The Transformation of the Canadian Payments System: Why Privacy is Essential for Trust and Innovation in the Payments System

Submission by the Office of the Privacy Commissioner of Canada to the Task Force for the Payments System Review

September 2011

The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with the Privacy Act, the federal legislation governing the information management practices of federal government departments and agencies, and the Protection of Personal Information and Electronic Documents Act (PIPEDA), Canada’s federal sector privacy legislation that governs organizations’ collection, use, or disclosure of personal information in the course of commercial activities. PIPEDA is principle-based legislation that is flexible in nature to support e-commerce. It is also technologically neutral. The OPC has a legislative mandate to protect the privacy rights of individuals, foster public understanding of privacy, investigate complaints and conduct audits under the two Acts, and also promote the privacy protections available in Canada.

We appreciate the opportunity to respond to the Task Force for the Payments System Review (hereafter, the Task Force) consultation process and are encouraged that the Task Force has acknowledged privacy as a guiding principle associated with the transformation of the payments system linked to their governance framework. We recommend that all references to privacy in the payments system not only recognize this principle, but also that the payments system be designed to meet privacy obligations required by statute.

The OPC recognizes that innovation in the payments system is a factor that encourages economic growth. As such, new and dynamic business practices and technologies are employed to enhance business and consumer experiences. These business and technological innovations increasingly collect, use and disclose vast amounts of consumers’ personal information at the point of payment. While innovation within the payments system is meant to contribute to business and economic efficiencies, there needs to be:

Recognition that compliance with PIPEDA is a legislative requirement and is non-negotiable.
Applicable substantially similar privacy legislation in British Columbia, Alberta, Quebec, and in Ontario for health information custodians, must be taken into similar consideration;
Implementation of the strongest privacy protections throughout the payments system; and
Ongoing commitment to respect and protect privacy rights of individuals in the face of any change to business practices or governance frameworks.

Building an advantage in the digital economy, and in the economy as a whole, requires not only respect for the business-consumer relationship, and compliance with data protection laws, but also recognition of the importance of stakeholder confidence. Meeting obligations related to information and privacy rights serves as a catalyst to build trust and, as a result, encourages economic participation.

Consumer participation requires that individuals be able to trust that their personal information is collected, used, disclosed and safeguarded by organizations they do business with in compliance with privacy legislation and is treated with a high degree of care. Instances of data breaches, inappropriate disclosure of personal information, inadequate safeguards, or non-compliance with privacy legislation can lead to lowered consumer confidence in an organization.

It is clear that the payments system permeates everyday life in Canada, and that decisions taken now will impact the way in which both the system and our society function for years to come. The OPC has discussed a vision for a privacy-friendly digital economy in its response to Industry Canada’s consultation: Privacy, Trust and Innovation – Building Canada’s Digital Advantage.^{Footnote 1}

This submission will outline how addressing privacy concerns throughout the payments system, including meeting legislated privacy obligations, serves to build trust and encourage innovation. Our comments are limited to privacy and identity management-related issues, which permeate many aspects of the payments system and which we believe the Task Force should keep top of mind as it proceeds with its review.

1 — Payments Involve Personal Information

A 1995 World Bank Report defines payment systems as:

“Payment systems (plural) encompass all the paper and electronic systems used to exchange financial value in order to discharge obligations. They can be simple (cash payments for small, face-to-face consumer purchases) or complex (large electronic payments sent or received by financial institutions).”^{Footnote 2}

Personal information such as debit and credit card information, bank account numbers, loyalty card information, purchase history, and personal identification numbers (PINs) are processed through the payments system. As well, payments made in the digital or mobile environment can also include geo-location information, the time of transactions, e-mail addresses, navigation histories, and IP addresses.

As new technologies are employed to create efficiencies and benefits for all stakeholders in the payments ecosystem, there needs to be a concentrated effort to ensure that these practices respect the legislative privacy requirements related to the collection, use and disclosure of personal information, and that they employ the proper safeguards.

The payment card environment in Canada is quite robust. Interac notes that 9 in 10 Canadian adults have a debit card^{Footnote 3} and in 2010 Interact transactions equalled nearly $4 trillion (unless otherwise specified, all figures are in Canadian dollars), growing steadily over the past five years.^{Footnote 4} In addition, Canada has been referenced as one of the top five debit-card-using nations in the world (in terms of transaction per inhabitant).^{Footnote 5} In July of 2011, the Canadian Bankers Association reported that there were more than 71 million MasterCard and Visa credit cards in circulation in Canada.^{Footnote 6}

As noted in the Task Force’s discussion paper, The Way We Pay - Transforming the Canadian Payment System, the Canadian payments ecosystem each year accounts for 24 billion payments valued at over $44 trillion.^{Footnote 7}

Reports also indicate that Canadians spent over $16.5 billion in e-commerce activities in 2010 and that this was expected to double by 2015.^{Footnote 8} E-commerce figures for 2009 were estimated by Statistics Canada to be $15.1 billion.^{Footnote 9}

Building on recent developments such as the rapid adoption of mobile devices (e.g. smartphones), ^{Footnote 10} the ability of payment cards to store more data,^{Footnote 11} the growth of Near Field Communication (NFC) for mobile payments at point-of-sale terminals,^{Footnote 12} and the development of innovative capabilities such as digital wallets, mobile payments are poised for dramatic growth.

