PrivaTalk - January 2003

PrivaTalk

January 2003
Volume 3
Issue 1

“The Privacy Payoff” – Timely Advice for Business

“The Privacy Payoff: How Successful Businesses Build Customer Trust”, written by Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario, and Tyler Hamilton, a technology reporter and columnist for the Toronto Star, is a must-read for organizations struggling with whether to do anything about privacy and what exactly to do.

It is useful to place this book on the privacy spectrum, a concept originally introduced by Dr. Alan Westin, President of Privacy and American Business. There are the Privacy Fundamentalists on one end of the spectrum who reject offers of benefits in exchange for personal information, who want only opt-in and seek strict legislative privacy rules; the Privacy Unconcerned on the other end of the spectrum, who are comfortable giving their information for almost any consumer value; and the Privacy Pragmatists somewhere in the middle, who ask what’s the benefit to them, what privacy risks arise, what protections are offered and figure out whether they trust the company or industry to apply those safeguards and to respect their individual choices.

The Privacy Payoff does sometimes swing slightly to one end of the spectrum or the other; overall, however, it most definitely aligns with the Privacy Pragmatist approach. How to create conditions of trust for the Privacy Pragmatists is a challenge for businesses and lawmakers alike, and The Privacy Payoff does an excellent job of helping organizations do exactly that, albeit with a few more acronyms than necessary.

Although the book’s subtitle suggests a business theme, the book looks into building trust in all transactions, including those between government and citizens. Cavoukian and Hamilton persuasively argue that a new kind of trust is essential to success in today’s on-line world. The keys to gaining this trust are information management techniques that include privacy and security protections.

To make their point, Cavoukian and Hamilton have grounded some basic theoretical ideas in practical tips and strategies. Interviews with leading chief privacy officers in industry and government back up the tips. The most interesting interview may be with Zoe Strickland of the U.S. Postal Service who, as the chief privacy officer of U.S. mailing addresses, has one of the most difficult jobs in Washington, D.C. Strickland offers good advice, such as mapping data flows and policies. She also suggests using technology to audit the security and proper use of information.

Cavoukian and Hamilton devote several chapters to the specifics of technologies that can accomplish this goal. The result is a nice mix of basic technical information for the policy audience and a full education in policy concerns and solutions for the technological audience. The authors also identify the broader advantages to tracking data flow: “Getting a solid and comprehensive handle on data flow and information systems will help an organization identify inefficiencies, discover misplaced or inaccurate data, flush away useless data and detect potential problems – well beyond privacy – that could lead to a better-run, more profitable business”.

As many of us know, lots of information being collected on the Web is nonsense. Upset at being asked for too much information, people lie – one estimate is that 40 per cent of consumers are giving false information. Companies then base their strategy and specific marketing thrusts on that false information. The authors insist people will give accurate information if the request is reasonable and consumers view it as being in their interest. Privacy rules, therefore, can enhance rather than detract from data collection by ensuring that the data are relevant and accurate.

In discussing opt-in versus opt-out consent, the authors state: “Many marketers worry that positive consent may become a widely accepted standard; they fear that it will hurt their business. It stands to reason that if a consumer wants to hear more about a product or service, this consumer will ask to receive information about it”. In reality, when marketers ask whether a consumer who has already purchased a product would like to receive information on other products by the same retailer or manufacturer, opt-in consent will in all likelihood result in marketers having a shorter marketing list than they would with opt-out. As with all other topics covered in The Privacy Payoff, the authors do ultimately suggest a balanced approach, using opt-in when it’s truly needed, either when dealing with more sensitive information or when sharing the information with third parties – a practice that could offend the customer.

The authors acknowledge that a company will likely need the assistance of lawyers, consultants or “privacy architects” in managing data flows and implementing privacy rules, but there is also a great deal that a company can do itself. Finishing with a bang in their last chapter, “Where to begin: An Action Plan for Business”, the authors offer invaluable advice supported by relevant case studies.

