PIPEDA and the Protection of Privacy in the Regulated Financial Sectors
Remarks at the Joint Forum for Financial Market Regulators
March 25, 2009
Address by Elizabeth Denham
Assistant Privacy Commissioner of Canada
(Check against delivery)
Thank you, Bob Christie, for that kind introduction.
It is a pleasure to be here this afternoon, and I thank you for inviting me to share a lunch and a few thoughts about privacy with you.
On behalf of Jennifer Stoddart, the Privacy Commissioner of Canada, I’d like first to convey our best wishes for a successful conference and a stimulating exchange of ideas.
I know that, as regulators in your respective sectors, you all perform an invaluable service to the people of Canada. Particularly at this time of economic uncertainty, Canadians need reassurance that their pensions, insurance and securities are protected within an effective regulatory framework.
But as vital as the financial interests of Canadians is their privacy, a basic right that underlies such other rights as personal autonomy, freedom of assembly and freedom of speech.
In a nutshell, privacy protection means the right of individuals to maintain a measure of control over their personal information.
And while I understand that you, as regulators, are once removed from the day-to-day collection of personal information, it is important to understand how the privacy law affects the organizations you regulate.
Businesses often face a complex balancing exercise when it comes to the myriad of regulatory requirements that affect them. Those organizations also gather and manage a great deal of sensitive personal information, and it is critical that they get it right.
Permit me to begin with some context.
I think we can agree that, more and more, privacy today is under threat.
It’s under threat from technology, which is capable of following us pretty much wherever we go, and of giving other people unprecedented insights into our personal lives. Our digital footprints are expanding exponentially. The Internet age has also spawned a whole new generation of identity thieves and other swindlers.
Privacy can also become collateral damage when governments seek to redress specific problems, such as cybercrime and threats to national security.
From a commercial standpoint, protecting consumer and client privacy makes good business sense, because the costs of not doing so – in terms of cleaning up after information breaches and repairing damaged corporate reputations – can dwarf the investment in privacy protections. Corporate reputation and brand trust are critical in today’s marketplace.
Within this context, my intent this afternoon is to give you an overview of the legislation that governs privacy and the protection of personal information in the private sector. I want to talk about where and how it applies, and to give you some examples of how it works in practice.
Let me begin with a story. It’s about a man who was off work on long-term disability leave.
One day, he answers the doorbell to a stranger who thanks him for having participated in a telephone survey and who offers him, as a reward, a free magazine.
The man thanks the stranger for the publication, and goes about his business.
Later, he learns that their brief and rather mundane encounter was captured by a hidden camera, part of a covert surveillance effort by a private investigator.
The P.I. was hired by an insurance firm that was sure the man was exaggerating his ailment. The man was angry and complained to our Office about an invasion of privacy.
Who was right?
After weighing all the facts in this case, we sided with the complainant. In our view, the insurance company had violated a key privacy principle in collecting more information than it actually needed to fulfill its specific business purpose.
We concluded there were less privacy-invasive techniques to confirm the identity of the man under investigation than to photograph him surreptitiously at his home.
This was one of more than 400 complaints that the Office of the Privacy Commissioner closes in a typical year under PIPEDA, the Personal Information Protection and Electronic Documents Act.
The Act, which governs the protection of personal information in the private sector, came fully into force in 2004. It applies to organizations that collect, use and disclose personal information in the course of commercial activity.
PIPEDA covers virtually all commercial enterprises in Canada – including in the three sectors you regulate. The only exception is for provincially regulated businesses in Alberta, British Columbia and Quebec, which have passed their own substantially similar privacy laws.
PIPEDA requires organizations to collect, use or disclose people’s personal information by fair and lawful means, with their consent, and only for purposes that are stated and reasonable.
They’re also obliged to protect the information through appropriate security measures, and to destroy it when it’s no longer needed for business purposes.
Under PIPEDA, consumers have the right to expect that the personal information that organizations hold about them is accurate, complete and up-to-date. And so they have a right to see the information, and to ask for corrections if they feel something is wrong or incomplete.
People who believe companies are not living up to PIPEDA’s requirements can complain to the Office of the Privacy Commissioner and we must investigate.
Because the Privacy Commissioner is primarily an ombudsman, our approach is to try to resolve problems through negotiation.
We don’t have direct enforcement powers, but if a company refuses to follow our recommendations, we do have the power to go to Federal Court to seek a compliance order.
Happily, virtually everyone complies with our recommendations. In fact, fewer than 10 cases go to litigation in a typical year.
We also try to avoid problems that lead to complaints in the first place, with public education initiatives, funding for privacy research, consultation with industry groups, and audits of businesses to verify compliance with the law.
Introduction to Issues
My Office has dealt with cases involving businesses in all of your sectors, although more issues tend to arise in the insurance industry than either of the two others.
That’s understandable, since the insurance industry often deals with very sensitive personal information such as medical records. The relationship between insurer and claimant can also become contentious. Insurers may also turn to private investigators, covert surveillance and other information-gathering techniques, which may raise privacy issues.