It has been reported that global mobile payments are expected to triple from the current value of $240 billion to $670 billion (USD) by 2015 and that mobile payments are expected to be widely adopted in Canada.^{Footnote 13} This is supported by reports that Canadian banks will be trialing these new payments system technologies in the near future.^{Footnote 14}

The success of the payments system is clearly dependent on the responsible management of the personal information that is associated with each and every financial transaction. As such, in order for the payments system to play a role in being able to responsibly accommodate new and innovative technologies - the very essence of what drives the payments system - particular attention needs to be paid to how the personal information associated with financial transactions are handled throughout the payment process lifecycle and that these practices meet PIPEDA’s minimum standards.

2 — Consumers Are Concerned About Their Privacy

As new technologies and innovation are being considered in the Canadian payments ecosystem, it is essential that individuals trust that these technologies and tools are going to be employed in a privacy protective manner.

In a recent survey commissioned by the OPC,^{Footnote 15} roughly 9 out of 10 individuals indicated concern with business requesting too much personal information, not keeping information secure, selling it to other organizations, or their personal information being used in spam or unsolicited marketing. As well, over 65 percent of those surveyed indicated that the protection of personal information will be one of the most pressing issues in Canada in the next ten years.^{Footnote 16}

A report by Industry Canada on mobile commerce referenced a KPMG study that found 55 percent of Canadians had not engaged in mobile banking due to security and privacy concerns.^{Footnote 17} As well, a survey undertaken for the Canadian Wireless Telecommunications Association found that security concerns were a top reason as to why individuals have not used cell phones for banking or making purchases.^{Footnote 18}

Those findings clearly demonstrate that Canadians do have concerns with privacy and organizations that make up, or otherwise participate in, the Canadian payments system must meet their legislated privacy obligations. As well, since privacy is a principle that the Task Force has linked to its governance framework, non-compliance with privacy obligations means not meeting the objectives and principles outlined by the Task Force for the sound stewardship of payments.

3 — What Is Personal Information?

Under PIPEDA, personal information is information about an identifiable individual. The OPC and the courts have tended to take a contextual approach in determining whether certain information constitutes personal information in particular circumstances.^{Footnote 19} While it is easy to make the link that certain information such as name, address or phone number is personal information, the digital environment has created challenges in determining whether information is personal information under PIPEDA.^{Footnote 20} For instance, the OPC has determined that an Internet Protocol (IP) address is personal information if it can be associated with an identifiable individual.^{Footnote 21}

With specific reference to information that is related to payments, the OPC, in its investigative findings relating to various complaints, has determined that bank account numbers,^{Footnote 22} transaction histories,^{Footnote 23} credit card numbers,^{Footnote 24} email addresses,^{Footnote 25} consumer purchases,^{Footnote 26} transactions,^{Footnote 27} customer membership and account information in the context of frequent flyer or consumer loyalty programs,^{Footnote 28} and customer complaint information^{Footnote 29} are personal information.

The Task Force noted that digital payments contain personal information and that digital payment transactions involving debit card and credit card at point-of-sale machines, mobile payments, and online e-commerce all use personal information.^{Footnote 30}

It should be noted though that employing new technologies and implementing new business solutions may result in the collection of additional, ancillary personal information for purposes that are distinct from the payment transaction.

It is also important to point out that what may initially appear to be “innocuous” anonymous or de-identified information, when combined with information from other sources and databases, could produce data that can be linked back to specific individuals.

One of the challenges the Task Force noted for the payment environment is the need to ensure that new technologies are not employed in a manner that infringes on individual privacy rights.^{Footnote 31} This is a real concern as there have been reports that, in some instances, electronic logs that were considered anonymized did lead to an identifiable individual when used in conjunction with other available information.^{Footnote 32}

Given the range, specificity, and sheer volume of personal information collected, used and disclosed during payment transactions, it is imperative that stakeholders in the Canadian payment system understand and adhere to their obligations under PIPEDA and applicable provincial privacy legislation. Moreover, there should be ongoing recognition that all payment system options should be implemented in a manner that respects individual personal information and privacy rights.

4 — Develop Strong Privacy Practices In Accordance With PIPEDA And Applicable Provincial Privacy Laws

An essential part of transitioning to a digital economy is developing and implementing a governance framework that supports effective policies and procedures to protect privacy in the payment system.