The book is timely – with federal privacy legislation that will take full effect in a year, many businesses will use 2003 to bring their information-handling practices into line with privacy principles. Overall, the authors offer a comprehensive, easy-to-read guide to the technological, legal and philosophical issues surrounding privacy, and a staunch argument that businesses should view this as an opportunity.


A Glance at PIPEDA Complaints in 2002

Of the 69 reported 2002 decisions on the Federal Privacy Commissioner’s Website dealing with complaints under the Personal Information Protection and Electronic Documents Act (PIPEDA), 34 are in relation to privacy complaints against banks (almost 50%), whereas about 22% (15 of the 69) involve complaints against telecommunications companies. Complaints relating to the failure of a company to provide adequate or timely access to the complainant’s personal information made up 14 of the complaints, while the others were related to improper disclosures, lack of consent or other violations of the legislation.

Based on the website reports involving banks, PIPEDA, as interpreted and applied by the Commissioner, requires a bank to:

- Provide access to personal information in an understandable format within the statutory deadline;
- Comply with PIPEDA’s access provisions regardless of the expense;
- Revise or develop document retention and destruction policies;
- Implement measures for specifying the purposes for which they collect information, including training staff; and
- Disclose an individual’s personal information in a manner consistent with its stated practices, the terms of a confidentiality agreement, or with the consent of the individual.

It is clear from the reports that the Commissioner is quick to throw out complaints as “Not well-founded” if the facts warrant doing so – such as when a complaint is being filed with the Commissioner simply to spite or attempt to make life difficult for an organization.

In August 2002, Mathew Englander became the first person to sue under PIPEDA. Englander was among the first to file a complaint under the new legislation in January of 2001 when the law came into effect. A Vancouver lawyer, Englander took issue with Telus Corp., claiming the telecommunications company discloses the names, addresses and phone numbers of its customers in its White Pages and directories without their consent. Englander also objected to the fee Telus charges to customers who want to keep that information unlisted.

But Canada’s Privacy Commissioner, George Radwanski, didn’t see much merit in Englander’s case. He found that Telus’ actions passed the Act’s reasonable person test, which states the “collection, use and disclosure of personal information must be limited to purposes that a reasonable person would consider appropriate in the circumstances”. Undeterred, Englander exercised his right under section 14 of PIPEDA and has applied for a federal court hearing on the matter.

We should see even more activity at the Federal Privacy Commissioner’s office in 2003 as Canadians become increasingly aware of their privacy rights. The Federal Privacy Commissioner will want to see the provinces introduce their own substantially similar legislation in 2003 though – without it, come 2004, the Federal Commissioner will be flooded with complaints regarding the activities of businesses that are not federally regulated, even if just operating within a single province.


Provincial Privacy Laws – What Can We Expect in 2003?

The Ontario government’s failure to bring in new privacy legislation for the private and health-care sectors before the legislature rose in December didn’t come as a surprise to many stakeholders who have seen one delay after another since the Ministry of Consumer and Business Services first consulted the public about privacy legislation in the Summer of 2000. Ontario’s Information and Privacy Commissioner, Ann Cavoukian, stated in a rather harsh letter to Premier Ernie Eves that it is “particularly distressing” that protections haven’t been put in place and accused the government of breaking a crucial promise. She stated: “I am deeply disappointed with this failure to take action.” Minister Tim Hudak was set to introduce the Privacy of Personal Information Act, a draft version of which has been posted on the Ministry’s website since February of 2002. The legislation would have provided Ontario residents with comprehensive privacy protection by covering the commercial, not-for-profit and health sectors. The scope of the proposed Ontario law was much broader than its federal equivalent – the federal Personal Information Protection and Electronic Documents Act (PIPEDA) only applies to commercial activities and the cross-border trade in personal information.

Cavoukian has said there have been “enormous transgressions” when it comes to the protection of health information in recent years. While the Prairie provinces have specific health-related privacy legislation, large parts of the sector in Ontario remain unregulated in terms of privacy.

