If Money Talks, then what is it saying about your Personal Information?
Remarks at the 13th Annual Investigative & Forensic Accounting Conference
October 27-28, 2011
Address by Patricia Kosseim
General Counsel, Office of the Privacy Commissioner of Canada
(Check against delivery)
Part I: Introduction
On behalf of the Privacy Commissioner of Canada, I would like to thank you most sincerely for the great honour you have shown us by inviting us to your conference today. It is always an enormous pleasure for me to return to Montreal, and I avail myself of every opportunity possible to come “home.”
It is an even greater pleasure for me to address professionals with a solid and well-established tradition in terms of confidentiality and privacy principles. You have made the obligation to safeguard confidentiality part and parcel of the primary tools of your standards of practice, and you put special emphasis on it in your rules of professional conduct. We were also very much impressed with your Privacy Maturity Model, which you published jointly with your American counterparts last March. It is a useful, effective and flexible framework allowing you to measure the performance of an organization in terms of the protection of personal information, while encouraging it to improve its programs and practices where necessary in order to achieve a higher level of maturity.
As I understand the nature of your work, forensic accountants investigate financial transactions, often with the goal of establishing evidence for current or future criminal or civil legal proceedings. Your clients may be government institutions, private sector organizations or law enforcement. You may assist in investigating criminal fraud, money laundering or other white-collar crimes; terrorist activities, civil fraud, divorce proceedings, bankruptcies, employee theft or embezzlement and increasingly, cybercrime. Essentially, as I understand it, you “follow the money”. Along the way, you necessarily collect a lot of personal information about individuals who are party to the financial transactions and/or otherwise involved in the money trails you investigate. Personal information is very much the currency of your work. And in particular, financial information, which is among the most sensitive personal information for Canadians.
This is where your work classically intersects with data protection law. To the extent that you are collecting, using or disclosing personal information on behalf of your clients in the course of what is essentially a commercial activity, then the federal Personal Information and Electronic Documents Act, or “PIPEDA” will apply – unless you are doing so within British Columbia, Alberta, Quebec or Ontario (with respect to health information custodians), in which case it is substantially similar legislation in that province which applies. If you are collecting, using or disclosing personal information from within a government institution – either federal or provincial – then it is the applicable public sector privacy legislation that governs.
The remainder of my remarks today will focus on PIPEDA and the commercial activities of forensic accountants that fall within its scope.
Part II: PIPEDA as Applied to Forensic Accounting Activities
The term “forensic” stems from the Latin word “forensis”, meaning “of the forum”, where the law courts of ancient Rome were held. If forensic accounting, like other forensic sciences, is intended to bring out the truth before courts of law or in public debate, then my being here today speaking to you about protecting privacy seems a bit out of place – or does it?
By way of preliminary remark, I should say that PIPEDA as a federal private sector privacy law is intended to protect people’s privacy in a good sense; it is not intended to cloak fraudsters from their accountability under the law.
Inherent in the very purpose statement of PIPEDA is the recognition of both the individual right of privacy with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
“For purposes that a reasonable person would consider appropriate in the circumstances” – that is the clincher. Indeed, that is the very lens through which our office will examine most privacy complaints under PIPEDA.
Let me turn now to some of the specific data protection principles in PIPEDA which apply to your work.
PIPEDA, as a principally consent-based regime, offers several consent exceptions applicable to your work as forensic accountants.
If you are a Certified General Accountant, then you are currently a designated “investigative body” under the Act. If you are a forensic accountant working in the public sector, then you are likely part of a government institution. In either case – whether an investigative body or a government institution – you would stand as a third party in relation to PIPEDA-regulated organizations, which may, at their discretion, disclose personal information to you without consent if they have reasonable grounds to believe the information relates to a breach of an agreement or a contravention of a law, or if they suspect it relates to national security.
For those of you who are forensic accountants working in the private sector – either in-house for a large commercial organization or for a private firm – your own organization or firm may itself be subject to PIPEDA. PIPEDA allows you to collect and use personal information without consent if it is reasonable to expect that seeking consent from the individual would compromise the accuracy of the information and the collection is reasonable for investigating a breach of an agreement or a contravention of a law. In turn, you may, at your discretion, disclose personal information without consent to an investigative body or government institution on the same basis just described. You may also disclose as required under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
As you can see, then, to the extent that you meet the minimal criteria stipulated, PIPEDA affords you a lot of flexibility to collect, use and disclose personal information without consent in order to carry out your important work without compromising the integrity of your investigations.