The Task Force has outlined a set of 12 principles – including privacy – that it says are “fundamental to the sound stewardship of payments.”^{Footnote 33}

With respect to privacy, PIPEDA outlines the legislated information handling practices for organizations that collect, use and disclose personal information in the course of commercial activities. Schedule 1 of the Act contains 10 principles for fair information practices: i) Accountability; ii) Identifying Purposes; iii) Consent; iv) Limiting Collection; v) Limiting Use, Disclosure, and Retention; vi) Accuracy; vii) Safeguards; viii) Openness; ix) Individual Access; and x) Challenging Compliance.^{Footnote 34}

The sound stewardship of payments requires fully addressing all of the principles in PIPEDA and applicable provincial substantially similar privacy legislation. Compliance with privacy legislation is not only a legal requirement for the industry, but a practical necessity so that stakeholders within the payments system, both individuals and organizations, maintain confidence in the payments system governance and operation frameworks. Without this trust, individuals may be wary of adopting new technologies and industry may not have confidence in the payments infrastructure. This may result in lost opportunities for innovation and growth.

For the purpose of this submission, the following section provides an overview of some of the principles that are especially important to consider as they relate to the Task Force’s discussion document on innovation and transition of the Canadian payments system.

Accountability

Under PIPEDA, “(a)n organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.”^{Footnote 35}

Organizations need to demonstrate that they are accountable to their customers and have put in place the appropriate policies, procedures, and privacy management frameworks to minimize risks, protect their customers, and address their legislative compliance requirements.

For example, policies related to training need to be developed so that employees throughout the organization understand their privacy obligations. In addition, training policies, procedures, and programs need to be updated to ensure that they are current with existing business operational requirements and obligations. As mentioned in our 2010 PIPEDA Annual Report to Parliament, a recent survey conducted for the OPC found that only 37 percent of businesses provided privacy training to employees – a result that needs to be improved upon to effectively meet PIPEDA obligations and protect privacy.^{Footnote 36}

Identifying Purposes and Consent

The Identifying Purposes principle states that: “The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.”^{Footnote 37} The Consent principle means that: “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”^{Footnote 38}

The Identifying Purposes and Consent Principles are closely linked. Without appropriately defining the purposes for which personal information is to be used, there may be a question as to whether knowledge and consent has been obtained.

Given the ubiquitous nature of the payments system and the volume of personal information involved in payment transactions, identifying why personal information is collected, how it will be used and disclosed, and informing individuals of these reasons are necessary under PIPEDA to obtain meaningful consent. This can be achieved through flexible and innovative means, as long as they are meaningful to consumers and provide them with choice and control. Lack of compliance with these requirements is not only a breach of privacy law, but can undermine consumer trust and participation in the payments system.

The evolving nature of the payments system poses some challenges in this regard, particularly in the mobile environment, but knowledge and consent are requirements under the law. Any new purpose for collecting, using or disclosing the information must be identified and the individual's consent obtained beforehand.

Obtaining meaningful consent is a condition of meeting the privacy expectations of individuals. An individual’s knowledge and consent regarding the collection, use, or disclosure of their personal information is a cornerstone of PIPEDA and is one of the means by which individuals can exert control of their personal information.

Without meeting these privacy obligations, it may be more difficult to fully gain consumer trust.

The importance of knowledge and consent in the digital society has been noted by the OPC in our 2010 Annual Report on PIPEDA. The report mentions that the percentage of complaints related to consent grew from 10 percent to 20 percent from 2009 to 2010 and in part this was attributed to the growing number of online complaints.

Openness

Openness under PIPEDA means: “An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”^{Footnote 39}

The Task Force notes that the payments system is complex, that new technologies create opportunities and challenges,^{Footnote 40} and that there are a number of different stakeholders involved.^{Footnote 41} Given this environment, it is extremely important for organizations to have clearly identified information management practices and transparent privacy policies so that consumers can understand how their personal information is being handled throughout the payments lifecycle.

A system as complex as the payments system may not necessarily be one that many people fully understand. Similarly, it may be difficult for consumers to fully understand how their personal information is handled during the payment process. Therefore, it is essential that organizations that make up, or otherwise participate in, the Canadian payments system have privacy policies that are accessible, transparent and easy to understand. This will serve to provide information to individuals about how the payments industry operates and where they can seek recourse if they feel their privacy rights have been breached or want to ask for a correction to their personal information file.

A responsible and effective business-consumer relationship is supported by practices where privacy policies are easily available, and information management practices are written so that they are understandable.

Limiting Collection

The Limiting Collection principle in PIPEDA states that: “The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.”^{Footnote 42}

With advances in technology, it has become easier and less expensive to collect and store data.

Collecting and keeping vast quantities of personal information can become an unnecessary data breach liability, and can have considerable consequences for both industry and consumers.

The payments system involves sensitive personal information. The risks associated with a data breach have implications for consumers related to time, effort, and possible repercussions to their reputation. As such, having well defined information management practices that limit the collection of personal information to only that which is necessary to execute a given financial transaction can mitigate risks associated with a data breach and demonstrate commitment to consumer’s privacy rights.

Limiting Use, Disclosure, and Retention

The Limiting Use, Disclosure, and Retention principle in PIPEDA requires that: “Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.”^{Footnote 43}

New technologies may offer new ways to use personal information after it has been collected. It is important that information is not used or disclosed beyond the purposes for which it was collected to avoid any possibility of function creep. Consumers should be confident that their information is only used for the purposes to which they have consented.

