Employer performed unauthorized credit checks on employees

locked-filesI recently read an investigation report from the Alberta Office of the Information and Privacy Commissioner, where an employer made a big mistake and ended up violating the privacy of at least 25 employees.

The employer, a public body, had an agreement with Equifax Canada under which it was permitted to access the Equifax database to obtain credit reporting services for legally permissible purposes to conduct its work involving collecting child and spousal support payments and forward them to rightful persons. It could conduct credit checks by logging into the Equifax database, entering an individual’s identifying information (name, date of birth, social insurance number), and viewing or printing the individual’s credit report (no one could save the report).

There was an internal investigation within the public body into allegations of fraudulent cheques being cashed at various locations. It was ultimately determined that the breach was external, so the investigation was handed over to a municipal police service. However, it was still possible that an internal employee was involved in the forgeries.

Consequently, the public body decided to rule out the risk of internal involvement by obtaining credit reports on all employees working in the relevant units of the workplace. The special investigations unit was told to conduct these searches using the names, dates of birth and social insurance numbers of employees to obtain the credit reports. The credit reports were printed and delivered directly to the director of compliance. The conclusion was that there were no identified risks. The credit reports were then provided to the executive director. According to the public body, the credit reports were shredded, but this could not be confirmed because the executive director had since left the public body.

Well, you shouldn’t be surprised when the affected employees complained to the Office of the Information and Privacy Commissioner. The employees asserted that the public body violated their privacy by conducting credit checks on them without their knowledge or consent. They wanted to know why this was done, who ordered it and what could be done to correct it.

The employer admitted that it was in error. The Office of the Information and Privacy Commissioner agreed that the employer’s actions clearly violated the Freedom of Information and Protection of Privacy Act.

The public body accessed credit reports that typically contained an individual’s name, social insurance number, date of birth, address, employer name, credit inquiries, judgments, past and present history of credit checks, credit rating, level of payments and updates. The public body did this without the knowledge or consent of the individuals. The collection and use of the information was not authorized under the Act. The records were only disclosed internally to the manager, the director of compliance and the executive director.

Since the employer knew it made a mistake by conducting the credit checks on its employees, it attempted to minimize the blow and ensure it would not happen again by:

  • Writing a letter of apology to each employee whose credit report was likely obtained, and agreeing to reimburse the employees for the expenses that were incurred as a direct result of the credit check
  • Making changes to better protect employees’ personal information kept in the personnel records in the personnel office:
    • Identifying information that was appropriate to hold and track onsite, and removing all extraneous records such as social insurance numbers (they were either shredded or moved to the appropriate file)
    • Keeping the personnel records in a locked office, and granting access to only three staff members who worked with the records
    • Making sure records were signed in and signed out, and the removal of other documents was not permitted
    • Redefining the scope and authority of the special investigation unit officers to more specifically ensure their authority was utilized appropriately in accordance with a standing operating procedure

The employer also made it clear that employees were not to be investigated in the future.

The Office of the Information and Privacy Commissioner noted the employer’s remedial actions and commented that there was no point in taking the matter further, as there was no remedy available for the employees under the Act.

Even though the employer made a mistake that violated the Act, the employer did the right thing in the end by admitting it was in error, apologizing and ensuring the error would never be repeated.

I’m wondering, does your organization have a system in place to protect your employees’ personal information contained in personnel records? Do you hold on to extraneous information, or do you have procedures in place to discard unnecessary or dated information? Do you have policies and procedures in place regarding methods of physical protection of information, and computer security protection strategies? Have you trained your employees in these policies and procedures?

Christina Catenacci
First Reference Human Resources and Compliance Editor

Alberta
Alberta Office of the Information and Privacy Commissioner
canadian employment law
credit check
credit report
credit reporting
Employee privacy
employment law
Equifax Canada
Freedom of Information and Protection of Privacy Act
investigation
Privacy Commissioner
privacy policy
procedures
unauthorized collection
unauthorized credit checks on employees
unauthorized use
violating the privacy of employees
violation of privacy
Share

Related Posts

Imagen 1

Addressing domestic violence in the workplace – some insights

The Ontario Occupational Health and Safety Act violence and harassment prevention provisions (Bill 168) require an employer to take all reasonable precautions in the circumstances for the protection of all employees if a domestic violence situation is likely to expose a worker to physical injury in the workplace and the employer becomes aware or ought reasonably to be aware of the situation.

But what does that imply? The law states the requirement but provides little guidance on what employers need to do to prevent domestic violence from spilling into the workplace. In addition, many employers are not comfortable addressing a situation of such a personal nature. It is not an easy task to complete and might never be.

Marie-Yosie Saint-Cyr, LL.B. Managing Editor

Read more
Imagen 1

Sleeping on the Job? What do you have to do to get fired in Canada, anyway?

Employees can be dismissed for cause, and therefore without notice or severance, when their misconduct or performance is so egregious that the employment relationship has been irreparably harmed. In assessing this issue, employers must adopt a contextual approach, which considers not only the misconduct in question, but the entirety of the employment relationship.

Rudner Law, Employment / HR Law & Mediation

Read more
Imagen 1

Employees with disabilities – accommodation strategies (Part I)

Accommodating employees with disabilities to the point of undue hardship under human rights legislation can be a complicated task. It’s important to make sure the accommodation process goes smoothly and the employee can focus on working as efficiently as possible, but employers may not be sure about what kinds of questions to ask disabled employees in order to meet their needs.

Christina Catenacci, BA, LLB, LLM, PhD

Read more