Case In Point
Federal Privacy Commissioner Weighs In Against Sharing Details of Employee Discipline
Date: April 5, 2016
In a recently released decision summary, the Office of the Privacy Commissioner of Canada (OPC) held that a bank acted properly in deciding not to tell the victim of unauthorized access precisely how it had punished its offending employee (Employee).
The victim, the complainant in this case, was a neighbour of the Employee who happened to work at the complainant’s bank. The complainant became suspicious that the Employee had improperly accessed her personal information at the bank and she complained to the bank. It confirmed that her account had been accessed by the Employee without authorization. The complainant requested further details about the privacy breach, including “how many times and on what dates the employee had accessed her account, what information was accessed, whether it was disclosed to a third party, and what specific disciplinary measures were taken” against the Employee. The bank was forthright about the breach but told the complainant that it could not disclose the specific measures taken against the Employee. Dissatisfied with this response, the complainant pursued the matter internally with the bank and eventually filed a complaint with the OPC.
The OPC held that the bank had acted appropriately in providing the complainant with the details relating to her own personal information but withholding the information relating to what discipline it had taken against the Employee. In other words, the OPC held that the complainant was entitled to her own personal information (which included details about how and when the information was accessed), but not to the Employee’s information, including the specific disciplinary steps taken against her.
The OPC’s guidance is welcome and topical in light of the media attention recently given to the problem of employee “snooping” and in light of the pending federal breach notification requirement. Note that the Office of the Information and Privacy Commissioner of Ontario has taken a different approach in enforcing Ontario privacy legislation, requiring institutions and health information custodians to share the details of any disciplinary response to a privacy breach.
Organizations are advised to pay close attention to the applicable regulatory guidance in notifying and otherwise communicating with individuals affected by improper employee access and other types of privacy incidents.