In an environment where storage options and capacities are increasing and associated costs are dropping, it may be tempting to overlook the requirement of retention and disposal policies under applicable privacy legislation. The retention of users’ personal information should be strictly limited to that which is required for identified purposes in order to mitigate the privacy risks, from a data breach.

Safeguards

The Safeguards principle in PIPEDA means that organizations subject to the Act have a responsibility that, “personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”^{Footnote 44}

New threats to the security of personal information arise with the introduction and adoption of any new technologies, such as smartphones. Recent reports have highlighted a growth in malware targeting mobile devices, threats to online payment systems, potential security risks associated with financial applications, and potential risks in new mobile phone credit card readers.^{Footnote 45} Malevolent actors employ a range of tactics to illicitly obtain information. Outside of technical attacks, they may also engage in social engineering practices such as phishing.^{Footnote 46}

Given the personal information new payments technologies can process, these new technologies must be deployed in a manner that protects an individual’s personal information and the integrity of the overall payment system. This requires organizations to approach security from multiple aspects, including technical security safeguards, physical security safeguards and procedural security safeguards. Implemented safeguards need to be continuously tested, and reviewed and modified to ensure that they continue to be effective and adaptive as the threats evolve.

A Privacy Impact Assessment (PIA) is a proactive measure that can help address potential privacy and security risks by^{Footnote 47}:

Identifying all of the personal information related to a program or service and then looking at how it will be used;
Mapping where personal data is sent after it is collected;
Identifying privacy risks and the level of those risks; and
Finding ways to reduce or eliminate privacy risks.

A PIA is a fundamental tool to help with overall privacy protection and also serves as a risk assessment tool. As innovation is being spurred on by new technological solutions, a PIA can play an important role within the overall risk management process in the implementation of new technologies by the payment system sector in Canada.

5 — Identity Considerations in the Payments System

As a best practice, only the minimum essential information should be used throughout the process of identification and authentication and define protocols on a need-to-know basis. This is true regardless of the payment method an individual has chosen.

Individuals should have a variety of payment options available to them, and, in some cases, may choose certain payment methods over others. For example, an individual purchasing a self-help book for depression may wish to make a purchase using cash in order avoid creating a record of the nature of their purchase.

It is understandable that, in some cases such as instances related to Anti-Money Laundering or “Know Your Customer” requirements, there may be certain authentication requirements that are required by law. However, these obligations should not prompt the over-collection of personal information that is not ultimately legally required.

The principles set out in the OPC’s Guidelines for Identification and Authentication ^{Footnote 48}and Industry Canada’s Principles for Electronic Authentication: A Canadian Framework ^{Footnote 49}outline a number of key issues when addressing identification and authentication considerations. While these documentsremain relevant today, massive social and technological changes encourage us to both broaden and refine our thinking.

As identity management systems are developed within the payments system, the key principles outlined in PIPEDA represent a minimum legal standard that will help build and support a digital identification and authentication system that is privacy-respectful. If not done carefully, the risk is that such a system could be highly privacy-invasive.

6 — Cloud Computing and the Payments System

Many organizations may employ cloud computing solutions as a part of their overall business strategy. While cloud computing may provide efficiencies, there are questions relating to the security of personal information, extra-jurisdictional issues, misuse of processing data, permanence of data, ownership of data, third-party access of information.^{Footnote 50} PIPEDA does not prohibit transborder data flows, but does contain provisions to ensure that individual’s privacy rights are respected through appropriate means, including contractual obligations to ensure comparable level of protection.

The OPC has issued a consultation paper on privacy issues related to emerging technologies, including cloud computing.^{Footnote 51} As payment systems may include cloud computing solutions, federal privacy legislation is clear that organizations remain accountable for protecting their customers’ personal information and must be transparent about their information management practices.

To support this, a number of solutions can be employed. For example, an organization can add contractual provisions so they are satisfied that the third party has policies and processes in place to protect information.

The OPC has published materials on its website on the privacy implications of transborder data flows and cloud computing that may help participants in the payments system to understand their obligations and rights under PIPEDA.^{Footnote 52}

7 — The Task Force’s Proposed Governance Framework

The Task Force has proposed a governance framework that includes a Payments Oversight Body, made up of a cross-section of representatives, for accountability and oversight. A truly effective oversight body should include representation from the privacy community, including privacy practitioners and advocates. A broad range of independent privacy experts will be able to provide oversight with respect to data protection.

The Task Force also suggested that payment specific legislation may be introduced to set minimum industry standards.

The OPC would like to reinforce the fact that voluntary industry standards regarding personal information must meet the minimum legal requirements set out under PIPEDA and applicable provincial privacy legislation.

If new proposed payments legislation is to be considered, due consideration must be given to privacy compliance obligations. Before introducing any measures that relate to privacy, a comprehensive review would be needed to properly assess and address roles, responsibilities and jurisdictions currently established under existing regulatory and legislative frameworks.

Finally, the importance of continuing to conduct public consultations is a key step to encourage discussion and understanding of privacy issues raised in the payment system context. A system that is open and participatory will benefit from exchanges involving a broad range of privacy stakeholders. Dialogue can help generate solutions to the challenges that digital payment transactions pose to data protection.

8 — Privacy Literacy in the Digital Environment

The OPC’s 2010 Annual Report on PIPEDA emphasized that Canadians’ privacy literacy needs to match their digital literacy.^{Footnote 53} In other words, the ability of a consumer to navigate the online environment in a way that preserves their individual privacy is an essential part of digital literacy. There is a need for both consumers and businesses to improve their privacy literacy so that personal information is effectively protected in the digital economy.

Industry Canada issued a report in the winter of 2010 titled: Mobile Commerce - New Experiences, Emerging Consumer Issues. A part of the report focused on the youth and their adoption of mobile devices. The report referenced a study that found that, in 2005, 80 percent of e-commerce by youth in Japan aged 15 to19 was done via cell phones.^{Footnote 54}

The need to improve privacy literacy in an online context is essential for all individuals involved in the payment ecosystem. While youth are usually the most enthusiastic adopters of new technologies, users of all ages need to have the tools necessary to understand and manage how their information is collected, used and disclosed, especially in online and mobile marketing scenarios. We have also heard that youth are interested in learning about tools to control their personal information. Therefore outreach activities and tools aimed at youth, if properly designed, could be useful and welcome by young people.^{Footnote 55}

Taking into account the breadth and sensitivity of personal information used in the payments system, the Task Force should explore the possibility of developing an education and outreach strategy aimed at consumers, including youth.

9 — Conclusion

The Task Force presents four scenarios for consideration in looking at the opportunities and challenges that may face the Canadian payments system moving forward.

With respect to the four scenarios, our Office strongly recommends that any approach to transform the payment system take into account the importance of integrating privacy protection requirements as outlined in PIPEDA throughout the payments system as a necessary pillar for promoting industry and consumer participation and helping foster innovation.

According to Industry Canada:^{Footnote 56}

“The impersonal and remote nature of electronic commerce places a heavy burden on the need for means to reduce or eliminate risk. Security, privacy and consumer protection are all required to instill trust in electronic commerce, for both businesses and consumers.”

Our Office appreciates the opportunity to respond to this consultation and would be more than pleased to continue discussions with the Task Force on the importance of addressing legislative privacy requirements in the payments system.

ENDNOTES

Footnote 1

Submission from the Office of the Privacy Commissioner of Canada, “Privacy, Trust and Innovation – Building Canada’s Digital Advantage”. Online at: http://www.priv.gc.ca/information/pub/sub_de_201007_e.cfm

Return to footnote 1

Footnote 2

Word Bank Research Paper No. 1519, “Payment Systems in Latin America” pg.1 http://www-wds.worldbank.org/servlet/WDSContentServer/WDSP/IB/1995/10/01/
000009265_3961019150441/Rendered/PDF/multi_page.pdf

Return to footnote 2

Footnote 3

Interac Association, Interac: Research Facts webpage. Accessed on August 15, 2011. Online at: http://www.interac.ca/media/researchfacts.php

Return to footnote 3

Footnote 4

Interac Association, Interac: Statistics webpage. Accessed on August 15, 2011. Online at: http://www.interac.ca/media/stats.php

Return to footnote 4

Footnote 5

Interac Association, Interac Statistics: Canada vs. Other Countries - Debit use webpage. Accessed on August 16, 2011. Online at: http://www.interac.ca/media/stats.php

Return to footnote 5

Footnote 6

The Canadian Bankers Association, “Credit Card: Statistics and Facts” Accessed on August 15, 2011. Online at: http://www.cba.ca/en/media-room/50-backgrounders-on-banking-issues/123-credit-cards

Return to footnote 6

Footnote 7

The Task Force for the Payment Systems Review, “The Way We Pay - Transforming the Canadian Payment System” pg. 3, July 2011. Online at: http://paymentsystemreview.ca/index.php/news-and-articles/the-way-we-pay-call-for-submissions/

Return to footnote 7

Footnote 8

“US Retailers help boost Canadian Ecommerce” eMarketer, February 23, 2011. Online at: http://www.emarketer.com/mobile/article_m.aspx?R=1008246

Return to footnote 8

Footnote 9

Statistics Canada, “The Daily, Ecommerce: Shopping on the Internet” September 27, 2010. Online at: http://www.statcan.gc.ca/daily-quotidien/100927/dq100927a-eng.htm

Return to footnote 9

Footnote 10

Supra note 7, pg. 9; and Canadian Radio-television and Telecommunications Commission (CRTC), “Navigating Convergence II: Charting Canadian Communications Change and Regulatory Implications”. Online at: http://crtc.gc.ca/eng/publications/reports/rp1108.htm

Return to footnote 10

Footnote 11

MasterCard Worldwide, “Exchange: A guide to Understanding Payment Cards”. Online at: http://www.google.ca/url?sa=t&source=web&cd=9&ved=0CE8QFjAI&url=http%3A%2F%2Fwww.mastercard.com%2Fca%2Fwce%2FPDF%2F17589_Exchange-Guide-EN.pdf&ei=jZJJTtz7EOODsgLRs5HmCA&usg=AFQjCNHuQ0uF3mhr4op4e4F1_qpXtiCUaQ

