PrivaTalk - July/August 2004
Volume 4, Issue 4
Ontario Court Releases New PIPEDA Decision
The Ontario Superior Court of Justice recently issued a decision, Ferenczy v. MCI Medical Clinics, interpreting PIPEDA in the context of video surveillance.
One of the first decisions to interpret the consent provisions of PIPEDA since the statute came into full effect on January 1, 2004, the decision sheds some light on how the courts will deal with PIPEDA in the future.
The need for clarification and guidance from the courts is well summed up by the Ontario court’s concluding remarks: “The [broad] wording of [PIPEDA] leaves a lot to be desired in terms of clarity and usefulness.”
Indeed, businesses across all industries have been concerned about what impact PIPEDA might have on their business practices. This decision, at least, seems to answer insurance companies’ question on whether or not PIPEDA will affect their claims investigation practices (e.g. the ability to order video surveillance of claimants).
This case involved a medical malpractice lawsuit against a doctor for his diagnosis and treatment of the plaintiff’s left wrist. At trial, the plaintiff testified that it was very difficult for her to grip a cup with her left hand. The defendant sought to introduce video surveillance evidence, taken by a private investigator the defendant hired, of the plaintiff continuously holding a coffee cup in her left hand.
The plaintiff argued, in part, that the taking of the video contravened PIPEDA as it was personal information collected in the course of commercial activity without consent, and as such, the video surveillance evidence is inadmissible.
The Ontario court disagreed with the plaintiff, and held that even if the collection of the evidence violates PIPEDA, the statute does not prohibit its admissibility.
Perhaps the more controversial aspect of the decision is the Ontario court’s conclusion that, in any event, the collection of the video surveillance evidence was not contrary to PIPEDA.
The Ontario court provided the following three reasons:
First, the Ontario court held that the video surveillance evidence was not collected in the course of “commercial activities” because the private investigator was an agent of the doctor and the doctor’s purpose and intended use of the video was to defend himself against the present lawsuit. However, many practitioners have raised concerns with respect to this reasoning given the nature of the dispute, which involved a doctor being sued for his professional (i.e. commercial) activities.
The Ontario court also held that when the plaintiff commenced the lawsuit, she gave implied consent to the defendant to collect her personal information insofar as it relates to defending himself in the lawsuit.
Lastly and most interestingly, the Ontario court held that the activity fell under the exception in section 7(1)(b) of PIPEDA, which allows the collection of personal information without the knowledge or consent of the individual where “it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating…a contravention of the laws of Canada or a province.” The Ontario court found that “the laws of Canada or a province” includes the common law, including the law of tort.
It is important to keep in mind that the controversial conclusions reached by the Ontario court may differ from those of the Federal Privacy Commissioner or the Federal Court.
According to Grey Areas (a newsletter published by the law firm Steinecke Maciura LeBlanc), observers have long speculated that the courts will read down PIPEDA, through various interpretive techniques, to reduce the impact of its broad principles and the lack of guidance on how they will be applied to different situations. Even so, the Ontario court’s restrictive reading of PIPEDA in this decision has already stirred up a heated debate among privacy practitioners.
Guidelines for Identity Authentication
Principle 4.7 of PIPEDA states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.2 further stipulates that the nature of the safeguards will vary depending on the sensitivity of the information collected, the amount, distribution, and format of the information, and the method of storage. It is clear that organizations must institute reasonable security safeguards to protect against, among other things, unauthorized access and disclosure. But how far do organizations need to go in order to protect against disclosure of personal information to impersonators?
The answer to the above question can be found in a recent decision by Canada’s Assistant Privacy Commissioner, PIPEDA case summary #254.
This case was brought by a mother against her phone company. The mother had recently switched from a regular long-distance service to a calling card protected by a PIN to keep her daughter from running up excessive long-distance charges.
The daughter found the calling card, called the phone company service line impersonating the mother, and obtained the PIN from a customer service representative after correctly providing her mother’s name, telephone number, and date of birth.
To prevent disclosure of personal information to unauthorized persons, the phone company had a policy where forgotten PINs are disclosed to callers only after the callers successfully answer questions that relate to personal information likely to be unknown to persons other than the cardholder.
