PrivaTalk - July 2001
Volume 1
Issue 6
Complaint to the Privacy Commissioner on Access to Credit Scores
In mid-June, the Privacy Commissioner of Canada, George Radwanski, instructed the Toronto-Dominion Bank to release a credit score to one of its customers, who had specifically requested to see her score. The customer filed a letter of complaint with the Privacy Commissioner in February, a month after Canada’s Personal Information Protection and Electronic Documents Act (the Act) came into force. At that time, many Canadian banks argued that credit scores were exempt from the requirement to provide access on the basis that the information is “confidential commercial information”, an exemption found in s. 9(3)(b) of the Act.
Credit information is gathered by credit reporting agencies, called credit bureaus in the United States. When you apply for a loan or mortgage, a lender first turns to a credit reporting agency, of which there are only two major ones in Canada: Equifax Canada Inc. and Trans Union of Canada, Inc. Governed by provincial and federal laws, these companies store and maintain credit information about individual Canadians for use by members of the credit reporting agency. These members include banks, financing companies, auto leasing companies, credit card companies, retailers, etc. Federal and provincial laws are very specific as to who can review your file and for what purposes. A credit reporting agency may only provide a copy of your file when the request relates to the extension of credit, collection of a debt, housing rental, an application for employment or for insurance purposes.
While there are many kinds of credit scores, the most frequently used are credit bureau risk scores, commonly called FICO scores, based on a scoring model developed by Fair, Isaac, an international private company. Such a score only looks at information in a credit report including payment history, outstanding debts, credit history, new credit (whether the individual is taking on new debt), the type of credit (diversity is positive) and public records (court judgments such as liens or bankruptcies are strong negatives). Although not incorporated in the FICO score, lenders may consider many other factors when making a credit decision and incorporate these into their credit score formula, including income, marital status, age, length of time in a residence, and other information based on identified patterns that have been correlated to credit risk. Also, the importance of the score and the definition of a good score will vary with the type of loan (mortgage, credit card, auto) and the individual lender.
Credit scores change whenever information in the report is updated – if a loan is paid off, for example, or a mortgage is added. Keeping the report up-to-date is not the responsibility of the credit reporting agency but of the individual who the report is about. It’s a good idea to check your credit file once a year for discrepancies. Upon request, every credit reporting agency, by law, must give you a complete, accurate report of everything in your file. The reports are prepared in easy to understand language, without all the jargon and rating codes only a lender would understand. The credit reporting agency has an obligation to correct any incorrect personal and credit data.
Up until the introduction of the federal privacy law, there was no similar obligation for a bank to provide credit scores. In an interview with the Financial Post, Mr. Radwanski made it clear that although banks have the right to compile or keep a score to assess creditworthiness for loans, now consumers also have the right to access their credit score information and “at little or no cost within a short period of time”. Regardless of how forceful Mr. Radwanski might be, the reality is that he has no order-making powers under the Act. Thus, although the Commissioner has broad powers to investigate complaints, at the end of the day he can only issue a report of findings and recommendations. The issuance of a report does not necessarily result in access – the recommendations may be ignored and there are no sanctions against organizations for failing to adhere to the Commissioner’s recommendations. However, the complainant or the Commissioner can go to the Federal Court to get an order compelling an organization to correct its practices.
It's not just access to the credit score that banks should be providing – the requestor needs to know how the score was produced in order for the access to be meaningful. The number doesn't mean much to the consumer without some accompanying explanation of the main considerations influencing a particular score. The scoring model is indeed a mathematical formula that is proprietary information; however, it is possible to discuss the information that influences the final number. The Canadian privacy law specifically states that “the requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided”.
How the complaint against TD Bank will be dealt with is yet to be seen. A number of lawyers and legal academics recently endorsed a letter to Mr. Radwanski criticizing him for planning to keep information about his private sector investigations secret. Given the difficulty with terms in the legislation such as “explicit consent” and “sensitive data” that are wide open to interpretation, the Commissioner’s interpretations would provide valuable information to the private sector. The Commissioner responded that he now plans to make the results of his investigations public, but will have to find a way to ensure that the identities of those subject to the investigation are not inadvertently revealed.
The more businesses know about the types of complaints being pursued and how they are being handled, the better position they will be in to assess their own compliance initiatives.
The Right of Access to Personal Information
Individuals will now have the right to access personal information in the hands of organizations that are subject to the Personal Information Protection and Electronic Documents Act. The Act sets out mandatory procedures to follow when providing access, with very limited exceptions. Access to information is only the first step. People are also entitled to know what use has been made of their personal information, and to whom it has been disclosed. Further, if the information is inaccurate or incomplete, a person can require the organization to correct it.
