An organization receiving personal information from a third party must ensure it has the individual’s consent prior to collecting, using or disclosing that individual’s personal information. In an April 18 Order the Alberta Office of the Information and Privacy found that the Professional Driver’s Bureau of Canada Inc. (the “Organization”) had not obtained consent from the complainant, had not provided notice of collection of personal information and had not established that it collected, used or disclosed personal information for reasonable purposes. The Adjudicator therefore ordered the Organization to cease collecting, using and disclosing personal information of the complainant (among other things).
The Organization offers an employee background checking service for truck drivers in which the Organization collects employment history information about truck drivers from the truck drivers’ past employers, enters that information into a database and uses that information to create a report on the truck drivers’ employment history, which it then sells for a fee to potential future employers of that truck driver. Some of the personal information collected by the Organization is very sensitive, including driver’s license number, social insurance number and birthdate; the report disclosed by the Organization to the potential employer will also include sensitive information, such as the truck driver’s employment history, opinions of past employers and driver’s license information.
Although the Organization collected information about employees generally, the Adjudicator found that the Organization did not collect “personal employee information” as defined in Alberta’s privacy legislation, the Personal Information Protection Act (PIPA), as there was no employment relationship between the Organization and the complainant and there was no evidence that the Organization acted as an agent for companies seeking employee background checks. The Adjudicator therefore found that the exemptions for personal employee information contained in PIPA were not applicable in this case, and the Organization was instead responsible for obtaining consent from the individual truck drivers prior to collection, use and disclosure of their personal information. However, much of the Order references the fact that the Organization did not provide adequate submissions or evidence to contradict the Complainant’s statements and serves as a good warning to companies responding to investigations to submit as much supporting evidence for the case as possible.
As the information collected by the Organization was not considered personal employee information, the Organization was therefore required to obtain consent from the individual truck drivers prior to the collection, use and disclosure of their personal information. It appeared that the complainant in this case did sign consents to allow a potential employer to do an employment reference check, although the Adjudicator found that the authorization did not extend to information collected prior to the consent date and was not sufficient to allow the Organization to use the personal information for its own business purposes (in providing reference checks). Although not specifically addressed in the Order, this decision should also serve as a caution to employers releasing their own employees’ personal employee information to a database service provider to ensure proper prior consent has been obtained in order to avoid any potential breaches of PIPA relating to employer’s disclosure of the information.
This Order is a good reminder to companies that they must seek the consent of an individual prior to collecting that individual’s personal information, and not assume consent was obtained simply because the personal information is coming from the individual’s employer. Organizations should review their information collection practices and ensure that such practices are in line with PIPA, and any consent to collect, use or disclose personal information for a particular purpose is obtained from the individual prior to collection.