Return to footnote 11

Footnote 12

Sam Gustin, “Visa Digital Wallet Accelerates Mobile-payments Race” Wired, May 16, 2011. Online at: http://www.wired.com/epicenter/2011/05/visa-digital-wallet-nfc/

Return to footnote 12

Footnote 13

Emily Jackson, “Cell Phone Payments Set to take Off” CTV news. Online at: http://www.ctv.ca/generic/generated/static/business/article2087704.html

Return to footnote 13

Footnote 14

Dana Flavelle, “Visa to offer one-stop online credit card shop” The Star, May 11, 2011. Online at: http://mobile.thestar.com/mobile/business/article/989795

Return to footnote 14

Footnote 15

The Office of the Privacy Commissioner of Canada, “2011 Canadians and Privacy Survey”. Online at: http://www.priv.gc.ca/information/survey/2011/por_2011_01_e.cfm#toc3a

Return to footnote 15

Footnote 16

The Office of the Privacy Commissioner of Canada, “Privacy Commissioner urges users of mobile devices, social networks and other technologies to better safeguard their personal information”. Online at: http://www.priv.gc.ca/media/nr-c/2011/nr-c_110825_e.cfm

Return to footnote 16

Footnote 17

Industry Canada, “Mobile Commerce - New Experiences, Emerging Consumer Issues”, Published by Consumers Affairs Organization, Winter 2010. Online at: http://www.ic.gc.ca/eic/site/oca-bc.nsf/eng/ca02518.html#return21. KPMG survey sourced at footnote 44: KPMG LLP. 2009. “The Rising Power of the Consumer: Demand Seamless Bundling Services, Price Transparency, and Security and Privacy”, Media Advisory, June 15, 2009. Online at: www.kpmg.ca/en/news/pr200906015.html

Return to footnote 17

Footnote 18

Survey undertaken by Quorus Consulting Group and prepared for the Canadian Wireless Telecommunications Association. Slide 55, April 29, 201. Online at: http://cwta.ca/CWTASite/english/facts_figures_downloads/Consumer2011.pdf

Return to footnote 18

Footnote 19

Office of the Privacy Commissioner of Canada, “Interpretations (Personal Information)” Online at: http://www.priv.gc.ca/leg_c/interpretations_02_e.cfm

Return to footnote 19

Footnote 20

The Office of the Privacy Commissioner of Canada, “PIPEDA and Your Practice, A Privacy Handbook for Lawyers”. Online at: http://www.priv.gc.ca/information/pub/gd_phl_201106_e.cfm#sec1e; See also Office of the Privacy Commissioner of Canada, “Data at the Tipping Point: Managing and Mitigating the Risk of Re-identification, Speech by Patricia Kosseim, General Counsel, January 25 2011” Online at: http://www.priv.gc.ca/speech/2011/sp-d_20110125_pk_e.cfm

Return to footnote 20

Footnote 21

The Office of the Privacy Commissioner of Canada, Commissioner’s Findings, “PIPEDA Case Summary #2005-319: ISP's anti-spam measures questioned” Online at: http://www.priv.gc.ca/cf-dc/2005/319_20051103_e.cfm and http://www.priv.gc.ca/cf-dc/2005/319_20051103_e.cfm

Return to footnote 21

Footnote 22

The Office of the Privacy Commissioner of Canada, Commissioner Findings: PIPEDA Incident Summary #2: CIBC’s privacy practices failed in cases of misdirected faxes”Online at: http://www.priv.gc.ca/incidents/2005/050418_01_e.cfm

Return to footnote 22

Footnote 23

The Office of the Privacy Commissioner of Canada, Commissioner’s Findings, “PIPEDA Case Summary #2006-356: Customer’s banking personal information found in a recycling bin” Online at: http://www.priv.gc.ca/cf-dc/2006/356_20061023_e.cfm and “PIPEDA Case Summary #2006-331
Credit card account history disclosed to estranged spouse” Online at: http://www.priv.gc.ca/cf-dc/2006/331_20060329_e.cfm

Return to footnote 23

Footnote 24

The Office of the Privacy Commissioner of Canada, Commissioner's Findings, “Settled case summary #25: Personal information on credit card receipts to be masked by 2007” Online at: http://www.priv.gc.ca/ser/2006/s25_060127_e.cfm, and “PIPEDA Case Summary #2003-144: Alleged improper disclosure of credit card number to third party” Online at: http://www.priv.gc.ca/cf-dc/2003/cf-dc_030401_1_e.cfm, and “Report of an Investigation into the Security, Collection and Retention of Personal Information, TJX Companies Inc. /Winners Merchant International L.P.” Online at:
http://www.priv.gc.ca/cf-dc/2007/TJX_rep_070925_e.cfm

