Showing posts with label pipa.

BC auto body shops object to auto insurer's credit-card policy

Auto body repair shops in British Columbia are complaining to the province's privacy commissioner about the public auto insurer requiring that the shops hand over customer credit card information in the course of routine audits.

I wonder whether there's anything in the customer's policy allowing ICBC to collect this information?

Check it out:

Auto body shops take aim at ICBC's credit-card policy

Neal Hall, Vancouver Sun

Published: Monday, August 13, 2007

An association representing auto body shops and automotive glass repair companies has filed a complaint with B.C.'s information and privacy commissioner about having to hand over customer credit card numbers to the Insurance Corp. of B.C.

The United Auto Trades Association of B.C. says disclosure of a customer's personal and financial information during ICBC audits should not be done without a customer's written consent.

The complaint, obtained by The Vancouver Sun, says the disclosure without written consent is "clearly unlawful."

"It's of concern to us," said Gerry Preddy, vice-president of the association. "We've had examples of files being lost [by ICBC]."

The association, in its complaint, cites the federal Personal Information Protection Act, which states: "An organization must not, as a condition of supplying a product or service, require an individual's consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service."

ICBC demands such information during audits of auto body and glass repair shops that participate in ICBC's Glass Express Program to make sure shops are charging the vehicle insurance deductible amount.

"When a customer makes a claim, they are required to pay a deductible," explained ICBC spokeswoman Kate Best, "so repair shops provide ICBC with credit card information to confirm the payment of the deductible."

ICBC's position is that audits of repair shops are reasonable to verify payments, she said.

"The matter is currently before the information and privacy commissioner and ICBC will await the ruling," Best said.

The association says while membership in the glass express program is voluntary -- about 700 businesses and 60 per cent of glass repair shops participate in the program -- shops would suffer a drastic loss in business if they withdrew or refused to hand over the financial information of customers during ICBC audits.

The association made a final submission to the privacy commissioner on July 30, pointing out a recent B.C. Court of Appeal decision "confirmed that the collection and disclosure must be authorized by law."

The appeal court, in its ruling involving Royal City Jewellers & Loans Ltd., struck down a New Westminster bylaw allowing police to collect financial and personal information about people selling or pawning items to second-hand stores and pawn shops. The shops still collect the information but take the position they won't hand it over to police without a court order or search warrant.

Royal City Jewellers launched the court challenge, stating it was an invasion of privacy for law-abiding customers.

Parliamentary review of PIPEDA: Report

The Parliamentary Committee on Access to Information, Privacy and Ethics has just released its report following the five-year PIPEDA review:

ETHI (39-1) — Fourth Report: STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) — Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS - Committees of the House of Commons

The Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS

has the honour to present its

Fourth Report

Pursuant to its mandate under Standing Order 108(2), the Committee has studied a Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and agreed to the following report:

Here are the recommendations:

Recommendation 1

The Committee recommends that a definition of “business contact information” be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose.

Recommendation 2

The Committee recommends that PIPEDA be amended to include a definition of “work product” that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be added to the definition of “work product information” in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.

Recommendation 3

The Committee recommends that a definition of “destruction” that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA.

Recommendation 4

The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 5

The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees.

Recommendation 6

The Committee recommends that PIPEDA be amended to replace the “investigative bodies” designation process with a definition of “investigation” similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose.

Recommendation 7

The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modeled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada.

Recommendation 8

The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment.

Recommendation 9

The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 10

The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein.

Recommendation 11

The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts.

Recommendation 12

The Committee recommends that consideration be given to clarifying what is meant by “lawful authority” in section 7(3)(c.1) of PIPEDA and that the opening paragraph of section 7(3) be amended to read as follows: “For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […]”

Recommendation 13

The Committee recommends that the term “government institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities.

Recommendation 14

The Committee recommends the removal of section 7(1)(e) from PIPEDA.

Recommendation 15

The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard.

Recommendation 16

The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information.

Recommendation 17

The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form.

Recommendation 18

The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time.

Recommendation 19

The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.

Recommendation 20

The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities.

Recommendation 21

The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared.

Recommendation 22

The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (section 9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation.

Recommendation 23

The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.

Recommendation 24

The Committee recommends that upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.

Recommendation 25

The Committee recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a “without consent” power to notify credit bureaus in order to help protect consumers from identity theft and fraud.

Alberta order on consent and withdrawal thereof

A new and interesting Order from Alberta:

Order P2007-003

Two Complainants brought complaints under the Personal Information Protection Act with respect to the collection, use and disclosure of their personal information by International Stereo Ltd., (now operating as Urban Audio Video Inc.) (the “Retailer”). The information had been collected by the Retailer and then conveyed to Wells Fargo Financial Corporation of Canada, so as to permit the latter organization to conduct credit checks for determining whether it would grant credit for buying the Retailer’s merchandise. Although the Complainants signed applications containing clauses consenting to use of personal information for credit checks, they said they had been assured their personal information would not be used in this way. They also said they had been led to believe the cards for which they applied would allow them to get 10% discounts on purchases. As well, one of them complained that his request to withdraw his application had been refused.



The Adjudicator found that the Retailer collected, used and disclosed the Complainants’ personal information in violation of section 7 of the Act (collection, use and disclosure without consent), that it failed to provide adequate notification of the purpose for collection in contravention of section 13, and that it failed to cease collecting, using or disclosing the personal information after consent had been withdrawn, in violation of section 9(4).

PIPA review released in BC

The Special Committee of the BC Legislature reviewing the Personal Information Protection Act has recently released its report:


Media release, Special Committee to Review the Personal Information Protection Act, 4th Session, 38th Parliament, April 17, 2008:

SPECIAL COMMITTEE RECOMMENDS CHANGES TO STREAMLINE B.C.’S PRIVATE-SECTOR PRIVACY LAW

VICTORIA – The Special Committee to Review the Personal Information Protection Act submitted its Report to the Legislature this afternoon. The all-party committee was appointed in 2007 by the Legislative Assembly to review the act that regulates the collection, use and disclosure of personal information by private-sector organizations in the province. During the past year, the committee received 39 submissions.

The key findings from the consultations are that the act seems to be working well overall for private-sector organizations operating in British Columbia, while the public is not as aware of the purpose, rules and scope of the act. The act also aligns with the federal and Alberta private-sector privacy laws.

The report, titled Streamlining British Columbia’s Private Sector Privacy Law, was unanimously adopted by all committee members. The report contains 31 recommendations, including:

  • Making private-sector organizations accountable for personal information they transfer for processing outside Canada
  • Requiring organizations to notify affected individuals of privacy breaches in certain circumstances
  • Banning the use of blanket consent forms by provincially regulated financial institutions
  • Revising consent exceptions to better address business practices in the insurance industry
  • Permitting disclosure of personal contact information for health research
  • Retaining the minimal fee for access to personal information
  • Streamlining the complaints process in the province’s privacy laws
  • Strengthening the Information and Privacy Commissioner’s oversight powers

“Keeping personal information private is vitally important,” said committee chair Ron Cantelon, MLA. “We want to enhance safeguards, but at the same time, balance that goal against imposing unnecessary regulations on business, particularly small businesses.”

The members of the Special Committee to Review the Personal Information Protection Act are:

Ron Cantelon, MLA Nanaimo-Parksville

Harry Lali, MLA Yale-Lillooet

Leonard Krog, MLA Nanaimo

Mary Polak, MLA Langley

John Rustad, MLA Prince George-Omineca

Information about the committee’s work can be found on its website at http://www.leg.bc.ca/cmt/pipa/index.asp, or by contacting the committee chair, Ron Cantelon, MLA, or any committee member.

Alberta faults Ticketmaster for requiring consent to secondary purposes

The Alberta Information and Privacy Commissioner has found that Ticketmaster violated that province's privacy law by requiring that purchasers consent to use of their information by concert promoters. From the Commissioner:

Office of the Information and Privacy Commissioner of Alberta

December 19, 2007

Ticketmaster investigated under Personal Information Protection Act

The Office of the Information and Privacy Commissioner has found that Ticketmaster Canada Ltd (Ticketmaster) contravened the Personal Information Protection Act (PIPA) by requiring on-line customers to consent to the use of personal information for the event provider’s marketing purposes, as a condition of a ticket sales transaction.

The investigation also determined Ticketmaster’s on-line opt-out process did not allow customers to make an informed decision about consent nor did it offer customers a reasonable opportunity to decline or object to the use of their personal information for event providers’ marketing purposes. Ticketmaster’s on-line privacy policy was also found to be complex and ambiguous.

The Complainant went on Ticketmaster’s website, www.ticketmaster.ca, to purchase tickets for an event. During the on-line transaction, the Complainant was unable to proceed with his on-line ticket purchase unless he consented to Ticketmaster’s “Use of Personal Information” privacy statement. The Complainant was particularly concerned with the contents of this privacy statement, which authorized Ticketmaster to share his email address with event providers for the event providers’ marketing purposes.

Ticketmaster agreed to implement the Investigator’s recommendations, which included launching, across Canada, a new on-line and telephone opt-in mechanism for event providers’ marketing communications. This mechanism offers on-line and telephone customers the opportunity to opt in to receiving marketing materials from event providers by checking a box during the on-line ticket purchase process. In conjunction with the new on-line opt-in mechanism, Ticketmaster posted its revised on-line privacy policy with an easily navigable table of contents linking to the appropriate section of the policy.

To obtain a copy of Investigation Report P2007-IR-007, please visit our website at: www.oipc.ab.ca

CBC has some coverage of the story here: CBC.ca Arts - Ticketmaster's online sales violated Alberta privacy law.

Investigator: Employer did not violate PIPA by investigating whether staffer was looking for another job

An interesting investigation report from the Information and Privacy Commissioner of Alberta, in which the investigator found that an employer did not violate PIPA by seeking information about whether a current employee had sought employment with another company:

Office of the Information and Privacy Commissioner of Alberta

April 10, 2007

EPCOR Utilities Inc. found in compliance with Personal Information Protection Act

The Office of the Information and Privacy Commissioner has found that EPCOR Utilities Inc. (EPCOR) complied with the Personal Information Protection Act (PIPA) when it collected, used and disclosed personal employee information without consent. EPCOR’s collection, use and disclosure of the employee’s personal information was also found to be reasonable for purposes of an investigation.

The complainant, an EPCOR employee at the time, took a leave of absence from EPCOR. Shortly thereafter, EPCOR received unsolicited information suggesting the complainant was about to begin work for another company. EPCOR contacted the other company to verify the complainant’s alleged employment there. The complainant complained that EPCOR collected, used and disclosed his personal information without consent.

The Investigator found that EPCOR had collected, used and disclosed the complainant’s personal information to investigate a possible contravention of the complainant’s employment agreement. As such, consent was not required.

Further, the Investigator found that the information qualified as personal employee information under PIPA: the information was reasonably required to manage the complainant’s employment relationship with EPCOR, and consisted only of information related to that employment relationship. The complainant was notified at the time of hire that his personal information could be collected, used or disclosed for investigation purposes. As such, EPCOR did not require consent to collect, use and disclose the complainant’s personal employee information in these circumstances.

For more information about investigation report P2007-IR-004, please visit our website at: http://www.oipc.ab.ca/

What's new from Alberta

There have been some interesting releases from the Information and Privacy Commissioner of Alberta's office:

Order P2007-014

Posted: Mar/19/2008

Adjudicator rules personal information released in contravention of Personal Information Protection Act

An Adjudicator with the Office of the Information and Privacy Commissioner has ruled that the Alberta Teachers’ Association contravened the Personal Information Protection Act (PIPA), when it published an article containing the personal information of former members.

The Complainants filed the complaint when the ATA published their names in a newsletter stating that they no longer were required to adhere to the ATA’s Code of Professional Conduct.

The ATA argued while it had published personal information, it had done so for “journalistic purposes” and that PIPA did not apply.

The Adjudicator determined that PIPA did apply and that the information was disclosed contrary to sections 7 and 19 of PIPA.

Order F2007-026

Posted: Mar/18/2008

Adjudicator finds Alberta Energy and Utilities Board did not disclose personal information in contravention of the FOIP Act

Order F2007-019

Posted: Mar/11/2008

Information and Privacy Commissioner, Frank Work, has ruled that the parents of a student had no legal standing in a complaint over the seizure of their son’s cell phone. The Commissioner says he was not presented with any evidence under section 84 of the Freedom of Information and Protection of Privacy Act (FOIP) that the parents were authorized to act on behalf of their son, nor is there any evidence that the son is even aware of a complaint being made on his behalf.

The parents complained to the Commissioner their son’s cell phone had been seized by school administrators who had accessed photographs contained on the phone.

During an inquiry into the matter, the Commissioner found the evidence did not establish that the parents had standing to make a complaint. The Commissioner also found there was little evidence that the son’s personal information had been collected or used by the school.

Investigation Report P2008-IR-002

Posted: Mar/06/2008

Commissioner releases investigation report on DeVry Institute of Technology, related to discovery of identity theft.

News Release P2008-IR-002

Posted: Mar/06/2008

Commissioner releases investigation report related to discovery of identity theft

News Release: New Video Surveillance Guidelines

Posted: Mar/06/2008

New guidelines set out how companies should evaluate the use of video surveillance that respects privacy rights and complies with the law.

Order F2008-007

Posted: Mar/06/2008

Adjudicator upholds decision not to release Crown Prosecutor records

Order P2008-001

Posted: Mar/06/2008

Adjudicator rules company tried to find applicant's personal information

BC Commissioner's submissions on PIPA Review

The British Columbia Information and Privacy Commissioner has submitted a report to the Special Committee of the British Columbia Legislature to Review the Personal Information Protection Act (BC). The Commissioner's view is that the Act is a balanced and effective law that does not require major changes.

Privacy commissioner raps home improvement retailer for collecting driver's licenses on product returns

The Information and Privacy Commissioner of Alberta has ruled that Home Depot violated the Personal Information Protection Act (Alberta) when it collected and recorded a customer's driver's license information in connection with a product return. The company's policy was that returns of purchases made with a debit card, even with a receipt, are treated as "no receipt" returns and the information is collected. The Commissioner noted that the information would be placed in a database maintained by the American parent company in the United States, which is a disclosure of personal information.

The article on Canada.com quotes a Home Depot spokesperson who says this is no longer the policy as customers thought it to be an invasion of privacy. See: Privacy commissioner raps Home Depot.

Alberta Commissioner upholds cameras in locker rooms at health club

This is likely to spur some interesting discussion:

A complaint was made against the Organization which operates the “Talisman Centre for Sport and Wellness”. The Complainant stated that the Organization had placed overt security cameras in the Talisman Centre’s men’s locker rooms. The Complainant was concerned about a loss of privacy and that patrons of the Centre would be unable to change without being viewed by the cameras.

The Organization stated that the security cameras were installed in 1997 in response to over 900 incidents of theft and property damage during the years 1994-97. The security cameras were installed after all other means to prevent criminal activity had failed. The cameras’ field of vision was restricted to the lockers and had no zoom, panoramic or audio capabilities. The cameras were not actively monitored and a protocol was in place which restricted the viewing of images to instances where there was an incident or reported criminal activity with a case number assigned by the Calgary Police Service. Viewing of the images occurs only in the presence of two senior staff members or by one such member and a police constable. If images are not reviewed they are automatically overwritten in approximately 21 days. After installation of the cameras there was a sharp reduction in criminal activity. As of the date of the Organization’s submission to the Commissioner only 19 images had ever been viewed.

The Commissioner found that due to the history of theft, the attempt to use other measures prior to using security cameras as a last resort, and the fact that the images recorded were only accessed in the event of a criminal incident, that the Organization’s collection of personal information was for purposes that were reasonable, as required by section 11(1) of the Personal Information Protection Act (“PIPA”). However, the Organization’s signage was not in compliance with section 13(1) of PIPA. The Commissioner ordered the Organization to change the signage.

Order P2006-008

Privacy Commissioners Release New Video Surveillance Guidelines

The Privacy Commissioners of Canada, British Columbia and Alberta today have released Guidelines for Overt Video Surveillance in the Private Sector to help businesses consider privacy matters when deciding whether to and how to implement overt video surveillance. (I wonder whether they'll also produce guidelines on covert surveillance?)

From the media release:

Privacy Commissioners Release New Video Surveillance Guidelines

OTTAWA, March 6, 2008 — Private-sector organizations considering video surveillance systems must take specific steps to minimize the impact on people’s privacy, say video surveillance guidelines released today.

The new guidelines set out how companies should evaluate the use of video surveillance and ensure any surveillance they undertake is conducted in a way that respects privacy rights and complies with the law.

These guidelines have been endorsed by Jennifer Stoddart, the Privacy Commissioner of Canada, Frank Work, the Information and Privacy Commissioner of Alberta, and David Loukidelis, the Information and Privacy Commissioner for British Columbia.

“We have seen a dramatic increase in the use of surveillance cameras by private-sector organizations. Many of our day-to-day activities are now captured by these cameras,” says Commissioner Stoddart.

“There are some legitimate reasons to conduct video surveillance, but privacy laws in Canada impose restrictions and obligations when, where and how businesses can conduct this kind of surveillance,” says Commissioner Loukidelis.

“These guidelines make it clear that businesses must carefully evaluate why they are installing video surveillance equipment, and what they will do with the information that is collected,” says Commissioner Work.

The Commissioners say it is disturbing to hear stories about video surveillance operators deliberately pointing cameras to ogle women, as well as surveillance images of people caught in unflattering situations finding their way onto video sharing sites like YouTube and Vimeo.

The new guidelines are aimed at businesses subject to the Personal Information Protection and Electronic Documents Act, or PIPEDA. They are also targeted at businesses subject to the provincial Personal Information Protection Acts in Alberta and British Columbia.

The overarching principle for video surveillance – which stems from the key legal test under the federal and provincial laws – is that it should be used only for purposes that a reasonable person would consider appropriate in the circumstances.

The guidelines state that, in order to limit the impact on privacy, cameras should be positioned to avoid capturing the images of people not being targeted (e.g., someone walking outside a store). As well, cameras should not be used in areas where people have a heightened expectation of privacy, such as washrooms, and through building windows.

The guidelines also say:

  • People should be notified about the use of cameras before they enter the premises.
  • Individuals whose images are captured on videotape should, upon request, be given access to this recorded personal information.
  • Organizations must ensure that video surveillance equipment and videotapes are secured and used for authorized purposes only.
  • Individuals who operate video surveillance systems should understand the privacy issues related to surveillance and their obligations under the law.
  • Video surveillance recordings should be retained only as long as necessary and destroyed securely.

The complete guidelines for private-sector organizations are available at www.privcom.gc.ca, www.oipc.ab.ca and www.oipc.bc.ca. The Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for British Columbia have previously published guidelines for the use of video surveillance in public places by police and law enforcement authorities.

All three privacy commissioners are statutorily mandated to oversee compliance with the Acts and are advocates and guardians of privacy and the protection of personal information rights of Canadians.

Alberta Commissioner Order about journalistic collection and disclosure of personal information

The Information and Privacy Commissioner of Alberta just released a new Order in which he determined that he did not have jurisdiction because the personal information in question was collected and disclosed for journalistic purposes, which are excluded from the purview of the Personal Information Protection Act.

Order P2005-004

Summary: The Complainant alleged that the Organization had disclosed the Complainant's personal information when it published a newspaper article. The Organization argued that the disclosure of personal information in the form of a newspaper article was for journalistic purposes only as provided for by section 4(3)(c) of the Personal Information Protection Act. As such the Act did not apply to the personal information in question. The Commissioner decided that the personal information disclosed consisted of materials written for publication in the media and was therefore collected and disclosed for journalistic purposes only in accordance with section 4(3)(c). The Commissioner, having determined that he had no jurisdiction in the matter, further stated that he had no authority to determine the remaining issue of the inquiry, regarding the allocation of a complainant's burden of proof.

Alberta Commissioner forbids license scanning

0 comments

In a long-awaited decision, the Information and Privacy Commissioner of Alberta has ordered a nightclub to cease scanning driver's licenses. The practice is an unreasonable collection of personal information and is not justified under the Personal Information Protection Act.

From the decision, the Commissioner didn't see the connection between the collection of drivers license information and the supposed purposes for collecting it:

[para 31] From my review of the evidence and the parties’ submissions, I find that, at best, the Organization offers conjecture that collecting driver’s license information of patrons may act as a deterrent to violent behaviour. The Organization did not submit any evidence to establish that collecting the Complainant’s driver’s license information, or that of other patrons, is in any way a deterrent to violent behavior. In addition, it did not provide any evidence regarding the causes of violence in bars or statistics relating to the incidence of violence in bars before and after the implementation of a driver’s license collection program. I draw the inference that the Organization is unable to produce any evidence to draw a correlation between violence, patron safety, and collecting driver’s license information. As a result, the Organization has failed to establish any reasonable relationship between collecting driver’s license information and any of its stated purposes for scanning driver’s licenses. I am therefore unable to conclude that the Organization has a reasonable purpose within the meaning of section 11 when it scans patrons’ driver’s licenses.

[para 32] For these reasons, I find that the Organization did not comply with the requirements of either section 11(1) or (2) when it scanned the driver’s license information of the Complainant, as its collection of personal information is not reasonably related to its purpose....


On the topic of whether putting up a poster results in informed consent:

[para 53] The Complainant’s evidence is that his driver’s license was scanned before he could raise an objection. He had assumed that the Organization’s employee would check his birth date, but she instead scanned the information on the license into a database. The Organization does not challenge the Complainant’s version of events, but points to a poster it has now posted for patrons explaining why it collects driver’s licenses and what it does with them. It argues that this poster satisfies the requirements of section 13(1).

[para 54] As noted above, the poster explains that its collection practice is intended “to encourage our patrons to behave responsibly and deter those who are seeking to ruin your experience with us, from entering the venue.” The poster is not clear about the purposes of the Organization in collecting the information and does not warn patrons that information will be retained for a period of 7 – 10 days or longer by the Organization.

[para 55] I find that the poster is misleading and does not provide sufficient information for patrons to provide informed consent to the Organization’s collection of personal information. In addition, the Organization provided no evidence that the poster was in place when it scanned the Complainant’s driver’s license. In fact, paragraph 8 of the Organization’s affidavit establishes only that the notice was posted on August 24, 2006, the date of the affidavit.

[para 56] I find that the Complainant did not consent to the scanning of the information on the face of his driver’s license, other than to permit the Organization employee to confirm his date of birth. I also find that the Organization did not provide adequate notice to the Complainant of its collection of his personal information. As none of the provisions of 14 apply, and because an individual cannot consent to the unreasonable collection of personal information, I find that the Organization was required to provide notice of its collection and did not. As a result, I find that the Organization contravened section 13 of the Act when it collected the Complainant’s personal information.

The Calgary Sun reports that the owner of the bar is considering appealing and is "furious" about the decision: The Calgary Sun - Bar owner furious after licence checks halted.

Alberta Commissioner's office faults EAP provider

0 comments

Released today from the Information and Privacy Commissioner of Alberta:

Employee Assistance Provider found in contravention of Personal Information Protection Act

The Office of the Information and Privacy Commissioner has found that Wilson Banwell Human Solutions Inc. (Wilson Banwell) contravened the Personal Information Protection Act (PIPA) by disclosing more personal information than was necessary to a complainant's employer. The investigation also determined Wilson Banwell contravened PIPA by disclosing the complainant's personal information to a union for purposes that were not reasonable, and to an extent that was not reasonable.

After failing to pass a drug and alcohol test, the complainant was referred to Wilson Banwell, an Employee Assistance Provider (EAP), for a "return to work assessment." He signed a consent authorizing release of "assessment / treatment summaries" to his employer to facilitate his return to work. The complainant believed Wilson Banwell would limit its report to recommendations arising from the assessment. However, the Wilson Banwell psychologist sent a three-page report to both the complainant's employer and union. The report provided a summary of the clinical interview the psychologist conducted with the complainant, including details of a previous visit the complainant had made to Wilson Banwell on his own initiative, and some personal information of the complainant's wife.

The Investigator recommended Wilson Banwell:

  • revise its "Release of Information" form to clarify exactly what information will be disclosed to a client's employer for return to work purposes, and
  • remind all staff of Wilson Banwell's policies respecting written consent, and the requirement to disclose only the least amount of information necessary for reasonable purposes.

Wilson Banwell agreed to implement these recommendations.

For more information about investigation report P2007-IR-001, please visit our website at: http://www.oipc.ab.ca/


I expect the result would have been the same if the complaint was brought under PIPEDA, except the parties wouldn't have been named.

Inadequate security safeguards led to TJX breach, Commissioners say

0 comments

The federal Privacy Commissioner and the Information and Privacy Commissioner of Canada have released their reports on the TJX/Winners breach (Report of Findings (September 25, 2007) Privacy Commissioner of Canada and Investigation Report P2007-IR-006). The moral of the story: don't collect information you don't need, don't keep it any longer than you need and properly secure the information you have.

Here's the media release:

News Release: Inadequate security safeguards led to TJX breach, Commissioners say (September 25, 2007) - Privacy Commissioner of Canada

Inadequate security safeguards led to TJX breach, Commissioners say

September 25, 2007 – The risk of a breach of sensitive personal information held by TJX Companies Inc., the US parent company of Winners and HomeSense stores in Canada, was foreseeable, but the company failed to put in place adequate security safeguards, an investigation by the Privacy Commissioners of Canada and Alberta has found.

“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk,” says Privacy Commissioner of Canada Jennifer Stoddart.

“Criminal groups actively target credit card numbers and other personal information,” says Commissioner Stoddart. “A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures.

“The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability.”

The joint investigation by the two Commissioners was launched after TJX disclosed in January that its computer system had been breached. This breach involved millions of credit and debit card numbers as well as other personal information, such as driver’s license numbers collected when customers returned merchandise without receipts.

“This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction,” says Frank Work, the Information and Privacy Commissioner of Alberta.

“One positive outcome of this extremely unfortunate breach is that TJX worked cooperatively with us to develop a new process for dealing with unreceipted returns which strikes an appropriate balance between privacy rights and a retailer’s need to take steps to prevent fraud.”

TJX believes the intruder may have initially gained access to customer information via the wireless local area networks at two of its US stores. Customer information was stolen from mid-2005 through December 2006, a TJX investigation found. Some stolen information involved transactions dating back to 2002.

Stolen information included credit card account data as well as data collected when customers returned merchandise without a receipt (drivers’ license numbers, names and addresses).

The investigation concluded TJX did not comply with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and Alberta’s Personal Information Protection Act (PIPA). The investigation found:

  • TJX did not properly manage the risk of an intrusion against the amount of customer data that it collected.
  • The company failed to act quickly in converting from a weak encryption standard to a stronger standard. The conversion process took two years to complete, during which time the breach occurred.
  • TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company of an intrusion prior to December 2006.
  • The company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.

The investigation also found the company did not have a reasonable purpose to collect driver’s license and other identification numbers when unreceipted merchandise was returned. TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. It retained the driver’s license numbers – an extremely valuable piece of information for identity thieves – indefinitely.

In response to these concerns, TJX proposed a new process to address fraudulent returns. Store staff will continue to ask for identification, however, information such as a driver’s license number will instantly be converted into a unique identifying number when it is keyed into the point-of-sale system. This will allow the company to track unreceipted merchandise returns without keeping original driver’s license numbers in its system.
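The press release only says the driver's licence number is "converted into a unique identifying number" at the point of sale. As an added example, not part of the release and not TJX's actual system, the following shows one way to do that with a keyed hash so that repeat unreceipted returns can still be counted per person while the raw number is never written to the return log; the HMAC construction, the key handling, the class and function names and the sample licence numbers are all this example's own assumptions.

```python
"""
Pseudonymising an ID number at the point of sale (added example).
Assumption: an HMAC-SHA256 under a secret key stands in for the page's
"unique identifying number"; the page does not say how TJX derives it.
"""
import hmac
import hashlib
import os
import re
from collections import Counter

# Assumption: in a real deployment the key lives in a secret store or HSM
# and is never written next to the transaction log. Generated here at start.
TOKEN_KEY = os.urandom(32)


def normalize_licence(raw: str) -> str:
    """Canonicalise keyed input so 'xy 123-456' and 'XY123456' give one token."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


def tokenize_id(raw_licence: str, key: bytes = TOKEN_KEY) -> str:
    """Fixed-length token; the raw number is not recoverable without the key."""
    canonical = normalize_licence(raw_licence).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class UnreceiptedReturnLog:
    """Keeps only the token plus store and amount, never the licence number."""

    def __init__(self):
        self.records = []  # constructed in-memory log for the example

    def record_return(self, raw_licence: str, store: str, amount_cents: int) -> str:
        token = tokenize_id(raw_licence)  # raw value is dropped after this line
        self.records.append(
            {"token": token, "store": store, "amount_cents": amount_cents}
        )
        return token

    def returns_for(self, raw_licence: str) -> int:
        """Recompute the token from the presented licence and count matches."""
        token = tokenize_id(raw_licence)
        return sum(1 for r in self.records if r["token"] == token)

    def contains_raw_value(self, raw_licence: str) -> bool:
        """Retention check: the licence number must not appear in stored data."""
        needle = normalize_licence(raw_licence)
        return any(needle in str(v) for r in self.records for v in r.values())


def frequent_returners(log: UnreceiptedReturnLog, threshold: int) -> set:
    """Tokens with at least `threshold` unreceipted returns (the fraud signal)."""
    counts = Counter(r["token"] for r in log.records)
    return {t for t, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    log = UnreceiptedReturnLog()
    log.record_return("xy 123-456", "Store 12", 4999)   # constructed sample
    log.record_return("XY123456", "Store 12", 1500)     # same person, retyped
    print("returns:", log.returns_for("XY-123456"))     # 2
    print("raw retained:", log.contains_raw_value("XY123456"))  # False
```

Rotating the key changes every token, so counts only link returns made under the same key; that is a deliberate trade-off between linkability and limiting what a leaked log reveals.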

The Commissioners called on TJX to take a number of steps to improve its security measures and privacy practices and are pleased the company has agreed to follow these recommendations.

Commissioner Stoddart says the Winners/HomeSense breach illustrates the need to get security right in the first place to avoid the potentially huge costs of mopping up after a security breach. “Organizations need to ensure they have multiple layers of security and that they keep up with advances in security technologies. The cost of failing to do this can be enormous – not only to a company, but to its customers,” she says, adding that a data breach can also have a major impact on credit card companies, banks, law enforcement agencies and regulatory bodies.

A summary of the findings in the case is available on the Commissioners’ websites.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

The Information and Privacy Commissioner of Alberta has a mandate to promote a society where personal privacy is respected and public bodies are open and accountable.



Alberta Commissioner on Freedom of Expression and disclosure of personal information

0 comments

The Information and Privacy Commissioner of Alberta released a very interesting order today, considering whether the right to freedom of expression in the Charter overrides the restriction on disclosure of personal information without consent. In this case, a shopper at Safeway was allegedly caught shoplifting. The "shopper" was an employee of another grocery chain and a representative of Safeway reported the incident to her employer, and she was fired. She then complained that Safeway had disclosed her information without her consent, in breach of the Personal Information Protection Act. At an inquiry under that Act, Safeway argued that the restriction on disclosure was unconstitutional. In the order, the Commissioner disagreed.

Order P2005-006

Summary: The Complainant, an employee of another food retail chain, entered a store of Canada Safeway Limited (the “Organization”) while wearing her employee uniform. The Complainant gathered several goods, paying for some and not for others. When the Complainant left the store, security for the Organization stopped the Complainant and accused the Complainant of theft. The unpaid items were returned and the police were notified. Upon review of the incident, no charges were laid.

The Organization, without the consent of the Complainant, advised the Complainant’s employer about the incident. As a result the Complainant was dismissed. The Complainant initiated a complaint with the Office of the Information and Privacy Commissioner, and the matter proceeded to a written inquiry. The Organization argued that it did not require consent to disclose personal information of the Complainant under section 7(1)(d) (consent to disclose) of the Personal Information Protection Act, (the “Act”) as the section is contrary to section 2(b) (freedom of expression) of the Canadian Charter of Rights and Freedoms (the “Charter”). The Organization also argued that if it is found that section 7(1)(d) of the Act is not contrary to the Charter, then section 20(b) (disclosure pursuant to a statute of Canada that authorizes or requires disclosure) of the Act and section 20(m) (disclosure reasonable for investigation or legal proceeding) of the Act apply and permit the disclosure of the Complainant’s personal information.

The Commissioner found that section 7(1)(d) of the Act did not contravene section 2(b) of the Charter; that sections 20(b) and 20(m) of the Act did not authorize the Organization to disclose the Complainant’s personal information without consent; and that the Organization disclosed the Complainant’s personal information contrary to section 7(1)(d) of the Act.

Alberta Commissioner considers reference checks under PIPA

0 comments

From Alberta:

Commissioner rules reference check was in compliance with Personal Information Protection Act

January 8, 2008

Information and Privacy Commissioner, Frank Work, has determined that information collected in an employment reference check was in compliance with the Personal Information Protection Act (PIPA).

An individual had complained that a former employer had disclosed information not related to her job to a prospective employer in contravention of PIPA and that the prospective employer had collected the information in contravention of the Act. The individual also complained that the former employer had not responded to her request for her personal information.

Following an inquiry into the matter, the Commissioner determined that the information collected in the reference check was personal employee information as defined in PIPA and that no unrelated personal information about the individual was collected. The Commissioner found no evidence that personal information, aside from work related information, had been disclosed or collected.

The Commissioner did find, however, that the former employer did not properly respond to the Complainant’s request for her personal information and has ordered the former employer to respond to that request.

To obtain a copy of Orders P2006-006 and P2006-007, visit our website, http://www.oipc.ab.ca/.

Happy birthday to the Canadian Privacy Law Blog

0 comments

Today marks the fourth anniversary of the Canadian Privacy Law Blog. Four years ago, on January 2, 2004, I put fingers to keyboard and joined the interesting conversation that was beginning to take shape on the internet among veteran bloggers and I'm glad I did. (Welcome to the Canadian Privacy Law blog.) According to Blogger, this will be my 2740th post to the blog.

Forgive me if I get a bit melancholic and wistful as I look back on the past four years, but it has been a very eventful one for me and for the world of privacy. And both are related, I think. (I mean the changes in the world of privacy have influenced me, not the other way around.)

The day before my first posting, the Personal Information Protection and Electronic Documents Act ("PIPEDA") came fully into force for all commercial activities in Canada. That day, the Personal Information Protection Acts of British Columbia and Alberta came into force, but were not declared to be "substantially similar" to PIPEDA until ten months later (Alberta and British Columbia privacy laws declared to be substantially similar.) Also on the legislative front, Ontario passed the Personal Health Information Protection Act and it became law in May, 2004 (Ontario's Personal Health Information Protection Act receives royal assent.) Perhaps as importantly, it was declared substantially similar on November 28, 2005. (PHIPA declared substantially similar.)

Much attention has been paid to the continuing erosion of privacy rights in the United States and Canada. In 2004, the Information and Privacy Commissioner of British Columbia brought the USA Patriot Act under scrutiny. (U.S. Patriot Act worries Privacy Commissioner and BC Information and Privacy Commissioner releases his report: Patriot Act contravenes BC privacy laws.) In response, British Columbia, Alberta and Nova Scotia have passed laws or amendments to existing laws to closely regulate the export of personal information outside of Canada. In the US, the USA Patriot Act has been subject to many judicial challenges with some success.

Perhaps the area that has been most visible to laypeople is the growing trend of requiring companies to report data breaches. California led the way and now more than thirty US states have such requirements. We haven't seen it in Canada (except in PHIPA in Ontario) but advocates are calling for such a requirement in Canada's privacy laws of general application. Coming clean has led to the public disclosure of a number of huge breaches, including Cardsystems, TJX/Winners, Department of Veterans Affairs and the UK Revenue and Customs Service. Whether we see a change in Canadian law has yet to be seen. Despite the huge publicity given to these breaches, businesses built on personal information -- such as Facebook -- thrive.

On the professional front, I've been very fortunate to have been invited to speak on the topic of privacy on more occasions than I can estimate. Highlights have been speaking at the Canadian Bar Association general meeting in Winnipeg in 2005, Canadian IT Law Association for the past few years and innumerable professional organizations. The blog has also led to innumerable media interviews and some amazing awards (I'd like to thank the academy. And my blog ... and An honour to even be considered.)

Perhaps more satisfying is that I've been fortunate to have met (in some cases, in the flesh) and to have been inspired by some great fellow legal bloggers. This list includes Connie Crosby, Rob Hyndman, David Canton, Michael Geist, Michael Fitzgibbon and the amazing Slawyers.


To my readers, thank you very much for taking the time to drop by. I hope it has been informative and useful. Please pass along any suggestions or your thoughts, either in the comments to my posts or via e-mail at david.fraser@mcinnescooper.com.

Birthday cake graphic used under a creative commons license from K. Pierce.
