Complying with PIPEDA

Changing corporate policy is never an easy task, especially when there is an exact date for compliance. Y2K gave companies lots of practice, so it is with less anxiety that corporations greet PIPEDA compliance as the remainder of the law goes on the books Jan. 1, 2004.

The Personal Information Protection and Electronic Documents Act is the law which, as its name suggests, protects individuals from having their personal information bandied about the databases of the world. Federally regulated companies have had to comply since Jan. 1, 2001.

Many of these companies found compliance laborious but not intrinsically difficult, since privacy practices were often already in place. Call it common sense.

“Many companies are doing polling and discovering that customers will leave them if they feel that there is a breach of trust,” said Stephanie Perrin, chief privacy officer with Zero-Knowledge Systems in Montreal.

“In our case, we have had a formal privacy code for some 15 years…so at one level there wasn’t a whole lot of need to do anything dramatic in order to be…compliant with the privacy act once it came in effect,” said Peter Cullen, corporate privacy officer with the Royal Bank in Toronto.

Regardless, the financial institution used PIPEDA as an opportunity to remind its employees about Royal Bank’s policies and to make sure they were understood and adhered to.

In essence it has been a refresher course for the entire company and has allowed it to re-instill the practice of being vigilant about customers' information privacy.

“We have approached it from a standpoint that if we ever get to the point where someone in the organization says I don’t need to worry about privacy because somebody else is, we are in deep trouble,” he said. So if privacy is at the front of everyone’s mind then deep trouble can be avoided.

It also helps that the Royal never sold, distributed or traded customer information in the first place, so there was no distribution to curtail or loss of revenue to make up.

“Because information is absolutely core to our strategy and absolutely core to our customer’s trust, quite frankly it has a hell of a lot more value to us to insure that we keep it as opposed to selling it,” Cullen said.

The Hudson's Bay Company, which is not required to comply with the majority of PIPEDA until 2004 (portions of the act covering such things as mailing list distribution became law in Jan. 2001), decided there was an advantage to starting the compliance process long before it was legally necessary.

“We decided as a national scope company that it would be reasonable business practice on our part…to do it early, so [the policies] were pretty much in place in January,” said David Crisp, senior vice-president of human resources with HBC in Toronto.

Getting your company ready to comply with PIPEDA now, instead of later, makes a great deal of sense. Many corporations are starting to implement customer relationship management solutions to better track and serve their customers. One potential outcome is finding that information held in individual business silos was not considered personal on its own, but that it becomes personal once it is all gathered under one roof. Your sales department may have names and addresses, while marketing has ages and income data. Alone, each set poses little problem; together, they could be a public relations disaster in the making.

All aboard

Getting employees to understand that protecting customer information makes good business sense is generally not a tough sell, since each individual has his or her own personal information stored with other companies. But getting employees to comply is harder, since personal information is not always stored in neat corporate databases. It can be found throughout a company, some of it literally residing on pieces of paper or index cards.

“The task for a retailer is far more complex than may appear at first glance,” Crisp said.

“Say you buy a suit at the Bay and the guy who fit you has your name and number down on a card to call you when the suit is in,” Crisp explained. “[Well] he may also ask you if it is OK to contact you if they have any suit sales.”

“That sort of clientele card, we are now trying to automate so that we have it in a repository,” he said.

During HBC's initial stages of PIPEDA compliance, individual store managers were briefed and then passed the information on to their employees. But HBC also realized technology could help.

To get all of the pertinent information across to its thousands of employees, HBC turned to the Internet. Employees take Internet-based courses, which they have to pass, to ensure they have the most up-to-date information. It also certainly didn't hurt that HBC already had a rule in place stating that it can fire employees for giving out customer information.

Bell Canada, being in a federally regulated industry, was in the same boat as the Royal Bank – complete compliance in 2001.

But it too had some policies in place beforehand, since telecommunications is regulated by the CRTC and there were already rules about divulging certain information.

“Definitely there were things that we had to do and we have been working on for some time…[but] a lot of the processes and procedures in place necessary to comply with this act, we would have had in place already” due to CRTC regulations, said Suzanne Morin, senior counsel, regulatory law, with Bell Canada in Ottawa.

Cullen said that Royal builds the processes right into daily practices.

“When a client opens up an account now, one of our behaviours that we ask from our sales people is not just to get the client to sign a document that gets consent but to explain what that actually means,” he said.

Request for information

Companies are allowed to charge customers an administrative fee to access their information, should they decide to check what data a company is holding on them. At first glance this seems a little unfair, since companies do have, after all, your information.

But the reality is, many companies have a whole hell of a lot of information on you.

“Asking for all of the transactions for all of the service charges [an individual] has paid over the past seven years…if they are after every bit of information that is on file then there will quite likely be a charge,” Cullen said.

The key, he said, is to help the customer focus in on the information they are after, in which case there would likely be no charge.

Crisp agrees with Cullen that focus is the key.

“One of the difficulties that everyone is going to have is that people send in very broad requests (for information),” he said.

But there is another potential reason to charge customers to access personal information.

“We have to (keep the ability to charge), if we ever got campaigned…which gathered individuals and encouraged them to request all that information in that kind of broad way, we could be swamped,” Crisp said.

Though Canadians should be aware of PIPEDA, there is a sinking feeling that few are well informed.

“We haven’t seen a large volume of complaints yet partially because the Canadian public doesn’t know that the act has passed by and large,” Perrin said.

And the Royal’s statistics seem to agree with this.

The Royal Bank “has not seen a real increase in people asking for information,” Cullen said.