Courier company discontinues practice of delivery to a neighbour
PIPEDA Case Summary #2018-005
March 29, 2018
Lessons learned:
- Organizations that offer courier services are responsible for obtaining consent for practices that involve the delivery of parcels to a neighbour where it is not possible to complete delivery to the address on the parcel.
- Organizations should generally seek express consent from individuals when the information is likely to be considered sensitive. It is important to keep in mind that non-sensitive personal information can be considered sensitive depending on the context.
- An organization that wants to use personal information originally collected by another organization can do so provided the original collector obtained consent from the individual for subsequent uses of the information. However, the organization must exercise due diligence and verify that the original collector did indeed obtain consent.
Complaint
The complainant alleged that a courier company (“the courier”) disclosed her personal information without her consent by delivering a package addressed to her to her neighbour.
Summary of investigation
The complainant found a notice posted on her door which explained that a package addressed to her had been delivered to her neighbour. The complainant knocked on her neighbour’s door and retrieved the package from an individual at her neighbour’s residence.
The package contained personal financial documents from a third-party financial institution (“the shipper”), and its label showed her name, address and unlisted telephone number. The complainant stated she did not know that she was going to receive the package.
In this instance, the courier explained it had attempted to deliver the complainant’s package at her address. When no one answered her door, the driver went to her neighbour and asked him to sign and accept the package on her behalf. The courier taped a notice to the complainant’s door to let her know that it had delivered a package intended for her to her neighbour.
According to the courier’s policies and procedures, when it is not possible to deliver a package to an addressee, a driver may, in certain circumstances, deliver it to a neighbour. The courier stated that many of their customers prefer to pick up a package from a neighbour to avoid having to go to a separate pick-up location.
The courier offered individuals who do not want “delivery to a neighbour” and who were aware that they were receiving a package, other options, such as rescheduling delivery or having their package delivered to a different location. However, since the complainant was not expecting the package in question and had no direct contact with the courier, she never had the chance to choose any of these options.
At the time of arranging delivery of the financial documents, the financial institution could also have opted out of “delivery to a neighbour.” However, the shipper did not select this option.
Given that the company did not obtain consent directly from the complainant, we examined whether the company had obtained consent via the shipper.
The company indicated that the shipper had agreed to the “delivery to a neighbour” practice via its terms and conditions. The company asserted that its agreements with shippers refer to the company’s terms and conditions, and that its shipping customers are typically well acquainted with the availability of shipping options, including “delivery to a neighbour.”
However, the company’s terms and conditions did not specifically point to the requirement for the shipper to obtain consent for its “delivery to a neighbour” practice or indicate that it relies on the shipper to have obtained such consent.
Furthermore, the company’s privacy statement did not explicitly mention the “delivery to a neighbour” practice. We noted that none of the references in the company’s terms and conditions clearly stated how to avoid “delivery to a neighbour.”
We asked the shipper whether they were aware of the company’s “delivery to a neighbour” practice. The shipper stated they were not aware that it was a common practice to leave a package with a neighbour.
Outcome
We found that the company had contravened the consent principle (Principle 4.3) in that it:
- was responsible for ensuring consent from the complainant in this case, and from individuals to whom packages are addressed more generally, for its practice of delivering packages to a neighbour;
- did not obtain consent from the complainant for this practice; and
- did not demonstrate due diligence to ensure that the shipper had obtained such consent.
With respect to package label information (i.e. an unlisted telephone number), we note that information that is otherwise non-sensitive could be more sensitive depending on the context, for example, depending on the relationship between the addressee and their neighbour. Similarly, the information within a package may at times be sensitive, as it was in this case, where a financial institution was delivering documentation containing the complainant’s financial information.
Furthermore, while a person may reasonably expect that their financial institution would send them sensitive financial documents via mail, in our view, they would not reasonably expect their financial institution to have that package delivered to their neighbour. In this case, given the circumstances, including the sensitivity of the contents of the package, the complainant should have been given an express choice of whether she was comfortable with having her financial documents delivered to a neighbour.
Our office has previously found that an organization that is the secondary collector of personal information can rely on the original collector to directly obtain the individual’s consent for subsequent uses of personal information as long as it exercises due diligence to ensure that such consent has been obtained by the original collector.
In this case, the courier did not take reasonable steps to ensure that the shipper had obtained adequate consent for its “delivery to a neighbour” practice. In our view, reasonable steps would have included ensuring that the shipper understands the nature of the practice and that it is responsible for obtaining valid consent for its practice.
Our Preliminary Report of Investigation recommended that the courier ensure it obtains valid consent for “delivery to a neighbour” by either obtaining consent directly or exercising due diligence to ensure that shippers are obtaining valid consent for this practice.
In response to our office’s recommendations, the courier committed to end the practice of “delivery to a neighbour.” Accordingly, we concluded that the matter was well-founded and conditionally resolved.
Update
As a result of this commitment from the courier, our office followed up and has confirmed that the practice of “delivery to a neighbour” has ended.
- Date modified: