Commissioner Frank Work authorized an investigation under the Personal Information Protection Act (PIPA) into the disclosure of employee home addresses and Social Insurance Numbers (SINs) by law firms on both sides of a business deal involving a purchase of nine oilfield service companies by Builders Energy Services Ltd.
Shtabsky and Tussman LLP, acting for the vendor company, disclosed the personal information to Stikeman Elliott LLP, which acted for the purchaser. Stikeman Elliott then posted the personal information on SEDAR, a non-password-protected Internet site that publicly disseminates securities information. The complainant is a Builders Energy Services employee who noticed his personal information posted on the Internet in the days following the conclusion of the business transaction.
Both law firms advised that the personal information was included in the Purchase & Sale materials inadvertently.
The Commissioner’s investigators found that:
- The disclosure of the home addresses and SINs was not necessary for the purposes of negotiating or concluding the business transaction;
- The disclosure of the information by Shtabsky & Tussman to Stikeman Elliott was in contravention of the Act;
- The disclosure of the information by Stikeman Elliott onto the Internet was in contravention of the Act;
- Builders Energy Services remains accountable for the contravention by Stikeman Elliott, its contractor.
This report outlines organizations’ privacy obligations when personal employee information is collected, used and disclosed during the course of a business transaction. It recommends that both law firms:
- Conduct comprehensive privacy training for lawyers and staff;
- Review their processes when representing clients on business transactions where personal information may be collected, used and disclosed, particularly those controls that are in place when material contracts are being posted on SEDAR.
It was further recommended that all parties enact privacy policies and appoint local privacy officers who will be accountable for privacy compliance.