In February 2017, at the 18th annual Privacy and Security Conference, Acting Commissioner Drew McArthur (“Commissioner”) commented on the first-ever audit of a private sector business conducted by the Office of the Information and Privacy Commissioner for British Columbia (“OIPC”). He stated that OIPC “used this audit as an important opportunity for public education, and a reminder to private businesses that they should only use video surveillance as a last resort after exploring other less privacy-invasive options.” The Commissioner’s speech is available here.
OIPC initiated the audit of the lower mainland medical clinic (“Clinic”) after receiving a complaint about the Clinic’s collection of personal information through video and audio surveillance. The Clinic used surveillance cameras on a 24/7 basis in its lobby, hallways, back exists, and fitness room to collect personal images and audio of patients, employees, contractors, and others.
The Commissioner concluded that the Clinic’s use of video and audio surveillance was excessive in the circumstances. The Clinic could not provide sufficient evidence of a safety or security problem or other significant issues to justify the use of surveillance, and did not make any attempt to use less-intrusive means to achieve to achieve the Clinics goals of security, liability protection and client protection in the fitness room, and monitoring staff. Further, the Clinic did not obtain the appropriate consents to collect the personal information, did not have the appropriate mechanisms and processes in place to store, secure and dispose of the personal information collected, and did not have an effective Privacy Management Program in place.
The Privacy Audit and Compliance Report covers:
- the methodology used by OIPC to conduct the investigation, which included an on-site inspection of the clinic, a review of the Clinic’s policies, practices, and training, and interviews with key Clinic staff (page 8);
- the information covered by OIPC in an interview of the Clinic’s owner (page 9);
- the applicable legislation (pages 9-10);
- the Commissioner’s findings (pages 12-33); and
- 12 recommended actions for the Clinic to take that, when implemented, will help ensure that the Clinic is in compliance with its obligations under BC’s Personal Information Protection Act for protecting personal information (pages 35-37).
Of particular note to employers using video surveillance or considering using such surveillance is the Commissioner’s guidance regarding the collection of personal information by video surveillance at pages 10-11. The full report is available here.