On February 22, 2013, the Office of the Privacy Commissioner of Canada (OPC) released a report of findings in connection with a complaint that an employee at a mobile phone company improperly altered a phone contract of a customer at the direction of an unauthorized party.
The facts of the case, as reported by the OPC, were relatively straightforward. The stepson of a customer was authorized to use a phone on his stepfather’s account. The stepson visited a mobile phone store and requested changes to his services. The stepson impersonated his stepfather. Bad on the stepson, perhaps, but the OPC concluded that the employee did not follow the mobile phone store’s customer validation process. In particular, the employee did not request identification to authenticate the customer by means of two pieces of identification. The changes requested by the stepson generated a new three year contract. Trouble was that the stepson was not authorized to make those changes and the stepfather was none too pleased.
The employee might have just been trying to be helpful, but the OPC found two violations of the federal privacy principles established by the Personal Information and Electronic Documents Act (PIPEDA).
Principle 4.3: “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”
The use of the real customer’s personal information to renew the contract was not done with that customer’s consent.
Principle 4.7 and 4.7.1: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” “The security safeguards shall protect personal information against loss or theft, as well as unauthorized access disclosure, copying, use or modification.”
There were procedures in place but the employee violated them, thereby failing to protect the personal information from unauthorized use.
Are your employees aware of these principles and that they apply to them? Maybe understanding that these principles are not just the ravings of a compliance department but are also federal law might help convince them that these principles are important.