PIPEDA - Privacy Commissioner's Annual Report
Yesterday, May 31, 2007, Privacy Commissioner of Canada, Jennifer Stoddart, issued her annual report to Parliament on the state of our Personal Information Protection and Electronic Documents Act (PIPEDA). I've written about this before in "Internet Privacy - Legislation and Personal Privacy Policy" and watched this legislation since prior to its effective date in January of 2004.
It appears that the "big boys" (banks, insurance companies, the transportation sector, etc.), where heavy regulation has always been a fact of life, are doing well in this area. The complaints against them have dropped slightly.
Retail and accommodation (hotels, motels, rentals, etc.) are going the other way - people (you, my readers amongst them I hope) are complaining more about the ways in which your data are used and abused by these industries, especially retail, it seems.
She notes that "the majority" (67%) "of businesses that collect personal customer information have fully implemented PIPEDA provisions..." but there are others who have neither implemented the provisions in their policies and procedures nor even started the process of doing so.
Many businesses - especially the smaller ones - don't have anyone on staff who is familiar with the PIPEDA rules and their impact on customer relations.
Some of the details revealed in the full report are enlightening, pointing especially to a "finding" this April regarding SWIFT (Society for Worldwide Interbank Financial Telecommunication) wherein bank customer information found its way from Canadian banks to the US Treasury Dept. when international money orders were processed via the SWIFT system. The upshot of it is that SWIFT, an international organization, "responded to compulsory subpoenas for limited sets of data from the Office of Foreign Assets Control of the United States Department of the Treasury" which PIPEDA recognizes as a fact of the Canadian banks doing business with a contractor that is international in scope and therefore has to deal with the laws of each of the countries it works in. This particular item is outside the dates of reference for the annual report so I'll go into it in another article.
The full report is probably not worth reading for most people, even those actually in the business of conforming to PIPEDA; however, some items are of note:
the Commission is looking at adopting some of the privacy provisions currently in force at the provincial level in Alberta and BC - including provisions for prospective purchasers of businesses to only see customer lists under non-disclosure and potential of making it an offence to attempt to collect personal information without consent - something the web industry does all the time in my experience.
extend the provisions for cross-border protection of and (under proper circumstances) sharing of personal information.
continued pressure on government to limit the collection and disclosure of personal information for law enforcement and national security purposes.
recommendations on mandatory notification of breach when personal information is "lost" (stolen, disclosed, etc.)
Most of the rest of the full report was statistics and summaries of items that can be found in detail on the Commission's web site. Lots of interesting reading if you look for items in your particular field of interest.
Again, I urge you to consider it your right and duty to question any and all requests for your private information - and if they exceed what you feel is reasonable, complain to the Commission. Only in that way will things get better. The Commission is not able to deal effectively with some problems due to their cross-border nature, but many of them can be dealt with before the information gets into the systems involved. They don't take complaints by e-mail; you have to send them to their address - see their contact page for more information.
You might also be interested in taking their online Privacy Quiz.


