OTTAWA — The best way for e-businesses to rebuild the public’s waning trust of online transactions is to comply with Canada’s new privacy rules, says Jennifer Stoddart, privacy commissioner of Canada.
Stoddart went before a conference in Ottawa recently to champion the federal government’s Personal Information Protection and Electronic Documents Act (PIPEDA) as a piece of legislation that will improve the bottom lines of those in the e-commerce industry.
“PIPEDA is not an impediment to e-commerce and e-business,” she said during her keynote address to IT Privacy and Security Symposium 2004, which was attended by several hundred members of the high-tech community.
“It’s an act to support and promote electronic commerce by protecting personal information. Our intention is not to stand in your way, but to help you provide your customers with assurances that you are protecting their personal information appropriately.”
Stoddart made an aggressive pitch, referring to a 2002 Leger Marketing survey that found security and privacy continue to be the biggest barriers to Canadians making online purchases.
“These fears are fuelled by an identity theft problem galloping out of control, which is estimated to result in losses of $2 trillion worldwide by the end of 2005,” she said.
Stoddart cautioned that while a company may see a business opportunity in data mining, “their next door neighbour might see it as an unacceptable invasion of privacy.”
Yet, if a business conforms to PIPEDA’s “informed consent” and “document storage” provisions on the treatment of personal electronic information, that business stands to recoup the loyalty of would-be customers, she said.
“This will help you grow your business by improving trust,” said Stoddart.
Ann Cavoukian, information and privacy commissioner of Ontario and one of Stoddart’s co-presenters, pointed to a Harris/Westin poll conducted in 2001 and 2002 which supported her federal counterpart’s argument.
Over 90 per cent of the poll’s respondents said the volume and frequency of business they conduct with a company is directly related to the level of confidence they have in that company’s privacy practices. The same poll found that 83 per cent of respondents would stop doing business with a company if they felt that their personal information was misused.
Cavoukian also emphasized that while privacy and security aren’t the same thing, a company cannot realistically have one without the other.
This point wasn’t lost on Hugh Ellis, chief executive of Cinnabar Networks Inc. and presenter of Combined Security and Privacy Risk Analysis.
In the past, different people have done security and privacy assessments at different times, he told Computing Canada before his presentation.
“Historically, privacy and security people haven’t gotten along very well,” he said. “Privacy people are worried about protecting the rights of an individual, whereas the security people are more interested in protecting the system. So from the outset they have different perspectives, and it takes a bit of work for them to get on the same page.”
However, these competing perspectives can and should work together, Ellis added.
If security and privacy risk-assessors work together, it can mean cost- and time-savings for e-commerce companies that are trying to comply with both camps, he said.
“The team that’s building their application is focused on building it,” said Ellis. “In some cases, they’re on a really tight timeline. Having people ask them questions about privacy and security and how the system works takes time away from building the system.”
Meanwhile, Stoddart emphasized that e-commerce companies need to realize they are responsible for the products they distribute.
“Developers and sellers of data management software maybe tend to feel that they are just providers of a product and it’s up to the customer to use that software in a responsible manner,” she said.
“But I propose that you think beyond that for a moment. Your company’s name and reputation is behind that product. If it’s seen as not handling personal information appropriately, your company could be seen negatively by consumers, not to mention potential embarrassment to your clients.”