The OIPC
has a long history of successfully mediating privacy
disputes in the public sector and we are applying that
experience to PIPA disputes. Summaries of recent PIPA
mediations follow.
-
Non-Profit Society Properly
Withheld Personal Information
A non-profit
society received a request for personal information from a
former board member. The responsive records also included
records of complaints both by and about the applicant
board member. Some personal information of the applicant
was released but other records were withheld or severed to
protect third-party personal information, including the
identity of certain third parties. The OIPC
explained to the applicant that, as the identity and
personal information of another individual must not be
disclosed under the Personal Information Protection Act,
the organization had acted appropriately. The applicant
was satisfied with the outcome.
A former
employee of a restaurant asked for his employee
information from the restaurant. Not being familiar with
the Personal Information Protection Act, the
restaurant ignored the request. After being contacted by
the OIPC, the organization was prepared to release all of
the applicant’s personal information but was not sure how
to proceed. The OIPC provided training and assistance,
and the records were released. The applicant was
satisfied with the outcome.
A member of a recreational
facility was involved in an altercation with another
facility user over the use of equipment and requested
access to all of his personal information held by the
facility. The records included email and other
correspondence of the applicant, staff of the facility and
other members. It also included incident reports relating
to the altercation. The applicant received copies of the
records, but some information was withheld under s.
23(4)(c) of the Personal Information Protection Act
on the ground that it was the personal information of
other individuals. Some of the information withheld
included information about the applicant that was
interwoven with other individuals’ information.
As a result of OIPC
mediation, the facility agreed to release more
information. In some
cases, this comprised the identities and other information
created by the staff of the facilities. In other cases,
it was possible to separate the personal information of
the applicant from the personal information of other
individuals. The applicant accepted that the remaining
information withheld was properly withheld.
A clerk at a retail outlet
asked for the complainant’s telephone number when she was
making a purchase. The clerk explained the benefits of
providing her telephone number (including being entered
into a draw for prizes) and assured her that her personal
information would not be sold. There was notice of
collection posted at the checkout desk explaining the
purposes for which the telephone number was being
collected. The complainant read the first part of the
notice and provided her telephone number. On a later
visit to the store, she read the notice carefully and
decided not to give out her telephone number and to
communicate her wish to have the store delete her
telephone number from its records. The focus of her
complaint was that the wording of the notice was
misleading and that, in accordance with s. 7(3)(b) of PIPA,
her consent had not been validly given.
The first part of the
notice indicated that the purpose of collecting the
telephone number of customers was for marketing. In the
second part, the retailer promised not to call customers.
In the third part, the notice indicated that the retailer
might send marketing material to customers through the
mail. The retailer said that its choice of words, the
structuring of the ideas and use of typefaces in the
notice attempted to communicate this information in a way
that would be most useful for customers.
Regarding the question of
whether the notice was misleading, there was no evidence
that the retailer was deliberately trying to mislead its
customers about how their telephone number would be used.
In applying the reasonable person test with respect to
whether the retailer provided “false or misleading
information”, the OIPC was of the view that a reasonable
person would not believe the retailer deliberately
provided false information or deliberately attempted to
mislead its customers. The retailer agreed, however, to
modify its sign to make the notification more clear.
The complainant accepted
the outcome of the complaint.
A complainant had tried to
purchase a few items from a corner store using
a major credit card. The checkout clerk asked the
complainant to provide more identification so she could
confirm that the complainant was the owner of the card, as
the store had considerable experience of credit card
fraud. The complainant refused to provide the additional
identification and complained that the corner store was
attempting to collect personal information contrary to PIPA.
Section 11 says an
organization can only collect personal information for
purposes that a reasonable person would consider
appropriate in the circumstances. Section 7(2) says an
organization cannot, as a condition of supplying a product
or service, require an individual to consent to the
collection, use or disclosure of personal information
beyond what is necessary to provide the product or
service.
As for the appropriateness
of the collection, a reasonable person would consider it
appropriate for a retailer to confirm that a customer is
the authorized credit card holder before processing a
credit card purchase. In light of the possibility of
credit card fraud generally, it was reasonable for the
retailer to ask for more identification to ensure that the
customer is the authorized credit card holder. The OIPC
was of the view that there was no violation of s. 11.
As for the retailer
requiring further identification as a condition of selling
the goods, because verification of the identity of the
cardholder was reasonable, its collection and use of
identifying personal information did not go beyond what
was necessary to provide the products the complainant
wished to purchase.
The complainant was
satisfied with the outcome.
The
applicant held a time-share in a resort development that
had close to 20,000 time-share owners. He disagreed with
the operating organization’s decision to change the
conditions of the time-share to prohibit smoking in any of
the time-share units. He wanted to form an association of
time-share owners and asked the organization to disclose
the names and contact information of the lessees. The
organization denied access to the information, citing PIPA.
The OIPC
told the applicant and the organization that PIPA does not
permit the organization to release the requested personal
information. The applicant had argued that Article 18 of
the time-share lease agreement provided implied consent by
each lessee for the operator to disclose their names and
contact information for the purpose of forming an
association. Article 18 required the organization to
assist in formation of any lessee association. The OIPC
felt Article 18 did not provide implied consent by lessees
to disclosure of their personal information, particularly
since the purpose of Article 18 could be achieved without
the release of the personal information the applicant
requested.
The
organization indicated that it might be prepared to assist
in the formation of a lessees' association by sending
notices to each lessee. The organization is required to
provide a budget to every lessee each year and it said
that it could include the notice with the budget
mail-out. The applicant would have to bear the costs of
printing the notices. The organization said the notice
would have to be in a form acceptable to the organization
and relate only to the formation of
a lessees' association.
The
applicant was satisfied with this outcome.
-
Hotel Acknowledges Improper
Disclosure of Guest’s Personal Information
A man
complained that an employee of a hotel had inappropriately
disclosed his personal information by informing his former
wife of his stay at the hotel with
a companion.
The hotel
manager was aware of the Personal Information
Protection Act and that the hotel has a privacy policy
in place. The manager acknowledged that the disclosure of
this personal information breached PIPA. He circulated a
memo to the hotel staff reminding them of PIPA’s
requirements and their obligation to keep guest
information confidential. He also offered, on behalf of
the hotel, to reimburse the complainant the cost of his stay,
including the cost of his room and the meal he purchased
at the hotel.
The
complainant confirmed that he would accept this offer as
full settlement of his complaint under PIPA. The hotel
then sent a letter of apology and reimbursed the
complainant.
-
Physiotherapy Clinic’s Fee for
Copy of Patient’s Records Accepted
A woman
complained that a physiotherapy clinic breached s. 32(2)
of the Personal Information Protection Act by attempting
to charge her more than
a "minimal fee" to provide copies of her personal
information held by the clinic. The clinic had quoted a
fee of $25 for the first five pages of records and $1 for
each additional page.
The
complainant accepted the OIPC’s view that the revised $15
flat fee that the clinic proposed was within a range that
could reasonably be considered “minimal” considering the
time the clinic expended in locating the records and in
attempting to determine the fee.