Gaps in Microsoft's Accountability Impede Response to Customer's Privacy Complaint

PIPEDA Report of Findings #2014-009

February 10, 2014

---

An individual complained to our Office that Microsoft Corporation ("Microsoft") did not comply with his request to change an email address associated with his Microsoft Account and have the old email address deleted from its records. He further alleged that when he tried to raise the issue with Microsoft, he was unable, even after significant effort, to reach an individual who could adequately respond to his privacy concerns.

As part of our Office's investigation into the identified issues of consent and challenging compliance, we also analysed Microsoft`s privacy accountability framework to determine why the organization was unable to address the complainant`s concerns.

Issues and Analysis

Consent

The complainant initially contacted Microsoft customer support to request a change to the email address associated with his Microsoft Account. However, due to a previously undetected technical design issue, Microsoft was unable to disassociate the complainant's email address from his Microsoft Account and delete that email from its records. Microsoft did not, therefore, comply with the complainant's request to withdraw his consent for the use of his email address and continued to use that email address without his consent.

Challenging Compliance

In attempts to resolve his privacy issue, the complainant spent many hours over a period of more than two months conversing with about a dozen customer service representatives ("CSRs") via various Microsoft support channels. None of these CSRs, not even those specifically designated by Microsoft to address only privacy-related matters, recognized that the complainant's issue was privacy-related. We therefore found that Microsoft did not investigate or take appropriate measures to resolve the complainant's privacy issues. We further found that several representatives were unable to direct the complainant to the individual(s) at Microsoft responsible for ensuring Microsoft's compliance with Canadian privacy laws.

Accountability

During the course of our investigation, in an attempt to better understand why Microsoft had failed to address the complainant’s privacy issues, we examined Microsoft’s privacy framework through the lens of guidance we issued in conjunction with the Offices of the Information and Privacy Commissioners of Alberta and British Columbia: Getting Accountability Right with a Privacy Management Program. We observed that while Microsoft had clearly dedicated significant resources and thought to the implementation of its privacy management program, certain gaps in that program related to the Customer Service & Support function contributed materially to Microsoft's inability to adequately address the complainant's issues. For example, Microsoft CSRs had not received sufficient training to enable them to recognize privacy issues and refer them to the Privacy Response Center, which Microsoft had designated to handle such issues. Nor had the CSRs at the Privacy Response Center received any formal privacy training from Microsoft over and above that received by CSRs in general. Further, our investigation found that it was not general practice for the Privacy Response Center to escalate unresolved privacy issues to Microsoft's Privacy Office, and the Privacy Office did not proactively monitor Privacy Response Center operations. As such, the Privacy Office was not in any practical sense accountable for the Privacy Response Center's handling of customers' privacy issues.

Outcome

Upon learning of our investigation, Microsoft was very responsive and ultimately resolved both the complainant's original issue as well as the accountability concerns we identified during the course of our investigation. Microsoft implemented technical solutions to resolve the underlying system design issue, augmented the number of online access points to the Privacy Response Center, developed new specialized privacy training for CSRs, and systemically increased Privacy Office engagement in resolution of privacy issues raised through Customer Service & Support channels.

Ultimately, we were satisfied with Microsoft's fulsome response to both the issues raised by the complainant and those identified by our Office during the course of the investigation. We deemed the complaint to be well-founded and resolved.

The Commissioner determined that it would be in the public interest to publicly name Microsoft in this case. This summary can serve as a reminder that all companies, even large companies who dedicate a significant budget to privacy programs, need to maintain privacy policies and practices, not just at the design phase but throughout their dealings with individuals.

REPORT OF FINDINGS

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

1. The complainant alleged that, contrary to the Act:
   1. he was unable to withdraw his consent to the use by Microsoft Corporation (“Microsoft”)^{Footnote 1} of his personal information, and that as a result, Microsoft continued to use such information without his consent; and
   2. he was unable to challenge Microsoft's compliance with the Act, and more specifically that Microsoft was unable to provide the contact information of the person(s) accountable for its compliance with the Act.
2. Our investigation also revealed certain gaps in Microsoft's privacy accountability framework which are addressed in this report of findings and have all been resolved by Microsoft.

