1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Workplace Performance Concerns Lead to Privacy Violation

A recent Order of the Office of the Information and Privacy Commission of Alberta (OIPC) provides guidance on potential privacy traps when managing performance issues in the workplace.

Two coworkers of the complainant were concerned about the complainant’s workplace performance. The reasons are opaque but there may have been health issues such as substance abuse requiring rehabilitation. The coworkers who were friends of the complainant emailed and texted the parents of the complainant. At least one of the coworkers also provided information to the employer apparently at the request of the employer.

Ultimately, the adjudicator concluded that the coworkers were acting in a personal capacity when communicating with the parents (this was more by luck than design in one case). But, the employer was found to have violated the Alberta Personal Information Protection Act (PIPA) by failing to have a policy or otherwise notifying the complainant on the circumstances in which it might collect performance-related personal information from coworkers.

Were the communications to the parents in the course of employment?

If the coworkers communicated personal information about the complainant to her parents, this would have violated PIPA, as a disclosure without consent. The organization argued that the coworkers were not acting on behalf of the employer when they wrote to the complainant’s parents and disclosed information about her performance at work and their concerns about the complainant’s personal life. One of the emails was sent using the coworker’s work email address. However, the adjudicator concluded that this was not determinative since the coworker said that she was writing from that email account so that it would appear legitimate and provided her personal email account address as contact information.

The text messages were more complicated. The coworker sending those messages initially conveyed personal information about the complainant. However, in subsequent messages, this coworker relayed information about the steps the employer intended to take to address the complainant’s work performance and that the employer wanted to arrange a meeting with the complainant, the complainant’s mother and the coworkers. Ultimately the adjudicator concluded that the personal information that was disclosed in the text messages was done in the context as a friend of the coworker and not as a representative of the employer. As for the subsequent texts, the adjudicator concluded it was possible that the coworker was acting as an employee of the employer (with or without authority) but at that point the discussions were about a meeting and did not reveal further personal information.

Was providing the information to the employer done in the course of employment?

The adjudicator accepted that a coworker might provide personal information about another employee in their personal capacity rather than in the course of their employment. The adjudicator concluded that the key issue was the circumstances in which the information was provided. The adjudicator concluded that “[w]hen the information is provided in the workplace, and especially where it is solicited by someone in the organization that has the ability to deal with performance issues (as the employer does here), it seems to be reasonable to assume that the information is being provided as an employee, and not in a personal capacity.”

Did the employer violate the complainant’s privacy?

The adjudicator accepted that the complainant’s personal information at issue was information that would be useful in managing the employment relationship with the complainant and, therefore, the information was employee personal information. This was significant because there is more latitude to use and disclose employee personal information without consent. However, in order to use or disclose employee personal information without consent, the employer must provide reasonable notice to the individual. The notification must be given before the information is used and disclosed.

The adjudicator accepted that reasonable notice could include a policy on how an organization deals with performance or disciplinary issues or when feedback may be requested from coworkers, provided the policy was brought to the attention of employees. Alternatively, in this case, the employer could have approached the complainant first to discuss the performance concerns and advising the complainant that the employer may need to seek input from the coworkers. The employer failed to do so.

Key Takeaways

Employers should make sure that employee privacy policies or codes of conduct contain explicit reference to the need to gather information from coworkers in some cases in order to manage performance issues and how the employer will respond to unsolicited performance concerns by coworkers. This case did not involve an investigation into a harassment or other violation and so the exceptions for investigations did not apply.

This case also provides another reason to educate employees on obligations under personal information legislation. One could easily imagine other scenarios in which well-intentioned employees may be found to be acting in the course of their employment when communicating with family members or other friends of a coworker.

, ,

Workplace Performance Concerns Lead to Privacy Violation

A Cautionary Tale Regarding Consent and In-Store Tablets

The Office of the Privacy Commissioner (OPC) recently released a case summary with implications for retailers attempting to obtain consent for privacy-compliance or anti-spam compliance purposes.