Technology today is also adding new dimensions to this information-gathering process.
For instance, many new cars are equipped with “black boxes,” or event data recorders, that record information related to a crash, such as vehicle speed, whether the brakes were applied, or whether the seatbelts were fastened. Such data are now used by many organizations as evidence in court.
Black box data may be personal information of the driver and therefore subject to the rules of PIPEDA. But, since most people don’t even know that the devices are installed in their vehicles, they can hardly consent to the use of the data.
Knowledge and Consent
Indeed, knowledge and consent are among the key issues we deal with under PIPEDA.
As we’ve stated repeatedly in our findings, companies must tell their customers in clear language why and how their personal information is being collected, used and disclosed, and collect only the information necessary for the purpose.
We resolved one case two years ago in which a man complained that, when some jewelry and money were stolen from him, his insurance adjuster didn’t stop at the usual Proof of Loss form.
Instead, the adjuster also wanted the man to fill out a Personal Information Consent form, which asked for all sorts of other information, such as medical records, credit history, employment information and even witness statements.
We agreed with the complainant that the language was too broad and made recommendations to the adjuster, as well as to industry groups. The adjuster stopped using the form and replaced it with two separate ones -- one for property claims and the other for injury claims.
Because of the issues around knowledge and consent, my Office urges caution in the use of covert surveillance, a practice undertaken by employers and the insurance industry.
In general, PIPEDA requires the knowledge and consent of the individual for the collection, use and disclosure of his or her personal information.
There are, however, exceptions, such as when the information is needed to detect or investigate fraud or the contravention of a law. In those cases, seeking the consent of the individual might well defeat the purpose.
What we’ve found is that covert surveillance can often be justified in insurance cases.
Other times – as in the case of the man lured to the doorstep under a phony pretext so that an investigator could snap his photo – covert surveillance simply goes too far.
But drawing the line is difficult. And, because the issue is so complex, we have consulted with industry players and are currently preparing a best-practices document to provide some helpful insights and guidance.
Collect Just What You Need
Another important principle under PIPEDA is that organizations should collect only the personal information they need for their specific business purposes.
Because once they’ve collected it, they have a duty to protect it. And that poses real risks of loss, theft or other data breaches, which I’ll address in a moment.
Knowing exactly how much information to collect can be tricky, and the securities industry yielded a case that allowed us to explore that question.
In 2006, a person complained to our Office that his investment dealer was demanding too much personal information.
Apart from his social insurance number, he was also asked to provide photocopies of two pieces of identification, including one with a photograph, and to state whether he was an insider or controlling shareholder of a publicly traded corporation.
Upon investigation, our Office noted that securities regulations oblige investment firms to establish the identity, creditworthiness and reputation of each client.
We concluded in that case that the information sought was actually needed for the firm to meet its legal requirement to “know its clients”.
But what the case underscores for us is that there is growing pressure for data collection from a number of different directions, and one of the big sources of pressure is national security.
The Proceeds of Crime (Money Laundering) and Terrorist Financing Act, for example, obliges many businesses and professionals, including banks, casinos, lawyers, realtors and accountants, to collect information about clients and to report the information to FINTRAC -- the Financial Transactions and Reports Analysis Centre of Canada.
It is troubling that some businesses are collecting excessive amounts of personal information under the legislation. As well, the Act calls on them to make a judgment about what constitutes suspicious behaviour. Businesses should carefully review the legislative requirements before implementing new data-collection practices.
Privacy advocates agree on the need to combat money laundering and terrorist financing. But there needs to be a balance in measures that cast the net widely.
Fortunately, we are entitled to speak our minds on the issue: The Act requires our Office to review FINTRAC every two years and to report the results to Parliament.
Trans-border Data Flow
Another key aspect of PIPEDA is that, once a company has gathered all this personal information, it has an obligation to safeguard it. It’s important for them to realize that this obligation imposes specific risk-management burdens upon them. And the more they collect, the more they have to protect.
That can be tough enough if all their business is conducted in Canada. But, in this era of outsourcing and globalization, it’s just as likely that information is sent out of the country for processing.
PIPEDA does not prohibit trans-border data flows, but it does require companies to protect the personal information in their care, even if the use of the information has been outsourced beyond Canada’s borders.
PIPEDA also requires companies to inform customers that their personal information may be sent out of the country, and that while such information is out of the country, it is subject to the local laws.
This brings us to the U.S. Patriot Act, under which the personal information of Canadians that is outsourced to American companies may be disclosed to U.S. government agencies.
In 2007, we investigated a complaint about SWIFT, the Society for Worldwide Interbank Financial Telecommunication. This is a European-based financial cooperative supplying messaging services and interface software to financial institutions in more than 200 countries, including Canada.
The New York Times revealed that, after 9/11, the U.S. Department of the Treasury used administrative subpoenas under the Patriot Act to access tens of thousands of SWIFT’s records, including those of Canadians.