The right of access is a fundamental component of privacy and any privacy law. Giving a right of access is a significant change for many companies, and many see the Act as intruding on the autonomy companies have traditionally enjoyed with respect to information. Indeed, the employee or customer record or file is the property of the organization, but the information contained in the file belongs to the data subject. Thus, an organization must provide access to the information, but the circumstances under which the file is provided, be it viewing the file only on the organization’s property and only under supervision, is the prerogative of the organization.
The following action items can be taken by an organization in order to be truly responsive to access requests in a way that customers and employees will appreciate:
Organize Files
As much as possible, keep personally identifiable information about individuals in one place. Where this is not possible, flag the information to note other files, databases or locations where additional information may be found.
Eliminate duplicate or informal files containing personal information. Where such files are retained, they should be destroyed or their existence identified as part of the personal information held by the organization. Files must only contain information that is necessary for specified purposes.
Source of Information and Sharing of Files
If not obvious, the source of the information should be identified in the file. Also, develop a list of third parties to whom information has been or may have been disclosed, and provide this list when an access request is made. If personal information that has been disclosed to a third party has been amended or updated, and where that information may be used by the third party to make a decision, the organization has an obligation to inform the third party of the change. Identifying all such third parties in advance will greatly expedite this process.
Severing Information in Files and Refusing Access
Procedures should be developed in advance to deal with situations where information in files may need to be severed. For example, severance is needed where the file contains personal information about a third party, or where access to the full record would reveal confidential commercial information, or will threaten the life or security of another individual, or any of the other specific instances listed under s. 9 where information may or must be withheld.
A manager’s opinion about an employee, as stated in a file, is the manager’s personal information. However, even if the manager’s name is removed, it may still be obvious who made the comment. In order to avoid the difficulty with severance and provide the employee with full access to the file, managers should be made aware of the possibility of access such that only language that is appropriate for the employee to see is contained in the file.
Note that if an individual is requesting access to information that has been disclosed to a government institution, for example, for the purpose of law enforcement, the government institution has the right to be informed of the request and to object to access being provided. The exact procedure is set out in s. 9 of the Act.
Thus, at all times, and particularly when an instance arises such as the investigation of an employee or customer, there needs to be communication with all involved in file management to ensure that the files are properly handled.
Charging a Fee for Access
The Act anticipates that only a minimal fee will be charged, if any. Thus, the cost of routine photocopying of files should be absorbed by the organization. However, for larger files, or files involving a great deal of effort to assemble, a fee to cover costs is appropriate.
Accuracy and Correction
Look for inaccurate and incomplete information proactively and develop plans to address this. The information need only be as up-to-date as necessary for the purposes for which it is to be used. In fact, an organization must not routinely update personal information unless doing so is necessary for the purposes. If it is clear that the information is not needed, it should be purged and not updated.
After taking all steps possible to attempt to rectify a file, if a dispute still exists, the details of the dispute must be recorded, and, when appropriate, third parties who have access to the data must be informed that a dispute exists regarding specific information.
Training Employees who Provide Access
It must be ensured that only individuals with a right of access to a file can obtain information in that file. Requests must be in writing, and employees should never disclose personal information by phone unless they are absolutely certain of the identity of the individual requesting the information. The written request for information is itself personal information, so it should be quickly and confidentially routed to the appropriate person.
While the organization is ordinarily required to respond with due diligence to an access request within thirty days, this is not a firm deadline. The organization can extend the deadline for an additional thirty days where fulfilling the request would seriously disrupt the activities of the organization, or where consultations are necessary to respond to the request making the time limit impossible to meet.
By being prepared with access procedures and organized files in advance of receiving a request for access, the disruption to business that can result when such a request occurs can be minimized.
Police Surveillance – Balancing Privacy Rights and Crime Prevention
Various forms of surveillance have assisted crime investigators for decades, but the extent of surveillance and the new technologies being deployed are causing serious privacy concerns. In the States, the FBI’s controversial e-mail surveillance program, formerly known as Carnivore, has been under intense fire from lawmakers and privacy advocates for some time. The software skims online traffic and stores the information the government is allowed to intercept under federal wiretap authority. This article will highlight some of the privacy concerns that are now being caused by surveillance technologies in Canadian provinces.
