The Order of the Office of the Information and Privacy Commissioner ("OIPC") in Moore's Industrial Service Ltd. (Order P2013-07) (the "Order") serves as a good reminder to review and update privacy policies.

The Order arose from a complaint by a retired employee of Moore's Industrial Service Ltd. ("Moore's") regarding access by his former employer to his personal web-based e-mail account. The employee had, on the occasion of his retirement, returned to Moore's a laptop they had provided him for use while he was employed. While the former employee had wiped the hard drive of the laptop, his login ID and password for his web-based personal e-mail account were saved on the laptop, and the CEO of Moore's was able to access the former employee's personal e-mails. The CEO of Moore's accessed the e-mail and forwarded at least one e-mail message, containing a reference letter for one of the complainant's former co-workers, to the CEO's e-mail account and to at least two other people in Moore's.

The OIPC determined that a login ID for a personal e-mail account and the associated password are personal information, but that the information was not personal employee information. Because the individual was no longer employed by Moore's, the only possible relevant purpose for which Moore's could reasonably require the information was managing the post-employment relationship. In this case, Moore's could not convince the OIPC that its reason for accessing the personal information was to ensure that a termination agreement with the former employee was enforced. The information was not required to manage the post-employment relationship and was therefore not personal employee information. The OIPC found that there was no evidence to suggest that there had been a breach of the termination agreement, and even if there had been a breach, the steps taken by Moore's still may not have been reasonable.

The OIPC determined that Moore's was not authorized to collect, use or disclose the personal information without consent. Moore's maintained that the former employee had consented to the collection of the information by returning the laptop, but the OIPC disagreed with that argument because the former employee had wiped the hard drive prior to returning the laptop, which the OIPC considered evidence that the employee did not intend to disclose any personal information to his former employer. The OIPC also determined that Moore's did not have the authority to collect, use or disclose the personal information of the complainant.

The OIPC found against Moore's on all counts, and Moore's received a very small penalty that amounted to harm to its reputation and a requirement that their staff be trained concerning the appropriate management of personal information. While the penalty was not significant, what is interesting about this Order, and a helpful reminder for all organizations, is the OIPC's comments on Moore's privacy policy. Moore's had indicated that they accessed the e-mail in accordance with their e-mail policy; however, the OIPC indicated that the privacy policy did not contain any provisions concerning accessing employee e-mail or address the use of company laptops. Had the policy contained such provisions, Moore's would likely have been in a much stronger position and may have been able to justify their actions in accessing the personal information of their former employee.

It is easy to take an established privacy policy for granted; however, the Moore's decision is a good reminder that policies should be revisited regularly to ensure they reflect the current practices of an organization and reflect changes in technology and other internal policies and procedures.

It is the New Year – perhaps it is time for New Privacy Policies, or at least a review of the ones your organization currently has in place.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.