Summary of Investigation

The Complainant's Allegations

3. The complainant noted that his Windows Live ID account (now called by Microsoft, and hereinafter referred to in this report as, the "Microsoft Account"), which he had opened years earlier, was linked to his work email address. He decided that he did not want his work email address associated with his Microsoft Account. As he was unable to effect the change himself, he contacted Microsoft customer support for assistance. The complainant provided our Office with details of his discussions with Microsoft, along with electronic copies of his online written correspondence with Microsoft.
4. The complainant alleged that he was told by Microsoft that his work email address could not be disassociated from his Xbox Live billing account, associated with his Microsoft Account, and thus that his personal information could not be deleted from Microsoft's records unless he first cancelled his Xbox Live account, which would result in the forfeiture of his credits and subscriptions associated with that account.
5. The complainant also alleged that he was unable to obtain from Microsoft the contact information of any person(s) accountable for Microsoft's compliance with the Act, receiving the following responses to his various requests in this regard: (i) that there was no such person, (ii) that he could search "bing.com", and lastly, (iii) that he could send a letter to Microsoft's legal department.
6. He further alleged that he spent many hours of his own time over a period of greater than three months (commencing October 15, 2012), participated in over a dozen support phone calls and several online support chat sessions (including via the "web form" referenced in the Microsoft Online Privacy Statement), communicated with many different Microsoft customer support representatives, and received repeatedly conflicting, circuitous or incorrect advice.
7. Microsoft did not dispute the complainant's allegations but provided further relevant details during the course of our investigation, through written representations and on-site interviews with various Microsoft personnel involved in privacy management. Those details are reflected in the facts outlined below.

Microsoft's Response to the Complainant's Request that his E-Mail Address Be Deleted

Interaction with Customer Service and Support Group CSRs

8. All of the complainant's interactions with Microsoft prior to Microsoft receiving notification of this investigation were with customer service representatives ("CSRs") from Microsoft's Customer Service and Support group.
9. The Customer Service and Support group is responsible for delivery of service and support to Microsoft customers regarding a wide array of issues (e.g. technical, billing and privacy) in respect of Microsoft's various product and service offerings, including Xbox. It delivers this support through many channels including online chat, telephone, answers.microsoft.com and the Privacy Response Center which addresses issues raised by individuals via Microsoft's online "Privacy Web Form". The complainant dealt with each of these channels.
10. Several CSRs attempted to assist the complainant, using Microsoft's standard process for changing the email address associated with an Xbox Live account. There was, however, a technical design issue (discussed further in paragraph 46, below) preventing that process from effecting the change.
11. During the course of the complainant's interactions with the Customer Service and Support group, CSRs suggested that in order to disassociate his email address from the account he would have to cancel his Xbox Live account, which would have resulted in the complainant forfeiting any value remaining in that account.
12. None of the CSRs with whom the complainant dealt referred the complainant to the Privacy Response Center, which Microsoft has designated to handle privacy-related requests that cannot be resolved by CSRs via standard processes (discussed in greater detail in paragraph 36, below). This was true even though the complainant made it clear that he wanted assistance with respect to his "privacy" issue and the deletion of his "personal information".

