$BlogRSDUrl$>
linking INTEGRITYIntegrity - use of values or principles to guide action in the situation at hand.Below are links and discussion related to the values of freedom, hope, trust, privacy, responsibility, safety, and well-being, within business and government situations arising in the areas of security, privacy, technology, corporate governance, sustainability, and CSR. Inadvertant privacy breaches, 22.7.04
Privacy Commissioner of Canada - PIPED Act Case Summary #270
Bank agrees to modify automated message [Section 2; Principle 4.3, paragraph 7(3)(b)] Complaint An individual alleged that her bank improperly disclosed her personal information when it left an automated message on her answering machine stating that she was behind on making a payment on her credit card. She stated that she had not given her consent for the bank to leave a message that anyone in her family or a visitor could hear, and objected to this disclosure of her financial status in an unsecured and non-private forum. [...]
Findings
Application: Section 2 defines personal information as "information about an identifiable individual"; and Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. An exception to this requirement is provided under paragraph 7(3)(b), which states that an organization may disclose personal information without the knowledge and consent of the individual only if the disclosure is for the purpose of collecting a debt owed by the individual to the organization.
The Assistant Privacy Commissioner rejected the bank's contention that the information at issue was not personal information, as defined under section 2. She noted that although the message did not name the complainant, it was sent to her telephone number, which she had provided to the bank. The Assistant Commissioner noted that an individual does not have to be named for something to constitute his or her personal information; rather, as the Act says, he or she has to be simply "identifiable." In the same way that removing the name of a person from a description of an event does not render the person unidentifiable if other people know the circumstances of the event, the fact that the complainant was the only credit card holder (of this bank) in the household made her identifiable as the individual for whom the message was intended. Thus, the Assistant Commissioner concluded that the information at issue was the complainant's personal information.
In considering the exception to consent cited by the bank, the Assistant Commissioner deliberated as follows:
CommentsPost a Comment
Archives07.03 08.03 09.03 10.03 11.03 12.03 01.04 02.04 03.04 04.04 05.04 06.04 07.04 08.04 09.04 10.04 11.04 12.04 01.05 02.05 03.05 04.05 05.05 06.05 07.05 08.05 09.05 10.05 11.05 12.05 01.06 02.06 03.06 04.06 05.06 06.06 08.06 09.06 10.06 11.06 01.07 02.07 03.07 04.07 07.07 08.07 09.07 10.07 05.08 06.08 |