Consistent with guidance by the Canadian Radio-television Telecommunications Commission (CRTC) with respect to Canada’s Anti-Spam Legislation, the OPC is taking a harder line with respect to the business records that an organization must retain in order to establish that an individual gave consent. The bottom-line is that the practice of obtaining consent by either having the individual or the salesperson check a box is vulnerable to challenge. Organizations should only use methods of obtaining consent that involve corroborative evidence.

Background

The complaint arose out of a dispute with respect to whether an individual had applied for a co-branded credit card with a retailer. While shopping in a retail store, the complainant was approached to join a loyalty program. The individual provided the salesperson with his driver’s licence as part of the registration.

Later, the individual received a credit card and learned that a credit check had been conducted on him. After obtaining access to the information held by the bank that provided the credit card, the complainant discovered that much of the information on the application was inaccurate and asserted that he had not provided that information to the salesperson. He also argued that he did not check the box on the tablet to permit a credit check.

The OPC concluded that the bank could not establish that it had obtained consent and that the information collected from the complainant was accurate. There was no evidence that the complainant ever saw the tablet screen, provided the information in the application, understood that the information would be used for a credit check or that the individual actually clicked the consent box on the tablet.

No Recognition of Canada Evidence Act

Certainly, the circumstances of this case were suspicious. However, bad facts can make for bad legal interpretations. That seems to be the case here. The OPC appears to believe that organizations must retain independent proof that consent has been obtained. This is similar to guidance form the CRTC’s guidance that oral consent to receive commercial electronic messages must be backed up with an audio recording or third party verification.

This guidance fails to directly engage with the laws of evidence within which both the Personal Information Protection and Electronic Documents Act and Canada’s Anti-Spam Legislation exist.  The Canada Evidence Act specifically contemplates that the business records, including electronic business records, are admissible for the proof of what is recorded in them. While other evidence may raise concerns regarding their accuracy or veracity, as in the case before the OPC, they are not inherently inadequate as the OPC and CRTC seem to suggest. In an informal administrative process such as the one before the OPC, the OPC may be free to ignore the law of evidence. However, this would not be the case before the Federal Court.

The real issue should have been that the organization was unable to establish that it audited compliance of the salespersons such as through secret shoppers or that the organization confirmed the individual’s consent by sending the individual a copy of the application once completed.

Conclusion

Be forewarned: organizations should have some means of corroborating their records when obtaining oral consent from individuals in retail stores in order to avoid problems with the OPC and the CRTC. To access the OPC’s decision, click here: PIPEDA Case Summary 2016-12.

A Cautionary Tale Regarding Consent and In-Store Tablets

New Guidance on Disclosure Exceptions for Investigations and Fraud

On March 17, 2017, the  Office of the Privacy Commissioner of Canada (OPC) published guidance on two new exceptions in PIPEDA permitting disclosure without consent. The guidance is very helpful to interpreting these new provisions and the OPC’s expectations of organizations. However, as expected, there is an undercurrent to the guidance suggesting that that the OPC would like to restrict organizations from setting up systematic information-sharing programs. This is very unfortunate given that these provisions are directly connected to improving confidence in the digital economy. Systematic sharing of information, particularly for fraud detection, suppression and prevention should be able to be accomplished if PIPEDA is truly technologically neutral. Without these tools, the OPC is incentivizing organizations to use much less transparent methods, such as predictive analytics.

Background

The Digital Privacy Act, 2015, amended Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to lower the threshold for when an organization could share personal information without the knowledge or consent of the individual for the purposes of an investigation into a breach of an agreement or a contravention of the laws of Canada. In addition, the Digital Privacy Act, 2015, added a new exception to PIPEDA to permit the disclosure of personal information without the knowledge or consent of the individual for the purpose of the detection or suppressing fraud or preventing fraud that is likely to be committed.