Interaction with Privacy Response Center CSRs

13. After more than two months dealing with the Customer Service and Support group CSRs and after submission of his complaint to our Office, the complainant discovered and used the "Privacy Web Form" in Microsoft's Online Privacy Statement, which submitted his request to the Privacy Response Center.
14. The Privacy Response CenterCSRs with whom the complainant dealt were also unable to resolve his request and redirected him back to standard Customer Service and Support group channels even though he made it clear that this was a privacy issue which he had been unable to resolve via those same customer service channels. The following is an excerpt from an email conversation representing his second attempt to have the Privacy Response Center resolve his privacy issue:

    Complainant's second request:

    Hello [to Privacy Response Center CSR 1],

    I have tried all the suggestions you have provided, including being forced to publish my support request on a public forum (as indicated above). I can also supply chat transcripts indicating that your front-line support cannot deal with this issue.
    This is my last attempt to have this resolved - Xbox support tells me it's a billing issue, billing tells me it's a Live ID account issue, the Live ID account people tell me it's a billing issue.
    Nobody is taking ownership, and I'm being bounced around to seemingly random departments without success.
    The issue is simple - my personal information is incorrect and I want to update it. I'm being denied the opportunity to do so by way of deflection to various departments. [emphasis added]
    Please let me know how I should proceed.

    Response [from a second Privacy Response Center CSR]:

    I apologize for the inconvenience caused to you. With regards to your issue, I would like to inform you that Microsoft has a Billing team dedicated to assist you with billing issues. Please contact the Microsoft Billing Department at 866-672-4551. The Representatives are available from Monday to Friday: 5:00 A.M.-10:00 P.M. and Saturday and Sunday 5:00 A.M.-5:00 P.M. Pacific Time.
    For further assistance, Xbox has a dedicated support team to assist you with these types of questions.
    Hence, I request you to contact the Xbox Support Team directly by calling 1-800-4-MY-XBOX (800-469-9269). Support is available from 6:00AM - 10:00 P.M. Pacific Time, 7 days a week including holidays.
    I hope the above information is helpful. If you have any additional questions, please feel free to contact us.

Requests for Privacy Contact Information

15. During the complainant's dealings with various CSRs, several representatives were unable to respond to his request for contact information for the Privacy Officer or a person responsible for personal information compliance at Microsoft.
16. Microsoft does include contact information (i.e. address and phone number) for its Privacy Office in the Canadian English and Canadian French versions of its Microsoft Online Privacy Statement and Microsoft.com Privacy Statement.

Microsoft's Privacy Framework

17. During the course of our investigation, we asked Microsoft to provide details of its Privacy Management Framework so that we could better understand the context behind Microsoft's response to the complainant's privacy request.
18. Microsoft explained that its privacy policies, standards and procedures are not generally designed to adhere to the privacy legislation of any specific jurisdiction but are intended to meet the most stringent requirements of privacy legislation globally to support the global nature of Microsoft's products and services.
19. Microsoft further explained that ultimate responsibility for privacy related compliance rests with its Trustworthy Computing group and with its Legal Regulatory Affairs team in its Legal and Corporate Affairs group. Microsoft indicates that given the breadth and scale of its organization, the implementation of Microsoft's privacy standards and procedures, including resolution of customer privacy issues, is handled in the first instance by its various business groups. Microsoft claims that this approach ensures that individuals implementing Microsoft's privacy standards and procedures are knowledgeable regarding the underlying product or service as well as privacy requirements.
20. Overall, there are more than four hundred (400) Microsoft employees who serve as Privacy Managers, Privacy Leads or Privacy Champions, with privacy commitments in their performance plans. One hundred and twenty (120) of these are IAPP Certified Information Privacy Professionals ("CIPPs") and sixty (60) have full-time privacy responsibilities.
21. Each business group generally has:
    
    Privacy Managers: one or more CIPPs with full-time responsibility for privacy,
    Privacy Leads: several employees who, while having other primary responsibilities (e.g. project management), receive specialized privacy training and spend approximately 25% of their time on privacy, and
    Privacy Champions: employees who have some form of privacy commitments in their performance plans.
22. Since the middle of 2013, all Microsoft employees receive privacy training as part of Microsoft's Standards of Business Conduct course. Each business group's employees may also receive further courses that are tailored to their specific roles within the company. All Customer Service and Support employees and vendors, including customer service representatives, are required to take a Privacy for Customer Service Support training session. Employees with privacy commitments are strongly encouraged to take more detailed privacy training introducing the employee to specific privacy requirements at Microsoft, as well as additional in-depth privacy training to ensure that they are fully capable of implementing Microsoft's privacy policy and standards. Further training is provided in relation to specific issues or requirements on an ad hoc basis as required.
23. There were three Microsoft teams with significant involvement in resolution of the complainant's privacy issue, each of which will be discussed in greater detail below:
    1. the Privacy Office, within the Trustworthy Computing group,
    2. the Customer Service & Support group, including the Privacy Response Center, and
    3. the Xbox product group, Interactive Entertainment Business.

