Investigation into a telecommunications company’s response to an individual’s request for access to information about disclosures of her personal information to other parties

PIPEDA Report of Findings #2016-008

July 14, 2016


In June 2014, the complainant sent a letter to a telecommunications company (“the telco”) requesting access to her personal information using an online access to information tool. As part of her request, she asked for any information about disclosures of her personal information, or information about her account or devices, to other parties, including law enforcement and other state agencies.

The telco responded by stating that “[It] is fully in compliance with subsections 9(2.1), (2.2), (2.3) and (2.4) of [PIPEDA]” and provided her with the wording of these subsections.

The complainant then filed a complaint with our Office, alleging that the telco’s response to her access request was incomplete. Specifically, she alleged that the telco refused to advise her of whether her personal information, or information about her account or devices, had been disclosed to other parties, including law enforcement and other state agencies.

Through our investigation, our Office found that the telco’s response did not meet its obligation under Principle 4.9 of PIPEDA. As recommended by our Office, the telco provided the complainant with a response about the disclosure of her personal information to all other parties.

Accordingly, our Office concluded that this matter was well-founded and resolved.

Lessons Learned

How an organization responds to an access request from an individual seeking to be informed of the disclosure of their personal information, pursuant to Principle 4.9 of PIPEDA and in consideration of subsections 9(2.1) through 9(2.4) of PIPEDA

Chart on how an organization responds to an access request

How an organization responds to an access request from an individual seeking to be informed of the disclosure of their personal information, pursuant to Principle 4.9 of PIPEDA and in consideration of subsections 9(2.1) through 9(2.4) of PIPEDA

Question 1: Was there a disclosure of an individual’s personal information to other parties by the organization?

  • If no,
    • Response: An organization would have an obligation to respond to the access request and advise that it did not disclose the individual’s personal information.
  • If yes, go to question 2.

Question 2: Was it a disclosure of personal information to a government institution, as contemplated by subsection 9(2.1) of PIPEDA?

  • If no,
    • Response: An organization would have an obligation to respond to the access request and advise that it disclosed the individual’s personal information.*
  • If yes, go to question 3.

Question 3: Does the government institution object on lawful grounds to the organization responding to the individual’s access request?

  • If no,
    • Response: An organization would have an obligation to respond to the access request and advise that it disclosed the individual’s personal information.*
  • If yes,
    • Response: An organization is limited in the manner it can respond to the individual’s access request. Pursuant to subsection 9(2.4) of PIPEDA, an organization must refuse the access request, inform the Office of the Privacy Commissioner, and not disclose any of the information specified in paragraph 9(2.4)(c) of PIPEDA.


* Assuming that no exemption under section 9 of PIPEDA applies.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

  1. The complainant alleges that the response of a telecommunications company (the “telco”) to her access request is incomplete. Specifically, she alleges that the telco refused to advise her of whether her personal information, or information about her account or devices, had been disclosed to other parties, including law enforcement and other state agencies. In essence, she alleges that the telco’s response stating that it was fully in compliance with the Act is insufficient to respond to her access request.
  2. The Office of the Privacy Commissioner of Canada (“our Office”) finds that the telco’s response did not meet its obligation under Principle 4.9 of the Act. As recommended by our Office, the telco provided the complainant with a response about the disclosure of her personal information to all other parties.
  3. Accordingly, our Office concludes that this matter is well-founded and resolved.

Summary of Investigation

  1. In June 2014, the complainant sent a letter to the telco requesting access to her personal information using the “Access My Information” tool (Footnote 1). She requested the following:

    I am requesting a copy of all records which contain my personal information from your organization. The following is a non-exclusive list of all information that [the telco] may hold about me, including the following:

