Canadian organizations have to improve the way they tell customers and partners how personal information is being used to get their informed consent for collecting data, says the federal privacy commissioner.
In his annual report to Parliament released Thursday, Daniel Therrien said his office was told during a public consultation on consent earlier this year that people feel “utterly powerless” when it comes to controlling how their personal information is collected and used by companies.
“Consumers are befuddled by incomprehensible privacy policies, yet feel compelled to consent if they are to obtain the goods or services they desire,” he said. “Some group participants even said that with the information provided, they are ‘never’ really able to give informed consent.”
So, he said, organizations must “be more transparent and accountable for their privacy practices.”
In offering guidance Therrien said four elements should be highlighted in privacy notices and explained in a user-friendly way:
–what personal information is being collected;
–who it is being shared with, including an enumeration of third parties;
–for what purposes is information collected, used, or shared, including an explanation of purposes that are not integral to the service; and
–what is the risk of harm to the individual, if any.
His office will also develop new guidance that would specify areas where collection, use and disclosure of personal information is prohibited — for example, in situations that are known or likely to cause significant harm to the individual.
Therrien is also recommending that Parliament consider whether new exceptions to obtaining consent may be appropriate where consent is not practicable, such as in some big data uses.
“Few of us would like to go back to the pre-digital age, but no one has agreed to give away their privacy on the basis of 50-page privacy policies written in legalese most lawyers don’t understand,” Therrien said.
Organizations under federal control that collect, use or disclose personal data must under the Personal Information Protection and Electronic Documents Act (PIPEDA) seek and obtain consent. The law says personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Therrien said he will recommend Parliament also add “the risk of harm to the individual” as a factor to be considered.
During the consent consultations, the annual report notes, privacy policies were “heavily criticized for obfuscating data practices by being overly lengthy, using complex and ambiguous language, and generally failing to provide individuals with a clear description of how their personal information is to be managed. Individuals talked about the complexity, lack of clarity, and all-or-nothing approach of consent mechanisms. Based on what we heard, in the mind of the average person, privacy policies are broken. Many of our focus group participants had no clear or definite idea of what it means when a company has a privacy policy and most admitted to not reading them.”
“Organizations should deliver the right information to individuals when they most need it,” says the report. “This includes using meaningful language and going beyond vague descriptions of purposes such as ‘improving the customer experience.’ We recognize the difficulties of finding the sweet spot between delivering information required for users to make informed decisions and not disrupting the flow of their experience or causing consent fatigue. Nonetheless, it is only when the right information is brought to individuals’ attention at the right time and in a digestible format that they can exercise meaningful control.
The section of the report on consent is lengthy and includes useful advice for privacy officers.
Therrien said also said his office is – again – recommending Parliament give the commissioner power to make order-making powers and levy fines for violating privacy laws.
“Canadians’ fear that they are losing their privacy is real,” he said in a statement. “They expect concrete, robust solutions to restore their confidence in technology as something that will serve their interests and not be a threat to their rights.”
Polls show that an overwhelming majority of Canadians are concerned about their privacy, he pointed out.
Therrien has been so worried about the state of corporate readiness for cyber attacks that since May he’s stopped waiting until people file complaints about alleged privacy issues before acting. Instead he’s ready to launching investigations into questionable privacy practices or “chronic problems” on his own when necessary.
Also in the annual report, Therrien’s office looked at a number of other issues:
–on new law allowing federal departments to share personal information they collect, the Security of Canada Information Sharing Act (SCISA), the report found there was no formal overarching reporting structure in place to capture the exchange of information betrween departments. Record keeping practices varied among institutions – and in one case, within the same institution – and not all disclosures or receipts of information under SCISA were recorded. As a result, the commissioner’s office couldn’t assess whether all disclosures under SCISA complied with the Privacy Act, which covers the federal government (PIPEDA covers the private sector).
There is no legal duty to keep a record of SCISA disclosures, the report notes, but without records it’s hard to hold institutions accountable for the information they are sharing.
–on the federal MyDemocracy.ca Web site, designed to stimulate debate on the election reform, the commissioner looked into a complain that the use of Facebook Connect” violated the Privacy Act. The site wasn’t designed in a privacy sensitive way, the report concluded, because it allowed in some cases the disclosure of personal information including IP addresses and other web browsing information with Facebook when the site’s home page was loaded. That meant it violated the proper disclosure provisions of the Privacy Act.
The site was designed by a third party.
While the commissioner found no evidence that the Privy Council Office, which was responsible for the site, used IP addresses or other data elements to identify specific individuals, he did find that users who were logged into their Facebook account when visiting the website, the information shared with Facebook clearly constituted the personal information of the Facebook logged-in user as this could have been linked back to and identified the user via the Facebook ID.
Even for users who were not logged-in to Facebook, the report adds, there was a serious possibility that these individuals could have been identified using the information shared with Facebook, such as their IP address, particularly when combined with other information such as browser characteristics and site URLs the user had viewed, and thus, this constituted personal information.
And some information was also being shared with Google as a result of the integration of the Google Analytics service.
The Privy Council Office – essentially the office that runs the government bureaucracy – made some changes to the site after a preliminary report in May, including changing its privacy policy. However Therrien isn’t satisfied that even the amended policy was good to obtain meaningful consent from individuals for data disclosure.
“The right information must be brought to an individual’s attention at the right time, and in a format that allows individuals to exercise meaningful control over their personal information,” says the report..
The site is no longer in use.