If a province introduces “substantially similar” provincial legislation and that legislation is in force by 2004, the provincial legislation and not PIPEDA will apply to activities within that province. Ontario was the first to announce that it would introduce its own legislation to keep the feds out. A spokesman for Hudak said the government “is still committed” to the legislation but simply ran out of time this Fall. If that’s true, we may see the legislation revived in the Spring of 2003; however, given the likelihood of an election and the broad-reaching impact of the privacy legislation on a number of industries, the Ontario government may shy away from bringing it back. Time is also running out because the government would need to, before 2004, give businesses time to comply before the law took effect and would also have to leave time for Industry Canada to make the determination on substantial similarity.

Meanwhile, the Western provinces, B.C. and Alberta, are working very closely together in drafting a privacy law for the private sector, in response to PIPEDA, which they hope to introduce in their respective legislatures in the Spring of 2003. The bills will be very similar although they will be different in at least one respect: Alberta’s Health Information Act already protects health information, so Alberta’s general privacy law would not cover health information. The Western provinces hope that other provinces will follow their model privacy law which they plan to be short (perhaps 25 pages with few regulations) rather than the Ontario approach (over 150 pages with many regulations). B.C. and Alberta have met and are continuing to meet with Industry Canada regarding their plans for provincial laws in order to ensure that they are developing “substantially similar” legislation.

So although Ontario aimed to be the first to introduce made-in-Ontario privacy legislation and seemed far ahead in 2002 of the other provinces, the Ontario government has lost momentum, and we will likely see the Western provinces take the lead in 2003.


The Final Round – Australian Privacy Laws Apply to Small Businesses

As of December 21, 2002, most Australian companies whose business is primarily in handling or selling personal information will be covered by the Privacy Act. Businesses with an annual turnover of more than $3 million have been subject to the privacy law for the past year. Small businesses are generally not covered by the new Privacy Act, an issue causing headaches for Australia’s Attorney-General because this exemption has resulted in the European Union rejecting Australia’s privacy laws as not complying with its directive on data protection. However, as of December 21st, a small business that is a health service provider, trades in personal information, is related to a business with an annual turnover greater than $3 million, is a contractor to Commonwealth agencies or pays others to collect information, is obliged to comply with the law.

The work needed to comply with the laws can be extensive. Small businesses covered by the Act need to review how they handle personal information, including how they collect, use and disclose personal information and how they keep it secure. In practical terms, complying with the Australian Privacy Act is likely to mean:

- Telling people you collect personal information and what you will do with it;
- Only using personal information about people in ways that they might expect;
- Not passing personal information on to third parties without telling people;
- Giving people the chance to see any information you hold about them if they ask;
- Keeping personal information safe; and
- If people ask, telling them how you handle personal information in your small business.

Under the rules, an affected organization must also have a person in charge of privacy issues. All of these obligations are set out in the National Privacy Principles incorporated into the Act. The Act exempts employment records where information about employees is only used for employment purposes. Thus, if employee information is the only personal information held by an Australian company then there are probably no obligations under the Privacy Act.

Australia’s Privacy Commissioner, Malcolm Crompton, has, to date, been focusing largely on educating businesses about compliance. However, judging from the fact that the number of complaints that the Commissioner’s office has received over the past year has quadrupled, there will likely be a shift of focus towards enforcement in 2003.

Meanwhile, people wanting to see their health records will be able to rely on a single set of rules under a proposed national health privacy code released in December. The code sets out 11 health privacy principles. They include rules on when information may be collected, how it should be used, maintained, shared and stored, who should have access to it and how to handle the closure of a health records keeper. There are also rules that limit the ways people may be identified on their records. The principles say people should be allowed to remain anonymous where practical.

The proposed code has come from a working group set up by all of the nation’s federal, state, and territory health ministers. The proposed HealthConnect database, a national system for centralizing and sharing health records, was one reason for the code. The increasing difficulty of distinguishing between private and public health records was another. The discussion paper states that it was sometimes hard for health providers to tell what rules they should follow, so consistent rules across the nation are critical. Submissions on the new code are due by April 18, 2003.

