Privacy, once lost, is impossible to regain. Maintaining privacy against the inroads of commercial interests and protecting it so that only those with authorization can access it has become a do-good and do-no-harm virtue. Entrenched in Canada’s Personal Information Protection and Electronic Documents Act, PIPEDA for short, the concept has become policy.
It became law on January 1, 2001 for interprovincial and international trade. It became the law of all business in Canada on January 1, 2004, says Brian Bowman, a lawyer who specializes in privacy law at Winnipeg law firm Pitblado LLP. Good intent but vague in requirements, PIPEDA can reach from a data bank to the office water cooler. “The law respecting privacy even applies to verbal correspondence,” Bowman says.
PIPEDA is national law except in Quebec, Alberta and British Columbia, which have their own, similar versions of PIPEDA. But the concept of protecting privacy is easier said than done. Ever-increasing amounts of personal data, the demonstrated vulnerability of stored information, and the use of third parties to handle, warehouse, and process data leave the responsibility for privacy with those that control data while distributing the care and feeding of the data to many parties.
“Protecting and safeguarding client information is not new,” explains Jeff Green, Chief Privacy Officer for RBC Financial Group in Toronto. “Protecting the privacy and confidentiality of clients and employees has been a cornerstone of how we do business. What is new is that we have to respect the choices that our clients make about how they want their personal information used.”
That policy, which is the Canadian expression of expanding world standards for protection of privacy, imposes substantial duties on companies that collect, hold or use personal information. PIPEDA does not clearly say exactly how personal information should be protected. But protection is essential in a time when what could be called the iconic crime of the information age, identity theft, and its correlate, abuse of identity, are making headlines.
In Canada, consistent with the view that it is negligent to let information flow without knowing where it is going, PIPEDA imposes substantial responsibilities on managers of data systems that hold personal information. Guidelines call for information to be “stored securely,” though the statute does not spell out precisely what that means.
Toronto lawyer Mark S. Hayes, a technology specialist at Blake Cassels & Graydon LLP, notes that PIPEDA specifies no method of care for guarding personal information. PIPEDA stipulates in its Principle 7 that “sensitivity” is a test of the measures to be used, he says. Alberta and B.C. statutes that parallel PIPEDA require only that “reasonable” security measures be used.
There is, nevertheless, reason to believe that a strict standard of conduct is developing that will hold businesses regulated by PIPEDA liable if there is any breach of privacy. In a decision rendered in September 2004, the Privacy Commissioner of Canada held that release of data through error is no defense to a finding of liability. That ruling, Hayes says, may imply a standard of strict liability. And that will have a detrimental effect on business, he argues. There would be the same finding of liability were the release of information intentional. “This will hardly encourage companies to spend money on personal information security,” he said.
Hayes’ comments recognize the ambiguity in the range of protections the diligent collector of personal information can use to comply with PIPEDA. Charles Morgan, a partner who specializes in technology law at McCarthy Tétrault LLP in Toronto, admits that the problem is lack of certainty.
“There is not a lot of guidance that has come out in the various privacy decisions from the federal Privacy Commissioner,” Morgan explains. Yet, he notes, there are three kinds of security safeguards for information that can be employed.
Classification of information begs the question of how to guard it. A file may contain data that is both sensitive, such as a Social Insurance Number, and non-sensitive, such as a phone number that has been published in a city directory. Routing data of differing levels of sensitivity to various tiers of storage creates administrative issues of its own.
“At the end of the day, we will employ different levels of security, depending on the sensitivity of the data,” Green says. “We use various layers of security to protect the data in our possession. We ask what information could advance the proliferation of ID theft. That is sensitive personal information that goes beyond simply name and address and account number. The big concern that I have is that individuals would defer protecting their own information without taking suitable precautions themselves. A case in point is phishing, which uses low-level technology with deceit. That is social engineering, not data management.”
John Weigelt, Microsoft Canada’s national technology officer, is aware of the information storage issues in PIPEDA. Formerly the privacy compliance officer for the company, he says that access to personal data should begin at the front door of a data bank for information that has “high impacts” on business.
“For high impact information, Microsoft uses two-factor authentication,” Weigelt says. “When people log on, we know who they are.” Smart cards accompanied by a code number or password the user must know achieve that level of security, he notes.
So, he adds, do encryption, secure sessions and software protocols such as Secure Sockets Layer (SSL). But when is technical security sufficient? Says Hayes, “A few years ago, when encryption was required, the general view was that 64-bit encryption was strong; then, as computing power increased, it became clear that 128-bit keys were needed. Today, the 256-bit key is a commercial standard, but the size of the key is a moving target that likely will continue to change.”
Weigelt acknowledges that technology alone will not satisfy PIPEDA. “There are a number of elements in privacy. Technology control is one, so are data governance and accountability.” “The market will act as an enforcement agency,” he concludes.
The trend of law is toward viewing divulging personal information without the consent of the subject as a compensable injury, says Brian Bowman. “It pays to reduce exposure to liability by taking steps to prevent privacy breaches. Lawsuits for unlawful handling of information under PIPEDA are foreseeable and are increasing.”
The implication would seem to be that it is important to guard all personal information with a high level of security, but, says Bowman, practical business realities have to be weighed. “It may not be practical to treat all information in one way. For example, a personal, oral exchange could wind up having to be recorded and authenticated and then protected. That is not practical in many business settings.”
How much protection should companies build into their security systems for personal information? Hayes notes that there are diminishing returns in spending on security. If getting to the 95th percentile of prevention of incidents costs $1,000 and getting to the 99th costs $1 million, a strict liability standard that penalizes companies even if they have been diligent in trying to protect privacy tends to discourage them from advancing too far up the curve, he explains.
In the first report since the Personal Information Protection and Electronic Documents Act (PIPEDA) was fully implemented more than a year ago, the federal privacy commissioner said the Commissioner’s Office, in conjunction with provincial counterparts, has developed fair, consistent and clear rules of enforcement of the act.
“The totally unwarranted signals of alarm seemed to have died down,” said the Privacy Commissioner of Canada, Jennifer Stoddart, in an interview following the tabling of her 2004 Annual Report on PIPEDA. “Things have come into line. People realize this is simply part of good business.”
Last year, the office introduced several measures to help organizations comply with PIPEDA. These included a follow-up procedure to monitor the progress of businesses in implementing the commissioner’s recommendations; a process for establishing “reasonable grounds” to select subjects for audits; and a self-assessment tool to help organizations ensure compliance with PIPEDA.
The number of complaints in 2004 increased by more than 100 per cent from the previous year, from 302 to 723, with 29 per cent, or 213, of complaints related to the financial sector. In terms of complaint type, just over a third, or 286, of those pertained to use and disclosure of information, with collection and access following closely behind.
Consent of the individual remains at the heart of the Act, especially as newer technologies such as Radio Frequency Identification (RFID) and biometrics make their way down to the consumer level. The commissioner’s office will be conducting a survey in the upcoming months on RFID to look at how the technology is used and how businesses are thinking about using it, according to the report.
“Businesses that want to use (RFID) should sit down and look at all the specific features of the technology, how it impacts the use and disclosure of personal information and how to make the customer aware of this so the customer can give meaningful consent,” said Stoddart, adding her office is also concerned about the eventual temptation of linking individual items or repeated purchases of items to individual customers. “There are a lot of profound personal information implications,” she said. “This is going to be something we are going to follow very closely within the next few years.” – Sarah Lysecki