    • All logs of IP addresses associated with me, my devices, and/or my account (e.g. IP addresses assigned to my devices/router, IP addresses or domain names of sites I visit and the times, dates, and port numbers)
    • Listing of 'subscriber information' that you store about me, my devices, and/or my account
    • Any geolocational information that you may have collected about me, my devices, and/or associated with my account (e.g. GPS information, cell tower information)
    • Text messages or multi-media messages (sent and received, including date, time, and recipient information)
    • Call logs (e.g. numbers dialed, times and dates of calls, call durations, routing information, and any geolocational or cellular tower information associated with the calls)
    • Information collected about me, or persons/devices associated with my account, using one of your company's mobile device applications
    • Any additional kinds of information that you have collected, retained, or derived from the telecommunications services or devices that I, or someone associated with my account, have transmitted or received using your company's services
    • Any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies.
  2. The complainant received a reply from the telco in July 2014. In response to the complainant’s specific request for “[a]ny information about disclosures of [her] personal information, or information about [her] account or devices, to other parties, including law enforcement and other state agencies”, the telco stated “[It] is fully in compliance with subsections 9(2.1), (2.2), (2.3) and (2.4) of the [Act]” and provided her with the wording of these subsections.
  3. The complainant states that the telco’s response provides her with no way of knowing if her privacy has been violated, and if it has, whether it was justifiable under the Act.
  4. Accordingly, the complainant filed her complaint with our Office. The complainant requested that our Office review the telco’s actions to determine whether her personal information was disclosed under paragraphs 7(3)(c), 7(3)(c.1) or 7(3)(d) of the Act, and if so, also review all communications between the telco and the relevant government institutions or part of a government institution, to determine whether the telco acted in accordance with subsections 9(2.1), (2.2), (2.3) and (2.4) of the Act.

Information from the telco

  1. Our Office conducted a review of the telco’s application of paragraph 7(3)(c), subparagraphs 7(3)(c.1)(i) and (ii), paragraphs 7(3)(c.2) and (d), and subsections 9(2.1), (2.2), (2.3) and (2.4) of the Act to ensure its compliance with the Act.
  2. According to the telco, when it receives an access request from a customer wishing to know if information has been disclosed to law enforcement agencies or other state agencies, it tries to balance its legal obligations under the Act against the risk of providing the requestor with so much information that an active law enforcement investigation is jeopardized. In light of this, the telco responds to such access requests from customers by indicating that it fully complies with the Act and providing the wording of the relevant provisions of the Act.
  3. Moreover, the telco advised that upon receipt of access requests from customers of this nature, it forwards the request to its internal team, which determines if any disclosure to law enforcement was made with regard to the customer’s information as the result of a warrant, court order or production order. If a disclosure was made to law enforcement, the telco will seek permission from the law enforcement agency to report this disclosure to the customer.
  4. If a customer is not satisfied with the telco’s initial response and presses the matter further with a second access request, and the law enforcement agency does not agree to such disclosure, the telco will advise the customer as follows:

    Upon receiving your initial request [the telco] searched internal records to determine if any requests for your information were made by Law Enforcement Agencies. If [the telco] found that your information was requested by a Law Enforcement Agency (LEA), [the telco] would have sought permission from that LEA to notify you. In accordance with subsection 9(2.1), (2.2), (2.3) and (2.4) of [the Act], [the telco] must comply with valid requests for information made by Law Enforcement Agencies.

    Our records reveal that either no such inquiry was made for [the telco’s] account number: [XXXXXX] or that an inquiry was made and [the telco] is not permitted by the LEA to advise of this disclosure.

  5. Alternatively, if a customer is not satisfied with the telco’s initial response and presses the matter further with a second access request, and the law enforcement agency does agree to such disclosure, the telco will advise the customer as follows (with required modifications):

    Upon receipt of your request [the telco] communicated with Law Enforcement Agencies in accordance with subsections; 9(2.1), (2.2), (2.3) and (2.4) to request permission to notify the customer of any requests made by Law Enforcement Agencies.

    In response to your request on disclosure, [the telco] was given permission to notify you of the inquiry made on [date] by the [name of law enforcement agency]. The following information was disclosed to the [name of law enforcement agency]:

    [personal information disclosed]

    [The telco] is in compliance with [the Act] and is committed to protect [sic] our customer’s personal information. For more information of [the telco’s] Privacy Policy, please visit our website at [hyperlink].

  6. The telco advised that it continues to update its template language for responding to access requests from customers wishing to know if information has been disclosed to other parties, as required.