Trustworthy Computing group and the Privacy Office

24. The Trustworthy Computing group is responsible for delivering secure, private, and reliable computing experiences based on sound business practices (per Microsoft Trustworty Computing).
25. The Privacy Office, led by the Chief Privacy Officer and comprised of approximately 20 full-time CIPPs, is a division of Trustworthy Computing and is responsible for the development, documentation and implementation of Microsoft's overarching privacy policy, standards, procedures and supporting documentation.
26. One such procedure dictates the internal process for escalation of, and response to, priority privacy issues (hereafter referred to as the "Escalation Response Procedure"). Pursuant to this process, issues are managed on a priority basis through cross-functional engagement under close monitoring by the Privacy Office.
27. At the time of the complainant's issue, outside of the Escalation Response Procedure, the Privacy Office had limited direct involvement in, or responsibility for, the resolution of privacy issues arising from customer service interactions, like those involving the complainant (Resolution of customer privacy issues by the Customer Service and Support group and its Privacy Response Center sub-group are discussed in detail below.).

The Customer Service and Support Group

28. All Microsoft Customer Service and Support group full-time employees have minimum data protection commitments in their performance plan, and approximately 75 have expanded privacy commitments (as Managers, Leads and Champions).

A. Vendors

29. All front-line consumer-related customer service functions (i.e. interaction between CSRs and customers) are provided by external "Vendors", or sub-contractors, located in various locations around the world.
30. Customer Service and Support group Vendors employ thousands of customer service representatives and receive tens of millions of requests annually. A very small percentage of these requests relate to privacy issues.
31. Microsoft extends its privacy policy and standards to Vendors, like those providing customer service and support, via the Vendor Privacy Assurance program ("VPA") and other contractual data privacy and security requirements. The VPA provides for minimum safeguards, privacy training requirements, knowledge testing and monitoring by the Vendor and Customer Service and Support group, and penalties for non-compliance.
32. Minimum Safeguards: Customer Service and Support group Vendors must maintain an information security program that is aligned with ISO 27001 standards and perform annual third-party audits to assess compliance. Microsoft also reserves the right to audit the organization's information security safeguards.
33. Training: Each customer-facing Vendor CSR was required to complete and pass Microsoft's Privacy for Customer Service and Support training course and further security-related training. CSRs must repeat a training course each time it is updated. Microsoft may also require CSRs to complete further training on an ad hoc basis to address specific privacy issues. Each Vendor must attest that all new and existing employees have completed the required privacy training.
34. Testing and Monitoring: The Vendor is required by Microsoft to assess CSRs' capabilities through various checks which Microsoft has described in detail to this Office. The Customer Service and Support group also directly monitors Vendor CSR test results and performance, and provides feedback to Vendors based on resulting observations.
35. Penalties for non-compliance: Microsoft can and does impose penalties, up to and including contract termination, for non-compliance with VPA program requirements. Microsoft provided examples to this Office of incidents whereby such penalties were imposed for non-compliance with privacy-related requirements.
36. Microsoft provides CSRs with resources (e.g. online tools and processes) to assist with the resolution of standard frequently-occurring privacy-related issues. For example, one such process relates to changing the email address associated with an Xbox Live account (i.e. the process which CSRs attempted to implement, without success, in response to the complainant's request). Another outlines how to effect a customer's request for deletion of his or her personal information.
37. Customer Service and Support group processes dictate that if a CSR identifies an issue as being privacy-related but does not have a standard pre-defined process for resolution thereof, he or she should direct the customer to resubmit the request to the Privacy Response Center via the Privacy Web Form, which was at the time of the complaint, accessible exclusively via a link in Microsoft's Online Privacy Statement. That privacy statement is available, in turn, via a direct link from multiple Microsoft services and web pages.

