Bell Canada, Telus and Scotiabank ranked among the top 20 Canadian companies with the best privacy policies, according to a new index developed by a Toronto-based privacy firm.
Others that topped the list, which was divided into five market segments (telecommunications, banking, retail, insurance
and consumer services), include SaskTel, TD Bank Financial Group, Indigo Books & Music, Aviva Canada and TransUnion Canada.
“There are lot of policies out there that have high level motherhood statements that really don’t address specifics related to what a company does with a consumer’s personal information,” said McQuay, adding that Nymity looked at between 100 to 300 companies’ policies. “You can spot them just like that. They’re short, they don’t say too much. We can blast through all kinds of those until we find a good one.”
Four key components that constitute best privacy policies, according to Nymity experts, include accountability to consumers and to the Commissioner’s office, mitigation of business risks such as lawsuits and customer complaints, policies that build consumer trust and compliance of privacy legislation.
Governed by the Canadian Radio-television Telecommunications Commission (CRTC), Bell Canada was subject to stringent customer information restrictions and rules long before the first incarnation of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect in 2001. The full implementation of PIPEDA was rolled out to all Canadian businesses in January 2004.
TransUnion Canada, which placed first in the consumer services category, has also been PIPEDA-compliant since 2001. The company provides services and support to consumers and businesses including credit reporting and fraud victim information.
“(Privacy) is really a key focus of our business,” said company president Ken Porter. “It’s just something that I didn’t want to pay lip-service to. You see a lot of one-liners out there about people’s commitment.”
TransUnion Canada is a fully owned subsidiary of TransUnion LLC, which is based in Chicago, and has a compliance group to lead quarterly training of all its associates that is monitored and led by a chief privacy officer.
Using the index, which is available to PrivaWorks subscribers free-of-charge, Nymity ranked the companies based on 10 areas of criteria, including accountability, safeguards and consent. Starting at $950 for an annual subscription, PrivaWorks is an online resource centre for privacy officers, lawyers and privacy consultants that helps them maintain compliance regulations, alleviate potential privacy breaches and reduce and better-resolve customer complaints.
“We want companies to explain what individuals are consenting to, how long they are consenting for use of that information, who else is going to see information and how many different uses will it be used for,” said McQuay.
Bell, for example, has to obtain customer consent before it shares their information with its mobility division. The telco giant is currently building a process to collect that data.
“We’re old hat at that,” said Giordano, referring to consent practices. “The CRTC regulations prevent us from sharing customer information from our sister companies Bell to mobility.”
Every customer that comes on board with TransUnion Canada needs to have consent in order to pull information from a credit report, said Porter. TransUnion Canada, for example, does in-depth background checks on companies when setting up an account that includes a personal visit, bank check, reference check and audits.
“We made it so if you’re going to be a member of TransUnion and pull customer information you really have consent to do so,” said Porter.
Another area of the index’s criteria looks at individual access in terms of contact numbers, time frames and what an individual can and can’t ask for, according to Nymity. A customer, for example, must inform a company when they no longer want a piece of information to be used.