Organizations should take note of a recent decision of the Alberta Office of the Information and Privacy Commissioner (OIPC) in which an adjudicator emphasizes the narrow scope of personal information that can be considered reasonable to collect, use, and disclose for the purpose of providing background checks. The decision warns against over-collection, use and disclosure while reiterating the duties owed by those who have custody or control of personal information.
In Order P2013-01, it was held that the Professional Drivers Bureau of Canada Inc. (PDB) failed to establish that it had conducted a reasonable search for responsive records with respect to a particular driver. PDB was found to have contravened the Personal Information Protection Act (PIPA) on the basis of four main grounds: not obtaining consent in circumstances where necessary to do so; not providing notice of collection; not collecting, using, or disclosing personal information only for reasonable purposes; and failing to collect, use, or disclose only the personal information necessary for meeting its purposes.
PDB collects information about truck drivers from their former employers to create Driver History Reports for the use of subscribing clients. It maintains a nationwide central database with over 160,000 driver work histories, which its clients, truck driving companies, pay to access. The information that is provided by PDB assists these companies in their decision-making regarding a particular driver as a potential employee. In essence, PDB provides a background check service for future employer truck driving companies. According to the driver history report documents, PDB provided personal information about the Complainant (a truck driver) to prospective employers on five occasions.
The Complainant requested her personal information from PDB pursuant to s. 24(1) of PIPA which allows individuals to request their personal information in the possession of an organization. Initially, PDB did not respond to this request, prompting the Complainant to request a review. After being provided with an allegedly incomplete response, the Complainant submitted a complaint and an inquiry was initiated. The basis for her complaint was that PDB was collecting, using, and disclosing inaccurate information about her without consent, and failed to provide her with a complete account of the information they had collected.
The information PDB produced consisted of the Complainant's employment history, including the names of former employers, results of drug tests and reasons for termination. In addition, it included her driver's licence number, date of birth, social insurance number, family status, height, weight, address and phone number. While the information was originally collected with consent by the Complainant's former employer for establishing or managing the employment relationship, PDB is not authorized by this former consent as they are not the employer's agent. Also, the only authorization was for PDB to conduct a reference check and this authorization was obtained after the fact.
The Complainant made submissions for the inquiry; however, PDB did not make submissions, and opted to only provide the Complainant's file. The adjudicator found that PDB had not obtained consent or provided notice for collecting the Complainant's personal information, contravening PIPA from the outset. However, the decision also discussed what "reasonable" means in the context of collecting, using, and disclosing personal information.
A Reasonable Search for Responsive Records
An organization must only collect, use, or disclose the personal information of employees or others to the extent reasonable for meeting the purpose behind that collection, use or disclosure. In other words, there must be a direct correlation between the purpose of collection and the scope of personal information collected which must be reasonable for that purpose.
This decision suggests that organizations should err on the side of caution regarding what purposes or search methods may be classified as reasonable. This is particularly true with "sensitive information," described in Order P2012-02 as information that could be used to commit identity theft or subject an individual to harassment or harm.
The adjudicator appears to narrow the definition of "reasonable" as defined in section 3 of PIPA. This is consistent with the line of reasoning in Penny Lane Entertainment Group v. Alberta (Information and Privacy Commissioner), which concluded that a night club's practice of scanning driver's licences was not reasonable for the purpose of enhancing security. What a reasonable person would consider appropriate in the circumstances is seemingly limited to what a reasonable person would consider necessary in the circumstances. While Leon's Furniture Limited v. Alberta (Information and Privacy Commissioner) permitted the limited recording of driver's licence numbers (one of the pieces of personal information PDB collected), it was distinguished on the basis that the purpose behind collecting the numbers, in Leon's, was to combat fraud. In contrast, the adjudicator characterized PDB's purpose as offering a driver history report to indicate performance of drivers as employees. Therefore, the adjudicator concluded that the Complainant's driver's licence number, height, weight, family status, address, phone number and social insurance number were irrelevant and unreasonable to collect. Consequently, all of the personal information collected beyond the employee history would not have been deemed responsive records to a reasonable search, had PDB complied with all other aspects of PIPA.
The PDB decision firmly reiterates a strict stance by the OIPC on the collection, use, or disclosure of personal information, emphasizing the reasonableness requirement in all respects. The demand for a reasonable search for responsive records by organizations conducting background checks, in addition to the need for consent and fulfillment of all other duties, establishes a strong protective mechanism for individuals of which organizations need to be aware. Reasonableness will be considered on a case-by-case basis by the OIPC. However, this decision suggests that where personal information cannot be characterized as necessary for advancing the purpose for which it was collected, it will be deemed unreasonable to collect and thereby constitute a violation of PIPA. Organizations also have the burden of proving that their purpose in collecting, using, or disclosing personal information is reasonable.
It is notable that this decision not only precipitated an order from the OIPC but broader scrutiny; indeed, as reported in the Calgary Herald, organizations not party to the proceeding have called for further investigation by the OIPC into PDB's practices after reviewing this decision. This underscores the potential broader implications of having a report about an organization published by the OIPC and the importance of privacy compliance.
In determining whether the purpose is reasonable, organizations should take into account their relationship with the individual whose personal information they possess, whether they have consent either explicitly or via statute, the type of information being collected, the purpose behind that collection and the search method that is used. The accuracy of the information collected must also be considered; however, in contrast to the other duties established by PIPA, ensuring the accuracy of information is treated more flexibly by OIPC and only requires reasonable efforts, not confirming that the information is true (Order P2008-010).
This article was co-authored by Tara Russell.