B. Privacy Response Center

38. Requests received via the Privacy Web Form are directed to the Privacy Response Center, a sub-group within Customer Service and Support group, comprised of a small number of dedicated Vendor CSRs. Privacy Response Center CSRs handle only Privacy Web Form requests.
39. Privacy Response Center CSRs receive the same formal privacy training as Vendor CSRs. Microsoft indicates that Privacy Response Center CSRs gain further privacy-related knowledge and experience by virtue of: (i) their full-time focus on privacy submissions, and (ii) review of privacy-related Knowledge Base articles and associated written explanations which Microsoft brings to their attention from time to time.
40. Privacy Response Center CSRs "triage" Privacy Web Form submissions as they come in to determine if they are privacy-related. The vast majority of these are deemed by the Privacy Response Center to be non-privacy related. Non-privacy related submissions have included, for example, questions about where customers can locate product activation keys and requests for information about software licensing.
    
    At the commencement of this investigation, Privacy Response Center CSRs would redirect requests it deemed to be non-privacy-related to other Customer Service and Support group channels and attempt to resolve the submissions which were deemed to be privacy related. Those submissions which the Privacy Response Center was unable to resolve would be redirected to Privacy Managers within the relevant Business Group or, in very limited circumstances, to the Privacy Office for further action.

Xbox Product Group (“Xbox”)

41. Xbox is responsible for the design, delivery and maintenance of Xbox products and services.
42. Xbox has several full-time Privacy Managers responsible for ensuring compliance with privacy standards and processes. Xbox Privacy Managers assist the Customer Service and Support group with resolution of non-standard Xbox-related privacy issues upon request. They will also lead the Escalation Response Procedure for the resolution of more serious Xbox-related privacy issues.

Changes implemented by Microsoft during the Course of this Investigation

43. While Microsoft's Privacy Office initially had no involvement in attempts to resolve the complainant's privacy issues, we appreciate that they were very responsive to both the complainant and our Office upon learning of the complainant's issue.

Actions Taken to Resolve Microsoft Account Issue

44. Upon learning of our investigation, Microsoft initiated its Escalation Response Procedure. The Privacy Office then engaged with Xbox to resolve the complainant's specific privacy issue, as well as any underlying design and/or privacy process issues which may have led to the complaint. The Escalation Response Procedure was led by a Privacy Manager within the Xbox Product Group.
45. In reviewing the issue raised by the complainant, Xbox discovered that there was an underlying technical design issue preventing the simple and complete disassociation of the complainant's work email address from his Xbox Live account. While Microsoft provided a full explanation of the technical issue to our Office, the details thereof are not material to our consideration of the privacy issues under investigation and have not been included in this report of findings. Because the complainant's request was novel (Microsoft has advised that it was not previously aware of the technical issue in question), Microsoft's standard process for changing the email address associated with an Xbox Live account, as referenced in paragraph 36 of this report, was not effective in changing the subscription name (i.e. the complainant's work email address) displayed on his subscriptions page.
46. Microsoft contacted the complainant to notify him that it was not necessary, and not Microsoft's policy, that he cancel his Xbox Live account or forfeit value in that account in order to change his subscription name.
47. In March 2013, Xbox manually changed the complainant's Xbox Live subscription name so that it was no longer his work email address.
48. Microsoft has since implemented a technical solution such that the Xbox Live subscription name will no longer be set to an email address. This action will ensure that all future Xbox Live users, globally, do not experience the same technical issue as the complainant.
49. Microsoft has also implemented a technical solution to replace all "names" of subscriptions of Canadian customers which were automatically set to be email addresses.
50. Microsoft notes that since implementation six to ten years ago of the code that resulted in the technical issue described in paragraph 46 above, it has implemented a new corporate-wide privacy management process with a view to catching such issues before they reach production. The Xbox Privacy Management group is now involved at all stages of product design and development, and ultimately signs-off on the final product as meeting Microsoft privacy standards prior to release.

