Federal (Canada) Privacy Decisions

A customer complained that his cell phone service provider disclosed his personal information to an imposter and inadequately responded to his request for access to his data. The Office of the Privacy Commissioner of Canada (OPC) found that the provider contravened PIPEDA by allowing an employee to disclose sensitive account details without proper authentication. The OPC also found that the provider initially failed to meet the 30-day deadline for responding to the customer's access request, but this aspect was later resolved. The OPC recommended the company review its privacy management programs.

• Disclosure of personal information without consent
• Failure to properly authenticate a caller
• Adequacy and timeliness of response to access request
• Effectiveness of employee training and adherence to procedures

A complainant alleged that a telecommunications firm failed to provide her with access to her personal information, specifically notes and transcripts of recorded conversations relating to her account dispute. The investigation found that the firm failed to respond to the access request within the statutory time limits and deleted records that were the subject of the request, contravening PIPEDA. The firm accepted recommendations to amend its policies, procedures, and provide enhanced training to staff, leading to the resolution of the complaint.

• Timeliness of response to access requests
• Retention of personal information subject to an access request
• Adequacy of privacy policies and staff training