Published on September 25, 2022
COVID-19 Test Company Stops Unsolicited Emails After OPC Investigation
After the Office of the Privacy Commissioner (OPC) of Canada investigated, a health services company stopped sending marketing emails to travelers arriving in Canada. The OPC announced its findings on its website on August 4, 2022. A case summary was published on May 10, 2022.
A traveler complained to the OPC about the health services company, Biron Groupe Santé (Biron), that was responsible for administering mandatory COVID-19 tests to travelers going through Montreal-Trudeau Airport. Biron collected email addresses from travelers receiving the testing. It then used those emails to send unsolicited advertisements of its other services.
The OPC investigated Biron’s actions as a possible violation of the Personal Information Protection and Electronic Documents Act (PIPEDA). Biron claimed that it had established a business relationship with those who used its services, and that it could assume that it had their implied consent to send them promotional emails.
The OPC rejected these arguments, pointing out that the service was mandatory and that Biron was the only company offering this service at that airport. This, combined with the fact that the company was collecting sensitive health information, should have indicated to Biron that the relationship between it and the testees was not one where implied consent for secondary marketing purposes would be found.
Biron ceased its marketing activities and deleted information collected through the COVID-19 testing program from its marketing database. As such, the OPC found the matter to be settled.
In the past, the OPC has called for amendments to federal private-sector privacy law to allow the levying of fines for contravention of the Act. The current Bill C-27, An Act to enact the Consumer Privacy Protection Act, if passed, would provide for this. As well, Quebec privacy law will allow for monetary penalties starting in 2023.
Though it may be appropriate to rely on implied consent to use personal information in some circumstances, charities and not-for-profits should take into account all the facts relating to how they collected the personal information, as well as the reasonable expectations of affected individuals for the use of their personal information, before using it.
Alberta Credit Union Required to Notify Customers of Employees’ Unauthorized Access
Privacy breaches can be a threat even from within an organization, as demonstrated by a February 2022 decision from the Office of the Alberta Privacy Commissioner (“APC”).
Between November 2020 and February 2021, four employees of Servus Credit Union Ltd. (“Servus”) accessed names, addresses, dates of birth, social insurance/security numbers, and employment/financial information of customers and colleagues (78 in total) without an authorized purpose. The breach was discovered through an internal audit.
In its Breach Notification Decision from February 2022, the APC found that there was a “real risk of significant harm to the individuals affected by this incident.” These two conditions: (1) real risk, and (2) significant harm, must be found for the APC to find a violation of Alberta’s Personal Information Protection Act (PIPA). For significant harm to be established, the breach “must be important, meaningful, and with non-trivial consequences or effects.” For real risk to be found “[t]he likelihood that the significant harm will result must be more than mere speculation or conjecture. There must be a cause and effect relationship between the incident and the possible harm.”
The APC found that the unauthorized access to financial and contact information could lead to the harms of identity theft or fraud. The unauthorized access to employment information could lead to the harms of personal hurt, humiliation or embarrassment, as well as reputational/relationship damages. The APC considered these harms to constitute “significant harm” within the meaning of PIPA. Servus did not dispute this.
However, Servus denied there was a real risk of harm from the breaches, stating, “[t]here is a low likelihood for harm as the reason for access was curiosity and not malicious intent. In addition, we have confirmed that no information was transferred to personal devices.” The APC rejected this argument on the grounds that a reasonable person would be concerned that the likelihood of significant harm is increased because this was a deliberate breach of privacy. Though no information was transferred to personal devices, there was no evidence that the personal information had not been disseminated or disclosed. The chance of real risk was further heightened by the fact that those responsible for the breach had accessed the personal information of their coworkers, individuals to whom they had a personal connection.
As the incident resulted in a real risk of significant harm to the affected individuals, the APC decided that the organization was required to notify them in accordance with PIPA.
As Servus had already contacted the affected individuals and provided written notice of the violation, no further action was required.
This decision demonstrates that organizations must be vigilant against internal privacy breaches. The common conception of a privacy breach is one that originates from outside an organization, but violations of privacy law by employees can be just as harmful. For more information, see Online Privacy and Cybersecurity Issues for Charities and NFPs, by Esther Shainblum.
Saskatchewan Should Enact Privacy Legislation Similar to B.C. or Alberta: Commissioner
Saskatchewan’s privacy commissioner decided it does not have jurisdiction to investigate a situation in which a private non-profit organization disclosed a street worker’s personal information without their consent, because it was not caught within the scope of existing privacy legislation in the province.
On September 6, 2022, the Saskatchewan Office of the Information and Privacy Commissioner (“SPC”) published its report, Ministry of Social Services, Street Worker’s Advocacy Project, concerning a complaint from a client (the “Complainant”) regarding a non-profit, the Street Worker’s Advocacy Project (SWAP). The Saskatchewan Ministry of Social Services (the “Ministry”) sent an access of information request to SWAP, which was granted. The relayed information included personal details about the Complainant, who then submitted a complaint to the Ministry, but did not receive a response. She then submitted a complaint to the SPC, alleging a breach of privacy by SWAP in their disclosure of her personal information.
The SPC found that, the matter was outside the SPC’s jurisdiction because SWAP was neither a government institution within the meaning of The Freedom of Information and Protection of Privacy Act (FOIP) in Saskatchewan or a health trustee within the meaning of The Health Information Protection Act (HIPA).
The SPC concluded that Saskatchewan’s privacy law regime should be updated to reflect the Personal Information Protect Act of British Columbia or Alberta, in which non-profit organizations are partially — in the case of Alberta — or fully subject to provincial privacy legislation.
As we have mentioned in previous publications, even if a charity or not-for-profit is not subject to specific privacy legislation, violations of privacy can give rise to damage awards, tort claims and class action litigation. For this reason, charities and not-for-profits should follow privacy best practices to mitigate the risk of a privacy breach and to meet stakeholder awareness and expectations around privacy, transparency and accountability.