After balancing the need for cardholders to retrieve forgotten PINs against the need to safeguard the PINs from unauthorized disclosure, the Assistant Commissioner concluded that the phone company’s procedures constitute reasonable security safeguards. However, she found that the questions asked by the customer service representative were inadequate as the answers would likely be known by household members, friends, and even relatives. As such, the Assistant Commissioner felt the appropriate security procedures were not properly applied in this case, and thus found the phone company in contravention of Principles 4.7 and 4.7.2.
The findings of this case are consistent with PIPEDA case summary #137, which involved an estranged husband who used his wife’s cell phone account statement to gain internet access to her cell phone account. Since, in general, only the account holder and the company would know the account information, the Commissioner found that the cell phone company “could [not] have done anything else to prevent a situation in which a husband impersonated his wife to gain access to her [cell phone] account.”
These cases tell us that personal identifiers used to authenticate customer identity, whether they are in the form of questions or account information, should consist of information generally not known to persons other than the customer and the company.
To improve the security procedures for authenticating customer identity without imposing undue inconvenience on the customers or the organizations themselves, organizations should consider following the Assistant Commissioner’s suggestion of involving customers in determining the questions to be asked for identity authentication.
In addition, organizations should remind their employees who deal with personal information of the established safeguard processes. While an obvious step, it is not uncommon to find cases where organizations violated Principle 4.7 despite having appropriate safeguard procedures already in place. For example, in PIPEDA case summary #155, a bank had an established policy of verifying the identity of customers before providing any confidential information over the phone. However, the bank was found to be in contravention of Principle 4.7 after a customer service representative disclosed account information by relying on the call display screen to verify the caller’s identity instead of following the established policy.
New Privacy Guidelines for CRM Released
On May 3, 2004, the Canadian Marketing Association (CMA) and Ontario’s Information and Privacy Commissioner (IPC) jointly released a paper which offers privacy guidelines on CRM (Customer Relationship Management) initiatives.
The paper argues that “building a privacy framework into CRM initiatives is not only a legal necessity in Canada but can play a pivotal role in maintaining customer trust and loyalty, which is the ultimate goal of CRM.”
Studies show that CRM, which involves the collection, use and disclosure of customers’ personal information by businesses for marketing purposes, is currently practiced by the majority of Canadian businesses. “As CRM sophistication increases, so does the need to implement appropriate safeguards for personal information and to abide by customers’ privacy expectations,” the paper states.
Entitled “Incorporating Privacy into Marketing and Customer Relationship Management,” the paper sets out how the CSA Model Code’s 10 fair information practices, appended as a schedule to PIPEDA, can be effectively applied to CRM.
Key guidelines from the paper include:
- Accountability: Designated privacy officers should actively take part in the design and implementation of CRM initiatives and projects.
- Identifying Purposes: Businesses must disclose, as openly as possible, the intended purposes for which personal information is collected (e.g. marketing). To use the collected information for another purpose, customers must be informed of the new purpose prior to its use.
- Consent: While opt-out consent is appropriate for less sensitive information, opt-in consent is needed for sensitive information (e.g. financial or health information). In addition, either an opt-out or opt-in consent is required for the disclosure of personal information to a third party for marketing purposes. However, some circumstances may warrant implied consent (e.g. sending out subscription renewals to existing subscribers).
- Limiting Collection: Businesses must limit both the amount and the type of personal information collected to only what is necessary for the identified purposes, and should not be deceptive or misleading about the purposes of collection.
- Limiting Use, Disclosure, and Retention: Personal information no longer required for a CRM’s identified purposes should be destroyed, erased, or anonymized (e.g. aggregated).
- Accuracy: Information in CRM databases should be as accurate, complete, and up-to-date as possible.
- Safeguards: Access to CRM databases should be password-protected, at minimum, and limited to the employees who need access for the performance of their jobs. Businesses should also consider using privacy-enhancing technologies such as encryption.
- Openness: Information about a business’ privacy policies and procedures, written in plain language, should be easily accessible or obtainable by customers.
- Individual Access: Upon request, businesses shall give customers access to their personal information in CRM databases and amend any inaccurate or outdated information.
- Challenging Compliance: Businesses must adopt procedures whereby customers can bring complaints about CRM practices to designated privacy officers.
For current best practices in Canada, you can refer to the privacy policies and practices of leading CRM companies such as Kodak Canada [http://www.kodak.ca] and The Loyalty Group [http://www.arimiles.ca].