Return to footnote 24

Footnote 25

PIPEDA Case Summary # 277 - Mass mailout results in disclosure of contest entrants e-mail addresses. Online at: http://www.priv.gc.ca/cf-dc/2004/cf-dc_040902_02_e.cfm; and PIPEDA Case Summary # 297 - Unsolicited e-mail for marketing purposes. Online at: http://www.priv.gc.ca/cf-dc/2005/297_050331_01_e.cfm

Return to footnote 25

Footnote 26

PIPEDA Case Summary #296 - Language of consent and monitoring activity challenged. Online at: http://www.priv.gc.ca/cf-dc/2005/296_050314_02_e.cfm; and PIPEDA Case Summary #300 - Company collecting consumer personal information without identifying purposes halts practice and implements privacy policies and practices. Online at: http://www.priv.gc.ca/cf-dc/2005/300_050429_e.cfm; and PIPEDA Case Summary #366 - Auto body shop implements privacy policy and undertakes changes to privacy practices. Online at: http://www.priv.gc.ca/cf-dc/2007/366_20070119_e.cfm; and PIPEDA Case Summary - Ticketmaster Canada Limited revised its policies and practices with respect to PIPEDA to protect customers’ personal information - http://www.priv.gc.ca/cf-dc/2008/cf-dc_20080212_e.cfm

Return to footnote 26

Footnote 27

PIPEDA Case Summary #374 -Bank faxes credit card account statement to fraudster. Online at: http://www.priv.gc.ca/cf-dc/2007/374_20070323_e.cfm; and PIPEDA Case Summary #176 - Bank records customer call without consent; refuses to erase tape. Online at: http://www.priv.gc.ca/cf-dc/2003/cf-dc_030603_e.cfm; and PIPEDA Case Summary #72 - Telecommunications company improves its collection and disclosure practices. Online at http://www.priv.gc.ca/cf-dc/2002/cf-dc_021007_1_e.cfm

Return to footnote 27

Footnote 28

PIPEDA Case Summary #292 - Former employer changed account information of Air Canada frequent flyer member. Online at: http://www.priv.gc.ca/cf-dc/2005/292_050406_e.cfm; and PIPEDA Case Summary #241 - Bank complies with consent principles. Online at: http://www.priv.gc.ca/cf-dc/2003/cf-dc_031204_04_e.cfm

Return to footnote 28

Footnote 29

PIPEDA Case Summary #370 - Airline broadens interpretation of personal information and improves handling of personal information access requests. Online at: http://www.priv.gc.ca/cf-dc/2007/370_20070112_e.cfm

Return to footnote 29

Footnote 30

Supra note 7, pg. 17

Return to footnote 30

Footnote 31

Supra note 7, pg. 17

Return to footnote 31

Footnote 32

Nate Anderson, “”Anonymized” data really isn’t – and here’s why not”, Ars Technical. Online at: http://arstechnica.com/tech-policy/news/2009/09/your-secrets-live-online-in-databases-of-ruin.ars; and
Sawn Kawamoto and Elinor Mills, “AOL apologizes for release of user search data” Cnet, August 7, 2006. Online at: http://news.cnet.com/AOL-apologizes-for-release-of-user-search-data/2100-1030_3-6102793.html?tag=mncol;2n

Return to footnote 32

Footnote 33

Supra Note 7, pgs 20-21.

Return to footnote 33

Footnote 34

Further information on these principles and PIPEDA can be found on the OPC’s website at: www.opc.gc.ca

Return to footnote 34

Footnote 35

Schedule 1 of the Personal Information Protection and Electronics Documents Act, Principle 1 – Accountability. Online at: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-16.html#h-25

Return to footnote 35

Footnote 36

The Office of the Privacy Commissioner of Canada, “Annual Report to Parliament 2010: Personal Information Protection and Electronic Documents Act”, 2011. Online at: http://www.priv.gc.ca/information/ar/201011/2010_pipeda_e.cfm

Return to footnote 36

Footnote 37

Schedule 1 of the Personal Information Protection and Electronics Documents Act, Principle 2 – Identifying Purposes. Online at: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-16.html#h-25

Return to footnote 37

Footnote 38

Schedule 1 of the Personal Information Protection and Electronics Documents Act, Principle 3 – Consent. Online at: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-16.html#h-25

Return to footnote 38

Footnote 39

Schedule 1 of the Personal Information Protection and Electronics Documents Act, Principle 8 – Openness. Online at: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-16.html#h-25

Return to footnote 39

Footnote 40

Supra note 7, pg. 17

Return to footnote 40

Footnote 41

Supra note 7, pg. 15

Return to footnote 41

Footnote 42

Schedule 1 of the Personal Information Protection and Electronics Documents Act, Principle 4 – Limiting Collection. Online at: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-16.html#h-25

Return to footnote 42

Footnote 43

Schedule 1 of the Personal Information Protection and Electronics Documents Act, Principle 5 – Use, Disclosure, and Retention. Online at: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-16.html#h-25

Return to footnote 43

Footnote 44

Schedule 1 of the Personal Information Protection and Electronics Documents Act, Principle 7 – Safeguards. Online at: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/page-16.html#h-25