7(3) […] an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

(d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

(d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;

The OPC did not support these amendments. Even before these amendments were passed and came into force, the OPC was sounding alarms that it would interpret these provisions narrowly.  In particular, the OPC was concerned about two issues:

First, the triggering threshold for a permitted disclosure was changed. Under the previous provisions, organizations had to have reasonable grounds to believe that the information related to a breach of an agreement or contravention of law. Following the amendments, an organization only had to determine that the disclosure was reasonable for the purpose of investigating a breach of an agreement or a contravention of a law or reasonable for the purpose of detecting, suppressing or preventing fraud.

Second, the range of purposes were too broad in the OPC’s view. In particular, the OPC was concerned about the possibility of oversharing under the fraud exception.

OPC Guidance

The OPC’s guidance is an attempt to ensure that organizations interpret these provisions narrowly. Although the OPC does not state expressly state that organizations cannot participate in systematic programs to attempt to detect or prevent fraud or breaches of agreements, it is clear that the OPC would prefer that these exceptions be used in isolated circumstances. This is particularly evident in the OPC’s statement that organizations must be able to establish on a case-by-case basis the reasons why it determined that disclosure was appropriate.

The OPC recommends that organizations prepare policies and procedures and to make those available to individuals. The OPC reminds organizations that individuals have the right to make an access request and obtain an account of the third parties to which information has been disclosed. The OPC would also like to see organizations report publicly on the number and type of disclosures made. It should be noted that there is no legislative basis that would require such reporting.

To satisfy the OPC’s concerns about indiscriminate use of these provisions, organizations should develop polices and procedures to ensure that the preconditions to disclosure are met and should make these policies and procedures available on demand.

Although the OPC seems to suggest that organizations should include disclosure of the use of these exceptions, it does not appear to be legislatively required to advise individuals in a privacy notice that the organization may use a lawful exception to disclose information without consent. Any such disclosure would have to be at a very high level unless the organization was participating in a systematic program to share information. What could an organization meaningfully say in the case of a disclosure under the investigation exception? Nevertheless, there are clear benefits to at least mentioning the possibility of these types of disclosures to prevent later accusations that the organization failed to be transparent.

Recommendations

When developing a policy or procedure for disclosures relating to an investigation into a breach of an agreement or the contravention of a law of Canada, organizations should require that, at a minimum, the following criteria (and the common criteria set out below) are met before disclosure:

  • If the investigation relates to a law, it is a law of Canada. The law should be specified and documented. A breach of a foreign law is not covered by this exception.
  • If the investigation relates to a breach of an agreement, the agreement is documented and in force at the time of the alleged breach.
  • The breach or contravention has already taken place, is ongoing or is about to happen. This suggests that the organization must document must be some credible evidence of a breach of the agreement or a contravention of a law of Canada.
  • The investigation is a bona fide formal or systematic inquiry to determine the facts. It cannot be a fishing expedition or gossip.

The following are the minimum criteria for disclosures relating to detecting or suppressing fraud or of preventing fraud:

  • If the disclosure relates to detecting or suppressing fraud or preventing fraud that is likely to be committed.
  • In the case of preventing fraud, the risk of fraud is probable and not merely possible .
  • The type of fraud that is in issue should be documented.

The following common criteria apply to disclosures under either provision:

  • If the organization has received a request for disclosure under these provisions, the request provides sufficient information to ensure that the rationale for disclosure is documented in the request. Requests should not be taken at face value.
  • The disclosure will be made from one organization to another organization. These provisions do not permit disclosure to law enforcement or family members.
  • The disclosure is reasonably related and proportionate to the investigation of the breach of an agreement or a contravention of law or to the activities of detecting or suppressing fraud or preventing fraud that is likely to be committed. Organizations should document their rationale for why the information is necessary to assist in the investigation or is rationally connected to and effective the detection, suppression or prevention of fraud.
  • Obtaining the consent of the individual would compromise the investigation or the fraud detection, suppression or prevention purposes. The rationale for the organization’s decision should be documented.

