Office of the Privacy Commissioner of Canada
Personal Information Protection and Electronic Documents Act
PIPEDA Case Summary #2015-014
Well-founded & conditionally resolved

PIPEDA Case Summary #2015-014: Pension and benefit provider agrees to revamp authentication and address-change procedures after misdirected mailings

Organization: A pension and benefit provider
Complainant: An employee
Decision: Dec 15, 2015
Published: Dec 15, 2015

An employee complained that her pension and benefit provider improperly disclosed her unique identifier, failed to keep her address accurate, and did not implement adequate safeguards. An individual with the same name was mistakenly given the complainant's ID number, leading to her address being changed. Consequently, five mailings containing sensitive information were sent to the wrong address, and the complainant lost her life insurance coverage due to missed forms. The provider corrected the error and reinstated coverage.

  • Disclosure of unique identifier to a third party without consent.
  • Failure to maintain accurate client address information.
  • Inadequate safeguards against unauthorized disclosure and modification of personal information.
  • Improper authentication of caller identity.

Complaint well-founded and conditionally resolved.

The provider contravened PIPEDA principles by disclosing the complainant's ID number to a third party without consent and by failing to adequately authenticate the caller. The provider also failed to detect and correct the inaccurate contact information sooner. The complaint was resolved conditionally based on the provider's commitment to implement changes to its policies and practices.

AI-generated summary for reference only. Always verify against the official decision.

Recommended action / remedy

The provider agreed to reinstate the complainant's cancelled insurance retroactively, to revamp its authentication and address-change procedures, and to undergo a third-party privacy audit.

Statutory provisions cited
  • Principle 4.7 PIPEDA
  • Principle 4.7.1 PIPEDA
  • Principle 4.6 PIPEDA
  • Principle 4.6.1 PIPEDA
  • Principle 4.3 PIPEDA

This summary is informational only and not legal advice.