The BC Privacy Commissioner recently issued two decisions which address “employee personal information”, as well as some other issues of interest under the BC Personal Information Protection Act (“PIPA”).
Twentieth Century Fox Film Corporation decision
In the Twentieth Century Fox Film Corporation(2) decision, the Complainant worked in the film industry and complained to the BC Privacy Commissioner about the following practices by Twentieth Century Fox and a company it had incorporated to produce the Fantastic Four film (together, “Fox”):
- Fox’s requirement that applicants for its film crew provide information to prove residency in BC during the year immediately before filming;
- Fox’s refusal to provide a copy of its written privacy policy; and
- Fox’s decision to store the residency information it collects at its head office in Los Angeles.
Collection, Use and Disclosure of Residency Information
In order to obtain special film industry tax credits for its employees under both a federal and provincial program, Fox is required to show that the employee is a Canadian resident working on a film or TV show produced in BC.
From the provincial and federal government’s perspective, the most reliable manner in which to establish the residency requirement was to obtain a copy of the person’s income tax Notice of Assessment (“NOA”). However, it would also accept three pieces of other secondary information, such as a copy of the person’s BC Medical Service Plan premium billing statement or a copy of a billing statement from a utility company.
In its hiring documents, Fox expressly advised applicants that it required their residency information in order to obtain tax credits. It allowed applicants to cover up/delete any financial information from the NOA.
Fox also advised applicants that it was a condition of employment for each Canadian to satisfy the residency requirements and if the person did not do so, their services would be terminated.
In assessing Fox’s practices, the Commissioner first noted that in order to qualify as “employee personal information”, the following must be satisfied:
(1) the information must be “personal information” (i.e., “information about an identifiable individual”);
(2) the personal information must be reasonably required to be collected, used or disclosed for the purposes of establishing, managing or terminating an employment relationship;
(3) the personal information must be collected “solely” for those purposes; and
(4) the personal information must not be personal information that is unrelated to the individual’s employment.
In finding that the residency information was “employee personal information” and that Fox did not violate PIPA in collecting, using and disclosing it, the Commissioner noted, among other things, that:
- Fox collected this information to manage or terminate an employment relationship, noting that Fox’s own documents referred to this personal information as “a condition of employment” and “necessary to establish and maintain the employment relationship”.
- Fox’s purpose for collecting the information was a purpose reasonably required to establish, manage or terminate the employment relationship, in light of Fox’s business decision to claim tax credits.
- If Fox collected other personal information while trying to satisfy the residency requirements (for example, a person’s MSP plan number), this information would not be employee personal information and thus Fox must not collect it except in accordance with PIPA’s other provisions as to notice and consent. As such, Fox was required to make a reasonable effort to ensure that the job applicants were given the opportunity, and the means, to remove other personal information, unless they consented to providing that information.
Provision of Written Privacy Policy
The Complainant also complained about Fox’s failure to provide him with a copy of its written privacy policy when he phoned and asked for it.
Fox’s practice was to make its written privacy policy available to employees but not necessarily to others who requested it. Fox had provided the Complainant with a verbal summary of its privacy practices but not the policy itself. The Complainant argued that this practice put applicants in the difficult position of submitting their personal information without first receiving a copy of the privacy policy.
The Commissioner noted that section 5 of PIPA requires organizations to, among other things, “make information available on request” about their privacy policies and practices. However, there is no duty for an organization to provide anyone with a copy of any written policies and procedures, on request or otherwise. As such, Fox’s actions were not in violation of PIPA.
Storage of personal information in Los Angeles
The final aspect of the Complainant’s complaint concerned the obligation on organizations under section 34 of PIPA to employ reasonable security arrangements “to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks” in relation to the personal information they have custody of or control.
In particular, the Complainant objected to Fox’s practice of storing the residency information for its BC cast and crew at its office in Los Angeles. Among other things, the Complainant noted that once personal information is in the US it is vulnerable to the USA Patriot Act.
According to Fox’s evidence, a Fox production accountant in BC was responsible for collecting the residency information of the cast and crew. The information was then sent to Los Angeles, where it was kept in a secure, locked filing cabinet in the accounting department under the supervision of a Vice-President. Access by Fox personnel was limited to authorized personnel only. Following the Canada Revenue Agency audit in relation to the tax credits, all documents containing the personal information of Canadian cast and crew were shredded.
In relation to this part of the complaint, the Commissioner noted that in previous decisions under the public sector Freedom of Information and Protection of Privacy Act, he had stated that when considering what “reasonable security arrangements” would entail, he would consider:
(1) the sensitivity of the personal information at stake;
(2) the foreseeability of a privacy breach and resulting harm;
(3) the generally accepted or common practices in a particular sector or kind of activity;
(4) the medium and format of the record containing the personal information;
(5) the prospect of criminal activity or other intentional wrongdoing; and
(6) the cost of security measures.
The Commissioner noted that in light of Fox’s evidence about its security arrangements, and given the nature of the information being collected, Fox had met its obligations. Specifically, Fox was not collecting sensitive information such as health information, financial information, educational information or information about employment history, and the information it was collecting would more often than not be available to the public in telephone or internet directories.
In relation to the transfer of personal information across borders, the Commissioner noted that “The geographic location of personal information, which may change throughout the life cycle of a transaction, is far from determinative of threats to the security of personal information. Personal information may be at risk in BC and be better protected elsewhere.”
He also noted that while personal information located outside BC is subject to the laws that apply where it is found (such as the USA Patriot Act), the risk of personal information being disclosed to government authorities is not a risk unique to US organizations, as various PIPA provisions also authorize organizations to, without notice or consent, disclose personal information located in BC to law enforcement agencies.
Finally, the Commissioner concluded that in the circumstances of this case, including the nature of the employee personal information in question, there was no obligation on Fox to notify employees that their personal information may be located in the US or elsewhere. However, he recommended that Fox nonetheless consider giving notice to prospective employees as a measure of transparency.
Tally-Ho Motor Inn decision
In Tally-Ho Motor Inn(3), the Complainant had contacted WorkSafe BC about what he believed were unsanitary conditions in the hotel bar where he worked.
The manager of the bar later told the maintenance manager and the opening bartender, who were responsible for the cleanliness of the bar, about the complaint and who made it. The Complainant considered this to be an improper disclosure of his personal information and filed a complaint under PIPA.
In allowing the complaint, the Commissioner made several findings including:
- In the circumstances, the Complainant’s name was “employee personal information”;
- While it was reasonable for the manager to tell employees responsible for bar sanitation that a complaint had been made to WorkSafe BC, and to tell them the outcome of the investigation, the disclosure of the Complainant’s name was not reasonable for the purpose of managing the Complainant’s employment relationship. Further, there was no basis on which to conclude that disclosure of the Complainant’s identity was for a purpose related to the management of his employment relationship.
The Commissioner made clear, however, that this case does not stand for the general proposition that the name of a complainant can never be used or disclosed in the employment setting. He then cited the example of a harassment complaint, where the accused employee could be hard pressed to defend himself or herself against the charges without knowing the particulars, which would very likely involve disclosing the accuser’s identity.
Despite finding that there had been an improper disclosure of personal information, the Commissioner declined to make an order requiring the hotel to stop disclosing personal information in contravention of PIPA because: (1) what had occurred did not amount to a serious breach of privacy; (2) there was no indication that disclosure of the Complainant’s name was ongoing; (3) the entity in charge when the personal information was disclosed no longer owned/managed the bar; and (4) it was not even clear if the Complainant still worked at the bar.
Greg Gowe