Getting a handle on your business' personal information practices and how good privacy practices are good for business

The speech was part of a series of speaking events for the cross-Canada Chamber of Commerce tour

April 27, 2016
London, Ontario

Address by Brent Homan
Director General, PIPEDA Investigations Branch

(Check against delivery)

Introduction

Thank you for the opportunity to speak to you today about privacy.

Given the myriad of new technological advances and potential low cost uses for information at your disposal to help grow your business and communicate more effectively with clients, it is an issue many of you have no doubt grappled with in recent years.

Social media and email have created tremendous opportunities for targeted advertising and direct communications. Big data and new business models related to the commoditization of personal information are now more accessible than ever to organizations large and small. And when it comes to tech innovation, its impact on privacy can only be described as revolutionary. The expansion of computing power, data-storage and bandwidth has greatly outpaced historical innovations such as the introduction of electricity and the telephone. In terms of cost and accessibility just ponder that in 1992 a gigabyte of data cost $569 while today that has dropped to fractions of fractions of a cent.

Of course, this has also led to drastic increases in the collection, use and disclosure of personal information, along with novel challenges and risks that flow from that increase.

Just recently, the Office of the Privacy Commissioner of Canada (OPC) learned of a company in the North West Territories that was using Facebook to name and shame customers for non-payment of their accounts. We quickly intervened and put a stop to this activity. I don’t think I have to explain why.

As the Spiderman comic suggests: with great power comes great responsibility. Companies need to first realize that a law exists, know their limits and act responsibly.

In 2015, the OPC unveiled a set of privacy priorities to guide the work we do over a span of five years. The economics of personal information—finding that balance between privacy protection and innovative new business models that profit from the trade of personal information—was identified as one of these key priorities going forward. We want to encourage privacy protection in ways that don’t hamper innovation. This will ultimately engender trust by ensuring individuals retain meaningful control over what happens with their personal information.

In researching and consulting stakeholders on those future priorities, it became apparent that small businesses as a group that may not be entirely aware of their privacy protection obligations under the Personal Information Protection and Electronic Documents Act, or PIPEDA, Canada’s federal private sector privacy law.

An analysis of complaints to our Office found that more than a third of PIPEDA complaints closed related to small businesses. Common problems included personal information being emailed to the wrong person, the unnecessary collection of sensitive information such as Social Insurance and driver’s license numbers and the use of video surveillance without adequate notice. Retailers, landlords, real estate agencies, collection agencies, travel agencies, law firms, financial planners and online businesses are among the most common targets of privacy complaints to our Office.

Further, a poll of more than 1,000 businesses across Canada found the smaller the enterprise, the lower the level of privacy awareness it had. Smaller businesses are less likely to use encryption or even locked filing cabinets to protect customer information. Some companies have also admitted that they did not know they were subject to PIPEDA. And do you know what? I get it. This is not entirely surprising given that we are dealing with businesses and sectors that may not have historically collected a lot of customer information, but now are.

Think of the restaurant sector that 10 years ago took reservations in a book and who may now be using 3rd party apps to make reservations and establish loyalty programs. The good news is that many of the privacy challenges these businesses face are low-tech problems with low-tech solutions, some of which I will get to later.

The purpose of this Chamber Tour is to begin to reverse this current reality by not only highlighting small businesses’ privacy obligations but why it makes good business sense to protect your customers’ personal information.

For starters, we know that small businesses face a multitude of compliance pressures, on top of their day-to-day operational demands and compared to larger organizations, many of you struggle with a limited staff to address all of those issues. But we also know that Canadians are increasingly concerned about their privacy and are choosing to do business with organizations that are sensitive to those concerns.

The bare truth is, good privacy practices are good for your business. In fact, privacy, alongside traditional factors like price and quality, is increasingly a material consideration in consumer’s purchasing decision, not dissimilar to how environmental impact and the “green-ness” of a product or service has been a factor. If customers have confidence in how you will protect their information, that may very well make the difference in whether or not they choose to do business with you.

