Data Privacy Week: Some Canadian firms have ‘shortcomings’ in treating privacy, says regulator

Canadian companies still aren’t doing enough to respect the privacy of residents, the federal privacy commissioner said in an interview marking Data Privacy Week.

“In our annual report … we saw a number of instances where there are still shortcomings in terms of how privacy is considered,” Philippe Dufresne said Monday.

In particular, he cited four cases from the report for the 12-month period ending March 31, 2022:

— a joint investigation with provincial privacy officers in Quebec, Alberta, and B.C. found Tim Hortons’ mobile app inappropriately tracked and recorded its customers’ movements every few minutes of every day, even when the app was not open. The collection of what the report called “vast” amounts of location information was not proportional to the benefits the company may have hoped to gain from better-targeted promotion of its coffee and other products. Customers’ consent for collecting that data was done through “unclear, and in certain circumstances, misleading statements;”

— a Rogers Communications customer was enrolled in its Voice ID voiceprint biometric authentication program without her consent. In fact, after discovering she had been enrolled, the customer called Rogers and once again opted out of the program, only to discover that she was still in it. Rogers agreed to get express consent from individuals for this program;

— trucking firm Trimac Transportation Services Inc. had installed dash cameras in its vehicles that continuously recorded audio and video without drivers’ consent. Video and audio clips transferred to Trimac were available, with limited safeguards against unauthorized access, to more Trimac employees than necessary. The company agreed the audio recording should only be active when a driver is on-duty or driving, and to limit the availability of the recordings;

— a Quebec company authorized by the federal government to administer mandatory COVID-19 tests at the Montreal-Trudeau airport used its position to send marketing emails to 147,000 travelers it tested without their consent. The company wrongly thought it had established a “business relationship with arriving passengers and thus relied on implied consent to send email ads,” the report said.

The four examples Dufresne cited involve improperly collecting personal data without proper consent. The website of the Office of the Privacy Commissioner says that under the federal private sector privacy law known as the Personal Information Protection and Electronic Documents Act (PIPEDA), “organizations are required to obtain meaningful consent for the collection, use and disclosure of personal information. Consent is considered meaningful when individuals are provided with clear information explaining what organizations are doing with their information.”

SIDEBAR: PIPEDA applies to federally-regulated commercial firms and companies in all provinces and territories except in B.C., Alberta and Ontario. Here’s a brief outline of what businesses should and shouldn’t do.

During Privacy Week, business and IT leaders should be thinking about what they can do to create a stronger culture of privacy in the workplace and in Canadian society, Dufresne said. “When I was appointed privacy commissioner [last summer] I put forward a vision of privacy that recognizes privacy as a fundamental right, privacy in support of the public interest and Canada’s innovation and competitiveness, and privacy as an accelerator of Canadians’ trust in their institutions and their participation as digital citizens.”

“That means treating privacy as a priority,” he said, “not as an afterthought, as a mere regulatory obligation, but something that is fundamental to individuals and society.

“For organizations, that means conducting privacy impact assessments in appropriate cases to ensure privacy risks are identified and mitigated. It means asking questions and making sure that they are only collecting, using, retaining and disposing of personal information to the extent that it’s demonstrably necessary and proportional to achieving the organization’s legitimate purposes.

“It means that individuals must be properly trained within the organization so that not only do they have good policies, but they are implemented properly and followed through. It means putting up safeguards to protect information against what we are seeing more and more in terms of data breaches and increased threats. And it means leaders recognizing and putting forward a vision of privacy that treats it as a fundamental right and not as an obstacle to the pursuit of an organization’s objectives — whether it’s innovation or economic — but as an asset, something that will support and strengthen those goals and ultimately increase Canadians’ trust in organization and society.”

While Dufresne calls for privacy to be a fundamental right, that’s not what the Liberal government has proposed in its overhaul of PIPEDA, known as Bill C-27. Dufresne said he will outline his detailed opinion on the proposed legislation to Parliament. He didn’t call for amending the Charter of Rights and Freedoms, however, he did say privacy should have “special status” if there is a conflict with other interests.

The government has said that the importance of privacy protection is mentioned in the legislation’s preamble.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Featured Reads