In her first report since the Personal Information Protection and Electronic Documents Act was fully implemented more than a year ago, the federal privacy commissioner said the Commissioner’s Office, in conjunction with provincial counterparts, has developed fair, consistent and clear rules of enforcement for the act.“The totally unwarranted signals of alarm seemed to have died down,” said the Privacy Commissioner of Canada, Jennifer Stoddart in an interview following the tabling of her 2004 Annual Report on PIPEDA. “Things have come into line. People realize this is simply part of good business.”
The Commissioner’s 2004-2005 Annual Report on the Privacy Act, Canada’s public sector privacy law, was also tabled last month.
More confusion
But Ian Turnbull, executive director at the Canadian Privacy Institute, who had not looked at the report by press time, said there’s still a fair amount of confusion out there in terms of accountability.
“If you’re a business in Ontario that has employees in B.C. and you’re processing payroll and benefits in Alberta, who’s responsible for (the privacy) that?” said Turnbull. “The short answer is that nobody has a clue.”
Last year the privacy commissioner’s office introduced several measures to help organizations comply with PIPEDA. These included a follow-up procedure to monitor the progress of businesses in implementing the commissioner’s recommendations; a process for establishing “reasonable grounds” to select subjects for audits; and, a self-assessment tool to help organizations ensure compliance with PIPEDA.
The number of complaints in 2004 increased by more than 100 per cent from the previous year — from 302 to 723, with 29 per cent or 213 of complaints related to the financial sector. In terms of complaint type, just over a third or 286 of those pertained to use and disclosure of information with collection and access following closely behind.
Consent of the individual remains at the heart of the act, especially as newer technologies such as Radio Frequency Identification (RFID) make their way down to the consumer level. The commissioner’s office will be conducting a survey in the upcoming months on RFID to look at how the technology is used and how businesses are thinking about using it, the report said.
“Businesses that want to use (RFID) should sit down and look at all the specific features of the technology, how it impacts the use and disclosure of personal information and how to make the customer aware of this so the customer can give meaningful consent,” said Stoddart, adding the privacy commissioner’s office is also concerned about the eventual temptation of linking individual items or repeated purchases of items to individual customers.
“There are a lot of profound personal information applications,” she said. “This is going to be something we are going to follow very closely.”
In the report, which highlighted a number of key investigations under PIPEDA, one case looked at the use of biometrics in a company for the purposes of employee identification. The privacy commissioner’s office found the complaint was not well founded, but in another example found that an employer had collected an employee’s personal information by way of video surveillance without his knowledge or consent.
While Turnbull said decisions coming out of the privacy commissioner’s office were very few in the majority of the last 12 to 14 months, he added the privacy commissioner’s office has recently picked up the pace a bit. Some of the decisions, however, such as a recent one on e-mail, were fairly surprising, he said.
In response to a complaint that somebody was using somebody else’s e-mail, the privacy commissioner’s office deemed e-mail to be personal information. Turnbull, however, questions this decision given that most, if not all people these days, have their e-mail address printed on their business cards.
“In the U.S. for example there are laws that they’ve put in place to try and stop spam, e-mail and fax-related spam,” he said. “This Act does not do that.”