For the text of the OPC’s Guidance, see: Applying paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA

,

New Guidance on Disclosure Exceptions for Investigations and Fraud

Private Right of Action under CASL coming July 2017

Canada’s Anti-Spam Law came into force on July 1, 2014.  Since then, all eyes have been on the Canadian Radio-television and Telecommunications Commission (CRTC) for decisions concerning CASL violations.  In the cases made public to date, monetary penalties or settlement payments have ranged from $48,000 to $1.1 million.  Canadian and foreign companies have learned some things in the past two years about how CASL applies to their business, and many have taken steps to put in place policies and procedures to avoid violations.

Whatever steps you have taken to date, 2017 will be the time to revisit CASL compliance

On July 1, 2017, the private right of action (PRA) comes into force under CASL.  An individual or organization who is affected by a contravention may litigate to enforce the new private rights directly.  While CASL does not expressly provide for class actions, it is broadly expected that such actions will be launched to permit large numbers of applicants (for example, the recipients of alleged spam) to pursue compensation as a group.

Where the court finds a violation, it may order not only compensation for the applicant’s damages, but also monetary payments up to the following amounts:

  • for sending commercial electronic messages contrary to CASL – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred
  • for altering the transmission data of a commercial electronic message – a maximum of $1 million for each day that the conduct occurred
  • for installing apps or other computer programs contrary to CASL – a maximum of $1 million for each day that the conduct occurred
  • for scraping, generating or otherwise accessing electronic addresses contrary to PIPEDA – a maximum of $1 million for each day that the conduct occurred
  • for sending commercial electronic messages with false or misleading information, including sender, locator or subject matter information, contrary to the Competition Act – $200 per contravention, to a maximum of $1 million for each day that the conduct occurred

When the court sets the amount to be paid, it must consider the purpose of the payment order – which “is to promote compliance…and not to punish”, the nature and scope of the violation, the history of compliance, any financial benefit or compensation from the conduct, ability to pay, and “any other relevant factor”.

CASL also provides for extended liability.  Directors, officers, agents or mandataries of a corporation may be liable if they directed, authorized, assented to or participated in the contravention.  Where an employee’s conduct in the course of his or her employment breaches CASL, the employer may be vicariously liable.

Revisiting CASL

CASL provides that where a person establishes that they exercised due diligence to prevent a violation, they cannot be found to have contravened CASL.  Despite this provision, a number of well-meaning businesses have been found offside CASL’s provisions, have made significant penalty or settlement payments, and in some cases have received negative media coverage for their failure to meet CASL requirements.

In July 2017, the risk exposure will increase.  Now is the time to revisit your CASL compliance.

  1. Discuss with your Board and Senior Management team why you need to revisit CASL in 2017.
  2. Make sure that you have a CASL Compliance Policy and Procedure that covers your operations, and that is easy for employees to understand and use.
  3. Ensure that existing and new employees have access to – and receive appropriate training in – the Policy and Procedure.
  4. Conduct an audit under the Compliance Policy and Procedure, including how consent is obtained and documented; whether unsubscribe requests are fulfilled quickly; whether CASL-compliant message templates are consistently used; how complaints are addressed (etc.).
  5. Consider whether you need to check in with service providers (to send messages or install apps or other computer programs) about their CASL compliance.
  6. Consider whether service provider contracts include the appropriate clauses to address CASL compliance, liability, and indemnification.

See also:

Lessons Learned: E-Learning Company Faces $50K Spam Fine

CRTC Enforcement Advisory – Records to Show Consent

Privacy Law and Anti-Spam – Guidance from the Office of the Privacy Commissioner

Canada’s Anti-Spam Law: Not just for Canadians

CASL Applies to Software January 15 2015

New CASL Compliance and Enforcement Guidelines

 

, ,

Private Right of Action under CASL coming July 2017

Lessons Learned: E-Learning Company Faces $50,000 Spam Fine

The Canadian Radio-television and Telecommunications Commission (CRTC) has issued its first Compliance and Enforcement Decision* under Canada’s Anti-Spam Law (CASL).  The Commission confirmed the staff finding that Blackstone Learning Corp. had committed 9 violations of CASL by sending almost 400,000 emails in 2014 without proper consent.  However, the Commission reduced the administrative monetary penalty originally set in the notice of violation from $640,000 to $50,000.  While it is open to Blackstone to appeal the decision, meaning that we may not have heard the last of this case, the Commission’s decision provides useful commentary on its approach to CASL compliance and enforcement.  The following are lessons learned under two headings: implied consent, and what we will refer to as “sender conduct”.

