Last week’s column dealt with the right of public access to government
information and the right to privacy. An equally important issue is the
use of personal information gathered by private companies, be they banks,
credit card companies or grain handling firms.
In January 2001, a federal law, the Personal Information Protection and
Electronic Documents Act, came into force. This legislation applies to
businesses operating under federal law, such as banks, airlines and
grain handling companies.
By Jan. 1, 2004, it will apply to all provincial enterprises, unless
provinces enact similar legislation.
The governing principles of this legislation are that personal
information shall only be collected with the consent of the individual;
that the reason why information is collected will be disclosed; that
information collected will be that which is reasonable in the
circumstances; that as a condition of providing service a business will
not require a person to consent to collection or use of information
beyond that required to provide the service; that personal information
will only be kept as long as required to fulfil the contract; and that
an individual has a right to challenge any information and have it
amended as appropriate.
The federal privacy commissioner, George Radwanski, at 800-282-1376,
handles privacy violation complaints. Here are two examples handled by
the commissioner.
An individual signing up for internet service was asked to provide her
social insurance number and was told “no SIN, no connection.” In
dealing with the complaint the commissioner noted the long-standing
position that the SIN not be used as a universal identifier. He was
satisfied that a reasonable person would object to the collection of
SINs for the purpose of internet connection.
The commissioner concluded the company was not in compliance with the
principles of the act. The company removed the SIN from the
individual’s file and was in the process of changing its policy so that
SINs would no longer be requested.
The next example involves a bank. A person applied for a credit card
but was turned down. She then requested that the information she
provided be deleted from the bank’s computer system.
The branch manager informed the applicant he did not have the authority
to remove the information. The commissioner found the bank in breach of
the principles by indefinitely keeping the information on hand. He
noted that the bank subsequently deleted the information and had not
communicated it to any third parties.
Recently, the commissioner ruled against Air Canada and its Aeroplan.
He found that personal information in the plan was shared with
“corporate partners and agents for direct mail marketing campaigns.” He
was also critical of the company’s negative or opt-out consent.
Negative consent means you have to contact the company and ask that
your personal information not be disclosed to other parties. He
concluded that the opt-out clause puts the responsibility on the wrong
party.
Full details on the act and the work of the commissioner can be found
at the website, www.privcom.gc.ca.
Don Purich is a former practising lawyer who is now involved in
publishing, teaching and writing about legal issues. His columns are
intended as general advice only. Individuals are encouraged to seek
other opinions and/or personal counsel when dealing with legal matters.