In February of this year, the Ontario Information and Privacy Commissioner found that the Ontario Provincial Police (OPP) are acting appropriately when using sophisticated surveillance technology to photograph patrons of the province's casinos, if they only scan the faces of suspects and warn all customers that this is being done. The biometric face-recognition system matches faces in casino crowds with mug shots in law enforcement databases. The Commissioner concluded that it was acceptable to do facial scanning in casinos since the OPP wasn't scanning the face of every casino patron. In fact, it was found that only five facial scans were done out of every million customers. The Commissioner concluded that the public must be properly notified of the activity, hence, the casinos now have public disclosure statements describing the surveillance technique.
In Alberta, Calgary Police are proposing to install two surveillance cameras along a busy, noisy and sometimes violent nightclub strip in the city's core in order to cut down crime. Civil liberties groups and some residents worry about the diminished privacy in public places but business owners are quite supportive of the proposition. Calgary is not alone. Many Canadian cities already have or are considering having cameras mounted in public places for safety reasons, for example, at busy intersections. When there are other public interests such as safety at stake, or if the surveillance has the effect of reducing violence and vandalism, these important benefits of the technology need to be balanced with the right to privacy. The question is: How intrusive is the surveillance technique?
The Federal Privacy Commissioner found that similar surveillance cameras installed last month to monitor activity outside a Yellowknife drugstore violated the new private sector privacy legislation. The message was essentially that the private security company should have obtained consent from the entire population before it placed the cameras outside the building! The cameras have since been removed.
While widespread use of surveillance cameras has long been a tool in Europe, Canada has only recently started monitoring public spaces. In an increasingly monitored society, the public is already watched by cameras in the workplace, elevators, bank machines and schools, but many cities have been hesitant to install them on street corners.
In British Columbia, the B.C. Supreme Court recently threw out evidence gathered by the RCMP in a drug investigation because it was seized after police used a helicopter equipped with infrared radar without a warrant. Investigators suspected that marijuana was being grown at a certain site. In a series of flyovers, RCMP photographed the site and used infrared radar, which records heat. In a later raid authorized by a general warrant, police found a large-scale marijuana growing operation. However, the judge said the discovery did not justify the prior unauthorized invasion of privacy. The flyovers together with the use of the intrusive technology were found to be an unlawful search and seizure.
The question of how much personal privacy should be sacrificed for safety is controversial. When it comes to surveillance or investigations by the police or private investigators, the critical question becomes: Does a less privacy-invasive way to achieve the same public good exist? Alternatives to invasive technologies must be explored. As opposed to cameras being installed, could there be more community policing in an area or would this put officers' lives at risk? Would the delay involved in obtaining a search warrant result in justice not being done? If the surveillance or investigation technique is reasonable in the circumstances, appropriate exemptions to consent requirements need to be available in order to support the societal protections we rely upon. These activities often require that personal information be collected without the knowledge of the data subject, and require the sharing of personal information between law enforcement officials.
European Union Calls for Data Protection Contract Clauses
In July 1995, the European Union adopted privacy rules in its Directive 95/46/EC on Data Protection that prohibits the transfer of consumers' private data to countries outside the EU unless those countries have “adequate” privacy protection. This provision of the Directive (Article 25) had the potential to create a data trade barrier by prohibiting EU data from being transferred to the United States. The Safe Harbour provisions were introduced by the U.S. Department of Commerce to bridge the gap between the stricter European privacy rules and the more lenient rules in the United States. They came into effect on November 1, 2000. American companies can voluntarily pledge allegiance to EU privacy laws and engage in data transfers while remaining under U.S. government supervision for compliance. Non-participating companies doing business in EU member states could face prosecution by European regulators, exposing themselves to a much tougher regulatory environment.
The EU announced on June 18, 2001 that it has adopted a set of standard contractual clauses aimed at protecting the personal information of EU citizens when sent outside the EU. If these privacy-protection clauses are adopted by a non-EU nation in an international business agreement, the EU nation will be required to recognize that the company’s data protection procedures offer adequate protection. The clauses are intended for countries not already pledging to abide by the EU’s expectations. Only Switzerland, Hungary and the United States, where Safe Harbor arrangements apply, have privacy protections deemed adequate by the EU.
The new standard contract clauses include a legally enforceable declaration by both the exporter and the importer of data that they will process data in accordance with basic data protection rules, and that individuals may enforce their rights under the contract. The basic data protection rules, as set out in the Directive, state that personal data may only be collected for specified, explicit and legitimate purposes, and the subjects must be informed of the purposes and who is using their data. Also, individuals have a right of access and correction to the data, and to compensation if the information is mishandled. The clauses are not needed where the data subject has given unambiguous consent to the proposed transfer, or where the transfer is in the subject’s best interests.