Canada’s marketing industry has been significantly affected by PIPEDA, which came into full effect on January 1, 2004. CMA president and CEO Jon Gustavson hopes the guidelines would encourage compliance with PIPEDA.
CMA, the largest marketing association in Canada, has been commended by the Ontario Privacy Commissioner Ann Cavoukian for “[understanding] just how important privacy is to their customers.”
A complete copy of the paper can be obtained from the IPC website [http://www.ipc.on.ca/scripts/index_.asp?action=31&P_ID=15173&N_ID=1&U_ID=0&LG_ID=1].
American Companies Attempt to Manage Privacy Risks Associated with Offshore Outsourcing
U.S. privacy protection ends at the U.S. border and obtaining redress in the U.S. civil justice systems in cases of abuse involving overseas companies is very difficult.
The EU law permits personal data to be sent offshore only to countries whose privacy laws have been deemed to provide equivalent privacy protections and that have been found to have strong enforcement capabilities.
Bills are pending in several states that would prohibit overseas outsourcing where personal information is involved. At the federal level, the co-chair of the congressional Privacy Task Force has been a prominent advocate of extending privacy protections to offshore service contracts.
Few legal restrictions exist on financial service companies sending customer data to foreign countries. Financial institution customers may not opt out of these information transfers to nonaffiliated service providers if the transfer is for a purpose described in section 502(e) of the Gramm-Leach-Bliley Act (GLBA). For example, the opportunity to opt out does not apply where the information transfer is to: (1) service or process a financial product or service that the customer requested or authorized; or (2) maintain or service the customer's account.
However, GLBA does provide important protections that cover both domestic and offshore outsourcing. GLBA establishes affirmative and continuing obligations on financial institutions to respect customer privacy and protect customer personal information against reasonably foreseeable internal or external threats to its security, confidentiality, and integrity. The Federal Banking Agencies have extended these obligations to include the monitoring of the activities of those service providers to which financial institutions transfer customer information.
Privacy risks when outsourcing vary by job type. For instance, relatively lower-risk activities include computer source-coding or application development and maintenance, whereas higher-risk activities include any function using personal data, such as call centers or transaction processing. At present, financial institutions are primarily offshoring low-risk IT work in addition to higher-risk, customer database type work, including mortgage servicing and customer-assistance/help-desk services.
Undisclosed third-party contracting arrangements may increase risk in outsourcing relationships. This potential increase in risk occurs regardless of whether the undisclosed third party resides domestically or offshore; however, inherent outsourcing risks may be amplified due to unique country risk when the third party is an offshore vendor. Canadian and American financial institutions that outsource data to domestic vendors should be aware when domestic vendors have in turn subcontracted out that same work to overseas or domestic third parties. This has not always been the case. The May 2004 edition of the American Bankers Association's Banking Journal discusses an instance where subcontracting to an offshore vendor occurred without the knowledge of the financial institution.
Regardless of the industry or jurisdiction, a procedure for examining outsourcing arrangements should be implemented to ensure that adequate controls are in place, or that the service provider has proper procedures and controls to monitor its own outsourcing arrangements. Such a procedure should include: identifying and reviewing contracts between the financial institution and data service providers that allow for subcontracting or subsequent outsourcing to occur; and determining whether subsequent outsourcing has in fact occurred, either as indicated in the contract or outside the terms of the contract.
Canadian and U.S. Companies Differ on Approaches to Privacy
According to a cross-national study released on May 25, 2004, Canadian and U.S. companies have markedly different approaches to privacy.
A joint project of the Ontario Information and Privacy Commissioner and The Ponemon Institute, an Arizona-based think-tank, the study examined the corporate privacy practices of 19 leading Canadian companies and 19 comparable U.S. companies representing a cross-section of industries.
One of the striking differences between Canadian companies and their U.S. counterparts is that over 60% of Canadian companies view privacy as an important part of their companies’ brand or image, while fewer than 20% of U.S. companies hold the same view.
The study suggests that Canadian companies connect “good privacy practices with enhanced customer trust and loyalty to the brand”. In contrast, U.S. companies tend to see “compliance and risk management” as the primary goals of their privacy initiatives.
The study also shows that Canadian companies are outperforming U.S. companies in a number of key areas:
- Canadian companies are far more likely to have full-time privacy officers reporting directly to senior management with sufficient resources to achieve the objectives of their privacy programs.
- 82% of Canadian companies have ongoing privacy training programs and 71% have privacy awareness activities for new employees, compared to 50% and 43%, respectively, for U.S. companies. However, no U.S. companies and a dismal 6% of Canadian companies offer privacy training to business partners.
- Canadian companies are twice as likely to require business partners to comply with their privacy policies. However, the majority of both Canadian and U.S. companies use business contracts that contain appropriate language to ensure privacy protections.
- Canadian companies are more likely to have a formal process in place for customers and consumers to access and correct their personal information and resolve privacy concerns.
- U.S. companies are more likely to share customer information with non-affiliated third parties, more likely to share employee data with affiliates, and less likely to provide opt-out or opt-in choices over secondary use and sharing of personal information.
The areas of greatest weakness for both Canadian and U.S. companies are, according to the study, “the objective measurement of program effectiveness and the monitoring of sensitive personal data collected about customers, target customers and employees”. As outsourcing of data management becomes increasingly prevalent in North America, the study cautions that there will be an increasingly greater need for “data privacy controls, due diligence, and verification”.
The results of the study may be attributed to Canada’s provincial and federal privacy commissioners and the Personal Information Protection and Electronic Documents Act (PIPEDA), a federal privacy law that applies to the private sector. In contrast, the U.S. has no one comprehensive privacy law that applies to the entire private sector. Instead, there are numerous sector- and state-specific laws that apply to businesses operating in the U.S.
Another reason, offered by Ann Cavoukian, Ontario’s privacy commissioner, is the fact that Canadian marketers view privacy as a way to “earn their customers’ respect and trust”, not “an impediment to marketing”.
What Your Company Can Do to Avoid Security Breaches
In two recent U.S. cases involving Tower Records and Barnes & Noble, customers’ personal information was inadvertently disclosed to third parties due to security design flaws in the companies’ websites. Both companies were required to implement appropriate information security programs and in addition, Barnes & Noble was fined $60,000.
Effective information security programs can go a long way in helping companies avoid paying substantial fines to the authorities and even more importantly, the loss of existing and potential customers’ confidence.
The leading information security standards in the U.S. are found in the Gramm-Leach-Bliley (GLB) Safeguards Rule.
Essentially, the GLB Safeguards Rule requires companies to have written information security programs to protect customer information by taking the following steps:
1. Designate one or more employees to oversee and coordinate the information security program.
2. Identify and assess internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, or other compromise of such information, and assess the sufficiency of safeguards currently in place to control the identified risks. This risk assessment, at a minimum, should include all relevant areas of the operation. Typically, employee training and management, information systems, and system failure management are relevant for information security. The following are examples of best practices companies should consider adopting in these areas:
a) Employee training and management
i. Every new employee should be required to sign a confidentiality and security standards agreement.
ii. All employees should be properly trained in basic security enhancing practices (e.g. use password-activated screensavers).
iii. All employees should be regularly reminded of the privacy and security policies in place.
iv. Only the employees who need to have access to customer information to perform their job duties should be given such access.
b) Information systems (includes network, software design, and information processing, storage, transmission, and disposal)
i. Customer information should be stored in a secure area (e.g. electronically stored customer information should be stored on a password-protected or otherwise secure server kept in a physically secure area).
ii. When collecting or transmitting customer information, provide for secure data transmission (e.g. do not transmit sensitive information over e-mail, use Secure Sockets Layer (SSL) when collecting customers’ credit card or financial information).
iii. Customer information no longer required should be promptly disposed of in a secure manner (e.g. shred customer information on paper).
c) System failure management (detection, prevention, and response)
i. In the event of any security breaches, a written contingency plan should be followed.
ii. All software (including anti-virus software) should be updated regularly.
iii. Use procedures and tools, such as passwords combined with personal identifiers, to electronically verify and validate the identity of customers wishing to access their own personal information on the company website.
3. Design and implement safeguards to control the risks identified in step 2, and monitor and test the new safeguards on a regular basis. Third party security professionals or external auditors should be hired to monitor and test the safeguards.
4. Select service providers that can maintain appropriate safeguards and contractually require the service providers to implement and maintain such safeguards.
5. Evaluate and adjust the information security program based on step 3 or any changes to the operations or business arrangement.
The above steps can serve as useful guidelines to Canadian and U.S. companies in all industries, not just U.S. financial institutions, in developing, implementing, and maintaining information security programs.