Canadian companies are growing confused and irritated over some of the grey areas in the federal privacy law around data collection over the Internet, according to the lawyers who counsel them.
Less than a month after the Personal Information Protection and Electronic Documents Act (PIPEDA) came into full effect, many firms have yet to appoint a chief privacy officer, audit their business practices or rewrite their privacy policies, experts told a Society of Internet Professionals event Monday night. The situation is compounded, they said, by clauses in the Act governing personal information (PI) that are still widely open to interpretation.
Eloise Gratton, a lawyer with Montreal-based Mandelsohn LLP and author of Internet and Wireless Privacy, said she has consulted with high-tech firms that publish privacy policies more than 15 pages long, or that rely on aging legacy systems to hold customer data. “They’ll say they don’t do any data sharing, and I’ll ask them, ‘Do you have an outside company host your site?’ or ‘Do you have a third party handle your Web site transactions?’” she said. “They don’t seem to realize that they do share personal information.”
PIPEDA demands companies not only obtain consent from customers before using their PI, but that they don’t collect it unless it’s really necessary. And yet, Gratton said, many firms are moving towards a Web site model whereby users are asked to register before accessing what used to be publicly available information. Social insurance numbers are often collected without reason, she said. There is also a lack of education around “spyware” that tracks users’ surfing habits.
“You can activate these almost anywhere. I’ve probably downloaded spyware three times in the last six months,” she said. “And I’m a privacy lawyer. I should know better!”
The carelessness extends to IT professionals within the enterprise, said Nigel Brown, who works in the IT security, privacy and testing practice at IBM Canada’s Global Services group. Brown said he has frequently come across companies conducting a pilot project using real “in production” customer information.
“The idea (with PIPEDA) is that you don’t just go for minimum compliance,” he said. “The government is really trying to take the high-watermark approach.”
At IBM, each manager has to conduct a privacy impact assessment (PIA) which involves a self-evaluation of various business processes. The end result is a gap analysis that tells them whether Big Blue might risk a PIPEDA violation.
“Making a promise to protect users’ privacy is sort of the easy part,” he said. “The difficulty comes when you operationalize that into the core of your company.”
Brown recommended that companies make their lives easier by building on existing processes, such as audit checks, and adapting PI collection accordingly, rather than trying to develop new methods from the ground up.
One of the difficulties is meeting PIPEDA’s requirement that customer data be kept accurate. Gratton cited the case of a U.S. firm conducting a survey which later learned 68 per cent of respondents had typed in their address as Beverly Hills, 90210. Privacy policies around data retention should also take into consideration complementary legislation like the Ontario Limitations Act, which requires some PI to be kept for 15 years. “Not everything needs to be in there that long, but I would say you should keep data for at least a few billing cycles,” she said.
While all businesses may face some changes under PIPEDA, it also raises issues for private investigators, said Norman Groot, a privacy investigation lawyer with McCague Peacock LLP in Toronto. As Groot pointed out, someone assigned to investigate insurance fraud or bank fraud can’t very well obtain consent from a suspect for the collection of their PI. PIPEDA does allow consent to be waived in the event of a breach of contract or if there is reasonable suspicion that a law is being broken, but this usually can’t be proven until privacy has been violated, he said.
Industry Canada is mandating that private investigators be formally designated as an investigative body by applying through their professional association, Groot said.
In general, Gratton said, companies would be well advised to look at international privacy laws as well as PIPEDA as they fine-tune their policies and practices. “You want to be as compliant as possible,” she said. “If you’re on the Internet, the Internet is global, so you’re better to disclose and inform wherever you can.”
Some of the most significant changes to the way enterprises handle PI may be still to come, Gratton added. Quebec, which has had provincial legislation since 1994, recently made a constitutional challenge against PIPEDA, arguing that privacy should be handled at the provincial level.