Application

  1. In analyzing the facts, our Office applied Principle 4.9 of Schedule 1 of the Act, as well as paragraphs 7(3)(c), 7(3)(c.1), 7(3)(c.2) and 7(3)(d), and subsections 9(2.1), (2.2), (2.3) and (2.4) of the Act.
  2. Principle 4.9 states, in part, that upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. Specifically, Principle 4.9.1 states, in part, that an organization shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.
  3. Subsection 7(3) (Footnote 2) states, in part, that an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is:

    (c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;
    (c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

    • (i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,
    • (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or
    • (iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

    (c.2) made to the government institution mentioned in section 7 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act as required by that section;
    (d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

    • (i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or
    • (ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs.
  4. Subsection 9(2.1) states that an organization shall comply with subsection 9(2.2) if an individual requests that the organization:

    (a) inform the individual about:

    • (i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d), or
    • (ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); or

    (b) give the individual access to the information referred to in subparagraph (a)(ii).

  5. Subsection 9(2.2) states that an organization to which subsection (2.1) applies:

    (a) shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and
    (b) shall not respond to the request before the earlier of

    • (i) the day on which it is notified under subsection (2.3), and
    • (ii) thirty days after the day on which the institution or part was notified.
  6. Subsection 9(2.3) states that within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to:

    (a) national security, the defence of Canada or the conduct of international affairs;
    (a.1) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or
    (b) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.

  7. Subsection 9(2.4) states that despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization:

    (a) shall refuse the request to the extent that it relates to paragraph (2.1)(a) or to information referred to in subparagraph (2.1)(a)(ii);
    (b) shall notify the Commissioner, in writing and without delay, of the refusal; and
    (c) shall not disclose to the individual

    • (i) any information that the organization has relating to a disclosure to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d) or to a request made by a government institution under either of those subparagraphs,
    • (ii) that the organization notified an institution or part under paragraph (2.2)(a) or the Commissioner under paragraph (b), or
    • (iii) that the institution or part objects.

