The Office of the Privacy Commissioner of Canada published findings last week for a PIPEDA case in which an individual complained that a Canadian airline refused to give him access to his personal information.
It is interesting that the names of organizations are not published within the decisions and summaries of the Privacy Commissioners.
“An individual complained that an airline denied him access to his personal information. The airline had banned him from flying with it, and he had requested information concerning the events of a specific date that had led to the ban. He had also initiated legal proceedings against the airline.
The Assistant Commissioner conceded that the airline ultimately provided the complainant with his information. However, she was concerned that his requests for access to his personal information were not handled as requests under the Act, and the airline ignored its responsibility to respond in the manner stipulated by the Act. She asked the company to acknowledge its obligations under the Act to respond to such requests, notwithstanding any legal action that may be taking place concurrently. The airline refused, and the Assistant Commissioner decided to pursue the matter in accordance with the Office’s authorities under the Act.
At first, the organization refused to implement the Commissioner’s recommendations and the matter was referred to the Commissioner’s litigation counsel. Shortly after commencing an Application in the Federal Court per section 15 of the Act, the organization agreed to implement the recommendations, thus avoiding the need to follow through with the litigation.”
What I like about how the Privacy Commissioners write their findings, except for the lack of company name, is that they provide a discussion of how the action is in noncompliance with PIPEDA. The following is the discussion of how the airline broke PIPEDA requirements.
“Findings
Issued September 8, 2006
Application: Subsection 8(3) states that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request. Under subsection 8(5), if the organization fails to respond within the time limit, the organization is deemed to have refused the request. Principle 4.9 affirms that an individual shall be given access to his or her personal information. Paragraph 9(3)(a) allows an organization to withhold personal information if the information is protected by solicitor-client privilege.
In making her determinations, the Assistant Privacy Commissioner deliberated as follows:
The complainant twice requested his personal information, following his brother’s initial letter. It took the airline over a year to provide access. Although it appeared that the company responded to the complainant’s requests for his information, the Assistant Commissioner was of the view that the airline chose to focus on the legal claim that he had filed and disclosed information to him in the context of that process, not in response to his access requests, and not within the time limits under subsection 8(3). After reviewing the information withheld under paragraph 9(3)(a), the Office informed the airline that some of it did not fall under solicitor-client privilege and should be released, which the airline did.
The Assistant Commissioner conceded that the airline ultimately did provide the complainant with the personal information he had requested. Nevertheless, the Assistant Commissioner believed that the company did not process the complainant’s requests as requests under the Act, and thereby ignored its responsibility to respond to requests for access to personal information in the manner stipulated under Principle 4.9 and within the time frame outlined in subsection 8(3).
The Assistant Commissioner recommended that the airline review its procedures for responding to personal information access requests under the Act. She also asked that the airline confirm that it acknowledges its obligation under the Act to respond to such requests, notwithstanding any legal action that may be taking place concurrently. The airline outlined its position that, when litigation commences, there are well-defined rules and procedures that govern the discovery of documents in civil suits. In its view, the Act is not meant to usurp those rules.
While acknowledging its responsibilities under the Act, and its efforts to ensure compliance, the airline maintained that the complainant was trying to use the legislation to bypass established civil procedures and gain access to information gathered in contemplation of litigation.
The airline therefore chose not to implement the Assistant Commissioner’s recommendations.
The Assistant Commissioner concluded that the complaint was well-founded. The Office informed the airline that it would be pursuing the matter in accordance with its authorities under the Act and referred the case to her litigation counsel. Shortly after commencing an Application in Federal Court per section 15 of the Act, the airline agreed to implement the recommendations.”
A lesson from this is that, even though it is likely the Privacy Commissioner will not initially apply a fine, they *WILL* pursue litigation if a noncompliant company ignores their recommendations. Such litigation could be very costly and time-consuming, and take a significant amount of organizational resources.
While Canada does not typically publicize the names of companies involved in noncompliance actions, a company found to be out of compliance with U.S. laws and regulations can additionally face huge negative press and lost customers.