Actions Taken to Improve Customer Service & Support Group and Privacy Response Center Response to Privacy Related Issues

51. The Privacy Office has developed a special "eLearning" training module (video, supporting documentation and follow-up testing) to sensitize CSRs to terminology or customer questions that reveal the existence a privacy issue that should be referred to, and addressed by, the Privacy Response Center. Microsoft asserts that this will assist in ensuring that privacy requests are appropriately redirected by CSRs to the Privacy Response Center.
52. Microsoft has increased the number of access points for the Privacy Web Form to encourage and facilitate customers submitting their privacy-related issues directly to the Privacy Response Center. The form is now available in several locations on the microsoft.com website, including via the "Contact Us" page and the "Privacy Settings" page.
53. Microsoft has advised that it is, as a result of issues that came to light during the course of our investigation, also developing additional formal privacy training (relating to, for example, identifying and escalating certain types of privacy issues) specifically for Privacy Response Center CSRs. Microsoft expects to implement such training early in 2014.
54. During the course of this investigation, Microsoft identified that it would be beneficial for the Privacy Office to become more involved in oversight of the Privacy Response Center's resolution of privacy issues. As a result, the Privacy Office has taken on accountability for the end-to-end Privacy Response Center process and now partners with the Customer Service and Support group in the delivery of Privacy Response Center functions. More specifically, the Privacy Office has dedicated full-time permanent resources to oversee and proactively engage with the Privacy Response Center by: (i) assisting in the resolution of privacy issues, (ii) performing quality assurance audits, and (iii) identifying and implementing process improvements. The Privacy Office has also specified a broad range of privacy issues that should now be escalated by the Privacy Response Center to the Privacy Office. Monthly statistics provided by Microsoft demonstrate what we deem to be a significant and material increase in the number of privacy issues escalated to the Privacy Office.
55. The Privacy Office also recently completed a short-term review of submissions in the Privacy Response Center queue (i.e. including those submissions deemed by the Privacy Response Center to be non-privacy related) and determined that such issues were being triaged appropriately.
56. In April 2013, Microsoft and the complainant came to an arrangement whereby the complainant considered the matter resolved to his satisfaction and requested to withdraw the subject complaint. Nevertheless, we determined that our investigation had uncovered issues that warranted completion of the investigation and issuance of this report of findings.

Application

57. In making our determinations, we applied Principles 4.1, 4.1.2, 4.1.4, 4.1.4(b), 4.1.4(c), 4.3, 4.3.8, 4.10 and 4.10.4 of Schedule 1 of the Act.
58. Principle 4.1 states that an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the Principles of Schedule 1 of the Act.
59. Principle 4.1.2 states that organizations shall make known upon request the identity of the individual(s) designated to oversee compliance with the principles of the Act.
60. Principle 4.1.4 indicates that organizations shall implement policies and practices to give effect to the principles, including (b) establishing procedures to receive and respond to complaints and inquiries, and (c) training staff and communicating to staff information about the organization's policies and practices.
61. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.8 further states, in part, that an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
62. Principle 4.10 states that an individual shall be able to address a challenge concerning compliance with the principles to the designated individual or individuals accountable for the organization's compliance. Principle 4.10.4 further provides that an organization shall investigate all complaints and that if a complaint is found to be justified, the organization shall take appropriate measures, including, if necessary, amending its policies and practices.

