A Closer Look at Canada's New Privacy Laws

By Susan Johnson, CA, CISSP

Editor: In the October 2003 issue of Beyond Numbers, we provided an overview of PIPEDA, which had yet to come into effect for all private sector organizations. Several months have now passed since its implementation, along with the implementation of PIPA in BC, so this month we offer a more in-depth look at the legislative environment, key compliance issues, real-life pitfalls, and opportunities—courtesy of an information privacy and security expert.

Reflecting a global reality

According to the National Post, privacy legislation is a “multi-dimensional mess” for which George Radwanski, Canada's former privacy commissioner, is to blame. Many businesses might agree, but to view the new legislation as just another example of government red tape and bureaucracy is to ignore Canadian and global realities. Privacy legislation exists because consumers are concerned about misuse of their personal information—plain and simple. This concern has been consistently expressed in Canadian, American, and British surveys by a large majority of respondents. This same majority has also said it will refuse to buy from companies that have questionable privacy policies and practices.

Companies are concerned as well: According to a recent survey of Canadian executives conducted by Robert Half Management Resources, for example, 32% of CFOs said they perceived their firms to be most vulnerable in the area of information systems security.1 The level of concern is justified: At the very least, junk mail, spam email, and intrusive telemarketing practices have become an increasing annoyance for all of us; at the very worst, some of us have experienced invasions of privacy, such as stalking or identity theft.
Canadian consumers might be surprised to learn that Canada was actually behind many other developed countries, including the UK, the European Union, and Australia, when it enacted the Personal Information Protection and Electronic Documents Act (PIPEDA) for federally regulated enterprises in January of 2001, and then extended it to all private sector organizations on January 1, 2004. The UK, for example, has had data protection legislation since 1998. In truth, the fact that most countries already required equivalent privacy laws for international business where personal information is shared was a major impetus for Canada to pass the legislation.2

So now that the new privacy laws are in place, what's a smart business to do? Well, compliance with the letter of the law is just the beginning. Smart businesses will seize this legislation as an opportunity to improve the quality and reduce the cost of the information they collect; strengthen customer and employee relations; protect valuable business relationships with strategic partners; meet international privacy standards; and most importantly, gain a competitive edge over companies that fail to embrace the best privacy practices. Before we get to these opportunities, let's review some compliance issues, including potential pitfalls.

The legislative environment

In a survey conducted for Telus in 2003, “British Columbians… rated the protection of personal information the second most important issue in the province, even ahead of the environment or crime.”3 Perhaps the BC government took this survey to heart, as the BC Personal Information Protection Act (PIPA) also took effect January 1, 2004. Although there has been no official ruling, both the Province of BC and the Office of Canada's Privacy Commissioner expect PIPA to be “substantially similar” to PIPEDA.
However, some of the differences between PIPA and PIPEDA are worth noting:

Non-profits

According to the new Federal Privacy Commissioner Jennifer Stoddart, PIPEDA distinguishes between “commercial activities” and other activities of non-profits, “such as collecting membership fees, organizing club activities, compiling a list of members' names and addresses, and mailing out newsletters. Similarly, fundraising is not a commercial activity. However, some clubs—for example many golf clubs and athletic clubs—may be engaged in commercial activities which are subject to the Act.” PIPA, however, applies to all organizations—specifically including non-profits, trade unions, and associations—and covers the personal information of customers, employees, donors, volunteers, contractors, suppliers, and members. The upshot? All non-profit groups in BC are automatically subject to privacy legislation, whereas it's possible for some of the activities of a non-profit group in Ontario, for instance, to be exempt.

Grandfather clause

PIPA has a “grandfather” clause, meaning that organizations don't have to get consent from existing customers for information already held. However, the other provisions of the legislation relating to use, disclosure, and safeguards still apply.

Employee personal information

Employee personal information is explicitly covered by PIPA. However, the legislation recognizes that certain information must be collected to manage employment (such as name, address, and SIN), and that some information may be necessary for “reasonable accommodation” for persons with special requirements or to ensure that special circumstances are considered. PIPEDA, on the other hand, only applies to the employee information of federally regulated companies, such as airlines and telecoms.

Power to make orders

Finally, PIPA gives the BC Privacy Commissioner (currently David Loukidelis) the power to make orders, with fines of up to $100,000 per incident for non-compliance.
The federal privacy commissioner, by contrast, does not have the power to make binding orders or levy fines. Loukidelis has also stated that he will publicize the names of offending companies. (The former federal privacy commissioner was criticized for not doing so in his findings.)

Jurisdictional issues

As lawyers will tell you, there are some jurisdictional issues. For example, if you do business or have customers in other provinces, you should know that Alberta and Quebec have their own privacy legislation, and that Quebec has initiated a constitutional challenge to the federal government's authority to pass privacy legislation. For more information on jurisdictional differences, consult with your legal counsel.

The privacy minefield

Not all aspects of the legislation are straightforward, and, unfortunately, some might not be resolved until the complaints and lawsuits begin. Purpose, consent, access, employee monitoring, outsourcing, and safeguards are among the potential landmines you might encounter.

Purpose

What is a reasonable business purpose for collecting personal information, and who decides? You should challenge the rationale for every piece of personal information you currently collect. The acid test: Would you think it was reasonable if you were the customer? When defining business purpose, it's important to consider both the collection and use of personal information. It's common for businesses to collect information for one purpose and then use it for other purposes as well. For example, a bank may collect personal financial information for purposes of issuing a credit card and then decide to transfer that information to their insurance subsidiary to support the marketing of insurance products to the same individual.
Marketing is considered to be a non-essential use or “secondary purpose.” Businesses must prominently disclose (at the time of collection) all purposes for which they intend to use personal information, and allow individuals to opt out of any non-essential uses. If a business has collected personal information for a stated purpose, then decides only later to use or disclose it for another purpose, they must go back and obtain the consent of the individual for the secondary use. It is far more efficient to identify and disclose all possible uses at the time of first collection and obtain consent for them all, than to go back to the customer after the fact and ask permission for secondary uses. Be aware that businesses cannot deny service to individuals who refuse to provide personal information to be used for secondary purposes if this information is not also required for the transaction's primary purpose. As a consumer, this means that you can refuse to provide your home telephone number and other personal information to a retailer for a cash transaction, and they cannot require it as a condition of selling you their goods.

Consent

Implied

As opposed to express consent, implied consent can be inferred either through an ongoing relationship or through reasonable expectation—using the return address on a donation cheque to send a donor a receipt for income tax purposes, for example. Businesses use implied consent to speak to their customers.

“Opt-in”

Opt-in refers to the use of express consent to collect, use, or disclose personal information. You may have seen this type of wording on website forms: “Tick here to allow us to share your information with carefully selected partners.” Organizations should obtain opt-in consent before transferring any data that could reasonably be considered sensitive to a third party, like financial or medical information.

“Opt-out”

Opt-out is a mechanism to let individuals decline selected or all contact with your organization.
If an individual has an opportunity to opt out, and does not choose to exercise it, the organization is considered to have obtained their consent for further contact. It is important to clearly disclose (in other words, not in legalese) your intended usage of the information; again, this includes secondary uses such as marketing. You must also provide your customer/client with an easy and inexpensive/free means of opting out. For example, asking them to call a 1-800 number would be acceptable; asking them to call a 1-900 number would not. You also need to track consent and opt-outs to make sure you don't inadvertently contact individuals who've already opted out. This may be a significant issue for smaller businesses that don't have sophisticated customer database systems. And bear this in mind: According to a survey by Ekos Research Associates,4 of the 82% of Canadians who said they wanted businesses to obtain their permission before using their information for marketing purposes, 69% considered opt-out approaches unacceptable.

Access to personal information

Individuals are entitled to access their information, correct or update it, and know who else has seen it. To allow for this level of access without creating procedural nightmares, businesses must first ask a few fundamental questions, such as: How much will we charge, if at all, for access? And how will we ensure that the request for information is legitimate?

A case study: We recently helped a client develop a procedure and forms for information access. With no branches or public offices, requests would be coming in by mail. The solution was to have the individual's identity certified by a guarantor from a recognized profession, as with passport photos, and to include the signature and stamp of the guarantor with the request form. Although this approach presents a hurdle for the individual, the business must ensure it does not put personal information in the wrong hands.
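As an added illustration of the purpose and consent rules described above (this is not code from the article or from APS Group), the following Python sketch keeps a per-individual register of the purposes disclosed at collection, separates primary from secondary purposes so that declining marketing never blocks service, records later opt-outs, and refuses any use for a purpose that was not disclosed. The purpose names and the in-memory structures are hypothetical.

```python
from dataclasses import dataclass, field

PRIMARY = "primary"      # needed to complete the transaction itself
SECONDARY = "secondary"  # non-essential use, e.g. marketing

@dataclass(frozen=True)
class Purpose:
    name: str
    kind: str  # PRIMARY or SECONDARY

@dataclass
class ConsentRecord:
    consented: set = field(default_factory=set)  # purposes agreed to at collection
    opted_out: set = field(default_factory=set)  # secondary purposes declined, then or later

class ConsentRegister:
    """Per-individual record of which disclosed purposes have consent."""

    def __init__(self, purposes):
        self.purposes = {p.name: p for p in purposes}  # everything disclosed at collection
        self.records = {}

    def record_consent(self, individual, accepted, declined=()):
        """Capture collection-time choices; declining a secondary purpose must
        not block the transaction, declining a primary one stops it."""
        for name in list(accepted) + list(declined):
            if name not in self.purposes:
                raise KeyError(f"{name} was never disclosed as a purpose")
        for name in declined:
            if self.purposes[name].kind == PRIMARY:
                raise ValueError(f"{name} is required for the transaction")
        rec = self.records.setdefault(individual, ConsentRecord())
        rec.consented.update(accepted)
        rec.opted_out.update(declined)
        return rec

    def opt_out(self, individual, purpose_name):
        """Honour a later opt-out (the mechanism offered must be easy and free)."""
        self.records.setdefault(individual, ConsentRecord()).opted_out.add(purpose_name)

    def may_use(self, individual, purpose_name):
        """True only for a disclosed purpose with consent and no opt-out; an
        undisclosed purpose is False until consent is obtained for it."""
        rec = self.records.get(individual)
        if rec is None or purpose_name not in self.purposes:
            return False
        return purpose_name in rec.consented and purpose_name not in rec.opted_out

    def may_serve(self, individual):
        """Service may proceed once every primary purpose has consent."""
        rec = self.records.get(individual, ConsentRecord())
        return all(p.name in rec.consented
                   for p in self.purposes.values() if p.kind == PRIMARY)

    def contact_list(self, purpose_name):
        """Everyone who may still be contacted for a secondary purpose."""
        return sorted(i for i in self.records if self.may_use(i, purpose_name))

# Constructed sample mirroring the article's bank example: issuing the card is the
# primary purpose; marketing insurance to the same person is a secondary purpose.
PURPOSES = [Purpose("issue_credit_card", PRIMARY), Purpose("market_insurance", SECONDARY)]

def demo():
    reg = ConsentRegister(PURPOSES)
    reg.record_consent("alice", ["issue_credit_card", "market_insurance"])
    reg.record_consent("bob", ["issue_credit_card"], declined=["market_insurance"])
    reg.opt_out("alice", "market_insurance")  # Alice later opts out via the 1-800 number
    return reg
```

Before any marketing run, the contact list is derived from the register rather than from the customer table, which is what keeps already-opted-out individuals from being contacted again.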
Also new: Employees will now be able to request access to personal information kept about them by their employer—performance appraisals, for instance—so be careful what you put in writing.

Employee monitoring

Employee monitoring/surveillance has already been the subject of a Privacy Commissioner of Canada ruling applying to a federally regulated corporation.5 The key issue in the case revolved around the potential use of information obtained from video surveillance for disciplinary purposes. To help businesses determine whether the use of video cameras is reasonable, the Canadian Commissioner identified four criteria:

Applying these criteria to the aforementioned case, the Commissioner concluded that the employee's complaint was well founded, and recommended that the offending company remove its digital video cameras.

Many companies also monitor their employees' Internet usage and email communications. The key requirement here is notice, not consent. Ensure that you have an “acceptable use” policy for corporate assets like email, and that employees have signed a document acknowledging no expectation of privacy with respect to the use of these corporate assets.

Outsourcing and accountability

The outsourcing of information-handling functions could significantly increase the risk of non-compliance with privacy legislation. Under California law, for example, companies are required to notify customers of any database breach that may have compromised their personal data as soon as the breach is discovered. But how best to detect and respond to security breaches at offshore facilities? In an incident in January 2003, referred to by the Toronto Star as the “Exxon Valdez of data leaks,”6 the personal information of 180,000 customers of The Co-operators Life Insurance Company was compromised through the theft of a hard drive from ISM Canada, Co-operators' data management company. (See For the Profession, Beyond Numbers, April 2003.) Co-operators was forced to send letters to all of its affected customers, warning them that their private information was at risk and could be used to steal their identity. Some customers responded by launching a class action lawsuit against them.

Outsourcing does not absolve you of responsibility for protecting customers' personal information. You must ensure that suppliers are contractually tied to specific conditions that stipulate how data can be transmitted, accessed, used, stored, shared, and safeguarded. This should include prohibitions against the subcontracting of work without notification and agreement.
Note: If the outsourcing company is a subsidiary of an American company, you must also consider the possible application of the Patriot Act, which requires companies to turn over personal information to the FBI and prohibits them from disclosing having done so.

Safeguards

Safeguards are a big issue. The privacy legislation only stipulates that personal information be safeguarded commensurate with its sensitivity. As with other aspects of the legislation, judgment is required. Again, a good standard is to ask yourself what safeguards you would expect if it were your own personal information. The following examples show that even large companies can stumble over safeguards:

In September 2003, two Bank of Montreal branch computers filled with sensitive customer information were offered online at an auction site. These second-hand computers were purchased from a Montreal-based company. The buyer then posted them for sale on eBay for six hours before realizing they contained hundreds of customer files; these files included account balances and information on lines of credit, credit cards, RRSPs, GICs, and insurance. Concerned, the buyer reported the computers (which had no password protection) to the Bank of Montreal, but not before contacting the Montreal Star. The result was a public relations nightmare for the Bank of Montreal.7

In another case, WashingtonTimes.com reported in February 2004 that St. Louis's Southern Commercial Bank had potentially compromised the privacy of more than 40,000 customers, violating state and federal guidelines.8 The bank had emailed unsecured personal data to an independent computer programmer; the data included bank account and social security numbers, as well as addresses for customers who owned checking, savings, and money market accounts. Southern Commercial Bank's officials said the bank had not violated its own policies or federal regulations designed to protect customer information.
However, the commissioner of the Missouri Division of Finance, which regulates Southern Commercial Bank and other state-chartered banks, is currently investigating the matter.

Stories like these are reported in the media on a daily basis, and the damage they do to an organization's reputation has a much larger impact than a slap on the wrist or a regulatory fine.

First steps

No one expects businesses to be in total compliance immediately. What's important is that you take the following first steps:
If you want your privacy policy to be followed—note: having a policy that isn't followed is more dangerous than having no policy at all—all the affected groups (such as marketing, finance, and information technology) should be involved in its development. However, since the initial development and implementation of a privacy policy will require more effort than its ongoing maintenance, many organizations will find external assistance more likely to achieve effective results quickly. An outside perspective can also be useful in challenging assumptions and helping you to think creatively about your information management and customer relationship processes.

The privacy payoff

What is the privacy payoff? For the Royal Bank, which has had a privacy code since 1987, privacy is worth $11 billion and change. According to Peter Cullen,9 RBC's former privacy officer, RBC's studies showed that privacy accounts for 7% of their customers' buying decision. For personal clients, it's 14% of the brand value. RBC's customer surveys found that over 80% would “walk” if they believed their personal information was not being protected. Further, the surveys revealed that each segment of RBC's customer market had specific privacy needs that translated into specific dollar values.

As RBC's and other surveys have shown, many people will buy from companies they trust to respect their privacy. So how do you get the privacy payoff? Think like a marketer. Use privacy to win and keep customers. Develop and implement good privacy practices, then use them in your marketing and advertising. In addition to using the CICA's excellent assessment tools that focus on risk (www.cica.ca/index.cfm/ci_id/258/la_id/1.htm), ask the following questions to specifically identify opportunities:
Moving forward from here

Whether you agree with the National Post or whether you applaud the new privacy legislation as a positive step forward, the fact remains that it's here. Compliance will help you avoid fines, lawsuits, and damage to your reputation, but consider this just the beginning. Take this opportunity to go beyond compliance to best practices whenever possible. Doing so will not only strengthen your business operations—streamlining your processes and eliminating duplication of effort and information—it will strengthen your relationships with customers and clients, and put you at a distinct advantage in the marketplace.

Susan Johnson, CA, CISSP (certified information systems security professional™), is a partner with APS (Applied Privacy and Security) Group in Vancouver, which specializes in privacy and security management. The APS website offers many free resources, including a high-level privacy plan, a privacy glossary, useful links, and other tools. Go to: www.aps-group.com/library.php to find out more.

Endnotes
----------

More on legislation

The various pieces of privacy legislation in Canada, including PIPEDA and PIPA, are all based on the same basic principles set out by the Canadian Standards Association (CSA) in its Model Code for the Protection of Personal Information in 1996. These principles require businesses to be accountable; tell their customers why they're collecting personal information; ask their permission first; only collect what they really need; limit who they share it with; make sure it's accurate; keep it safe; be open about their practices; show their customers what they're keeping; and be prepared to handle complaints. According to the Association, “All organizations that comply with the CSA standard can be confident that they meet the federal requirements of PIPEDA. Organizations involved in multinational exchanges of information can also be confident that they are addressing increasingly rigorous international demands for the protection of personal information.”

For more on the CSA's privacy statement, go to: www.csagroup.org/legal. For more on PIPEDA, go to: www.privcom.gc.ca/legislation/index_e.asp. For more on PIPA or for a copy of the implementation guide from the Office of the Information and Privacy Commissioner for BC, go to: www.oipc.bc.ca.

----------

Sample T1 letter

To download the ICABC Professional Advisory Services department's updated sample T1 engagement letter, go to www.ica.bc.ca under Members Only. The letter is a separate appendix to the March 2004 issue of News 'n' Views.

----------

Security tips to enhance privacy

Start at the beginning: Think about privacy considerations when developing business cases or project plans, and throughout the development cycle. Deal with privacy at the beginning, rather than forcing it in at the end.

Data classification schemes: Properly implemented and maintained data and information classification schemes help determine what data you're collecting, and why and how it is used. This helps you determine collection and use policies, and the level of protection needed for each element or combination of data.

Unique access identifiers: Assign unique user ids to track access and support individual accountability whenever sensitive information is accessed.

Protection by default: Implementing a default that all information is protected and access will only be granted to authorized users ensures that sensitive information is not inadvertently left “in the open.” And don't forget to protect any back-up and log files as well.

Beyond passwords: Access to your information systems should always require at least a unique user identifier and password in combination. Extremely sensitive information may also require further protection through additional authentication or even use of encryption capabilities.

Keeping track: Knowing what has happened to data or information in your charge is integral to a privacy effort, yet most information systems only track changes to information—and many don't even do that. Comprehensive logging capabilities should include recording all accesses, even if no changes were made to the data.

Gone but not forgotten: Deleting a data file does not mean the information it contained is no longer accessible. It is now possible to retrieve “deleted” information, even after it has been overwritten several times, using tools readily available on the Internet. Use a good quality shredder program to ensure that deleted files cannot be recovered, and don't forget about the back-up copies.

Paper cuts: Printed reports need to be handled with the same diligence as computer files. Keep track of where reports with sensitive / confidential information are distributed, provide lockable cabinets for their storage, and provide industrial strength shredders so users can properly dispose of reports when done with them. Shred material before letting it out for recycling. If you use outside services for document destruction, make sure they don't end up on a beach somewhere or on a movie set!
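To make the unique-identifier, protection-by-default, and keeping-track tips concrete, here is an added Python example (not code from the article or from APS Group) of a small record store that denies everything not explicitly granted, refuses blank or shared user ids, logs reads as well as writes, and can answer an access request's “who else has seen it” from that log. The class, method names, and the in-memory store are hypothetical.

```python
from datetime import datetime, timezone

class AccessDenied(PermissionError):
    """Raised for any access the record's ACL does not explicitly allow."""

class ProtectedStore:
    """In-memory record store that is closed by default and logs every access."""

    def __init__(self):
        self._records = {}   # record_id -> dict of fields
        self._acl = {}       # record_id -> {user_id: set of allowed actions}
        self.audit_log = []  # one entry per access attempt, allowed or denied

    def _log(self, user_id, action, record_id, allowed):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "user": user_id,
            "action": action, "record": record_id,
            "result": "allowed" if allowed else "denied",
        })

    def _authorize(self, user_id, action, record_id):
        # Blank or shared accounts defeat individual accountability: refuse them.
        if not user_id:
            self._log(user_id, action, record_id, False)
            raise AccessDenied("a unique user id is required")
        # Protection by default: nothing is allowed unless explicitly granted.
        allowed = action in self._acl.get(record_id, {}).get(user_id, set())
        self._log(user_id, action, record_id, allowed)
        if not allowed:
            raise AccessDenied(f"{user_id} may not {action} {record_id}")

    def create(self, user_id, record_id, fields):
        """Create a record; only its creator may read or change it until others are granted."""
        if not user_id:
            raise AccessDenied("a unique user id is required")
        if record_id in self._records:
            raise KeyError(f"{record_id} already exists")
        self._records[record_id] = dict(fields)
        self._acl[record_id] = {user_id: {"read", "write"}}
        self._log(user_id, "create", record_id, True)

    def grant(self, granting_user, record_id, user_id, actions):
        """Extend access to another user; needs write access on the record."""
        self._authorize(granting_user, "write", record_id)
        self._acl[record_id].setdefault(user_id, set()).update(actions)

    def get(self, user_id, record_id):
        """Read a record; the read is logged even though nothing changes."""
        self._authorize(user_id, "read", record_id)
        return dict(self._records[record_id])  # copy, so callers cannot edit unlogged

    def update(self, user_id, record_id, fields):
        """Change fields of a record; requires write access."""
        self._authorize(user_id, "write", record_id)
        self._records[record_id].update(fields)

    def who_has_seen(self, record_id):
        """Answer an access request's 'who else has seen it' from the log."""
        return {e["user"] for e in self.audit_log
                if e["record"] == record_id and e["action"] in ("read", "create")
                and e["result"] == "allowed"}

# Constructed sample: a clerk files a customer record and grants an auditor
# read-only access; anyone else is refused and the refusal is logged.
def demo():
    store = ProtectedStore()
    store.create("clerk01", "cust-1001", {"name": "A. Customer", "balance": 100})
    store.grant("clerk01", "cust-1001", "auditor02", {"read"})
    store.get("auditor02", "cust-1001")
    return store
```

The audit log itself holds personal identifiers, so it needs the same protection as the records (the sidebar's reminder about log files).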