Cautionary Tale For The Helpful Employee


On February 22, 2013, the Office of the Privacy Commissioner of Canada (OPC) released a report of findings in connection with a complaint that an employee at a mobile phone company improperly altered a phone contract of a customer at the direction of an unauthorized party.

The facts of the case, as reported by the OPC, were relatively straightforward. The stepson of a customer was authorized to use a phone on his stepfather’s account. The stepson visited a mobile phone store and requested changes to his services. The stepson impersonated his stepfather. Bad on the stepson, perhaps, but the OPC concluded that the employee did not follow the mobile phone store’s customer validation process. In particular, the employee did not authenticate the customer by requesting two pieces of identification. The changes requested by the stepson generated a new three-year contract. Trouble was that the stepson was not authorized to make those changes and the stepfather was none too pleased.

The employee might have just been trying to be helpful, but the OPC found two violations of the federal privacy principles established by the Personal Information and Electronic Documents Act (PIPEDA).

  • Principle 4.3: “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”

The use of the real customer’s personal information to renew the contract was not done with that customer’s consent.

  • Principles 4.7 and 4.7.1: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” “The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.”

There were procedures in place but the employee violated them, thereby failing to protect the personal information from unauthorized use.

Are your employees aware of these principles and that they apply to them? Maybe understanding that these principles are not just the ravings of a compliance department but are also federal law might help convince them that these principles are important.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