Even so, our Office found that SWIFT did not contravene PIPEDA when it disclosed the personal information of Canadians to the U.S. Department of Treasury because it was complying with lawful subpoenas served outside Canada.
In short, SWIFT was abiding by the laws of the country in which it operated.
The protection of personal information that flows across international borders is a complex and nuanced issue, which is why our Office recently issued Guidelines for Processing Personal Data Across Borders, a guidance document to help organizations understand their obligations.
With all these pressures on organizations to collect personal information, and with the colossal computing power that enables it, there’s always a chance that things will go wrong – in a big way.
In the U.S., for instance, the theft of just one Veterans Affairs laptop compromised the records of 26 million veterans. In 2007, the TJX calamity involved the theft of a staggering 98 million credit and debit card numbers, a record for this sort of data breach.
Here at home, we had a case in late 2006 in which the CIBC tried to courier a portable disk drive from Montreal to Markham, Ontario. The drive contained the personal information of more than 400,000 current and former clients of Talvest Mutual Funds.
Unfortunately, while the package arrived, the disk drive did not. Happily, to this day, there’s been no proof that the data has been compromised or improperly accessed. In fact, no one is sure if the drive was even inserted into the package; no one has ever found it.
So, while some potentially harrowing consequences may have been averted, our investigation highlighted some important points.
We concluded, for instance, that it’s not enough for an organization to have nice tidy security policies and procedures; they must also be acted on – consistently and with diligence.
That, in turn, demands ongoing privacy training for management and staff to foster an appreciation for information security throughout the organization.
I want to underline that the protection of personal information is everybody’s business in an organization.
The fact is that, while the gargantuan TJX-type of breaches get all the media attention, the most common types of breaches are mundane accidents – somebody faxing, mailing or e-mailing a document to the wrong place.
A three-year analysis by our Office found that such routine accidents constitute 36 percent of breaches. Unauthorized access or disclosure, usually by an employee or contractor, comprises another 26 percent. The rest are losses of something like an encrypted disk, where it is unclear whether personal information was actually disclosed.
Because most breaches have garden-variety, low-tech origins, the most effective solutions are often also low-tech: Like instilling in employees a sense of care and respect for the personal information entrusted to them.
Equally important are procedures around breach notification.
Our office has said that, in the event of an incident such as a suspected theft of personal information, an organization should inform the police as soon as possible, so as to prevent evidence from becoming stale or contaminated.
Informing the affected clients in a timely way is equally important.
In a case we looked at last year, a laptop was stolen from a bank, and with it the personal information of more than 870 customers.
Apart from the lax security measures that should have prevented a laptop from being walked out the door, the complainant also condemned the bank for taking three months to inform her about the breach. This, she felt, heightened the chances that her stolen information would be used for other criminal purposes.
In our findings, we urged institutions to be more proactive and direct in notifying their customers of a breach. In 2007, we developed voluntary breach notification guidelines with industry, and the larger financial and retail organizations frequently report breaches to us and seek our advice.
I want to also mention that the government is currently considering amending PIPEDA to make it mandatory for organizations to notify the Office of the Privacy Commissioner of significant data breaches, as well as the customers or other people affected.
I think it’s fair to say that most businesses nowadays grasp the importance of privacy, especially when they deal with people’s securities, their pensions or their insurance needs.
Even so, there’s a lingering concern about cost, with companies sometimes wondering whether the investments in information-security practices are really worth it.
To that I would say: Absolutely; many times over.
Just ask TJX, which has reportedly spent more than $25 million to clean up after its massive privacy breach. The company faces some 20 class action lawsuits, not to mention investigations in about 30 states, by the Federal Trade Commission, and by our own Office, which jointly investigated the matter with Alberta’s Privacy Commissioner.
When all is said and done, it is estimated that the company’s total bill could exceed $1 billion. And that’s in direct costs; bear in mind that breaches also generate very real indirect costs, in terms of damage to a company’s reputation and lost business opportunities.
Businesses must accept that they are key players in the battle to keep personal information out of the wrong hands.
And so they need to adopt – and abide by – the policies and practices that will safeguard personal information.
They must, in short, start handling personal information as they would actual cash. It is, after all, just as valuable.
I know I have covered a lot of cases and many aspects of the private-sector privacy law. I assure you, there won’t be a quiz!
But I do want you to know that my Office is intent on getting the message out. When a case generates important lessons, we want to make sure they’re widely shared.
And so we post searchable case summaries on our website, and issue guidance documents aimed sometimes at a general readership, and sometimes at specific groups, such as retailers.
I know that your role as regulators is to ensure the appropriate conduct of your respective sectors in the marketplace. With all you have to focus on, it’s easy to lose sight of one more thing.
But I am confident that the businesses you oversee are coming around. Over the eight years since PIPEDA was introduced, companies have made tremendous strides in acknowledging the value of privacy and protecting the personal information of their customers.
Our challenge, one all of us in this room share, is to sustain this gratifying momentum.
I thank you for your attention.