 |
 |
 |
 |
Log In
|
Log Out
|
 |
 |
News Feed  |
|
|
 |
|
|
 |
|
|
 |
 This work is licensed under a Creative Commons License. |
|
PrivacyInfo.ca Decision Summary 519
| DECISION # 377: Law Firm Reprimanded for Poor Privacy Practices Which Result in Missing Personal Information | ||||
Complaint Summary |
||||
The complainant had been a client of a law firm. The law firm was responsible for preparing documentation and affidavits to be used by the client, and it then referred the complainant and the related documentation to another lawyer. When the complainant requested access to all of his personal information held by the firm he received no response. In order to determine what information the law firm held, representatives of the Office of the Privacy Commissioner visited the law firm and reviewed its personal information policies, safeguards, and procedures. The Office of the Privacy Commissioner determined that the law firm did not have any established written privacy policies or procedures. The Office of the Privacy Commissioner also reviewed the client file process. A client visits the firm, a file is opened, and all documentation produced as a result of the case is placed in the file. The lawyer who is contracted to handle the case obtains the file to go to court. Once the hearing or court appearance concludes, the file is returned to the law firm by the lawyer who handles the client and then retained at the firm until the client asks for the file. The law firm had provided the complainant with some of his personal information prior to his written access request. After the representatives of the Office of the Privacy Commissioner met with the firm, the firm admitted that it had not considered the complainant’s financial records, which it did have in its possession, when the access request was made. The firm ultimately provided the complainant with his financial transaction records, 23 months after he had made his request. However, the firm could not provide the complainant’s file because it had apparently been lost. The firm searched its offices and spoke with the lawyer who had worked on the complainant’s case, and the file could not be located. |
||||
Findings Summary |
||||
The Assistant Privacy Commissioner noted in order to provide individuals with access to their personal information, in accordance with their obligations pursuant to Principle 4.9 of the Personal Information Protection and Electronic Documents Act (PIPEDA), they have to have adequate policies, procedures and retention schedules in place. The law firm in question failed to meet all of these obligations. The firm did not have established privacy policies and procedures to protect personal information or to respond to a request for access to personal information, contrary to Principle 4.1.4(a) and (b). Further, contrary to its obligations pursuant to Principle 4.1.3 of PIPEDA, the law firm essentially turns over responsibility for the personal information it collects since it does not track what happens to files once they leave its physical possession. Nor does the firm attempt to confirm whether or not the lawyer to whom a file is transferred has in place proper personal information handling practices. Accordingly, the law firm has acted contrary to Principle 4.7.1 because it has not ensured that personal information under its control was sufficiently protected. The firm also did not have established schedules for the retention and destruction of personal information. The Assistant Privacy Commissioner maintained that the firm had to address the deficiencies she had noted in order to meet its obligations pursuant to PIPEDA. She recommended that the firm develop a privacy policy and establish privacy procedures and practices which: (i) ensure that third parties who conduct work on the firm’s behalf have a comparable level of protection while processing the personal information; (ii) set retention and destruction schedules for personal information it holds; and (iii) establish procedures to handle requests for access to personal information. The firm responded only to the final recommendation, and was discussing a schedule of all documents that are delivered to third parties. The Assistant Privacy Commissioner noted that while this helped meet the requirements of Principle 4.1.4(a)and (b), 4.9 and 4.9.4, the firm still had not completely responded to its obligations. Accordingly, the firm was still in contravention of Principles 4.1.3, 4.5, 4.5.3 and 4.7.1. To this end, the complaint was deemed to be well founded. The Assistant Privacy Commissioner informed the firm that it would be pursuing the matter in accordance with its authorities under PIPEDA. |
||||
Resolution |
||||
Notes/Comments |
||||
Provisions Raised/Addressed |
||||
Other Information |
||||
| Decision Date: | 2007 April 5th | |||
| (Not) Well-Founded: | Well-Founded | |||
| (Not) Resolved: | ||||
| Sector #1: | ||||
| Sector #2: | ||||
| Online at: | http://www.priv.gc.ca/cf-dc/2007/377_20070405_e.cfm | |||
| 519 | ||||
|
|
|
|
|
|
|
|
|
|
 |
|
|
|
|
|
|
Copyright (c) 2003 Michael Geist