Roofing company takes measures to ensure sub-contractors follow its privacy policy

PIPEDA PIPEDA Case Summary #2015-015

November 10, 2015

Lessons Learned

  • Organizations are responsible for the protection of personal information collected, used or disclosed by sub-contractors who act for them in business transactions. For additional information on privacy and outsourcing, see “Fact Sheets: Privacy and Outsourcing (Private Sector)”.
  • To formalize a sub-contractor’s obligations in this respect, such as its obligation to protect customers’ personal information under PIPEDA, an agreement should be drawn up and signed between the organization and the sub-contractor.
  • Uses and disclosures of customers' personal information should not go beyond the purposes for which the information was originally lawfully collected, except with the separate consent of the individual or in situations where disclosure can be made without an individual’s knowledge or consent pursuant to subsection 7(3) of PIPEDA

Complaint

An individual complained that an estimator working for a roofing company from which he had requested an estimate disclosed his personal information to someone at another roofing company. The information allegedly disclosed concerned the individual’s personal financial situation and the history of his contractual dealings with the roofing company.

Summary of Investigation

The complainant had the roof of his home re-shingled by a roofing company (the “first roofer”), but was unsatisfied with the work. He later began court proceedings against the first roofer.

In the meantime, he asked a second roofing company (the “second roofer”) to provide him with an estimate of the cost to fix the perceived problem. To provide the estimate, the second roofer  engaged an estimator, on a sub-contract basis. In all dealings with the individual, the estimator said that he was working on behalf of the second roofer. For example, the estimator’s business card displayed the name and contact information of the second roofer.

The estimator was to: (i) provide a quote to the individual for the second roofer’s services; and (ii) facilitate the individual’s requests regarding any sales-related matters.

Upon receipt of the estimate, the individual signed — but subsequently cancelled — a contract to hire the second roofer.

 Later, in the court proceedings against the first roofer, the individual became aware of the existence of past correspondence between the first roofer and the estimator in which the estimator had disclosed details of, and opinions regarding, his dealings with the individual. The correspondence included statements from the estimator expressing his belief that the individual had: (i) cancelled his contract with the second roofer under false pretenses; (ii) only entered into the contract so that he could use it against the first roofer; and (iii) claimed he had financial difficulties so as to be let out of that contract.

Purposes and privacy

Although the individual acknowledged that he had shared with the first roofer the name of the estimator (as well as the names of two additional roofing companies he had consulted about remedial work on his roof), he maintained that he had done so only to facilitate a discussion concerning the issues with his roof. However, he believed that the information contained in the correspondence he saw went beyond this. The individual thus alleged that the second roofer, and more specifically its estimator, had disclosed his personal information without his knowledge or consent.  

The individual’s contract with the second roofer stated that he consented to the collection and use of his personal information for the purposes of: (i) receiving the products and installation services described therein; and (ii) addressing any related warranty claims. 

The second roofer had in place a privacy policy that required it to obtain customers’ consent for the collection, use and disclosure of their personal information.

Outcome

In our Office’s view, the estimator was acting as the second roofer’s agent. The second roofer was therefore responsible for the personal information handling practices of the estimator in this case.

We also accepted that there had been a disclosure of the individual’s personal information without his knowledge and consent, in contravention of Principle 4.3 of PIPEDA.

The second roofer implemented our Office’s recommendation of establishing an agreement under which sub-contractors commit to adhere to the company’s privacy policy. The sub-contractors are also to be trained in this respect.

Because of the measures taken by the second roofer during the course of our investigation, we found the matter to be well-founded and resolved.

Date modified: