The Transformation of the Canadian Payments System: Why Privacy is Essential for Trust and Innovation in the Payments System
Submission by the Office of the Privacy Commissioner of Canada to the Task Force for the Payments System Review
September 2011
The Office of the Privacy Commissioner of Canada (OPC) oversees compliance with the Privacy Act, the federal legislation governing the information management practices of federal government departments and agencies, and the Protection of Personal Information and Electronic Documents Act (PIPEDA), Canada’s federal sector privacy legislation that governs organizations’ collection, use, or disclosure of personal information in the course of commercial activities. PIPEDA is principle-based legislation that is flexible in nature to support e-commerce. It is also technologically neutral. The OPC has a legislative mandate to protect the privacy rights of individuals, foster public understanding of privacy, investigate complaints and conduct audits under the two Acts, and also promote the privacy protections available in Canada.
We appreciate the opportunity to respond to the Task Force for the Payments System Review (hereafter, the Task Force) consultation process and are encouraged that the Task Force has acknowledged privacy as a guiding principle associated with the transformation of the payments system linked to their governance framework. We recommend that all references to privacy in the payments system not only recognize this principle, but also that the payments system be designed to meet privacy obligations required by statute.
The OPC recognizes that innovation in the payments system is a factor that encourages economic growth. As such, new and dynamic business practices and technologies are employed to enhance business and consumer experiences. These business and technological innovations increasingly collect, use and disclose vast amounts of consumers’ personal information at the point of payment. While innovation within the payments system is meant to contribute to business and economic efficiencies, there needs to be:
- Recognition that compliance with PIPEDA is a legislative requirement and is non-negotiable;
- Similar consideration of applicable substantially similar privacy legislation in British Columbia, Alberta, Quebec, and in Ontario for health information custodians;
- Implementation of the strongest privacy protections throughout the payments system; and
- Ongoing commitment to respect and protect privacy rights of individuals in the face of any change to business practices or governance frameworks.
Building an advantage in the digital economy, and in the economy as a whole, requires not only respect for the business-consumer relationship, and compliance with data protection laws, but also recognition of the importance of stakeholder confidence. Meeting obligations related to information and privacy rights serves as a catalyst to build trust and, as a result, encourages economic participation.
Consumer participation requires that individuals be able to trust that their personal information is collected, used, disclosed and safeguarded by organizations they do business with in compliance with privacy legislation and is treated with a high degree of care. Instances of data breaches, inappropriate disclosure of personal information, inadequate safeguards, or non-compliance with privacy legislation can lead to lowered consumer confidence in an organization.
It is clear that the payments system permeates everyday life in Canada, and that decisions taken now will impact the way in which both the system and our society function for years to come. The OPC has discussed a vision for a privacy-friendly digital economy in its response to Industry Canada’s consultation: Privacy, Trust and Innovation – Building Canada’s Digital Advantage.Footnote 1
This submission will outline how addressing privacy concerns throughout the payments system, including meeting legislated privacy obligations, serves to build trust and encourage innovation. Our comments are limited to privacy and identity management-related issues, which permeate many aspects of the payments system and which we believe the Task Force should keep top of mind as it proceeds with its review.
1 — Payments Involve Personal Information
A 1995 World Bank Report defines payment systems as:
“Payment systems (plural) encompass all the paper and electronic systems used to exchange financial value in order to discharge obligations. They can be simple (cash payments for small, face-to-face consumer purchases) or complex (large electronic payments sent or received by financial institutions).”Footnote 2
Personal information such as debit and credit card information, bank account numbers, loyalty card information, purchase history, and personal identification numbers (PINs) are processed through the payments system. As well, payments made in the digital or mobile environment can also include geo-location information, the time of transactions, e-mail addresses, navigation histories, and IP addresses.
As new technologies are employed to create efficiencies and benefits for all stakeholders in the payments ecosystem, there needs to be a concentrated effort to ensure that these practices respect the legislative privacy requirements related to the collection, use and disclosure of personal information, and that they employ the proper safeguards.
The payment card environment in Canada is quite robust. Interac notes that 9 in 10 Canadian adults have a debit cardFootnote 3 and in 2010 Interac transactions equalled nearly $4 trillion (unless otherwise specified, all figures are in Canadian dollars), growing steadily over the past five years.Footnote 4 In addition, Canada has been referenced as one of the top five debit-card-using nations in the world (in terms of transactions per inhabitant).Footnote 5 In July of 2011, the Canadian Bankers Association reported that there were more than 71 million MasterCard and Visa credit cards in circulation in Canada.Footnote 6
As noted in the Task Force’s discussion paper, The Way We Pay - Transforming the Canadian Payment System, the Canadian payments ecosystem each year accounts for 24 billion payments valued at over $44 trillion.Footnote 7
Reports also indicate that Canadians spent over $16.5 billion in e-commerce activities in 2010 and that this was expected to double by 2015.Footnote 8 E-commerce figures for 2009 were estimated by Statistics Canada to be $15.1 billion.Footnote 9
Building on recent developments such as the rapid adoption of mobile devices (e.g. smartphones),Footnote 10 the ability of payment cards to store more data,Footnote 11 the growth of Near Field Communication (NFC) for mobile payments at point-of-sale terminals,Footnote 12 and the development of innovative capabilities such as digital wallets, mobile payments are poised for dramatic growth.
It has been reported that global mobile payments are expected to triple from the current value of $240 billion to $670 billion (USD) by 2015 and that mobile payments are expected to be widely adopted in Canada.Footnote 13 This is supported by reports that Canadian banks will be trialing these new payments system technologies in the near future.Footnote 14
The success of the payments system is clearly dependent on the responsible management of the personal information that is associated with each and every financial transaction. As such, in order for the payments system to responsibly accommodate new and innovative technologies - the very essence of what drives the payments system - particular attention needs to be paid to how the personal information associated with financial transactions is handled throughout the payment process lifecycle and to ensuring that these practices meet PIPEDA’s minimum standards.
2 — Consumers Are Concerned About Their Privacy
As new technologies and innovation are being considered in the Canadian payments ecosystem, it is essential that individuals trust that these technologies and tools are going to be employed in a privacy protective manner.
In a recent survey commissioned by the OPC,Footnote 15 roughly 9 out of 10 individuals indicated concern with businesses requesting too much personal information, not keeping information secure, selling it to other organizations, or their personal information being used in spam or unsolicited marketing. As well, over 65 percent of those surveyed indicated that the protection of personal information will be one of the most pressing issues in Canada in the next ten years.Footnote 16
A report by Industry Canada on mobile commerce referenced a KPMG study that found 55 percent of Canadians had not engaged in mobile banking due to security and privacy concerns.Footnote 17 As well, a survey undertaken for the Canadian Wireless Telecommunications Association found that security concerns were a top reason as to why individuals have not used cell phones for banking or making purchases.Footnote 18
Those findings clearly demonstrate that Canadians do have concerns with privacy, and organizations that make up, or otherwise participate in, the Canadian payments system must meet their legislated privacy obligations. As well, since privacy is a principle that the Task Force has linked to its governance framework, non-compliance with privacy obligations means not meeting the objectives and principles outlined by the Task Force for the sound stewardship of payments.
3 — What Is Personal Information?
Under PIPEDA, personal information is information about an identifiable individual. The OPC and the courts have tended to take a contextual approach in determining whether certain information constitutes personal information in particular circumstances.Footnote 19 While it is easy to make the link that certain information such as name, address or phone number is personal information, the digital environment has created challenges in determining whether information is personal information under PIPEDA.Footnote 20 For instance, the OPC has determined that an Internet Protocol (IP) address is personal information if it can be associated with an identifiable individual.Footnote 21
With specific reference to information that is related to payments, the OPC, in its investigative findings relating to various complaints, has determined that bank account numbers,Footnote 22 transaction histories,Footnote 23 credit card numbers,Footnote 24 email addresses,Footnote 25 consumer purchases,Footnote 26 transactions,Footnote 27 customer membership and account information in the context of frequent flyer or consumer loyalty programs,Footnote 28 and customer complaint informationFootnote 29 are personal information.
The Task Force noted that digital payments contain personal information and that digital payment transactions involving debit card and credit card at point-of-sale machines, mobile payments, and online e-commerce all use personal information.Footnote 30
It should be noted, though, that employing new technologies and implementing new business solutions may result in the collection of additional, ancillary personal information for purposes that are distinct from the payment transaction.
It is also important to point out that what may initially appear to be “innocuous” anonymous or de-identified information, when combined with information from other sources and databases, could produce data that can be linked back to specific individuals.
One of the challenges the Task Force noted for the payment environment is the need to ensure that new technologies are not employed in a manner that infringes on individual privacy rights.Footnote 31 This is a real concern as there have been reports that, in some instances, electronic logs that were considered anonymized did lead to an identifiable individual when used in conjunction with other available information.Footnote 32
Given the range, specificity, and sheer volume of personal information collected, used and disclosed during payment transactions, it is imperative that stakeholders in the Canadian payment system understand and adhere to their obligations under PIPEDA and applicable provincial privacy legislation. Moreover, there should be ongoing recognition that all payment system options should be implemented in a manner that respects individual personal information and privacy rights.
4 — Develop Strong Privacy Practices In Accordance With PIPEDA And Applicable Provincial Privacy Laws
An essential part of transitioning to a digital economy is developing and implementing a governance framework that supports effective policies and procedures to protect privacy in the payment system.
The Task Force has outlined a set of 12 principles – including privacy – that it says are “fundamental to the sound stewardship of payments.”Footnote 33
With respect to privacy, PIPEDA outlines the legislated information handling practices for organizations that collect, use and disclose personal information in the course of commercial activities. Schedule 1 of the Act contains 10 principles for fair information practices: i) Accountability; ii) Identifying Purposes; iii) Consent; iv) Limiting Collection; v) Limiting Use, Disclosure, and Retention; vi) Accuracy; vii) Safeguards; viii) Openness; ix) Individual Access; and x) Challenging Compliance.Footnote 34
The sound stewardship of payments requires fully addressing all of the principles in PIPEDA and applicable provincial substantially similar privacy legislation. Compliance with privacy legislation is not only a legal requirement for the industry, but a practical necessity so that stakeholders within the payments system, both individuals and organizations, maintain confidence in the payments system governance and operation frameworks. Without this trust, individuals may be wary of adopting new technologies and industry may not have confidence in the payments infrastructure. This may result in lost opportunities for innovation and growth.
For the purpose of this submission, the following section provides an overview of some of the principles that are especially important to consider as they relate to the Task Force’s discussion document on innovation and transition of the Canadian payments system.
Accountability
Under PIPEDA, “(a)n organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.”Footnote 35
Organizations need to demonstrate that they are accountable to their customers and have put in place the appropriate policies, procedures, and privacy management frameworks to minimize risks, protect their customers, and address their legislative compliance requirements.
For example, policies related to training need to be developed so that employees throughout the organization understand their privacy obligations. In addition, training policies, procedures, and programs need to be updated to ensure that they are current with existing business operational requirements and obligations. As mentioned in our 2010 PIPEDA Annual Report to Parliament, a recent survey conducted for the OPC found that only 37 percent of businesses provided privacy training to employees – a result that needs to be improved upon to effectively meet PIPEDA obligations and protect privacy.Footnote 36
Identifying Purposes and Consent
The Identifying Purposes principle states that: “The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.”Footnote 37 The Consent principle means that: “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.”Footnote 38
The Identifying Purposes and Consent Principles are closely linked. Without appropriately defining the purposes for which personal information is to be used, there may be a question as to whether knowledge and consent has been obtained.
Given the ubiquitous nature of the payments system and the volume of personal information involved in payment transactions, identifying why personal information is collected, how it will be used and disclosed, and informing individuals of these reasons are necessary under PIPEDA to obtain meaningful consent. This can be achieved through flexible and innovative means, as long as they are meaningful to consumers and provide them with choice and control. Lack of compliance with these requirements is not only a breach of privacy law, but can undermine consumer trust and participation in the payments system.
The evolving nature of the payments system poses some challenges in this regard, particularly in the mobile environment, but knowledge and consent are requirements under the law. Any new purpose for collecting, using or disclosing the information must be identified and the individual's consent obtained beforehand.
Obtaining meaningful consent is a condition of meeting the privacy expectations of individuals. An individual’s knowledge and consent regarding the collection, use, or disclosure of their personal information is a cornerstone of PIPEDA and is one of the means by which individuals can exert control of their personal information.
Without meeting these privacy obligations, it may be more difficult to fully gain consumer trust.
The importance of knowledge and consent in the digital society has been noted by the OPC in our 2010 Annual Report on PIPEDA. The report mentions that the percentage of complaints related to consent grew from 10 percent to 20 percent from 2009 to 2010 and in part this was attributed to the growing number of online complaints.
Openness
Openness under PIPEDA means: “An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.”Footnote 39
The Task Force notes that the payments system is complex, that new technologies create opportunities and challenges,Footnote 40 and that there are a number of different stakeholders involved.Footnote 41 Given this environment, it is extremely important for organizations to have clearly identified information management practices and transparent privacy policies so that consumers can understand how their personal information is being handled throughout the payments lifecycle.
A system as complex as the payments system may not necessarily be one that many people fully understand. Similarly, it may be difficult for consumers to fully understand how their personal information is handled during the payment process. Therefore, it is essential that organizations that make up, or otherwise participate in, the Canadian payments system have privacy policies that are accessible, transparent and easy to understand. This will serve to provide information to individuals about how the payments industry operates and where they can seek recourse if they feel their privacy rights have been breached or want to ask for a correction to their personal information file.
A responsible and effective business-consumer relationship is supported by practices where privacy policies are easily available, and information management practices are written so that they are understandable.
Limiting Collection
The Limiting Collection principle in PIPEDA states that: “The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.”Footnote 42
With advances in technology, it has become easier and less expensive to collect and store data.
Collecting and keeping vast quantities of personal information can become an unnecessary data breach liability, and can have considerable consequences for both industry and consumers.
The payments system involves sensitive personal information. The risks associated with a data breach have implications for consumers related to time, effort, and possible repercussions to their reputation. As such, having well-defined information management practices that limit the collection of personal information to only that which is necessary to execute a given financial transaction can mitigate risks associated with a data breach and demonstrate commitment to consumers’ privacy rights.
Limiting Use, Disclosure, and Retention
The Limiting Use, Disclosure, and Retention principle in PIPEDA requires that: “Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.”Footnote 43
New technologies may offer new ways to use personal information after it has been collected. It is important that information is not used or disclosed beyond the purposes for which it was collected to avoid any possibility of function creep. Consumers should be confident that their information is only used for the purposes to which they have consented.
In an environment where storage options and capacities are increasing and associated costs are dropping, it may be tempting to overlook the requirement of retention and disposal policies under applicable privacy legislation. The retention of users’ personal information should be strictly limited to that which is required for identified purposes in order to mitigate the privacy risks from a data breach.
Safeguards
The Safeguards principle in PIPEDA means that organizations subject to the Act have a responsibility that, “personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”Footnote 44
New threats to the security of personal information arise with the introduction and adoption of any new technologies, such as smartphones. Recent reports have highlighted a growth in malware targeting mobile devices, threats to online payment systems, potential security risks associated with financial applications, and potential risks in new mobile phone credit card readers.Footnote 45 Malevolent actors employ a range of tactics to illicitly obtain information. Outside of technical attacks, they may also engage in social engineering practices such as phishing.Footnote 46
Given the personal information new payments technologies can process, these new technologies must be deployed in a manner that protects an individual’s personal information and the integrity of the overall payment system. This requires organizations to approach security from multiple aspects, including technical security safeguards, physical security safeguards and procedural security safeguards. Implemented safeguards need to be continuously tested, reviewed and modified to ensure that they continue to be effective and adaptive as the threats evolve.
A Privacy Impact Assessment (PIA) is a proactive measure that can help address potential privacy and security risks byFootnote 47:
- Identifying all of the personal information related to a program or service and then looking at how it will be used;
- Mapping where personal data is sent after it is collected;
- Identifying privacy risks and the level of those risks; and
- Finding ways to reduce or eliminate privacy risks.
A PIA is a fundamental tool to help with overall privacy protection and also serves as a risk assessment tool. As innovation is being spurred on by new technological solutions, a PIA can play an important role within the overall risk management process in the implementation of new technologies by the payment system sector in Canada.
5 — Identity Considerations in the Payments System
As a best practice, only the minimum essential information should be used throughout the process of identification and authentication, and protocols should be defined on a need-to-know basis. This is true regardless of the payment method an individual has chosen.
Individuals should have a variety of payment options available to them, and, in some cases, may choose certain payment methods over others. For example, an individual purchasing a self-help book for depression may wish to make a purchase using cash in order to avoid creating a record of the nature of their purchase.
It is understandable that, in some cases such as instances related to Anti-Money Laundering or “Know Your Customer” requirements, there may be certain authentication requirements that are required by law. However, these obligations should not prompt the over-collection of personal information that is not ultimately legally required.
The principles set out in the OPC’s Guidelines for Identification and AuthenticationFootnote 48 and Industry Canada’s Principles for Electronic Authentication: A Canadian FrameworkFootnote 49 outline a number of key issues when addressing identification and authentication considerations. While these documents remain relevant today, massive social and technological changes encourage us to both broaden and refine our thinking.