Analysis

Consent

63. We recognize that the CSRs with whom the complainant dealt misunderstood the nature of his issue and did not appreciate the privacy implications of Microsoft's inability to address his request. Nevertheless, Microsoft did indicate to the complainant that in order to disassociate his work email address from his Microsoft Account and have Microsoft delete the email from its records, he would have to cancel his Microsoft Account and forfeit the value therein.
64. We therefore find that Microsoft's continued use of the complainant's work email address after receipt of the complainant's express request that they cease doing so was a contravention of Principle 4.3.8 and 4.3 of Schedule 1 of the Act.
65. We acknowledge that upon learning of our investigation, Microsoft took the steps necessary to comply with the complainant's request.
66. We also appreciate that Microsoft, upon determining the underlying technical barrier to complying with the complainant's request, implemented a broad-based solution (as discussed in paragraphs 49 and 50 of this report) to ensure that the technical issue in question would not arise for other customers in future.

Challenging Compliance

67. Prior to submitting his complaint to our Office, the complainant spent what we deem to be an inordinate amount of time and effort, trying via various customer service channels without success, to have his privacy issue resolved. Ultimately, our investigation revealed that Microsoft did not investigate and take appropriate measures to resolve the complainant's privacy issues until after receiving notification of our investigation into the matter. We therefore find that Microsoft contravened Principle 4.10.4 of Schedule 1 of the Act.
68. Furthermore, our investigation revealed that when the complainant sought, explicitly in his various discussions with CSRs, to address his complaint directly with the individual(s) accountable for Microsoft's compliance with the Act, he was unable to do so. We find that Microsoft, in failing to identify and provide contact information to the complainant for its Privacy Officer or Privacy Office, contravened Principles 4.1.2 and 4.10 of Schedule 1 of the Act.
69. We acknowledge that upon receiving notification of this investigation, Microsoft's Privacy Office, in conjunction with the Xbox product group, did investigate and resolve the complainant's privacy issue.
70. As an additional point, we are pleased to see that Microsoft has improved the visibility of its Privacy Web Form by making it available via links in various locations across its websites. While the Web Form was accessible via Microsoft's Online Privacy Statement, the complainant did not discover it until two months into his Microsoft complaint process. In our view, improved visibility of the Web Form will increase the likelihood that customers will address their privacy issues to the Privacy Response Center in the first instance.

Accountability

71. Our investigation identified that while Microsoft had clearly dedicated significant resources and thought to the implementation of its privacy management program, certain gaps in that framework were ultimately responsible for Microsoft's failure to comply with its requirements under the Act.
72. In April 2012, our Office published along with the Offices of the Information and Privacy Commissioners of Alberta and British Columbia, Guidelines entitled "Getting Accountability Right with a Privacy Management Framework" (the "Accountability Guidelines"). We will reference certain relevant aspects of the Accountability Guidelines in our analysis below.
73. While not one of the numerous CSRs with whom the complainant dealt was able to resolve his privacy issues, we appreciate that it was not within the scope of their responsibilities to do so. Microsoft's internal protocols provided that CSRs should have referred the complainant to the Privacy Response Center, which Microsoft designated to handle privacy-related customer issues. Given the high volume of requests fielded by Microsoft CSRs and the fact that a relatively small number of those requests relate to privacy, we accept that it would be impractical for all CSRs to develop and retain the knowledge and expertise necessary to effectively address complex privacy-related issues.
74. That being said, in our view, for the Privacy Response Center to be effective in its designated role:
    1. CSRs within other customer service channels should be able to recognize privacy issues and know to refer such issues to the Privacy Response Center, and
    2. Privacy Response Center CSRs should have sufficient knowledge, expertise and resources to address complex privacy issues.