Your obligations under PIPEDA

So what are your obligations under PIPEDA?

Put simply, PIPEDA is a federal law that sets out the rules surrounding the collection, use, disclosure, retention and disposal of personal information. It applies to all organizations involved in commercial activity, except those in British Columbia, Alberta and Quebec which have their own similar private sector privacy laws. That being said, the federal law continues to apply in those provinces (i) to companies engaged in interprovincial or international transactions and (ii) to all federally regulated organizations such as banks, telecommunications and transportation companies.

PIPEDA includes 10 fair information principles that all businesses subject to the Act are required to adhere to. These are outlined in our Privacy Toolkit for Businesses. I brought some copies to share following my presentation. I’m not going to get into all of them but I will elaborate on a few that are particularly relevant to your business.

A big one is to obtain valid consent, which is generally required for any collection, use or disclosure of an individual’s personal information. To be valid, your customer must understand the nature, purpose and consequences of what they are consenting to. It is ultimately your responsibility to obtain consent after explaining, verbally or in writing, the reasons for which you are collecting, using or disclosing the personal information – and this is a good first test of whether you are over-reaching, if you can’t answer yourself the question “why are you collecting this information” you probably shouldn’t be collecting that information in the first place.

The reasons should be provided before or at the time the information is being collected and at any point you decide to use information previously collected for a different purpose. And remember, consent is not a silver bullet. The request for information itself must be considered reasonable, which I’ll expand upon in just a moment.

It is also a good practice to limit collection. Do not collect information you do not need or information you think you may require down the road. For example, driver’s license information can be valuable to those who intend to commit identity crimes. With that in mind, you may ask to see an individual’s driver’s license to confirm identity, but making a copy of such a sensitive document should not be a standard operating practice, and certainly not keeping a book of such information accessible at a service counter, a scenario that I learned of from the Yukon Commissioner when visiting Whitehorse a few months back.

Another key obligation under PIPEDA is to use appropriate safeguards to protect the information you collect. Whether provided to you in writing or electronically, you are responsible for securing the personal information in your care from loss or theft. You may choose to do this through some very simple means such as using locked filing cabinets to protect paper documents, limiting access to certain employees and using passwords and encryption to protect electronic data. Privacy is a dynamic rather than static obligation, so it is also important that you review and update security measures regularly.

One final thing I would like to note is that PIPEDA states that any collection, use or disclosure of personal information only be for purposes that a reasonable person would consider appropriate in the circumstances. While somewhat subjective, there are examples that serve to highlight what might be considered inappropriate. A few years ago, our Office concluded that it was inappropriate for a rent-to-own company to use covert spyware, with the ability to snap pictures and log keystrokes, to locate allegedly stolen laptops.

Similarly, we concluded it was not appropriate for a company to monitor people’s bathroom visits in order to locate the person responsible for messing up the men’s toilet. And finally, we concluded a case against Bell last year, where we found that it would not be appropriate to use credit score information in order to create profiles of customers to send them targeted ads.

Common Sense is key here and there’s a simple technique to assess appropriateness that you may wish to try out – just put yourself in the customers shoes – would the collection of information leave you feeling creeped out or uncomfortable? If the answer is yes, that’s a good sign it may not be appropriate to use!

Addressing issues to avoid damaging your reputation/profits

The bottom line is privacy issues can damage your company’s reputation and cut into your profit margin. One of the fair information principles I showed you earlier is accountability. You are responsible for protecting the personal information you have collected.

That means building privacy protections into everything you do as a business and having clear policies and procedures for the collection, use and disclosure of personal information. The best way to do this is by developing a privacy management program that covers all aspects of how you handle the personal information in your care. We have guidance on designing a privacy management program available on our website, along with a handy tip sheet for businesses.

For starters, lead by example. Business owners and senior managers need to buy in to the notion that privacy makes good business sense if staff is to follow suit. You’re the leaders, if it matters to you, it will matter to your staff. Show you’re serious about privacy by appointing a privacy officer or somebody to lead up privacy issues. Provide contact information so your customers can address their questions to that individual. This includes questions from staff too.