As identity management systems are developed within the payments system, the key principles outlined in PIPEDA represent a minimum legal standard that will help build and support a digital identification and authentication system that is privacy-respectful. If not done carefully, the risk is that such a system could be highly privacy-invasive.
6 — Cloud Computing and the Payments System
Many organizations may employ cloud computing solutions as a part of their overall business strategy. While cloud computing may provide efficiencies, there are questions relating to the security of personal information, extra-jurisdictional issues, misuse of processing data, permanence of data, ownership of data, and third-party access to information.Footnote 50 PIPEDA does not prohibit transborder data flows, but does contain provisions to ensure that individuals’ privacy rights are respected through appropriate means, including contractual obligations to ensure a comparable level of protection.
The OPC has issued a consultation paper on privacy issues related to emerging technologies, including cloud computing.Footnote 51 As payment systems may include cloud computing solutions, federal privacy legislation is clear that organizations remain accountable for protecting their customers’ personal information and must be transparent about their information management practices.
To support this, a number of solutions can be employed. For example, an organization can add contractual provisions so they are satisfied that the third party has policies and processes in place to protect information.
The OPC has published materials on its website on the privacy implications of transborder data flows and cloud computing that may help participants in the payments system to understand their obligations and rights under PIPEDA.Footnote 52
7 — The Task Force’s Proposed Governance Framework
The Task Force has proposed a governance framework that includes a Payments Oversight Body, made up of a cross-section of representatives, for accountability and oversight. A truly effective oversight body should include representation from the privacy community, including privacy practitioners and advocates. A broad range of independent privacy experts will be able to provide oversight with respect to data protection.
The Task Force also suggested that payment specific legislation may be introduced to set minimum industry standards.
The OPC would like to reinforce the fact that voluntary industry standards regarding personal information must meet the minimum legal requirements set out under PIPEDA and applicable provincial privacy legislation.
If new proposed payments legislation is to be considered, due consideration must be given to privacy compliance obligations. Before introducing any measures that relate to privacy, a comprehensive review would be needed to properly assess and address roles, responsibilities and jurisdictions currently established under existing regulatory and legislative frameworks.
Finally, the importance of continuing to conduct public consultations is a key step to encourage discussion and understanding of privacy issues raised in the payment system context. A system that is open and participatory will benefit from exchanges involving a broad range of privacy stakeholders. Dialogue can help generate solutions to the challenges that digital payment transactions pose to data protection.
8 — Privacy Literacy in the Digital Environment
The OPC’s 2010 Annual Report on PIPEDA emphasized that Canadians’ privacy literacy needs to match their digital literacy.Footnote 53 In other words, the ability of a consumer to navigate the online environment in a way that preserves their individual privacy is an essential part of digital literacy. There is a need for both consumers and businesses to improve their privacy literacy so that personal information is effectively protected in the digital economy.
Industry Canada issued a report in the winter of 2010 titled: Mobile Commerce - New Experiences, Emerging Consumer Issues. A part of the report focused on youth and their adoption of mobile devices. The report referenced a study that found that, in 2005, 80 percent of e-commerce by youth in Japan aged 15 to 19 was done via cell phones.Footnote 54
The need to improve privacy literacy in an online context is essential for all individuals involved in the payment ecosystem. While youth are usually the most enthusiastic adopters of new technologies, users of all ages need to have the tools necessary to understand and manage how their information is collected, used and disclosed, especially in online and mobile marketing scenarios. We have also heard that youth are interested in learning about tools to control their personal information. Therefore, outreach activities and tools aimed at youth, if properly designed, could be useful and welcomed by young people.Footnote 55
Taking into account the breadth and sensitivity of personal information used in the payments system, the Task Force should explore the possibility of developing an education and outreach strategy aimed at consumers, including youth.
9 — Conclusion
The Task Force presents four scenarios for consideration in looking at the opportunities and challenges that may face the Canadian payments system moving forward.
With respect to the four scenarios, our Office strongly recommends that any approach to transform the payment system take into account the importance of integrating privacy protection requirements as outlined in PIPEDA throughout the payments system as a necessary pillar for promoting industry and consumer participation and helping foster innovation.
According to Industry Canada:Footnote 56
“The impersonal and remote nature of electronic commerce places a heavy burden on the need for means to reduce or eliminate risk. Security, privacy and consumer protection are all required to instill trust in electronic commerce, for both businesses and consumers.”
Our Office appreciates the opportunity to respond to this consultation and would be more than pleased to continue discussions with the Task Force on the importance of addressing legislative privacy requirements in the payments system.