Analysis and Findings

  1. At issue is whether the telco’s response to the complainant’s access request was in compliance with the Act, with regard to the information to which the complainant sought access through her request.
  2. Although Principle 4.9 provides individuals with a right of access to their personal information and a right to be informed of the existence, use and disclosure of the individual’s personal information, section 9 sets out a number of mandatory and discretionary exceptions to this right.
  3. In particular, subsections 9(2.1) to 9(2.4) set out a scheme that organizations must respect when individuals seek information regarding disclosures of information made under paragraph 7(3)(c), subparagraphs 7(3)(c.1)(i) or 7(3)(c.1)(ii), paragraph 7(3)(c.2) or paragraph 7(3)(d). Specifically, the exception to the general rule of providing access pursuant to Principle 4.9 is set out under subsection 9(2.4).
  4. The purpose of the scheme under subsections 9(2.1) to 9(2.4) is to protect the integrity of lawful investigations. Accordingly, where an individual seeks either: (i) to be informed about a disclosure to which these provisions apply or the existence of any information that the organization has relating to such a disclosure, or (ii) access to such information itself, then the organization has an obligation to follow the process set out under subsection 9(2.2), which includes asking the relevant government institution whether it objects to the disclosure of the information sought, where the organization has made a disclosure to a government institution or a part of a government institution.
  5. Based on the wording of subsection 9(2.4), it is only in the event that the relevant government institution objects that the organization becomes subject to the obligations under subsection 9(2.4), which include refusing the request, informing our Office, and not disclosing any of the information specified under paragraph 9(2.4)(c).
  6. As such, in cases where there is no actual disclosure of information under paragraph 7(3)(c), subparagraphs 7(3)(c.1)(i) or 7(3)(c.1)(ii), paragraph 7(3)(c.2) or paragraph 7(3)(d), or where there is a disclosure but the relevant government institution does not object to complying with the request, then the organization must provide access to the information sought (or inform an individual of any disclosure of such information) unless another relevant exception under section 9 applies.
  7. Therefore, how an organization must respond to a request from an individual seeking to be informed of the disclosure of his or her personal information by the organization will depend on whether there was an actual disclosure, and if there was, whether it was a type of disclosure covered by subsection 9(2.1) and ultimately, whether the relevant government institution objects on lawful grounds to the organization responding to the individual’s request for access.
  8. Assuming that no other exception under section 9 applies, in cases where there was no disclosure of personal information by the organization, our Office’s view is that the organization would have an obligation to respond by informing the individual requestor that it did not disclose any of the requestor’s personal information. Conversely, in cases where there was a disclosure of personal information to a third party, but the disclosure is not the sort covered by subsection 9(2.1), then the organization would have an obligation to advise the requestor that such personal information was indeed disclosed.
  9. In cases where the request relates to a disclosure of information contemplated by subsection 9(2.1), then the manner in which the organization responds will depend on whether the relevant government institution objects. If it does not, then the organization must respond to the request pursuant to Principle 4.9. However, it is only where the relevant government institution objects that the organization is limited in the manner it can respond to the request, in accordance with subsection 9(2.4).
  10. In light of the above, our Office finds that the telco’s response to the complainant’s request, as provided to the complainant, did not meet its obligation under Principle 4.9 to inform the complainant of the disclosure of her personal information to third parties. Our Office’s investigation revealed that, in all cases, the telco routinely responds to access requests of the sort submitted by the complainant by stating that the telco is in compliance with subsections 9(2.1) to 9(2.4). In our Office’s view, this type of response is insufficient in that the telco would not be informing a requestor of whether personal information was actually disclosed, in cases where there is no disclosure covered by subsection 9(2.1). As well, subsection 9(2.1) would not apply where there is no disclosure of information to speak of.
  11. However, our Office did not take issue with the telco’s standard second-stage response in cases where there is a disclosure of the type identified under subsection 9(2.1), and the relevant government institution objects. Our Office’s view is that such a response would be consistent with the restrictions set out under subsection 9(2.4). Our Office also does not take issue with the telco’s standard second-stage response where the relevant government institution does not object, since in such cases, the telco would actually be informing the individual that there was a disclosure of their personal information to an institution.
  12. That being said, our Office’s view is that the telco should cease sending requestors the initial response it currently sends, since in many cases, such a response would be insufficient and non-informative for the purposes of Principle 4.9.
  13. Our Office appreciates, however, that the current scheme under the Act raises the potential that one or more individuals could, over time and over multiple requests, reasonably infer whether information was indeed disclosed and whether an institution objected, as in such cases the organization would have an obligation to provide a response that is consistent with subsection 9(2.4). Although a proper response under subsection 9(2.4) would not disclose any information about a disclosure to a relevant government institution or whether that institution objected, such a response would clearly be different from the response provided in other scenarios. As such, individuals faced with a response that meets the requirements under subsection 9(2.4) could nonetheless conclude that, notwithstanding the response provided, a disclosure did in fact occur and the government institution did in fact object. Without commenting on the practical likelihood of such a scenario, this does represent a ‘conceivable outcome’ of the current scheme outlined in the Act.
  14. Moreover, the telco’s response is also incomplete to the extent that the complainant’s access request was about whether the telco had disclosed her personal information to third parties, which also includes private and public sector entities not covered by subsection 9(2.1). Therefore, the telco had an obligation to provide a ‘no’ response or a ‘yes’ response with details, with respect to whether it disclosed the complainant’s information to all third parties, including private sector third parties, which do not fall under the scheme of subsections 9(2.1) to 9(2.4), as well as other public sector third parties that are not covered by subsections 9(2.1) to 9(2.4). To this extent, our Office finds that the telco’s response to the complainant’s access request did not meet its obligation under Principle 4.9 to inform the complainant of the disclosure of her personal information to all third parties.

Preliminary Report of Investigation and the telco’s response

  1. Our Office issued a Preliminary Report of Investigation, which recommended that the telco:
    1. Provide a response to the complainant that directly addresses her access request as to whether her personal information, or information about her account or devices, had been disclosed to all other parties, depending on the scenarios set out above; and
    2. Cease the practice of sending the initial reply (as outlined above) in response to individuals’ access requests about whether their personal information, or information about their account or devices, has been disclosed to other parties, and ensure that its reply is as outlined above.
  2. In response, the telco advised that it had reviewed its records and provided the complainant with a response that directly addresses her access request as to whether her personal information, or information about her account or devices, had been disclosed to all other parties, including private and public sector organizations.
  3. The telco further agreed to eliminate its two-step process for all future requests. Specifically, it advised that it amended its policy for responding to such access requests from customers and implemented a new template within its operations.

Conclusion

  1. Accordingly, our Office concludes that this matter is well-founded and resolved.