That being said, organizations subject to PIPEDA – even though excepted from the consent requirement – must nonetheless meet all of the other principles of PIPEDA. I will now turn to discuss a few of these which I suspect may be among the most challenging to apply in practice.
ii. Limiting Collection
The Limiting Collection principle requires organizations to limit collection to that which is necessary for the purposes identified by the organization, and which can be done by fair and lawful means. In other words, organizations do not have free rein to conduct wild fishing expeditions; rather, they should only be collecting personal information that is necessary for the purpose of carrying out a well-defined investigation.
Further, organizations, to the extent possible, should avoid collecting personal information about other third parties who are not the direct target of an investigation, such as family members, co-workers, etc. Where it is not practicable to disentangle co-mingled data – for example, joint account holders, parties to relevant financial transactions, parties to relevant correspondence, etc. – organizations should nonetheless make serious efforts to de-identify innocent third parties.
Also related to the Limiting Collection principle is what to do with the explosive use of social media. While certainly a highly tempting source of information that can be very revealing for any investigator, you should nonetheless be mindful and respectful of appropriate parameters. The fact that individuals may share personal information about themselves with others through a social media network, or otherwise in the public domain, does not mean that the information is “publicly available” and therefore “fair game” within the meaning of the Act.
“Publicly available information” must fall within one of the prescribed classes set out in the regulations and the collection, use or disclosure must relate directly to the purpose for which the personal information appears in the prescribed public directories, records, documents or registries.
When it comes to the internet, and in particular, social media websites, individuals may have intended the information to remain “personal” and its dissemination to be restricted to only designated “friends”. Hence, this personal information should be treated as carefully as any other potentially sensitive personal information. It should only be collected to the extent necessary to carry out the investigation as properly identified and scoped out, subject to the same conditions as any other personal information collected without consent. Further, it should not be collected through hacking, pre-texting, entrapment or other deceptive investigative means that may cross the line and run afoul of the law.
iii. Individual Access
Yet another principle that may prove for you to be challenging in practice is the Individual Access principle. While PIPEDA as a rule affords every individual with the fundamental right to access their own personal information – including the right to know what was done with their personal information – there are exceptions. Relevant here are the exceptional cases where the organization has made a disclosure without consent to an investigative body or a government institution for the purpose of investigating a breach of an agreement or contravention of a law, for national security purposes or as required under the Proceeds of Crime and Terrorist Financing Act.
In such cases, the organization cannot provide the individual with access to his/her personal information requested, including the fact that it’s been disclosed without consent for the above stated purposes, without first notifying the government institution and providing it with a 30-day opportunity to object thereto. The government institution could object if it is of the opinion that providing the access requested could reasonably be expected to be injurious to national security, the defence of Canada, the conduct of international affairs, the detection, prevention or deterrence of money laundering or terrorist financing, or the enforcement or investigation of any law. Where the government institution does object, then the organization must refuse the access to personal information request and shall notify the Privacy Commissioner in writing and without delay.
iv. Safeguarding and Retention
Finally, for those of you carrying out your work within organizations subject to PIPEDA, then, as with all other data stewards these days, you face the same challenges with respect to safeguarding sensitive personal data holdings from potential breach. Increasingly, this requires keeping apace with technological advances to ensure your data systems remain reasonably impervious to internal and external threats. This involves designing your information systems with a view to building in privacy protections from the very outset. This may also involve redesigning your IT systems so as to remain up-to-date with latest privacy enhancing technologies and changing industry standards. For those of you contemplating moving your data systems or parts thereof to the cloud, I recommend you visit our website for a practical fact sheet we recently posted as an introduction to cloud computing.
But safeguarding data from potential breach requires more than just the latest bells and whistles, be they firewalls, encryption, audit trails, authentication technologies including the latest in biometrics, etc. It’s also fundamentally about ensuring the appropriate organizational governance structure is in place to identify, account for and ultimately address potential privacy weaknesses. As well, it takes persistent efforts to provide ongoing privacy training for all employees, not just new employees, or employees in new positions, but all employees on a regular basis.