Remember, your staff is key. Train them about privacy. If your sales clerks have been told to ask customers for their email address or postal code at point of sale, make sure they can answer why that information is being collected because I promise you, there will be customers who will ask.

Take responsibility for the actions of your employees. Having a privacy policy is great but that policy needs to be followed. Consider limiting access to personal information to those who need to know it, monitoring who accesses certain systems that contain sensitive data and providing additional training where necessary. There should be consequences for those who fail to follow procedures. We have seen a series of complaints in the area of employee snooping – which is basically, employees, perhaps through curiosity, looking at customer or client information when they have no business reason to – whether it’s a friend, neighbour, family member or celebrity. Employees must understand this is a serious matter with disciplinary repercussions.

You are also responsible for what happens to personal information you shared with third-parties. Whether passing along a customer’s address to a courier to deliver a product, storing customer purchase records in a cloud or sharing client data for marketing purposes, it is incumbent on you to review the privacy practices of contractors you do business with to ensure their security safeguards and privacy practices meet your standards. You could also consider adding a clause to any third-party contract requiring the contractor to protect your customer’s information, use it only for the purposes agreed and that they destroy the information once the contract is complete. Consulting a lawyer or privacy expert could help with this.

On that note, you should have policies in place for how your company gets rid of its own old records. We once received a complaint from an individual who learned his banking information had been discovered in a recycling bin in an underground parking lot. It turned out a pair of employees tasked with cleaning out a former colleague’s desk tossed the documents in the recycle pile rather than the shredder pile. It prompted the company to review its disposal and employee termination policies and re-train their staff.

Turning to cameras, if you use video surveillance on your premises, you have to tell your customers or clients, even if you don’t retain the footage – people’s images are clearly personal information. Post signs in obvious places to let people know that they are being filmed, don’t point cameras directly at people’s homes, provide contact information in case anybody has questions about the use of video surveillance and be discreet about where you monitor the feed. For instance, property managers should not be monitoring surveillance footage from the comfort of their living rooms!

Now here’s a biggie, I would highly caution against asking for a person’s Social Insurance Number (SIN), which is meant for income reporting purposes. We sometimes see this in the accommodations sector, for example, as part of a rental agreement. Few organizations are legally required to collect it. It is not required for a credit check and should be clearly marked as optional on any forms. Companies should never demand a SIN as a condition of service, unless, of course, required by law. For more information on SINs, you may wish to have a look at our Best Practices guidance on our website.

You should also develop a clear process to deal with any complaints about your company’s personal information handling practices. Being able to address privacy questions or concerns upfront and quickly can go a long way towards avoiding complaints to our Office. As I’m certain you are aware, customers tend to get frustrated when “passed around” too much when trying to get an answer!

A vast amount of the complaints we receive result from the simple and correctable fact that staff could not explain why information was needed, or that no-one at a company would listen to their concerns. Ensuring that staff can explain such reasons could very well avoid costly investigations, which have been said to run in the range of $25K according to one company. We have a tip sheet specifically aimed at avoiding complaints to our Office on our website, you may wish to have a look at!

Finally, let’s talk about something that is constantly in the news – breaches, everyone has heard of the Ashley Madison breach right? – this is a matter we have examined through a joint investigation with our Australian privacy counterparts.

Quite simply, breaches are often equated to privacy crises and you will want to have procedures in place in the event they occur. That said, despite your best efforts, breaches can and do happen. It might involve the theft of personal information by computer hackers, the loss of a flash drive containing customer data or even a disgruntled ex-employee walking off with a box of client information or contact lists.

According to a recent US study, 90% of breaches impact small businesses and the average cost of a breach to a small business is around $36K and can reach $50K. These costs may include forensic exams, notification of customers and repair costs, but aside from that there are significant non-monetary costs as well which includes damage to your brand and reputation, in addition to the bad press that often accompanies breaches.

