Investment Industry Regulatory Organization of Canada


Remarks at the 2009 Compliance and Legal Education Committee Conference

December 1, 2009
Toronto, Ontario

Address by Elizabeth Denham
Assistant Privacy Commissioner of Canada

(Check against delivery)

Introduction

Good afternoon, ladies and gentlemen. It is a great pleasure to have been invited to your 2009 Compliance Conference.

Without question, several factors are changing the way the investment services industry operates, and several have a direct impact on the privacy of individuals.

Globalization and trans-border data flows, new technologies such as cloud computing, and the data-collection demands imposed by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act are just three of the influences that are dramatically shaping your industry.

In that context, I am very pleased to have been invited here to talk about PIPEDA, the Personal Information Protection and Electronic Documents Act, and how this crucial piece of legislation works to strengthen privacy protections in the private sector.

Overview

One of the big trends affecting your industry – and, indeed, many others – is the fact that businesses today are finding themselves collecting more and more personal information.

Some of it is their choice, a way to garner a competitive edge.

In other instances, organizations are obliged by law to collect it. The Proceeds of Crime (Money Laundering) and Terrorist Financing Act is one of the most powerful examples of this phenomenon.

In this era of globalization, moreover, the personal information that is collected often tends to be flashed around the world, for use or processing offshore.

And nowadays, with technical advances such as the business services offered through web-based “cloud computing” providers, it may not even be apparent where in the world the data is being sent, stored or processed.

These trends are undeniably powerful, but it is incumbent on all of us to recognize the risks to the privacy of individuals. With all this collection, use and sharing of personal information come obligations under the privacy law – rules on how to collect data, how to inform people about the collection, how to obtain their consent, and how to safeguard the personal information they entrust to businesses.

Because when the information escapes, it can cause serious problems – to the individual concerned, in the first instance, but also to the business itself.

After all, when there is a data breach, it can cost the organization a lot of money to clean up. More serious still is that organizations that give financial and investment advice live and die by the trust of their clients. A breach can have devastating consequences.

When there is a data breach, there will soon be no place to hide. Mandatory breach notification rules are on the drawing board, supplanting the voluntary guidelines in place now.

But the main message I want to leave you with is that the Office of the Privacy Commissioner of Canada is here to help.

We have issued guidance on such complex matters as trans-border data flows. We have explored a vast range of issues through complaints investigations. We have addressed specific questions in letters and meetings. And we will continue to do so as the challenges evolve.

I will address all these matters in a moment. But first, I thought you would be interested in an overview of some of the issues that have preoccupied our Office of late.

OPC Preoccupations

Facebook investigation

On the private-sector side, one of our biggest files in recent times was last summer’s successful resolution of a complex, multi-part complaint into Facebook’s privacy policies and practices. Indeed, we were the first privacy commissioner’s office globally to complete an in-depth examination of the privacy implications of social networking sites.

Because of the novelty and scope of the challenge, the publication of our findings in July garnered a staggering amount of worldwide attention in the mainstream and online media. That, in turn, provided some of the impetus needed for Facebook to work with us to iron out the remaining handful of unresolved issues.

We were especially delighted when Facebook announced that the privacy enhancements it would make in response to our recommendations would be extended to all 300 million users worldwide.

And one of the other gratifying byproducts of this unprecedented investigation was that it highlighted the flexibility and effectiveness of Canada’s data-protection model.

PIPEDA review

We are also focused on ongoing work within the government to strengthen PIPEDA, a law that has been fully in force since 2004.

One of the key issues for us during the PIPEDA review process has been mandatory breach notification. The government has said that it plans to move ahead on this issue, which I will address in more detail in a moment.

We also expect that the PIPEDA review process will resolve other outstanding issues, such as clarifying the law’s application in employee-employer relationships.

ECPA

In the near term, we are looking forward to an important refinement in the powers of the Commissioner that will be delivered through a new piece of legislation called the Electronic Commerce Protection Act.

The bill, which is still winding its way through Parliament, is aimed first and foremost at curbing spam and other unwanted electronic communications. That's something we're very pleased about, and something we've been calling for, for some time.

ECPA would also expand our Office's authority to co-operate and exchange information with provincial and foreign counterparts who enforce laws similar to PIPEDA.

Moreover, it would give our Commissioner a new level of discretion over which complaints to investigate. Rather than investigating all complaints on a first-come, first-served basis, we would be able to focus our resources on more systemic privacy issues, where we have a better chance of leveraging our impact.

