January 2005 Edition
Privacy Pays

by Patricia Nicholson


The proper handling of customers’ personal information has always been good business. New privacy legislation now makes it required practice.


The federal Personal Information Protection and Electronic Documents Act (PIPEDA) was intended to balance the need of businesses to collect and use personal information against the right of individuals to maintain their privacy with respect to their personal information. Although the act came into effect a year ago, the Canadian Marketing Association (CMA) has advocated permission-based marketing and respect for customer privacy for the past decade.


“It really separates reputable organizations from those that aren’t,” says Ed Cartwright, Director of Communications for the CMA. “It demonstrates to the consumer that you, as a marketer or as a restaurant operator, value and also recognize the need for consumer consent, and the importance of protecting an individual’s privacy.”


British Columbia, Quebec and Alberta have provincial privacy legislation, says Janina M. Kon, professor at the School of Business at University of British Columbia, and President of Streamline Counsel Inc., a legal firm specializing in privacy compliance, training, and policy development. All other regions are covered by PIPEDA. While there are some differences in the provincial and federal laws, Kon says some concepts – such as the definition of personal information – are common across the legislation.


“People think it has to be something highly confidential like medical information or a Visa card,” she says. “It includes a much wider scope than that, which is essentially any information that can be identified to an individual.”


Names and addresses that are available in a public registry, such as a telephone book, are not classified as personal information, Cartwright says.


“If you’re asking them about their eating habits, where they shop, what their likes and dislikes are . . . that’s when it becomes personal information that’s identifiable,” he explains.


Use of that information – for secondary marketing, for example – without consent would violate privacy legislation. However, aggregate information that cannot be linked back to individuals does not fall under the legislation.


“We’re talking about information that would identify the individual and may be used for secondary marketing,” Cartwright says. “If there’s personal information that’s being transferred, they have to get the permission of that individual to transfer that information to a third party.”




Kon says consent is one of the key principles of the legislation. “Any business collecting personal information must, in some form or another, obtain consent for that collection for the use they wish to make of it and how they wish to disclose it,” she says.


Organizations that don’t obtain consent may be found in contravention of the federal privacy act, usually through a complaint registered with the privacy commissioner. The commissioner may then issue a finding.


“Now, the finding is just that: it’s a finding from the privacy commissioner’s office to the organization that in fact they did not follow the letter of the law,” Cartwright says. “But it’s not an actual criminal charge.”


Although the individual may pursue further legal restitution, Cartwright says the danger for a restaurant operator is public image. Media reports of a breach of privacy law could do serious damage to a company, he says.


Consent can be acquired in writing, verbally or electronically. Common methods of acquiring consent include “opt in” and “opt out” alternatives. These allow customers to express their agreement to the purpose for which the information is collected (opting in), or to express their disagreement with that purpose (opting out). This is often achieved with a check box on paper or electronic forms, but businesses must be careful to make sure the terms are clear.


The CMA supports positive consent, or “opt-in” wording.


“It has to be easily recognizable,” Cartwright says. “It’s a simple question: would you be agreeable to this information being shared with another organization that can provide you with special offers that are relative to what your interests are? Please check here.”


Cartwright adds that it’s important that it be positive consent, rather than a negative option in which the customer’s information will be shared unless the box to opt out is checked.


“It’s much more up front with consumers,” Cartwright says of positive consent.




Beyond consent, the legislation has specific standards that businesses must meet.


“Privacy laws now require that businesses have privacy policies in place, and procedures; that they are accountable for these procedures; and that they can make these procedures known to any members of the public from whom they collect personal information,” Kon says.


In addition to a privacy policy, a business must also appoint a privacy officer who is responsible for the organization’s compliance, Kon says. She adds that the legislation applies to all businesses, no matter what their size.


Kon recommends that staff receive training in what procedures should be followed when handling information, including credit card numbers. She also recommends using printed credit card receipts that do not include full credit card numbers. Kon says she would not be surprised if such measures became required practice.


In fact, the Office of the Privacy Commissioner is investigating a complaint received about credit card receipts and the amount of personal information that they display, says Renee Couturier of the Office of the Privacy Commissioner of Canada.


Businesses keeping personal information on file are responsible for keeping it secure, and for doing due diligence with respect to security, Kon says. Businesses are required to consider security practices in three areas:


- Physical security: locking cabinets, restricted access to areas where personal information is stored
- Organizational security: restricting information on a need-to-know basis, staff training
- Technological security: passwords, firewalls, virus protection


Information that is no longer required for the purpose for which it was collected should be destroyed or rendered anonymous.


Acquiring information from other sources is another area in which due diligence is required.


“If you are buying a mailing list from a third party, the onus is on you to ensure that the company gathered those names and addresses and information in accordance with the privacy act,” Cartwright says.


Kon points out that given high public concern about spam, unwanted marketing, and identity theft, proper information handling is just good business. Complying with privacy legislation is well worth the effort.


All businesses are responsible for complying with these 10 fair information principles:


- Be accountable
- Identify the purpose
- Obtain consent
- Limit your collection
- Limit use, disclosure and retention
- Be accurate
- Use appropriate safeguards
- Be open
- Give individuals access
- Provide recourse


For more information about how to comply with these principles, see the Office of the Privacy Commissioner of Canada’s guide for business at http://www.privcom.gc.ca/information/005