Privacy chief discusses Sept. 11 fallout, PIPED Act

Privacy is the defining issue of the coming decade, according to George Radwanski, the privacy commissioner of Canada.

In his address to attendees of the eCustomer World 2001 conference in Toronto Tuesday, Radwanski stressed that privacy is a fundamental human right that is at the heart of liberty, and that in light of the current battle against terrorism, Canadians must be careful not to sacrifice this right.

“We must distinguish short-term measures from the big picture,” he advised.

One of these short-term measures could be the introduction of identity cards, a topic that has been widely discussed since the Sept. 11 terrorist attacks.

“We may implement some measures that infringe somewhat on our privacy for greater security, and I certainly, as privacy commissioner, would never stand in the way of demonstrably necessary measures to meet the security challenges that we face,” Radwanski explained.

“But neither will I stand by or represent intrusions on our privacy that are designed to make us feel better without a real need or without being demonstrably helpful. So far nobody has demonstrated to me what exactly we would achieve [with identity cards] that’s not achievable already.”

The bulk of Radwanski’s address focused on the Personal Information Protection and Electronic Documents (PIPED) Act, which will be completely rolled out by January 2004.

The Act, which is similar to privacy standards set in every industrialized nation in the world, with the exception of the United States, is based on the reality of the marketplace, according to Radwanski.

The first and current stage of the rollout concerns personal information collected, used or disclosed in the course of commercial activity by federal works, undertakings and businesses. These are primarily the banks, airlines, telecommunications companies, broadcasters and transportation companies. This stage of the rollout also applies to information about employees of these companies, and to any disclosure of personal information across provincial or international boundaries.

“That means that if a company in Ontario sells or leases a mailing list to a company in Alberta, that information is subject to the protections contained within the Act,” he explained.

The second stage begins on Jan. 1, 2002, and extends to personal health information of all employees and customers of federal works and undertakings.

The third and final stage of the Act will be in place by Jan. 1, 2004, and it is this stage that will most affect Canadian businesses and their processes of dealing with information. At this time the Act will apply to all personal information collected, used or disclosed in the course of commercial activities by all private sector organizations.

“I realize that businesses are going to face some new challenges in meeting the law’s central requirement, which is to obtain customer consent. Marketers for example, collect information from a variety of sources – contests, market research, warranty cards. That will all be subject to consent. You need to take that requirement seriously. Implied consent is permitted under the act, but in limited circumstances. You shouldn’t rely on it.”

Radwanski explained that information can only be used for the purpose for which the individual has consented, and consent is needed to collect the information in the first place.

“Consent must be meaningful. The individual must have a reasonable idea about what they are consenting to and how the information will be used.”

Additionally, the Act requires that personal information be retained only as long as it is required to fulfil the purpose for which it was collected.

“Organizations cannot hold onto personal information forever because someone thinks the information might come in handy someday, somehow,” Radwanski said.

Further, the opt-out option that is often found on companies’ Web sites is considered by Radwanski and the Act to be a “weak form of consent” because it puts the responsibility on the wrong party.

“Someone wanting to collect information should get active consent,” he said. “Invite the person to opt in.”

He continued by encouraging companies to put the needs of the customers first and to always maintain a consistent level of respect.

Radwanski advised that the best way for a company to avoid issues with his department is to build privacy into the business plan from the outset.

“Privacy can’t be an afterthought,” he warned.