For instance, rapidly advancing information technologies, including Internet applications and surveillance technologies, are posing new threats to society. And, in many instances, those threats are so complex and esoteric that the average person would not even know – let alone complain – about them.

These are the kinds of emerging issues that data protection authorities around the world must focus on, if we are to have any hope of curbing the most significant threats to privacy.

PCMLTFA, FINTRAC and excess data collection

To return now to some of the systemic issues that are affecting the investment industry, one of the big ones is the burgeoning demand to collect ever more data.

A key driver of this phenomenon is the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, which obliges organizations such as investment services companies to turn over information about large and/or suspicious funds transfers to FINTRAC, the Financial Transactions and Reports Analysis Centre of Canada.

Without question, organizations are under immense pressure to report, because failure to comply can result in fines of up to two million dollars and prison sentences of up to five years.

Consequently, a recent audit by our Office discovered that FINTRAC was receiving from those organizations personal information that it did not need, use or have the legislative authority to receive.

Here are some examples from that report:

  • One: A person deposited a cheque from a law firm at a financial institution. At the time of the transaction, the institution was satisfied that the person had a legitimate explanation for the source of funds. Nevertheless, it decided to notify FINTRAC because of the person's ethnic origin and the fact that the individual had recently taken a pleasure trip to a particular country.
  • Here's a second example: An individual deposited cash under the $10,000 reporting threshold. When questioned about the source of funds, he declared that he bought merchandise in Canada and sold it abroad. The report indicated that, although the account activity appeared normal, the report to FINTRAC was being filed to ensure that the individual complied with all tax requirements.
  • And here's a third case we dug up, which would leave most people shaking their heads: A reporting entity indicated that it was taking what it called a "conservative approach" in filing a number of Suspicious Transaction Reports because, and I quote: "there are no grounds for suspecting that this transaction is related to the commission of a money laundering offence, but there is a lack of evidence to prove that the transaction is legitimate."

The new anti-money-laundering law clearly has people spooked, but it’s essential not to overlook the provisions of another law, in this case PIPEDA.

According to the Limiting Collection Principle in PIPEDA, the amount and type of information that an organization collects must be limited to what is necessary to fulfil the purposes identified.

We acknowledge that businesses can feel trapped between the push and pull of the two laws. That is why our Office is currently drafting a set of questions and answers to provide some helpful guidance.

For instance, we will address the issue of what kind of ID cards are considered appropriate for the “know your client” forms, and whether businesses should or should not photocopy them.

But, in the end, we encourage organizations to talk to FINTRAC as well. After all, they’re the ones receiving the data, and – particularly after our audit report – I don’t think they’re eager to take on extraneous personal information.

Globalization and trans-border data flows

Another trend that is profoundly affecting your industry is globalization and the worldwide trade in investments and securities.

And the particular slice of that trend that is of most interest to my Office is the trans-national flow of personal information, including the processing of data offshore. Indeed, with the growing popularity of web-based data access and processing, better known as cloud computing, you may not even know where the data is being sent.

I can tell you that, internationally, considerable efforts are being made to find a harmonized approach to data protection. A gratifying outcome of an international conference of data protection commissioners in Madrid in November was a draft agreement on an international approach for the protection of personal data.

We endorse the multi-jurisdictional, principles-based standard envisioned by the Spanish Initiative as a solid and substantive step. Realistically, though, this is only the beginning of what will likely be a long road.

Here at home, PIPEDA already enables us to set pretty clear expectations for businesses operating in Canada. These are well set out in several cases we have investigated, notably the 2005 CIBC Visa case, and SWIFT, the Society for Worldwide Interbank Financial Telecommunication, in 2007.

Accountability approach

To summarize the main points set out through those cases, PIPEDA uses an "accountability approach," which obliges an organization transferring personal information to ensure that the data is protected by the third party.

That means the transferring organization must satisfy itself that the third party has policies and processes to protect the information. Contractual and other means may be used to ensure that the information receives a level of protection comparable to what it would get in Canada.

The law doesn’t distinguish between domestic and international transfers; in either case, the transferring organization remains accountable.

That said, the fact is that no contract gives an organization the power to override the laws of a foreign jurisdiction. As such, data transferred to the U.S., for instance, will still be subject to laws such as the PATRIOT Act.

