Commissioner Frank Work authorized an investigation under the Personal Information Protection Act (“PIPA” or “the Act”) after receiving a complaint alleging that CBV Collection Services Ltd. (“CBV”) contravened the Act.
The complainant reported that CBV faxed a form to the complainant’s place of employment, and specifically to a non-confidential fax machine. In so doing, the complainant alleged, CBV failed to adequately protect her personal information from possible disclosure to other colleagues and employees in her workplace.
The investigator found that although CBV did have some policies and procedures in place to address information privacy and confidentiality requirements, a CBV employee acted to the contrary. As a result:
- CBV disclosed the complainant’s personal information when it faxed the form to the complainant’s place of employment.
- CBV contravened section 19 of the Act as the disclosure in this case was not for a reasonable purpose.
- CBV contravened section 34 of PIPA by failing to make reasonable arrangements to mitigate the risks associated with sending personal information by fax.
In response to the incident and this Office’s investigation, CBV revised its process and internal policy documents with respect to requesting verification of employment (VOE), particularly when doing so by fax, and developed a plan to communicate the new process to all offices across Canada. Among other things, the new process requires that:
- A Collection Supervisor verify that a VOE is authorized in the circumstances.
- The collector pre-arrange sending the VOE with the appropriate receiving party.
- Fax transmissions must be sent to a confidential fax machine and must include a confidential cover sheet that does not state the name of the debtor.
- The collector must confirm receipt of a fax or email within 30 minutes of sending it.
The circumstances in this case illustrate that organizations need to be diligent in reviewing information privacy and confidentiality policies and procedures with their staff on an ongoing basis, and in following up on any failure to comply.
With respect to transmitting personal information by fax, organizations must ensure their employees are aware of the potential risks involved, and implement appropriate measures to mitigate those risks.