The Office of the Information and Privacy Commissioner has found that Pierson’s Funeral Service contravened the Personal Information Protection Act (PIPA) by providing personal information of the Complainant and his deceased wife to a service provider in the United States, without consent, and without notifying the Complainant.
The Complainant reported that he used Pierson’s services after his wife passed away. Within a month of his wife’s passing, the Complainant received a “solicitation for information” from a company in the United States.
The investigation also determined that there was no evidence that Pierson’s failed to make reasonable arrangements to protect personal information in its custody. However, it was determined that Pierson’s did not make reasonable security arrangements to protect personal information collected, used and/or disclosed by its service provider, from such risks as unauthorized access, use, disclosure, destruction, disposal, etc.
Section 6(2) of PIPA requires organizations that use service providers outside of Canada to include in their policies and practices information regarding:
- the countries outside Canada in which the collection, use, disclose or storage is occurring or may occur, and the purposes for which the service provider outside Canada has been authorized to collect, use or disclose personal information.
The new section 13.1 requires an organization that uses a service provider outside Canada to collect or transfer personal information with consent, must, notify the individual of
- the way the individual may obtain access to written information about the organization’s policies and procedures and practices with respect to service providers outside of Canada, and the name of someone who can answer the individual’s questions about the collection, use, disclosure or storage of personal information by the service provider outside of Canada.
Pierson’s agreed to implement the recommendations made in the investigation report.