That is why it is crucial for companies to be transparent about their data-handling practices. Clients must be clearly informed that their personal information may be sent to another jurisdiction, and that it may be subject to access by the courts, law enforcement, or national security agencies in that country.

The protection of personal information that flows across international borders is a complex and nuanced issue, which is why our Office has issued Guidelines for Processing Personal Data Across Borders, a document available on our website to help businesses understand their obligations.

Data Breaches

Clearly, when too much information is collected, or is inadequately protected, the consequent danger is that the data can be lost or fall into the wrong hands.

Data breaches are a serious problem. Just ask TJX, which owns Winners and HomeSense stores. In late 2006, a breach in the company's computer system led to the theft of a record-shattering 98 million credit and debit card numbers. Last we heard, the company was facing some 20 class action suits, investigations in about 30 states and a mop-up bill in excess of one billion dollars. The OPC investigated TJX and required significant changes to their encryption standard, and also to their practice of collecting and compiling a database of drivers' licences and other personal information.

Last year, our Office studied all private-sector breaches that were reported to us between 2006 and 2008. We found that a significant proportion can be traced back to people working in or for the firm where the breach occurred.

In 36 percent of all cases, a person gained unauthorized access to files. In most instances, the culprit was a rogue employee or contractor, usually accessing the data for fraudulent or other nefarious reasons.

In another 31 percent of cases, the breach was accidental, and inattentiveness on the part of a worker was most often to blame. Mailing, faxing or e-mailing documents to the wrong destination and stolen laptops or other devices were common causes of data breaches.

Mandatory breach notification

Of course, understanding the scope and nature of data breaches is an inexact science, because we don't have all the information. That's because reporting breaches to our Office is currently at the discretion of the organization suffering the breach.

While many companies have taken our 2007 voluntary breach notification guidelines to heart, the fact is that that’s not enough. Which is why we are pleased that a mandatory reporting regime is just around the corner.

This key element of pending updates to PIPEDA would require organizations to report significant data breaches to our Office, as well as to the individuals affected.

NYMITY study

To underscore the need for mandatory reporting, let me share some findings from independent research conducted for our Office.

The study of 27 organizations of various types and sizes found that just over half had a formal breach protocol in place. Most of the rest had at least an informal plan, although they tended to rely on the expertise of the privacy officer.

I won’t pretend that organizations are ecstatic about the prospect of losing the choice over whether or not to report. Many, for instance, expressed concerns about added costs to their businesses.

But a good number also pointed out some benefits, including increased data security, focusing attention on breach prevention, and inserting more accountability for privacy into the business channels.

It’s our understanding that the proposed regime would be based on an assessment of the risk posed by a breach, and organizations would have substantial latitude in weighing those risks.

Good relationship

Before I conclude, I just want to say that I am pleased by the co-operation our Office has enjoyed with you, as regulators, and the investment industry as a whole. I am gratified by the open lines of communication, under which you have come to us in the past to solicit our thoughts on particularly sticky aspects of privacy protection within your field.

You have, for instance, invited us to weigh in on the question of who is responsible for safeguarding the personal information of a client when a financial adviser moves – with a client in tow – to a new firm.

We advised that the duty of care rests with the dealer's organization, and any disclosure of client contact information requires client consent. We suggested that this consent could be built into front-end processes.

But we are more than happy to provide whatever other guidance could be helpful, whether that is a case precedent, a reminder of the relevant sections of PIPEDA, or some guidelines that could further illuminate the issues.

Conclusion

In summary, I think we can all agree that the world is changing rapidly. The investment services industry collects a vast amount of personal information, and much of it ultimately shoots around the globe, in ways that are increasingly beyond the capacity of most mortals to grasp.

You, as regulators, are once removed from the day-to-day collection of personal information. Still, it is important to understand how the privacy law affects the organizations you regulate.

To understand, for instance, that PIPEDA doesn’t stop organizations from collecting personal information, or from outsourcing it abroad for processing.

What it does do is require that organizations collect only the minimum amount they need; that they remain accountable for its protection, even if they send it elsewhere; and that they are obliged to be transparent about their actions.

In the end, it all boils down to good business: Client trust is the keystone of a successful financial services business. And trust, in turn, is grounded in the clients’ faith that their privacy will be respected.

Over the eight years since PIPEDA was introduced, companies have made tremendous strides in acknowledging the necessity of protecting the personal information of their clients.

The challenge we all share is to sustain this momentum.

Thank you for your attention.