Email addresses posted online – ripe for the picking as “implied consent”?

Not so fast, cautions the CRTC.  While addresses that have been “conspicuously published” online or otherwise may qualify for implied consent, this “does not provide persons sending commercial electronic messages [CEMs] with a broad licence to contact any electronic address they find online”.  The CASL conditions attached to “conspicuous publication” set a higher standard than that.  As a starting point, the person who receives the email message must have posted his address himself, or authorized it to be posted.  Often, an employer will post contact information including an employee’s email address, which for the purposes of CASL implies that CEMs can be sent IF there is no indication otherwise, and IF the messages are relevant to the person’s business role or function.

As the CRTC points out, if a business chooses to advertise through a third party (our example: an online service provider listing) and includes an employee’s contact information along with the ad, this can be the basis for implied consent to contact the employee in relation either to the ad or to the employee’s role, because the account holder (the employer) caused the publication.  Implied consent stops there:  if the listing service goes on to copy or sell the list of addresses on its own, new senders can no longer count on the “conspicuous publication” implied consent, because the account holder did not authorize any further publication.

Lesson learned:  Implied consent is evaluated on a case-by-case basis.  Under CASL, the onus is on the sender to prove consent.  The CRTC “stress[es] the importance of detailed and effective record-keeping for this reason.”

What is a “reasonable” monetary penalty under the CASL regime?  How important are the sender’s conduct and circumstances?

CRTC staff set out an administrative monetary penalty (AMP) of $640,000 in the notice of violation issued to Blackstone.  Having determined that Blackstone did commit the CASL violations, the Commission considered whether the AMP was reasonable.  CASL sets out a number of factors to be taken into consideration.

  • purpose of the penalty: the Commission stated that the amount must be representative of the violations, and have enough of an impact on a person to promote changes in behavior, in effect a second chance. An amount high enough to put a person out of business would mean he would no longer have that second chance.  An AMP of $640,000 would be too high.
  • nature and scope of the violations:  while almost 400,000 non-compliant messages were sent, were disruptive to the recipients, and prompted at least 60 complaints to the Spam Reporting Centre, the violations took place over only 2 months, and suggests that an AMP of $640,000 would be too high.
  • ability to pay:  based on the evidence, an AMP of $640,000 would significantly exceed Blackstone’s ability to pay.
  • other factors – cooperation and self-correction:  Blackstone’s failure to cooperate with the investigation increased the need for a penalty to ensure future compliance. However, the Commission saw some possibility of “self-correction” going forward, which suggested that a lower AMP would be appropriate.

The Commission decided on the amount of $50,000.  The Commission noted that Blackstone did not have the benefit of more recent CASL guidance which is now available to everyone online.  This should be read as a thinly-veiled direction to others:  the decision cites The Commission’s Guidance on Implied Consent for CASL and also the Department of Industry’s Fightspam information website for businesses and individuals.

Lesson learned:  the Commission expects organizations to do their homework, to cooperate with investigations, and to self-correct when they discover mistakes.

We have been assisting many organizations in Canada and other countries to adapt their practices to comply with CASL.  Let us know if we can help you.

*A number of organizations have been subject to CASL enforcement since the Act came into force in July 2014; some of these cases have not been made public, and others have been publicly available only through brief settlement summaries.  This is the first Commission decision reviewing a Compliance and Enforcement Sector notice of violation.

,

Lessons Learned: E-Learning Company Faces $50,000 Spam Fine