Commissioner Frank Work authorized an investigation under the Personal Information Protection Act (“PIPA” or “the Act’) after receiving a complaint alleging that SAS Institute Canada (“SAS”) Inc. collected personal credit information in contravention of the Act.
The complainant had applied for a job with SAS as an Administrative Assistant/Receptionist. During the recruitment process, she signed a consent authorizing the organization to obtain a credit inquiry report; however, she subsequently complained that the organization’s collection of her personal credit information was not reasonable.
She was also concerned about the security of her personal information held by the organization contracted by SAS to conduct background checks.
SAS advanced the following purposes for collecting the complainant’s personal credit information during the recruitment process:
- To assess the applicant’s suitability to manage petty cash.
- To minimize the risk of employee corporate credit card fraud.
- To validate employment history by identifying past employment listed in a credit report but not described on the applicant’s resume.
The investigator found that the personal credit information collected by SAS was not reasonably required to establish an employment relationship because:
- The organization had less intrusive and likely more effective means to assess the complainant’s ability to manage petty cash, including contacting previous employers;
- The complainant had not yet applied for a corporate credit card, and so the information was not required at this stage to minimize the possibility of fraud; and,
- The organization had less intrusive and more effective means to validate the complainant’s employment history.
The investigator found that the organization’s purposes of collecting personal information to assess suitability to manage petty cash and validate employment history were reasonable; however, the extent of the collection was excessive for meeting those purposes. Further, the organization’s collection of personal information to minimize the risk of corporate credit card fraud was not a reasonable purpose considering the complainant had not yet applied for a corporate credit card.
The investigator also found that SAS had implemented reasonable measures to ensure that personal information collected on its behalf is safeguarded as required under the Act.
Prior to this investigation, SAS had taken steps to bring its practices into compliance with privacy legislation; however, the organization agreed to refine its hiring practices and implement the following recommendations:
- Review the responsibilities of a position when hiring to ensure that credit information is reasonably required to determine a candidate’s suitability.
- Where credit information is reasonably required, clearly state the purpose(s) for collection.
- Where credit information is reasonably required, clearly state in all job postings/advertisements that a credit check may be required of the successful candidate.
SAS was cooperative throughout this investigation and demonstrated a commitment to ensuring the protection of privacy.