-in and check-out times – clearly related to the complainant, whose identity was known to both the disclosing and receiving parties. As such, it is our view that the disclosure of check-in/check-out information would, in these circumstances, constitute the disclosure of personal information.
Did a “disclosure” of personal information take place?
  1. In their submission to this Office, the hotel did not contest the fact that the complainant`s check-in and check-out times had been disclosed to the individual’s employer’s private police service. As such, we are satisfied that such a disclosure did take place.
  2. Neither the complainant nor respondent in this case has suggested that express consent was granted for this disclosure.
Can the respondent rely on an exception in subsection 7(3) of the Act for disclosure without knowledge or consent?
  1. Subparagraph 7(3)(c.1)(iii) of the Act allows the disclosure of personal information without the knowledge or consent of the individual if it is “made to a government institution or part of a government institution that has made a request for the information identified its lawful authority to obtain the information and indicated that ... (iii) the disclosure is requested for the purpose of administering any law of Canada or a province.
  2. In our view, this exception does not apply for at least two reasons. First, no evidence is provided to suggest that the private police service identified its lawful authority to the respondent (even assuming such an authority exists, which is itself unclear). Instead, evidence, including representations from the individual’s employer, suggests that the respondent was simply asked to provide the information, and voluntarily complied.
  3. Further, the disclosure was not requested for the purpose of administering a law of Canada or a province. Instead, the individual’s employer was seeking information for the purpose of investigating employee misconduct. While excessive overtime claims may amount to “fraud” in some cases, there is no evidence that the individual’s employer was conducting a criminal investigation. In fact, the individual’s employer stated in its representations that they were “not pursuing criminal charges.”
  4. Paragraph 7(3)(d) of the Act allows the disclosure of personal information without the knowledge or consent of the individual if it is “made on the initiative of the organization to an investigative body ...”. We note that the individual’s employer’s private police service is not listed in the Regulations Specifying Investigative Bodies associated with the Act.
  5. As such, in our view there are no exceptions in subsection 7(3) of the Act that would have allowed disclosure without consent.
  6. Thus, the complaint, with regard to disclosure without consent, is well-founded.

Conclusion

  1. In this Office’s initial discussion with the respondent, it was determined that a policy was in place limiting the disclosure of guests’ personal information to both third parties and law enforcement. However, this policy may not have been clearly elucidated.
  2. In July 2013, the hotel hired a new general manager. Following a discussion between this individual and our Office, the hotel immediately undertook a review of its policy related to disclosure of guest information. This resulted in the policy being amended to more clearly describe staff responsibilities related to this matter, and to suggest that where possible, all disclosure requests should go through management. It also clarified the circumstances under which guest information can be disclosed to law enforcement.
  3. The new general manager also worked through his management team to re-issue the policy, ensuring that all staff had read and understood its contents. The policy was further posted in key information areas, and marked as a matter of importance.
  4. Accordingly, the consent matters alleged in the complaint are deemed well-founded and resolved.

 

Date modified: