
PrivaTalk

February 2001
Volume 1
Issue 1

The Position of Chief Privacy Officer – Still a New Phenomenon in Canada

Upon experiencing the public relations and legal nightmares that privacy problems can cause, corporate leaders in the United States began appointing chief privacy officers (CPOs) last year, giving them the same status as chief financial officers and chief information officers. Although the job description varies, the CPO generally monitors the company's privacy policies and watches for ways in which the company's use of information invades customers' privacy. The position also involves ensuring compliance with the ever-growing number of privacy-related laws and regulations. The CPO essentially ensures that the company's practices create a secure environment to attract and retain customers.

Because the legal issues are so challenging, most companies in the U.S. hire their CPOs out of the legal/regulatory departments. The challenge is ensuring that the legal expert also understands the technology. The relationship between the CPO and the IT group is critical. Not only must a CPO understand technical security issues, but he or she needs to understand how the IT group treats customer data as it flows through the company's systems.

The Center for Social & Legal Research in the U.S. formed the Association of Corporate Privacy Officers (“ACPO”) in July of last year. The ACPO is a private, non-profit professional association that provides support and services to its members to help guide them in this new field. The ACPO is likely to grow substantially in 2001 as the CPO position becomes more and more popular.

It appears that the sudden interest in appointing a CPO stems as much from fear as it does from the desire to protect customers. DoubleClick Inc., an online advertising firm in New York, provides a good example. DoubleClick brought in a CPO after the FTC and several states started to investigate its data-sharing practices last year. Individuals were complaining about DoubleClick's tracking of Web users by name and then matching the information to a marketing profile database. DoubleClick appointed the CPO to oversee its privacy policies and to educate the public about them.

Stephanie Perrin became the first CPO in Canada in April of 2000 when she joined Zero-Knowledge Systems Inc., a Montreal-based privacy software company. She was formerly the director of privacy policy for Industry Canada’s E-Commerce Task Force. Given that Zero-Knowledge develops software tools that protect personal privacy, it is not surprising to see this company take a proactive approach to the new position – privacy is their business.

In September, the Royal Bank of Canada named Peter Cullen as its Chief Privacy Officer, making the Royal Bank the first in the Canadian financial services industry to have a position that deals exclusively with the use and protection of clients' personal information. Again, with financial information being one of the most sensitive kinds of personal information, we expect the banks to be doing everything they can to reassure the public of a commitment to privacy.

It will be interesting when companies whose businesses are not heavily connected to privacy start appointing CPOs in Canada. In the U.S., for example, Eastman Kodak Company proactively announced its new CPO on January 9, 2001. Privacy consciousness will grow quickly in Canada, as will the realization that dedicating a full-time position to privacy is a clear indication that the company is serious about it.


Creating an Effective On-line Corporate Privacy Policy

In the wake of government regulation and consumer fears, many web sites now have privacy policies explaining how they collect and use personal information gathered from on-line visitors. The problem is that many of these policies are not understandable. Many are full of jargon and littered with legalese that confuse their readers rather than assure them that the company protects personal information. Privacy policies must be written in plain language and clearly convey a company’s information-handling practices and objectives.

Perhaps the most challenging issue is how detailed a company needs to be in their policy. Canada’s new privacy legislation anticipates that businesses will develop and make known a privacy policy that gives effect to CSA International’s Model Code for the Protection of Personal Information. Some of the questions such a policy should answer include:

  • Who within the organization is accountable for compliance with the policy?
  • What type of personal information does the organization collect?
  • How is the information collected?
  • Can individuals opt out of having their information collected?
  • What is the information used for?
  • Who is the information disclosed to and why?
  • Is consent obtained for the collection, use and disclosure of the information and how is it obtained?
  • Is the information relied upon accurate and complete?
  • How is the information secured to prevent loss or unauthorized access?
  • How does an individual access and correct their information?
  • When is the information disposed of?
  • What procedures are in place for individuals to challenge the organization’s information-handling practices?

    It may seem difficult to answer these questions concisely, but it can be done. One reason why many privacy policies are incoherent is that companies with sizable technology infrastructures have difficulty identifying all the information they collect from customers and visitors. For example, last year Microsoft came under scrutiny for violating its own privacy policy when it was discovered that personal data was being collected on a server providing customer support. The collection was in violation of Microsoft’s policy, and Microsoft claimed that they didn’t even know that the data was there. Although the problem was fixed, it was clear that Microsoft’s internal data collection audit was less than comprehensive. It is crucial to develop and follow a privacy compliance plan prior to putting together a privacy policy. A compliance plan involves:

    1. Putting together a privacy team to monitor and respond to privacy-related issues.
    2. Auditing data collection practices across the organization, both on-line and off-line.
    3. Assessing and modifying information-handling practices.
    4. Documenting revised practices and creating a privacy policy.
    5. Training employees and reviewing policies and procedures frequently.

    Typically, an audit is performed by a team of key personnel who come into contact with customer data in the course of their daily activities, such as sales and marketing representatives as well as technical administrators. The result of a properly conducted audit can be surprising. You may be accumulating and storing personal information you don’t use and didn’t even know you had. A simple rule: don’t collect what you don’t need. This rule makes constructing workable privacy policies much easier.

    Regardless of the type of business, the best way to protect your company is to clearly post and diligently enforce an on-line privacy policy. Your policy should be accessible from the site’s home page. A privacy policy that is buried deep within the site and is impossible to find is as bad as no policy at all.

    What should your policy say with respect to the disclosure of personal information to third parties? At one extreme, the kitchen-sink policies where a company throws in anything it could possibly do with the information are not helpful. The other extreme occurs when a company says in its privacy policy that it will never disclose personal information to anyone. That simply isn’t true. An organization will usually release information when compelled to do so by a subpoena or court order. Companies make routine disclosures of personal data to their lawyers, auditors and computer service companies, among others. Telling customers will not scare them off. If anything, a careful and precise description will give a privacy policy more clout.

    Essentially, when addressing how the information is used or to whom it is disclosed, a fine balance needs to be drawn between current practices and future intended uses. Describing only current practices, knowing that future business decisions may require the policy to be rewritten, is risky. Amazon.com got into hot water with angry customers and bad publicity in the fall of last year when it changed its privacy policy from a “no disclosure” rule to saying that it may sell customer information in the future. A lesson can be learned from this: inform visitors to your web site upfront of all the third parties with whom their information may be shared. The reality is that a site is free to disclose the personal information it collects, provided visitors are not being deceived when the information is collected.

    Up until recently, privacy was not an issue that concerned companies when putting together web sites. Now, good privacy practices have become critical to pleasing regulators, web site visitors, customers and business associates. Once a business creates and posts a privacy policy, that policy should be internally monitored and enforced so as to continually reflect the organization’s information-handling practices.

    Ontario’s Proposed Privacy Act – Different Rules across the Country?

    Provinces that enact laws which are substantially similar to the new federal privacy legislation will be exempt from the Canadian law. If a province has not enacted its own privacy legislation by January 1, 2004, the federal law will apply at that time to organizations that conduct business strictly within a province as well. To date, Quebec is the only province that has adopted comprehensive privacy legislation for the private sector and is thus exempt from the Canadian law. In the rest of Canada, privacy protection is sporadic and industry-specific, creating uncertainty for business and a lack of uniform protection for consumers. British Columbia is seriously considering private sector legislation and the Ontario government is currently reviewing the results of a consultation it held between July and September of last year, in which it received submissions by interested parties on the proposed Ontario Privacy Act. The consultation paper can be found on the web site of the Ministry of Consumer and Commercial Relations.

    Here are some of the key differences between the legislation proposed by Ontario and the Canadian legislation now in place:

  • Ontario proposed laws that apply to all organizations, not just those engaged in commercial activities. This means the activities of non-profit organizations, the education system and provincially licensed professions would be caught.

  • Ontario proposed not to incorporate all of the principles of CSA International’s Model Code for the Protection of Personal Information, essentially excluding principles that require the establishment of policies, procedures and staff training. For example, Ontario suggested that it will not incorporate the principle of Openness (requiring organizations to make their information-handling practices and policies readily available), or the principle of Accountability (requiring organizations to designate individuals accountable for the organization’s compliance with the principles).

  • Enforcement provisions proposed include mediation, compliance orders or assurances of voluntary compliance, publicized findings, offences and prosecution. It was suggested that fines of up to $500,000 for corporations or other organizations be imposed on businesses that commit an offence, such as collecting, using or disclosing information in conflict with the proposed Act, or refusing to provide individuals with access to their personal information. By contrast, the Federal Privacy Commissioner will issue findings and recommendations after an investigation or audit, but does not have the power under the legislation to order compliance. The only offences under the federal legislation occur if an organization disadvantages an employee who reports non-compliance to the Federal Privacy Commissioner, if an organization’s records are knowingly destroyed, or if the Commissioner is in any way obstructed in conducting an investigation or audit. A maximum fine of $100,000 could be given for such offences.

    Other interesting proposals coming from Ontario include clarifying circumstances where consent could be implied and giving individuals the right to review personal information collected before the Ontario Act comes into force.

    Ann Cavoukian, the Privacy Commissioner of Ontario, raised two significant concerns with the consultation paper (her submission can be found on the Ontario Commissioner’s web site). Dr. Cavoukian suggested that an enforcement model be based on privacy compliance and not business regulation. Such a model would focus on consultation and prevention, similar to the federal law, as opposed to orders and offences. She also suggested that the CSA Code be adopted in its entirety because the Code does not pose undue burdens on organizations and because consistency with the federal legislation should be achieved.

    A uniform approach enabling consistent interpretation and application of privacy laws in all Canadian jurisdictions is crucial. Inconsistent legislation among the provinces will lead to added uncertainty and expense for business. It will also prevent the objective as stated in the preamble of the federal legislation, being to “support and promote electronic commerce”, from being met. The Ontario proposal will see many revisions yet – hopefully consistency will be achieved and Canada will appear as a united front on the issue of privacy.

    Financial Services Sector Hit with Privacy Laws in Canada and the U.S.

    Financial services companies in the United States and Canada have until July 1, 2001 to comply with the privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act (“U.S. law”). In Canada, financial institutions are subject to the Personal Information Protection and Electronic Documents Act (“Canadian law”) as of January 1, 2001. So what will this mean for firms collecting personal information both in the United States and in Canada, such as American financial institutions with Canadian subsidiaries?

    Because banks are federally regulated, the Canadian law definitely applies to them as of January 1, 2001, but it will not apply to many others in the financial services sector until 2004. The U.S. law applies to all companies offering “financial services”, which is broadly defined to include not only banks, insurance companies and securities firms, but also businesses such as department stores and other retailers that maintain their own credit operations. Those caught by the legislation must implement onerous privacy measures. Violations can be costly.

    The U.S. law draws an important distinction between a "consumer" and "customer”. A "consumer" is an individual who obtains a financial product or service from a company that is to be used primarily for personal, family or household purposes. A "customer" is a consumer who has a "continuing relationship" with the financial services company. This provides a good example of one of the key differences between the Canadian and the U.S. law – the distinction is not made in the Canadian law whereas in the U.S., a financial institution's obligations to a customer as opposed to a consumer are different in some respects.

    Under the U.S. law, a financial services company must post a clear and conspicuous privacy policy. The policy must disclose, among other things, the categories of “nonpublic personal information” (personally identifiable financial information, such as age, gender or transaction history) that might be shared with a third party. The customer has a right to this disclosure at the time the customer relationship is established, whether or not data sharing with a third party is contemplated at that time. However, a consumer, for example an individual shopping for a price quote, would only be entitled to a privacy policy disclosure if the institution intends to share personal information collected about the consumer with a nonaffiliated third party. Opt-out notices are required only if data sharing with nonaffiliated third parties is contemplated, regardless of whether the individual is a customer or a consumer. An opt-out notice allows financial institutions to share personal information with third parties if the consumer or customer has not opted out of the sharing within a reasonable time.

    Unless the U.S. law disclosure and opt-out requirements are observed, nonpublic personal information may not be shared with third parties. There are substantial consequences for institutions that don't or can't comply with the U.S. law. Each violation can result in substantial fines and penalties. The American Bankers Association has estimated that the industry is spending billions of dollars in an attempt to comply with the privacy law. Although penalties for non-compliance could be imposed on a company by the Federal Court of Canada if an application for a court hearing was made, any such penalty or fine would pale in comparison to that given under the U.S. law.

    Unlike the U.S. law, Canada’s privacy law does not distinguish business obligations based on the services provided to an individual. Instead, the Act states more generally that organizations “shall be open about their policies and practices” and that “the knowledge and consent of the individual are required for the collection, use or disclosure of personal information”.

    Privacy protection has always been an important focus of the financial services sector. The challenge arises when the privacy rules under which business is conducted vary around the world. Legislative conflicts in this area are best handled with a uniform standard that meets the requirements of the jurisdiction with the most stringent rules. If this is not feasible from a business perspective, then information management systems need to be in place to keep track of where personal information is collected, who are the subjects of the personal information, and the consents provided.

    Based on the above analysis, it seems clear that an upfront disclosure of information-handling practices through a privacy policy is a must for a financial services company conducting business in Canada and the U.S., regardless of the relationship with the subject of the personal information.


    Survey of Web Sites shows Canadian Businesses are Far from Compliant

    A study was released at the end of last year to determine whether companies are complying with Canada’s new privacy law, the Personal Information Protection and Electronic Documents Act. The study was conducted by Professor Michael Geist and Gabriel Van Loon, a third year law student at the University of Ottawa. A total of 259 sites were studied, the majority of which were of Canadian origin, that is, sites with Canadian corporate owners and a Canadian target audience. 65 of the sites were based outside of Canada but still targeted a Canadian audience. The sites were chosen based on such factors as on-line user traffic surveys and the 2000 Globe and Mail Report on Business listing of top Canadian companies.

    The most appalling finding was that 41% of all sites did not have a privacy policy at all, and in fact 50% of sites of Canadian origin did not have a privacy policy. Although the numbers may have improved somewhat since the survey was released, a month before Canada’s privacy legislation came into force 27% of the sites that collect significant personal information (such as age, salary or address) had no privacy policy. Some sectors fared worse than others. For example, of the Services Group studied (which included telecommunications, legal, real estate, travel agents, airlines, trains and buses), 46% of those sites without privacy policies collected significant personal information.

    Of those sites that did have privacy policies, most were far from complying with the new law. For example, 46% didn’t meet one of the primary obligations of the legislation, that is, stating the purposes for which information is collected. If this requirement isn’t met, neither can the requirement of “knowledge and consent”: if the purposes are not stated, meaningful consent becomes impossible. 40% of sites did not indicate whether they share personal information with third parties, which hardly fits with the requirement that organizations be open about their policies and practices.


    The poor on-line performance of many Canadian companies as identified in this study could mean a combination of two things: many companies are either ignoring the law, hoping to go unnoticed, or are completely unaware of it. Either way, there are enough privacy advocates and concerned Canadians out there to ensure that the Canadian privacy law is put to the test – many businesses are asking for it.


    Taking the Mystery out of Encryption – How PGP Works and Why you Should Use It

    If you send e-mail that is not encrypted, you have to assume that anyone who can observe it in transit, or on any of the mail servers it passes through, can read your messages and your attachments. So why do so few people encrypt confidential business communications? Encryption seems complicated, and many businesses have too much faith in the web of computers that make up the Internet. Those who have had their security breached have probably either considered encryption or now refuse to use e-mail for sensitive communications, needlessly giving up the convenience of e-mail in such circumstances.

    PGP (Pretty Good Privacy) is one of the most popular ways to sign and encrypt e-mail messages. With such a tool, only you and the intended recipient of your messages should be able to read the unscrambled contents of your e-mails and documents. Businesses need to be proactive about securing their communications instead of waiting for problems to occur.

    Cryptography is the science of securing data, using encryption and decryption, such that the information remains hidden from anyone who is not intended to receive it. Encrypting plain text results in unreadable gibberish called ciphertext. The process of reverting ciphertext to its original plain text is called decryption.

    In conventional cryptography, also called secret-key or symmetric encryption, one key is used both for encryption and decryption. This method of encryption is very fast and is especially useful for encrypting data that stays in one place, such as files on your own disk. However, conventional encryption alone, as a means of transmitting secure data, can be quite expensive simply because of the difficulty of secure key distribution: for a sender and recipient to communicate securely using conventional encryption, they must first agree upon a key and keep it secret between themselves.

    Public key cryptography uses a pair of keys: a public key, which encrypts data, and a corresponding private, or secret, key for decryption. You publish your public key to the world while keeping your private key secret. Anyone with a copy of your public key can encrypt information that only you can decrypt and read using your private key. It is computationally infeasible to deduce the private key from the public key. The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely. The need for the sender and receiver to share secret keys via some secure channel is eliminated, since the only key that ever travels is the public key; a private key is never transmitted or shared.

    PGP combines some of the best features of both conventional and public key cryptography. First a session key is created, which is a one-time-only secret key. This key is a random number produced by PGP’s random number generator, which is seeded from unpredictable events such as the movements of your mouse and the timing of the keystrokes you type. The session key is used with a very secure, fast conventional encryption algorithm to encrypt the text. The result is ciphertext. Once the data is encrypted, the session key is itself encrypted to the recipient’s public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient. Decryption works in reverse: the recipient’s copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext.

    The combination of the two encryption methods combines the convenience of public key encryption with the speed of conventional encryption. Conventional encryption is about 1,000 times faster than public key encryption. Public key encryption in turn provides a solution to key distribution and data transmission issues. Used together, performance and key distribution are improved without any sacrifice in security.

    Keys are stored in encrypted form in two files on your hard disk, one for public keys and one for private keys. These files are called keyrings. As you use PGP, you will typically add the public keys of your recipients to your public keyring. Your private keys are stored on your private keyring, protected by your passphrase. If you lose your private keyring (or forget the passphrase), you will be unable to decrypt any information encrypted to keys on that ring, so keep a backup of it somewhere safe.

    What is the best way to get started? Download a free copy of the non-commercial version of PGP from the MIT web site. Once you install PGP, you will be led through the process of creating a private and public key. Next, open your e-mail program and type a message. If you are using a popular e-mail program, additional buttons will already have been added to your e-mail client. As long as you have the public key of the person to whom you intend to send your message, you can quickly sign the message with your private key and encrypt it to the recipient’s public key (PGP signs the plaintext first, so the recipient verifies the signature after decrypting). Once you encrypt the message, you will see undecipherable gibberish on your monitor that tells you the message is encrypted.

    When you receive an encrypted message, you use your private key to unscramble the message and the public key of the sender to verify his or her digital signature. I highly recommend that you learn how to use PGP, and then explore commercial versions of PGP that can be used on a regular basis to exchange documents.
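    The signing and verification step described above, as an added Go example using the standard library (again not PGP’s own code or format). RSA-PSS with SHA-256 stands in for PGP’s signature algorithm; Alice, Mallory and the message text are constructed. It shows the two checks the recipient’s verification performs for them: a message altered after signing fails, and a signature made with someone else’s private key fails against the sender’s public key. In PGP the signature is applied to the plaintext before encryption, so this step sits inside the encryption shown in the previous example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the message and signs the digest with the sender's private key
// (RSA-PSS, SHA-256). Only the holder of the private key can produce this value.
func Sign(sender *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest and checks the signature against the sender's
// public key, which the recipient holds on his or her public keyring. It returns
// false if the message was altered or the signature was made by another key.
func Verify(sender *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(sender, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	// Constructed scenario: Alice signs an instruction; the recipient verifies it.
	aliceKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("Please wire the deposit to account 12345.")
	sig, err := Sign(aliceKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", Verify(&aliceKey.PublicKey, msg, sig))

	// A single changed digit in transit invalidates the signature.
	tampered := []byte("Please wire the deposit to account 99999.")
	fmt.Println("tampered message verifies:", Verify(&aliceKey.PublicKey, tampered, sig))

	// Mallory can sign the same text with her own key, but it does not verify as Alice's.
	malloryKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := Sign(malloryKey, msg)
	fmt.Println("forged signature verifies:", Verify(&aliceKey.PublicKey, msg, forged))
}
```

    The verification result therefore depends entirely on which public key the recipient uses, which is why PGP users take care that the keys on their public keyring genuinely belong to the people they are named after.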