The United States now has three separate federal laws that protect consumer data: the Gramm-Leach-Bliley Act covers customers' financial information; the Health Information Privacy Protection Act covers medical data; and the Children's Online Privacy Protection Act protects children under 13 from online collection of personal data. However, there is no comprehensive privacy legislation that broadly applies to the private sector as in Canada or the EU.
According to the FTC, as of mid-June, only about 100 American companies had signed up to participate in the Safe Harbor program. Companies are probably waiting to see the implications of not joining, given the effort and expense of conforming with the guidelines.
EU nations will have to look for safe harbour adherence or the contractual clauses when doing business with companies in the United States. Meanwhile, in Canada, private sector privacy legislation that is far more comprehensive than anything in the United States exists and is being phased in. Earlier this year, the EU Working Party did not recommend that the EU Commission find the PIPED Act to be adequate. The Working Party warned the EU Commission to keep in mind the limited application of the law to commercial activities and the long phase-in period before full implementation in 2004, when making its finding about adequacy. It is clear that the Working Party would have preferred privacy legislation in Canada with a broader application and a tighter timeline, and that they are waiting to see if privacy legislation at the provincial level will fill in the gaps.
Thus, American companies have the luxury of being evaluated on a one-by-one basis, whereas Canadian federally regulated companies engaging in commercial activities and thus clearly governed by C-6, are expected to introduce the new contract clauses. The imbalances are hard to ignore. With their judgements on adequacy, and now by working their way into commercial contracts, it's clear that the EU is driving the international agenda on privacy issues by effectively exporting EU privacy law around the world.
Alan Westin’s Testimony on American Privacy Surveys
Dr. Alan Westin, a well known privacy expert in the United States and President of Privacy and American Business, testified before the Subcommittee on Commerce, Trade and Consumer Protection at a hearing entitled: “Opinion Surveys: What Consumers Have to Say About Information Privacy”. This article will provide a brief summary of Dr. Westin’s testimony.
The Subcommittee asked: “Has there been a transformation of the privacy concerns of American consumers in the Internet Age? If so, what are the sources of this development? What do these concerns suggest about legislative choices on privacy protection?”
With respect to whether there has been a transformation of privacy concerns, Dr. Westin answered a most definite “yes”. The reliable surveys within a larger pool of over 100 U.S. privacy survey reports collected by P&AB were first isolated – reliability being determined by examining the content and order of the questions, the representativeness of the sample and the perspective of the sponsors. These surveys show that nine out of ten Americans are concerned about the potential misuse of their personal information, and three quarters of them say they are now "very concerned". Further, a majority of American consumers have become privacy-assertive. They are refusing to give their personal information to businesses when they feel it is too personal, or if they are not sure how it will be used or feel the information is not really needed by the business. Concern about privacy is the single most cited reason Net users give for not making purchases online and non-Net-users give for declining to go onto the Net. These results probably ring true of Canadians as well.
At the same time, however, surveys show that most consumers want the opportunities and benefits of our consumer service and marketing-driven society. With proper notice and choice, more than three out of four consider it acceptable that businesses compile profiles of their interests and communicate offers to them.
When it comes to overall consumer privacy preferences, consumers continue to divide into three basic segments that Dr. Westin’s surveys have been tracking since the early 1990s. These are Privacy Fundamentalists (25%), who reject offers of benefits, want only opt-in and seek strict legislative privacy rules; Privacy Unconcerned (now down to 12% from 20% three years ago), who are comfortable giving their information for almost any consumer value; and Privacy Pragmatists (63%), who ask what’s the benefit to them, what privacy risks arise, what protections are offered and figure out if they trust the company or industry to apply those safeguards and to respect their individual choices. How to create conditions of trust for the Privacy Pragmatists is the challenge for businesses and lawmakers alike. Although we are taking the route of broad legislation in Canada, this distinction is an important one to keep in mind. Legislative initiatives and organizations’ compliance plans must be pragmatic.
Consumers report that their views on privacy do not come solely from what they read or hear in the media, but strongly reflect their own personal experiences and those of family and friends. The higher a respondent's general distrust of institutions and fears of technology, the greater their concerns about privacy.
So, what do consumers want? Systems for informed privacy choices that are implemented and enforced. Organizational surveys in 2000-2001 show that a majority of American businesses have, at last, gotten the message that many consumers will make decisions to assert their interests on the basis of privacy. Surveys of business conduct on and off the Net show most businesses are now adopting meaningful privacy policies, and in public surveys, a majority of consumers say that they think this is happening. Surveys have also shown that a majority of the American public does not favor a European-Union-style omnibus national privacy law and a national data protection regulatory agency.
