Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Company’s disclosure of information about a debt owed is not covered under exemption to consent

PIPEDA findings #2016-013

December 29, 2016

Description

An individual complained that an organization disclosed his personal information, specifically information about a debt, to another organization on two occasions without his consent. Information about a debt owed by an identifiable individual constitutes personal information and is sensitive. It may only be disclosed by an organization without consent in very limited circumstances, which are outlined in subsection 7(3) of the Act, including 7(3)(b), for purposes of collecting a debt owed by the individual to the organization. In this case, the disclosure was not for purposes of collecting the debt. Therefore, consent was required. The fact that the information may have been disclosed in response to a direct question with the expectation that the discussion would remain private did not exempt the disclosure from the requirement to obtain consent. Our investigation found that the disclosures did not fall within the scope of the circumstances described in subsection 7(3). Further, our Office is of the view that the company’s claim that there was an “expectation of privacy” when the disclosures took place is not a substitute for obtaining the necessary consent from the individual whose personal information is disclosed, nor is simply being asked by another party to divulge someone’s personal information.

Takeaways

  • Subsection 7(3) provides details as to the limited circumstance in which personal information may be shared without consent.
  • The disclosure is not exempt from the requirement for consent, pursuant to paragraph 7(3)(b), unless the purpose of the disclosure is to collect a debt owed by the individual to the organization.
  • Relying on an expectation of privacy or answering a direct question are not valid exceptions to required knowledge and consent of an individual prior to the disclosure of his personal information.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act” or “PIPEDA”)

Overview

The complainant alleged that, on two occasions, a sports facilities company (the “company”) disclosed to representatives of a related sports association (the “association”) that he had an outstanding debt with the company, without his consent.

The company did not deny disclosing the information but argued that PIPEDA was not contravened as it had answered a direct question from the related association.

We did not accept the company’s justification for the disclosures, reminding it that PIPEDA requires the knowledge and consent of the individual whose personal information is disclosed, unless one of PIPEDA’s exemptions to obtaining consent can be relied on. The exemption of a disclosure occurring for the purposes of collecting a debt owed to the company, pursuant to paragraph 7(3)(b), does not apply to the circumstances of this case.

Thus, the complaint is well-founded.

Summary of Investigation

  1. The complainant was a member of a sports facilities company (the “company”). In 2014, his membership was suspended because he owed the company money arising from unpaid dues and outstanding amounts for goods and services purchased. The complainant was in negotiation with the company regarding the debt owed.
  2. The complainant was also a board member of a related sports association (the “association”) that was organizing a tournament to be held on the company’s premises.
  3. Prior to the tournament, a telephone call took place between a senior representative of the company and the office manager of the association. The object of the call was for the company to express its opposition to two particular individuals (including the complainant) scheduled to participate in the upcoming tournament on the company’s premises. During the call, the company asked that both individuals be removed from the tournament roster because they had been suspended from the company because of an outstanding debt with the company.
  4. The next day, a meeting was held to discuss the company’s decision to ban the complainant from its premises for the upcoming tournament. The meeting was attended by the complainant himself and a board member of the association, as well as by the company’s president and the same senior company representative who had divulged the complainant’s debt information on the telephone the day before. During the meeting, the company again disclosed that the complainant owed it a debt.
  5. For its part, the company has claimed to our office that information about the complainant’s debt was given on these occasions because the company was specifically prompted by the association to provide reasons why the complainant was not in good standing with the company. Moreover, the company has claimed that there was an expectation of privacy during these two discussions.
  6. Following these events, the complainant sent a settlement offer to the company, wherein he accused the company of contravening PIPEDA. He also detailed specific conditions to be met, including an amount to be disbursed for damages, in order to preclude any future litigation against the company. He has since informed our Office that he has revised these conditions and that he also seeks letters of apology from the two representatives of the company.
  7. The complainant also filed the current complaint with our office. In his complaint, he alleges that the company disclosed his personal information without his consent. Specifically, he alleges that during a telephone call and again in a meeting, representatives of the company informed members of the association that he had failed to pay an outstanding balance owed to the company, without his consent.
  8. Our office examined the company’s privacy policy, a confidentiality policy for board members and a code of ethics for board members, the latter being signed annually by board members. As well, the company advised us that all new members are required to attend an orientation session that includes a detailed review of the privacy policy.
  9. The privacy policy clearly indicates that “consent is required for the collection of personal information and the subsequent use or disclosure of this personal information” and contains a section on limiting collection, use and disclosure of personal information. Our office also reviewed the company’s confidentiality policy for board members since the two individuals who disclosed the complainant’s personal information were part of the company’s Board of Directors. This policy contains clear statements requiring board members to maintain the confidentiality of client records in accordance with the company’s privacy policy.
  10. It was confirmed to our office that both company board members involved in the alleged disclosure had attended the initial board member’s training session and had reviewed the confidentiality policy for board members.
  11. During the investigation, the company decided to again review its privacy policy with board members and planned to have “privacy and confidentiality” as a standing item on its meeting agenda in order to mitigate the recurrence of privacy complaints.
  12. Lastly, our Office was advised that the complainant was ultimately permitted to play in the tournament held on the company’s premises.

Application

  1. In making our determinations, we applied Principle 4.3 of Schedule 1 and paragraph 7(3)(b) of Part 1 of PIPEDA.
  2. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
  3. Paragraph 7(3)(b) states that an organization may disclose personal information without the knowledge or consent of an individual only if the disclosure is for the purpose of collecting a debt owed by the individual to the organization.

Findings

  1. At issue is whether there was knowledge and consent for the disclosure of the complainant’s personal information, specifically, his outstanding debt owed to the company to the association.
  2. Debt information about an identifiable individual constitutes their personal information. Further, this type of personal information is also generally considered sensitive personal information.
  3. Our investigation established that the company disclosed the complainant’s personal debt information to the association on two occasions. Further, it is clear that the company did not have the complainant’s consent to do so, as is required by Principle 4.3. The company’s claim that there was an “expectation of privacy” when the disclosures took place is not a substitute for obtaining the necessary consent from the individual whose personal information is disclosed, nor is simply being asked by another party to divulge someone’s personal information.
  4. Therefore, in our view, Principle 4.3 was contravened.
  5. PIPEDA contains certain exemptions from the requirement to obtain consent for the disclosure of personal information.
  6. Under paragraph 7(3)(b), PIPEDA provides an exemption to obtaining consent when the purpose of the disclosure is to collect a debt owed by the individual to the organization. However, in the present case, it is clear that the company’s purpose for disclosing the complainant’s debt information was not to collect the debt, but rather to prevent the complainant from participating in the tournament being held at the company’s premises. Therefore, the company cannot rely on paragraph 7(3)(b) to exempt itself from obtaining the complainant’s consent to disclose the complainant’s personal information.
  7. We were disappointed that, despite the company have a confidentiality policy in place, it was the president and another senior representative who were involved in the disclosure. In our view, two high ranking members of the company’s Board of Directors should strive to set an example for the rest of the company to follow. Having said that, the two individuals involved in this disclosure are no longer part of the Board of Directors at the company.

Conclusion

  1. Accordingly, we conclude that the matter is well-founded.
Date modified: