Tuesday, April 05, 2005

PIPEDA Case Summary #289: Stolen laptop engages bank's responsibility

A new finding released by the Office of the Privacy Commissioner of Canada deals with the theft of a bank laptop containing personal information. The laptop was stolen from a bank employee's car in an underground parking garage. The information was on the laptop so that a financial planner could market additional bank products and services to the complainant. After the theft, the bank proactively notified the individuals whose information was compromised.

One affected individual complained that the bank had violated PIPEDA's "use" and "safeguard" principles. Oddly, the Assistant Commissioner found that the bank had his implied consent to "use" the information for marketing, but then criticised the bank's opt-out mechanism (a form the customer has to obtain and fill out) for not meeting the Office's guidelines on consent. No surprise, the bank fell down on the job of safeguarding personal information. The point worth noting for anyone running a security program: the bank had written policies requiring passwords and safe physical storage of laptops, and those policies appeared to satisfy the safeguard principle on paper, yet one employee left the laptop unattended in her vehicle and it was the organization, not the employee, that was found in contravention. A policy that is not actually followed is no safeguard at all.

Commissioner's Findings - PIPEDA Case Summary #289: Stolen laptop engages bank's responsibility - February 3, 2005 - Privacy Commissioner of Canada:

"Application: Principle 4.5, which states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law; and Principle 4.7, which stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

On the matter of inappropriate use of his personal information, the Assistant Privacy Commissioner noted that the reason the complainant's personal information was on the laptop was that the bank intended to market other bank products and services to him. The bank had sent the complainant two privacy notices that described this practice and offered clients the opportunity to have their names suppressed from the bank's marketing lists. As the complainant had not requested suppression, it would appear that the bank had his implied consent to include his name on such a list, and was acting in accordance with Principle 4.5. When the complainant informed the bank after the theft of the laptop that he wanted his name removed from the list, the bank suppressed it.

She therefore concluded that the use complaint was not well-founded.

As for the safeguards, the Assistant Commissioner noted that, with respect to laptop computers, the bank had policies and procedures in place that required passwords and safe physical storage of the computers. Although these policies and procedures appeared to meet the requirements of Principle 4.7, the financial planner in this instance did not follow the bank's recommendations regarding physical security, and left the laptop unattended on the seat of her vehicle. The Assistant Commissioner therefore found the bank in contravention of Principle 4.7.

The Assistant Commissioner concluded that the safeguard complaint was well-founded.

Further Considerations

In reviewing the bank's privacy policy, the Assistant Commissioner noted that it requires the customer to obtain and complete the appropriate form to have his or her name suppressed from the bank's marketing lists. In previous complaints dealing with the issue of opt-out consent to use personal information for secondary purposes (such as marketing), the Office determined that the organization must provide for an immediate and convenient method whereby customers can opt out, such as a 1-800 number or a check-off box. The Assistant Commissioner commented that requiring a customer to fill out an application form did not meet the reasonable expectations of most individuals, namely, that an immediate, easy and inexpensive means of withdrawing consent to the optional collection, use and disclosure of their personal information be provided. She therefore recommended that the bank review its opt-out procedures with a view to ensuring that they fully meet the guidelines established by this Office and report back to her on its progress in this regard."