Take time to track personal data

The new Personal Information Protection and Electronics Documents Act (PIPEDA) has been on the books for a year now. It is nice to know it is there, but does it really amount to much? How many people have actually contacted their bank or telephone company and asked to see their personal information file? How many people actually knew they could do it? And for that matter, how many Canadians even care?

For the past year we have been able to request that federally regulated private companies, such as financial institutions and phone companies, divulge what personal information of ours they have on file. Other than correcting any data, what does this really mean about one’s private information? The companies I spoke to said they never divulge personal information to third parties, collect only pertinent information and get consent in doing so. This is great, but it doesn’t address one real shortcoming of PIPEDA.

Individuals have little recourse to force a company to delete information which they have no right to have. A senior lawyer, who is a PIPEDA expert, admitted the act’s definitions are so grey that she could only come up with, “I think so,” when asked whether an individual has the right to force a company to delete inappropriate information. Whether or not companies use certain data is moot, the question is whether they have the right to store specific information in the first place.

I spoke to one individual who was shocked when an employee told her his telephone company contacted him because they wanted to verify the information they had in his file. The data included his provincial health insurance number and his social insurance number. How did they get this information and how could they possibly justify having it? Video rental companies often ask for far more than just a credit card number to secure a rental. One car rental company sends me a birthday card with a coupon for a free day’s rental. It is a nice touch but I don’t think they have the right to store my birthday data unbeknownst to me. Were it not for the card I would never have known they store it in some database. Regardless, when the law covers all companies in 2004, it is unlikely I will contact all of those companies I regularly deal with to scrutinize my personal information. And even if I do, what exactly is my recourse to force them to delete information I feel they have no right owning? If push comes to shove who is going to win this argument?

PIPEDA says companies in the future will only be able to collect information that is pertinent to their needs. The problem is they are far more imaginative at justifying why they need all this data than we are at justifying why they shouldn’t have it. A dialogue needs to be started to help decide what it and what isn’t pertinent customer information because most individuals are too easily separated from it, seldom having the guts to question a corporation’s data gathering policies.

Companies have a right to store information which can aid them in serving their customers better, but they have no right to gather and store information unrelated to the relationship at hand. It is time companies are forced to purge unwarranted customer data. No question it will be an onerous task but there is already too much personal data floating around. Admittedly, PIPEDA is in its infancy. It will be interesting to watch it develop.