Most importantly, as the Commissioner has stated many times in past findings, one of the most effective safeguards for protecting data against breach, is not to collect and retain so much of it in the first place. I understand that retention and destruction schedules are a delicate subject for professionals who are otherwise obligated by their professional codes to retain records for potential liability or auditing purposes well beyond the completion date of a contract. Doctors, lawyers and other professionals face the same dilemma. That being said, once the retention period has fulfilled your minimum professional requirements, personal information should be destroyed as soon as possible thereafter.
Part III: Bill C-12 & PIPEDA on the Horizon
Up to now, I have been speaking to you about PIPEDA as it stands. However, as many of you know, Bill C-12, an Act to amend PIPEDA, was tabled in Parliament on September 29th of this year. The Bill as introduced is essentially identical to its predecessor Bill C-29.
For present purposes, I will highlight three notable amendments being proposed:
First is mandatory breach notification. Under the proposed changes, organizations would be obligated to report material breaches to the Privacy Commissioner of Canada. In cases where it is reasonable to believe that the breach could cause a real risk of significant harm, organizations would also be obligated to notify the individuals involved directly. The mandatory breach notification regime in Bill C-12 closely resembles our current voluntary guidelines. If passed, these legislative amendments will likely incentivize many more organizations to take necessary security safeguards seriously and to report and address breaches that may currently go unreported, ultimately and hopefully enhancing organizations’ accountability under the Act.
Second, the Bill, if passed, would do away with the current designation scheme for investigative bodies under PIPEDA. This would mean that persons or organizations conducting investigations would no longer have to seek a special designation by formal means of order-in-council. Rather, PIPEDA would allow disclosure without consent where necessary for the purpose of investigating a breach of an agreement or a contravention of a law, or for the purpose of preventing, detecting or suppressing fraud. In other words, permissible disclosure of personal information without consent would depend on the purpose of the proposed disclosure and no longer on the formal status of the person or entity to whom it was disclosed.
Third, in an effort to better define “lawful authority”, a term many agree is nebulous in the current Act, the Bill proposes a definition which is formulated in the negative, by defining what lawful authority is not. C-12 states that lawful authority is something “other than a subpoena, warrant or order issued or made by a court, person or body with the jurisdiction to compel the production of information”, or “rules of the court relating to the production of records”. Together with the related proposed amendment absolving the organization disclosing the information from having to verify the validity of the lawful authority, several commentators have suggested that this attempt to clarify lawful authority is not helpful and may result in more disclosures without consent to government institutions.
Part IV: Conclusions
Throughout my talk, I may have left you with an image of forensic accounting and privacy on opposite ends of a scale, with the challenge being to find the right balance between these opposing forces. However, in many ways, the work of forensic accounting and data protection is growing increasingly integrated as part of a single force, particularly against the new common threat of cyber crime. As personal information becomes the new currency in a growing digital economy, your job of following the money will soon become a job of following personal data. Your investigative skills, well-honed in tracing financial transactions, will increasingly be transposed to personal data flows. As the government rolls out its strategy to build Canadians’ trust and confidence in the new digital economy, your profession will no doubt assist in the investigation of identity theft and other online threats. Forensic accounting will become indispensable to relevant organizations and regulatory agencies, including the three enforcement bodies charged with implementing the new Anti-Spam Act, of which the OPC is one.
Let me show you an example:
However, in the current context of exploding information technologies, global data sharing and highly complex and obscure profit structures that drive the internet market, it is increasingly clear to our Office, among others, that accountability and openness are becoming the most critical success factors for effective data protection – and, if I may be so bold as to suggest, for effective business as well. If anyone gets the importance of accountability and transparency, your profession certainly does. We count on you to set a model example in the way you handle personal information yourselves in the course of your investigations, so that you can play an important and credible role in investigating and combating the new threats to Canadians’ personal information. As the title of the sequel to Oliver Stone’s Wall Street movie suggests, “money never sleeps”; and nor does personal information. We need your investigative skills and your active participation to help ensure that the new currency of Canada’s digital economy remains protected from threats of fraudulent conduct. We look forward to working with you.