Further details on the recent privacy legislation developments in Australia can be found on the Commissioner’s website at http://privacy.gov.au/.


How Canadians Feel about Giving the Government Personal Information On-Line

The results of a survey conducted in August 2002 by Leger Marketing were recently released and found that about two-thirds of Canadians believe it is unsafe or very unsafe to go on-line to give governments key information such as annual income and credit card numbers. Forty-five per cent of respondents in the survey said it was unsafe, while 22 per cent believed the practice was very unsafe. On the flip side, 20 per cent thought it was safe and 7 per cent said it was very safe.

Regionally, 33 per cent of Ontarians believed it was safe or very safe to use the Internet to provide governments with important financial information. Other provincial breakdowns along the same lines were: the Atlantic provinces, 26 per cent; British Columbia, 25; Alberta, 24; Quebec, 20; and Manitoba and Saskatchewan, 18.

The poll of 1,501 Canadians is considered accurate within 2.5 percentage points, 19 times out of 20. Predictably enough, younger respondents in the poll felt much more at ease than their elders in giving out such information. Forty-two per cent of people under 25 thought it was safe or very safe. The numbers then kept dipping as the ages rose. They reached their low with only 7 per cent of respondents 65 and over saying it was safe or very safe to provide sensitive financial information to governments on-line.

Although such information is often collected on secure, encryption-protected Web pages, the overall numbers may reflect a lack of knowledge of the technology involved, or that people are afraid that those managing these tools aren’t necessarily focusing on protecting the information. It’s not surprising that Ontarians seem the least worried about giving out on-line information such as bank account numbers, because there would likely be more confident technology-comfortable users in Ontario.

Note that 48 per cent of the 1,501 Canadians polled said they had used government on-line services in the previous 12 months. That level put Canada in seventh place in a 31-country international survey. Sweden topped the list, at 57 per cent, followed by Norway, Singapore, Denmark, the Faroe Islands and Finland.

The survey results seem to suggest that the convenience of dealing with the government on-line may outweigh concerns regarding on-line security and privacy for many Canadians.


The Federal Government’s Plans to Use Face-Recognition Technology

The federal government is launching a pilot project using face-recognition technology for passport applications. The government is accepting tenders for a system that can check the identities of applicants within an existing database of passport holders. The project is aimed at preventing terrorists and other criminals from using falsified Canadian passports.

The International Civil Aviation Organization, which has been looking into biometrics for more than a decade, has asked Canada to explore options including fingerprints, retinal scans and facial recognition. The goal is to ensure that the person who applies for a passport is actually the person he or she claims to be.

The tender, issued on behalf of the Passport Office, says the technology must be able to compare about 19,000 photos per day against two databases now containing about 100,000 photos and three million photos respectively. This will grow to about 11 million photos within three years. The searchable database will eventually contain the electronic photo of every man, woman and child whose face appears in a passport file.

For the first time, federal officials will be able to scan photos quickly to check whether an image is attached to more than one name. The Passport Office will initially use the database in-house to secure the issuing process, but it could also eventually allow faces photographed for passports to be checked against terrorism watch lists, police wanted files and other databases.

The Federal Privacy Commissioner has questioned the practical need for such technology, and has stated on numerous occasions that no one has been able to show how biometric identification would have prevented the September 11th terrorist attacks or would prevent future attacks. However, in the context of issuing passports, the connection between face recognition technology and enhanced security couldn’t be clearer. The challenge lies in ensuring that the technology is not overused such that privacy is unnecessarily compromised for an apparent increase in security.

The Passport Office is currently putting existing hard-copy photos into the database as digital files. Starting next spring, it will require new applicants to submit digital photographs. The new U.S. Border Security and Visa Reform Act requires all visitors, including Canadians, to have biometric-capable travel documents by October 26, 2003. If this pilot project is successful, the new passport technology would help meet that obligation.