Last year, private sector organizations voluntarily reported 92 breaches to our Office, a significant jump compared to the last five years. Some 35 per cent of those breaches involved small businesses, a figure consistent with previous years. As you may know, private sector breach reporting is voluntary but that is soon to change. A law passed in June 2015 has made it mandatory for companies to report serious breaches to our Office and to notify impacted individuals.

But there are measures that can be taken to minimize the chances or mitigate the damage of breaches, and just because you have had a breach does not mean you are in violation of privacy laws.

So what can you do – for starters, test your technology for vulnerabilities and make sure old systems or databases aren’t vulnerable when you upgrade to newer technology. There’s off-the-shelf solutions and security specialists that can help with this in the likely event you don’t have an “IT Dept”. It’s also a good idea to be aware of breaches within your industry. Attackers will often employ the same tricks against multiple businesses. The more alert you are, the more likely to you are to avoid the same pitfalls.

By heeding this advice and preparing for the worst, you are better armed to avoid the sort of problems that could cost your business serious cash and credibility.

CASL and what it means for e-marketing

Before wrapping up, I want to spend just a few minutes on CASL, Canada’s Anti-Spam Legislation, as it includes a number of new responsibilities for businesses and we often get questions about it.

CASL came into force on July 1, 2014. Enforcement of this new law is shared between our Office, the Canadian Radio-television and Telecommunications Commission (CRTC) and the Competition Bureau. Our Office is responsible for dealing with two types of violations:

• Address Harvesting, which generally involves using computer programs to automatically mine the Internet for email addresses in order to compile lists for marketing purposes; and
• The collection of information through use of spyware or malware.

We recently announced the conclusion of our first CASL investigation against a Quebec-based training company that we found to be engaged in address harvesting, scraping and using people’s emails without their consent to contact them with sales offers. We have also just commenced our first spyware case.

Now, you may be thinking – “hey, this isn’t the type of stuff that effects my business or that I need to worry about”, and on that point you would be wrong. So to that end, I’m going to share a few tips related to these areas.

With respect to electronic address harvesting, what you need to know is that any customer lists that are compiled must be done so with the full consent of individuals on that list. In the event you hire a third party to do email marketing on your behalf, make sure they don’t engage in address harvesting either, and that the list they produce has been developed with full consent, because if you use it, you are still on the hook for the Address Harvesting provisions.

So what can you do?

Well if you buy an email list from a vendor to conduct in-house e-marketing, ask questions about how that list was compiled and make sure address harvesting was not used. You should also be aware of how those who compiled the list obtained consent from the individuals on it, and what measures are being taken to ensure lists are kept up-to-date as individuals are able to withdraw their consent to receive commercial messages at any time. Make this a contractual provision with third parties and do your due diligence.

Our other role has to do with programs known as malware or spyware which can be downloaded and remotely installed on computers in order to collect personal information. Such programs may be used to gather information about web browsing for marketing purposes, or for more nefarious reasons, like to capture individual keystrokes to steal passwords and credit card numbers. Some act like a virus and are designed to harvest a person’s email address book.

Conclusion

Without question, technology has opened the door to all kinds of new opportunities for businesses and the most successful are increasingly those that find innovative new ways to use technology. PIPEDA does not exist to stifle innovation. Canada’s federal private sector privacy law is here to support and promote safe and responsible electronic commerce. But legal obligations must be respected. Your employees expect it, your customers demand it and your bottom line can’t survive without it.

According to our last public opinion poll of Canadians, only 16 percent believe businesses take their responsibility to protect personal information very seriously. Nearly a third said they have suffered negative consequences due to an organization misusing, sharing or losing their personal information.

The good news is that 81 percent said they would choose to do business with a company specifically because it has good privacy practices.

These figures demonstrate Canadians care about their privacy and choose to do business with companies that have strong personal information protection practices. This is your opportunity to demonstrate that you are one of those businesses.

At the end of the day, privacy is good business. The Office of the Privacy Commissioner of Canada is here to help.

I’d be delighted to take some questions.