Thursday, July 21, 2005

Alberta Commissioner releases report concerning disclosure and security of personal information by a collection agency

On the privacy front, Alberta is apparently where it's at:

Commissioner releases report concerning disclosure and security of personal information by a collection agency

Commissioner Frank Work authorized an investigation under the Personal Information Protection Act ("PIPA" or "the Act") after receiving a complaint alleging that CBV Collection Services Ltd. ("CBV") contravened the Act.

The complainant reported that CBV faxed a form to the complainant's place of employment, and specifically to a non-confidential fax machine. In so doing, the complainant alleged CBV failed to adequately protect her personal information from possible disclosure to other colleagues and employees in her workplace

The investigator found that although CBV did have some policies and procedures in place to address information privacy and confidentiality requirements, a CBV employee acted to the contrary. As a result:

  • CBV disclosed the complainant's personal information when it faxed the form to the complainant's place of employment.
  • CBV contravened section 19 of the Act as the disclosure in this case was not for a reasonable purpose.
  • CBV contravened section 34 of PIPA by failing to make reasonable arrangements to mitigate the risks associated with sending personal information by fax.
  • In response to the incident and this Office's investigation, CBV revised its process and internal policy documents with respect to requesting verification of employment (VOE), particularly when doing so by fax, and developed a plan to communicate the new process to all offices across Canada. Among other things, the new process requires that:

    • A Collection Supervisor verify that a VOE is authorized in the circumstances.
    • The collector pre-arrange sending the VOE with the appropriate receiving party.
    • Fax transmissions must be sent to a confidential fax machine and must include a confidential cover sheet that does not state the name of the debtor.
    • The collector must confirm receipt of a fax or email within 30 minutes of sending it.

    The circumstances in this case illustrate that organizations need to be diligent in reviewing information privacy and confidentiality policies and procedures with their staff on an ongoing basis, and in following-up any failure to comply.

    With respect to transmitting personal information by fax, organizations must ensure their employees are aware of the potential risks involved, and implement appropriate measures to mitigate that risk."

Click here to download Investigation Report P2005-IR-006.

4 comments:

Monty Loree said...

VERY INTERESTING.. I host a Canadian credit repair blog. Credit Repair Blog and as well. Canadian Credit Repair

CBV collection services are my least favorite collection agency. They have been as rude as possible.

My question regarding PIPEDA and collection agencies since you're a lawyer.

There are two potential violations that I see over and over again on credit reports.
1) A consumer doesn't consent to a creditor disclosing the consumers information to a collection agency. (Unless there's a transfer of rights, or assignment of rights in the agreement)
2) A consumer doesn't consent that the collection agency disclose the consumer's information to the credit reporting agency.

My understanding that PIPEDA 4.3 Consent says that the consumer must give consent to all parties to collect and disclose information to other parties.

I spoke to the Privacy Commissioners office about it. They indicated that even though there weren't any official rulings on my question just yet, they weren't willing to deal with it.

It's my strong opinion that somebody needs to challenge the creditors and collection agencies and credit bureaus on these points.

I would be very interested your comments.

Monty Loree - President
Express Credit Repair

Anonymous said...

Wouldn't the parasites be the people getting loans or using credit and not paying it back?

As for the original inquiry about credit information access for collection agencies: I would suggest you READ contracts before you sign them with a creditor. If you can't pay for something, don't take it.

Anonymous said...

This morning, CBV called our company 12 times within a 10 minute period. They provided detailed information regarding the debt they were trying to recover to most employees at our place of business. I have faxed them pointing out the law (they are apparently allowed to call 3 times in a 7 day period. If they believe they have a debt to recover, they can launch a law suit. I find them to be extremely rude and somewhat vulger. I do not understand why they have not had their license revoked.Is there a class action law suit against this company. How does one go about this?

Anonymous said...

You cannot assume that people who apply for a loan/credit are intentionally trying NOT to pay it back. Every individual has INDIVIDUAL circumstance. Just as every credit application does. People get laid off, divorced, die, seriously hurt/disabled. Bad things happen to good people. But, if the world was a perfect place, would we need credit to begin with? And, even when "collections" get involved, all they care about is getting back their investment +, as most buy out the deliquent accounts at a discount, and "hope" to get it back +. To all the collection agencies, you can't get blood from a stone. Perhaps you should invest your time and money in low risk investments, instead of trying to intimidate a buck out of some person who already has enough to deal with. If they had the money, they would had kept to their original credit agreement.

For people with deliquent accounts, keep up on your credit report. That company you owed, who sold your account to the parasite, may have wriiten off your debt. Therefore, even if you pay the parisite, it will not "better" your situation, it'll just put $$$ in parisites pocket.