Frank Work, Information and Privacy Commissioner, received privacy complaints against EPCOR, an electric utility company. The Complainants said EPCOR contravened the Personal Information Protection Act (“PIPA” or the Act) by collecting personal information in excess of what was necessary to manage customer accounts.
Complainants were especially concerned about the collection and use of social insurance numbers, and other personal information for authenticating callers over the telephone.
The investigation found that:
- The company did not adequately notify customers of the purposes for which social insurance numbers were used, and did not obtain the appropriate form of consent for these purposes
- The company was collecting personal information beyond what was required for its business purposes
- Although security practices were in place, the company needed to adjust its access protocols to safeguard social insurance numbers and ensure their confidentiality
EPCOR had instituted new privacy procedures prior to January 1, 2004, but readily acknowledged the need for changes to its procedures in response to customer concerns. EPCOR has also committed to undertake a privacy audit and work with the Office of the Information and Privacy Commissioner to ensure full compliance with the recommendations of the investigation.