There are some new issues that P&AB are beginning to test in surveys, for example, whether consumers think that the appointment of Corporate Privacy Officers (CPOs) by companies is a positive development, what consumers want CPOs to do and whether such institutionalization of privacy responsibility in individual firms enhances consumer confidence in such companies.
It is clear that where especially sensitive consumer information is being collected and exchanged, in the financial and health areas in particular, surveys show the public wants to see legal privacy-protection rules enacted and enforcement actively pursued. Congress has indeed enacted legislation for both types of information. Surveys showing overwhelming Net-user hostility to spam may lead Congress to pass anti-spam legislation this session. Similar survey results showing strong public opposition to the use of genetic information for employment or health insurance purposes suggest that legislation may come into play in the U.S. to deal with these concerns.
Dr. Westin concluded that the work of this decade, among survey researchers and U.S. Congresspersons alike, is to discover what will persuade the Privacy Pragmatists that there exists the right blend of business initiatives and legal oversight for good consumer information relationships with business. Hopefully Canada can achieve that blend through broad federal and provincial privacy legislation, without the confusing patchwork of sector-specific privacy legislation that is developing in the United States.
Peer-to-peer networks – From Security Threat to Privacy Haven
Peer-to-peer (p-to-p) networks are designed to bypass large servers and put one user's computer in direct connection with other computers. P-to-p is nothing new – when modems were first introduced to computer users, all connections were p-to-p and used for messaging and file exchange.
The difficulty with p-to-p is its lack of security. It hasn’t evolved to a point that allows groups to transparently communicate on both sides of the firewall. Many p-to-p technologies demand special ports to be opened in a firewall, thereby leaving organizations vulnerable to hackers. Moreover, the lack of a centralized server, through which a company can control communications and secure mission-critical data, has caused much reluctance to p-to-p. Hybrid solutions are becoming popular, where the best of p-to-p technologies are married with a number of client/server variations, so as to have a server-to-server approach. Users can manage, access and exchange content across distributed servers using p-to-p protocols.
While the legal actions taken against companies offering file trading p-to-p services such as Napster have taken a toll on the industry, some Net programmers are focusing on improving p-to-p by building a wholly anonymous, virtually untraceable way of communicating and trading files online. Chief among these is an open-source project called Freenet. Freenet acts like a network that exists in parallel to the Internet, where information is stored, cached, and distributed on demand. However, unlike the Web, this is a true p-to-p infrastructure and information is not stored at fixed locations or subject to any kind of centralized control. In the true p-to-p spirit, Freenet draws solely on individual computers to host content and relay messages around the Net. Content can be uploaded and downloaded without any way to track who created a given "site," or to take down a given piece of content once it is in the network. But unlike other such p-to-p systems, Freenet has a built-in method of pushing content between different computers, so that a given file can migrate around the network between different people's hard drives until it is stored near regions where it is most often used. This allows Freenet to be more efficient than the Web, and also allows information to be published and read without fear of censorship because individual documents cannot be traced to their source or even to where they are physically stored. Freenet gives people the ability to communicate online without being tapped, traced or monitored by anyone – whether it be law enforcement officials or record labels looking for pirated MP3s. People who give up portions of their hard drives as Freenet "nodes", or storage centers, can't decode this portion of their drives, so nobody – not even the hosts – can tell just what they're storing at any given moment. These features provide the strong protections against censorship and tracking that have been missing in p-to-p systems to date.
A similar Canadian project called Cryptobox is being developed by a University of Ottawa engineering research team. The Cryptobox developers are concentrating more on ensuring absolutely private communications than on creating a way to publish content free of any censorship. The technology under development would protect communications between computers, allowing people to send instant messages or e-mail that couldn't be read by outsiders. Although e-mail using PGP encryption, anonymous remailers, or other Web services that shield a surfer’s identity are relatively common, Cryptobox users can communicate anonymously without bothering with the complicated steps of today’s encryption technology. Also, encrypted messages have weaknesses – an eavesdropper may be unable to decipher a particular message, but could determine the identities of the two parties communicating. The Cryptobox system uses two-way anonymity, such that the message is broadcast within a stream of fake data, making it difficult to determine whether any messages are being sent at all. The Cryptobox software is scheduled to be released by the end of this year.
It is clear that privacy and security are key issues that are being addressed in the next wave of p-to-p technologies. Further, p-to-p presents opportunities to improve upon the open structure of the Internet and its inherent privacy problems.
