Submission to the OPC’s Consultation on Consent under PIPEDA (TransUnion)

TransUnion

October 2016

Note: This submission was contributed by the author to the Office of the Privacy Commissioner of Canada’s Consultation on Consent under PIPEDA.

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.


To Whom It May Concern:

Please accept the following as Trans Union of Canada, Inc.’s (“TransUnion”) written submission to the Office of the Privacy Commissioner of Canada’s (the “OPCC”) consultation on consent.

By way of introduction, TransUnion has been a leading provider of credit information services in Canada since 1989. We are entrusted with protecting and maintaining accurate and up-to-date credit information about Canadians. For businesses, we verify credit applications of customers so that businesses can make informed and accurate decisions about an applicant’s credit worthiness, thereby reducing financial risk. We also verify the identity of potential customers on behalf of businesses. For consumers, we provide tools, resources, and education to help Canadians manage their credit health and achieve their financial goals. TransUnion maintains credit information on consumers furnished by its data suppliers (mostly financial institutions and Government entities) located across Canada. Should you require any additional information to enhance your understanding of TransUnion and our business, we invite you to consult our website.

Respect for and protection of the personal information of consumers is a core element of TransUnion’s business operations. Given our business model, our processes and our client base, TransUnion is positioned to provide the OPCC with insights related to consent in the course of commercial activity.

TransUnion believes that the Personal Information Protection and Electronic Documents Act (“PIPEDA”) is an effective piece of legislation and our organization is supportive of the efforts to ensure that individuals exercise control over their personal information. Since PIPEDA was first drafted, the rapid evolution of technology and development of new business models and channels have spurred a much-needed discussion on the current framework, in order to ensure consent is informed and properly obtained. By and large, however, TransUnion’s view is that PIPEDA is adaptable enough to meet the challenges of the changing landscape without a complete change to its present model, including consent. With that in mind, TransUnion would like to provide comments to a few questions highlighted in the discussion paper.

Of the solutions identified in this paper, which one(s) has/have the most merit and why?

A. Enhancing Consent:

  1. Greater transparency in privacy policies and notices: Under Principle 8 of PIPEDA, organizations have an obligation to make their policies and practices pertaining to personal information available to individuals. This principle is also supported by Principle 1 (Accountability) and Principle 9 (Individual Access). While PIPEDA prescribes some of the content required in these policies and practices, it permits the organization to choose the means of communication in the manner that best fits “the nature of its business and other considerations.” At TransUnion, we have posted a lengthy privacy policy that is available on the bottom rail of our consumer-facing website. Over time, the policy has become lengthy because TransUnion’s use of personal information is extensive and consumers often have questions pertaining to our practices. However, as noted in your paper and elsewhere, the length and complexity of the document may have reduced the usefulness of the information to consumers.

    By contrast, TransUnion reviews privacy policies of prospective customers as part of its credentialing process. A detailed privacy policy provides us with insight into the personal information protection practices of the prospect and the seriousness with which it handles the information. That review, coupled with many other factors that form part of our credentialing process, may impact TransUnion’s decision to grant access to credit information.

    Finding a balance between the need for the information and making it understandable to the end user is difficult. We support the proposal for greater transparency in privacy policies and notices that simplify the language and break down key information that informs consent. However, we would caution that an across-the-board requirement for certain types of privacy policies and notices should be avoided. In the case of TransUnion’s business, just-in-time notifications would not work well because the information in our repository is largely collected from third parties who obtain the consent from consumers on our behalf. [Footnote 1] As with other components of PIPEDA, the manner in which the information is communicated should be left up to the organization to determine, given the nature and scope of the information the organization is handling.

    It may also be helpful for the OPCC to issue additional guidance on consent because it is arguable that privacy policies have become lengthy because organizations are endeavouring to comply with the perceived expectations of the regulators.

  2. Privacy as a default setting (Privacy by Design): We also support a greater role for Privacy by Design in Canada. As it is incorporated in the development of new technology, it becomes a standardized system that all businesses can seek to apply and implement. This model may also simplify the process of obtaining consent for smaller businesses, in our view a key objective for reviewing the approach to consent.

B. Alternatives to Consent:

  1. De-identification: De-identified data has taken a leading role in research and innovation. De-identified data helps small and large businesses innovate and improve service offerings. As much as de-identified data can be very useful for businesses, some privacy concerns have been raised with the handling of such information, for example, the use of secondary information and the combination of different de-identified data sources to enable a process of re-identification. However, TransUnion believes that the current model, which allows the use of depersonalized data without consent, is workable. In order to meet the challenges of the changing data environment, we think that a risk-based approach is the most practical. Organizations should ask whether, in the circumstances, there is a reasonable likelihood of re-identification. If there is a risk of re-identification, the organization should either modify the data elements involved and/or implement compensating controls to reduce the associated risk. One compensating control mentioned in the paper is to ensure that specific contractual provisions are in place when organisations are handling de-identified data. For example, organizations can use contractual clauses with guarantees that recipient organisations will not attempt to re-identify the de-identified data, or clauses that limit the specific purpose for obtaining and using these types of data. There may be additional compensating controls that make sense in the particular circumstance, depending on the sensitivity of the data. As mentioned earlier, the concept of context is already built into PIPEDA so this approach should not require any significant change to the legal framework.

What, if any, legislative changes are required?

TransUnion believes that the current legislative framework still provides a workable regime and is flexible enough to deal with the challenges described in the paper. Accordingly, we do not believe legislative changes are required at this juncture. In particular, we don’t believe that the OPCC should be given additional powers to oversee compliance and enforce new or enhanced consent rules. In TransUnion’s view, the current system works extremely well and has fostered a strong culture of compliance in Canada.

Additional Considerations

Any approach to consent must consider the unique needs and resources of small- and medium-sized businesses. TransUnion’s clients include some of Canada’s largest corporations and many small and medium-sized businesses and organizations. Small businesses and organizations do not have the same tools to manage privacy issues and ensure compliance that many larger entities do. Many large organisations have personnel dedicated to dealing with privacy issues, as opposed to small businesses, which are not necessarily equipped with the same tools and the same capacity. For this reason, compliance burdens are often more onerous for small businesses. While many of the emerging issues identified in the paper are largely identified as issues faced by large businesses, any solutions or changes that the OPCC proposes need to consider the realities and needs of Canada’s small businesses as well. Having a manageable framework in place also allows small businesses to access TransUnion’s products and services to grow their businesses. Likewise, any solutions that look to "ethical" frameworks would not likely be practicable and actionable for small organizations.

Thank you very much for considering TransUnion’s submission. Please contact us if you have any questions.

Yours truly,

TRANS UNION OF CANADA, INC.
Noelle Paraskevopulos
Senior Legal Counsel and Chief Privacy Officer
