Are your Employees your Biggest Risk?

Do your Employees understand your Organizational Privacy Commitments?

If not, you could attract negative attention from the regulators…

Earlier this month, the Office of the Privacy Commissioner of Canada (OPCC) published PIPEDA Case Summary #2016-007 involving an investigation of a debt collection agency, when a complainant alleged that despite numerous requests, the agency refused to provide access to the individual’s personal information.

The agency was attempting to collect on a debt, but the complainant disputed its existence. The complainant faxed a letter to the agency requesting any and all information related to the alleged debt account. Having received no response, the individual contacted the agency by phone a few days later, followed by another fax. The complainant ended up sending four written requests for access to personal information.

The agency clearly had some difficulty confirming the complainant’s correct mailing address. Although it was not clear during the investigation whether the agency had responded to the original access request within the 30 days required by PIPEDA, it was clear that it failed to respond to the additional requests for access from the individual.

Finally, the agency sent the information to the individual by registered mail, as requested by the OPCC. Although the individual refused to sign for the package, the agency was nonetheless deemed to have ultimately provided access to the personal information. Thus, this complaint was determined to be well-founded and resolved.

The OPCC highlighted that the agency’s privacy policy clearly identified who within the agency is responsible for privacy compliance and oversight, even though the individual’s access requests were apparently not routed through that person as they should have been. The agency fully acknowledged that, in this case, it had not followed its own procedures for responding to access requests. Consequently, the agency undertook to revise its procedures and offer refresher training to its employees and management on matters relating to personal information access requests. The OPCC suggested that, in the future, the agency also endeavor to keep clear written records of how and when it complies with the access requests it receives.

Lessons Learned from this Privacy Investigation

This simple case is a great example of how important it is for employees to know and understand their organization’s privacy-related policies and procedures, and the need to escalate complaints and access requests. Records demonstrating that privacy complaints and personal information access requests are being dealt with appropriately also help to establish due diligence and a commitment to privacy best practice.

Also, organizations need to keep in mind that if they use templates or samples to develop their own privacy policies and documentation, it is critical that they carefully assess the written commitments they will make and ensure they can live up to them. Privacy-related procedures need to be customized and evaluated – you are better off not having written privacy documentation than introducing standards that the organization doesn’t abide by!

For assistance with meeting your employee training obligations or for guidance on privacy documentation or record keeping, contact PRIVATECH.