Referral of Privacy Issues to the Privacy Response Center

75. Each of the CSRs with whom the complainant dealt failed to refer his privacy issue to the Privacy Response Center. They either did not recognize his issue as being privacy related or were not aware that such issues should have been referred.
76. As set out in the Accountability Guidelines, "Program Controls" help ensure that what is mandated in an organization's governance structure is actually implemented within the organization. The Accountability Guidelines further emphasize the importance of adopting appropriate training and education requirements that are tailored to specific needs.
77. In our view, CSRs should have been provided with at least the training and knowledge necessary to identify privacy issues and refer them to the Privacy Response Center. Based on the information provided by Microsoft regarding its privacy training, and the fact that CSRs consistently failed to refer the complainant's privacy issue to the Privacy Response Center, we find that Microsoft's mandated training was inadequate under Principle 4.1.4(c) of Schedule 1 of the Act.
78. That being said, our view is that the new privacy training instituted by Microsoft (as described in paragraph 52 of this report) will assist CSRs with the identification and appropriate referral of privacy issues in future cases.

Privacy Response Center's Ability to Address Privacy Issues

79. The Privacy Response Center was also unable to resolve the complainant's privacy issue, and in fact, does not appear to have recognized the issue as being privacy-related. We note that the Privacy Response Center received no formal privacy training over and above that mandated by Microsoft for other Vendor CSRs whose privacy responsibilities were much more limited. We acknowledge that CSRs would have gained a certain level of experience with privacy issues through their exposure to such issues in the Privacy Response Center. In this case, however, such experience does not appear to have provided CSRs with the knowledge necessary to handle the complainant's privacy issue appropriately. In our view, to comply with Principle 4.1.4(c), Privacy Response Center training should have been tailored to address the breadth and depth of privacy issues which Privacy Response Center CSRs would inevitably face.
80. We recognize that the complainant's issue was, in fact, a complex one which the Privacy Response Center could not have resolved without assistance from Microsoft's Privacy Office and the Xbox group. The issue was, however, never escalated by the Privacy Response Center to the Privacy Office. Even if the Privacy Response Center had recognized the issue as being privacy-related, it was not general practice to escalate such issues to the Privacy Office (except for those issues deemed serious enough to be handled via Microsoft's Escalation Response Procedure).
81. Furthermore, the Privacy Office did not proactively monitor Privacy Response Center operations, and was not in any practical sense accountable for the Privacy Response Center's handling of customers' privacy issues. As a result, Microsoft's Privacy Office did not become aware of the complainant's issue until our Office notified them of the subject complaint.
82. As mentioned in the Accountability Guidelines, compliance with privacy laws requires organizations to have a governance structure in place, with processes to follow and the means to ensure that they are being followed. The Accountability Guidelines also state that an organization needs to establish internal reporting mechanisms to "ensure that the right people know how the privacy management program is structured and whether it is functioning as expected". Reporting mechanisms should provide for escalation of privacy issues when, for example, there is a security breach or a customer complaint. In this case, we are of the view that the reporting and escalation mechanisms were insufficient to alert the Privacy Office to the complainant's complaint or to the fact that it was being mishandled by the Privacy Response Center.
83. In our view, the deficiencies in Privacy Response Center training, absence of an established Privacy Response Center practice for escalation of unresolved privacy complaints and lack of support/oversight by the Privacy Office to the Privacy Response Center were foundationally responsible for Microsoft's inability, and ultimate failure, to recognize, investigate and take appropriate measures to resolve the complainant's privacy issue. We find that these gaps in Microsoft's privacy management program constitute a contravention of Principles 4.1.2, 4.1.4, 4.1.4(b) and 4.1.4(c) of Schedule 1 of the Act.
84. We accept, however, that the substantial changes implemented by Microsoft in response to our investigation (i.e. new escalation protocols, increased Privacy Office oversight, new in depth privacy training) will enhance its ability to ensure that customers' privacy issues and requests are appropriately addressed.

Conclusion

85. Therefore, with respect to:
    1. the complainant's allegation relating to Microsoft's inability to delete his personal information and its resulting continued use of his personal information without consent,
    2. the complainant's allegation relating to his inability to challenge Microsoft's compliance with the Act, and
    3. the issue of Accountability identified during the course of our investigation,
    we find this complaint to be well-founded and resolved.