Return to footnote 44

Footnote 45

Matt Liebowitz, “Zeus Trojan Hits Android Smartphones” MSNBC.com, July 12, 2011. Online at: http://www.msnbc.msn.com/id/43728379/ns/technology_and_science-wireless/; and
“Smartphone malware Growing” CBC, August 8, 2011. Online at: http://www.cbc.ca/news/technology/story/2011/08/08/technology-smartphone-security-malware.html; and
Jameson Berkow, “Payment giant demands Square mobile card readers be recalled” The Financial Post, March 9, 2011. Online at: http://business.financialpost.com/2011/03/09/square-mobile-credit-card-readers-have-major-security-flaw-alleges-payment-giant-verifone/; and
Lance Whitney, “Study, iPhone, Android apps store sensitive user info” Cnet, August 9, 2011. Online at: http://reviews.cnet.com/8301-19512_7-20090006-233/study-iphone-android-apps-store-sensitive-user-info/

Return to footnote 45

Footnote 46

Social engineering refers to the practice of influencing or manipulating people in the hopes that they divulge personal information. Phishing is a practice where individual’s believe they are logging into a site that they trust, such as their bank’s website, but they are not and their log-in information, passwords and other personal information is being hijacked. Further information can be found at: The Office of the Privacy Commissioner of Canada, “Recognizing Threats to Personal Data: Four Ways That Personal Information Gets Hijacked Online”. Online at: http://www.priv.gc.ca/id/phishing_e.cfm

Return to footnote 46

Footnote 47

The Office of the Privacy Commissioner of Canada, “Fact Sheet On Privacy Impact Assessments”. Online at: http://www.priv.gc.ca/fs-fi/02_05_d_33_e.cfm

Return to footnote 47

Footnote 48

Office of the Privacy Commissioner of Canada, “Guidelines for Identification and Authentication”, October 2006: http://www.priv.gc.ca/information/guide/auth_061013_e.cfm

Return to footnote 48

Footnote 49

Industry Canada, “Principles for Electronic Authentication: A Canadian Framework”, May 2004: http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/eng/h_gv00240.html

Return to footnote 49

Footnote 50

The Office of the Privacy Commissioner of Canada, “Report on the 2010 Office of the Privacy Commissioner of Canada's Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing”, May 2011. Online at: http://www.priv.gc.ca/resource/consultations/report_201105_e.cfm#toc6; and Reaching for the Cloud(s):, Privacy Issues Related to Cloud Computing. Online at: http://www.priv.gc.ca/information/pub/cc_201003_e.cfm#toc2d

Return to footnote 50

Footnote 51

Ibid

Return to footnote 51

Footnote 52

The Office of the Privacy Commissioner of Canada, “Guidelines for Processing Data Across Borders”. Online at: http://www.priv.gc.ca/information/guide/2009/gl_dab_090127_e.cfm; and
The Office of the Privacy Commissioner of Canada, “Reaching for the Cloud(s):Privacy Issues Related to Cloud Computing. Online at: http://www.priv.gc.ca/information/pub/cc_201003_e.cfm#contenttop

Return to footnote 52

Footnote 53

The Office of the Privacy Commissioner of Canada, “Annual Report to Parliament 2010: The Personal Information Protection and Electronic Documents Act” Online at: http://www.priv.gc.ca/information/ar/201011/2010_pipeda_e.cfm

Return to footnote 53

Footnote 54

Industry Canada, “Mobile Commerce — New Experiences, Emerging Consumer Issues”, Published by Consumers Affairs Organization, Winter 2010. Online at: http://www.ic.gc.ca/eic/site/oca-bc.nsf/eng/ca02518.html#return21
Sourced from footnote 21: Sachi Izumi, “Dial-Up Bargains”, The Courier Mail, October 26, 2006. Online at: www.news.com.au/couriermail/story/0,23739,20654358-23272,00.html

Return to footnote 54

Footnote 55

Return to footnote 55

Footnote 56

Reference to a statement issued by Industry Canada in 1988 as found in: Industry Canada, “Mobile Commerce — New Experiences, Emerging Consumer Issues”, Published by Consumers Affairs Organization, Winter 2010. Online at: http://www.ic.gc.ca/eic/site/oca-bc.nsf/eng/ca02518.html#return21

Return to footnote 56

Date modified:: 2013-04-29

Language selection

Search and menus

Search

The Transformation of the Canadian Payments System: Why Privacy is Essential for Trust and Innovation in the Payments System

Table of Contents

Submission by the Office of the Privacy Commissioner of Canada to the Task Force for the Payments System Review

1 — Payments Involve Personal Information

2 — Consumers Are Concerned About Their Privacy

3 — What Is Personal Information?

4 — Develop Strong Privacy Practices In Accordance With PIPEDA And Applicable Provincial Privacy Laws

Accountability

Identifying Purposes and Consent

Openness

Limiting Collection

Limiting Use, Disclosure, and Retention

Safeguards

5 — Identity Considerations in the Payments System

6 — Cloud Computing and the Payments System

7 — The Task Force’s Proposed Governance Framework

8 — Privacy Literacy in the Digital Environment

9 — Conclusion