Denis Chamberland was pleased when his auto dealership e-mailed him to say it was PIPEDA compliant. In fact, it even offered him a test drive. He wrote back saying he’d be pleased to see what personal information of his they stored. So he waited, and waited some more. After two months he fired off a cursory “what’s up” note. The reply was prompt. The dealership got a little ahead of itself and was unable to send him his personal information. Marketing understood the value of PIPEDA, but never checked with IT whether compliance was technically feasible.
“I think in terms of technology, they probably had systems all over the map that were working in silos,” said Chamberland, a partner who specializes in outsourcing and security in the technology law group of Airds & Barlis LLP in Toronto.
This, in a nutshell, is the story of PIPEDA (the Personal Information Protection and Electronic Documents Act): high aspiration levels accompanied by a low rate of success. In January of last year, all Canadian companies had to be compliant with the act but, according to Chamberland, the numbers are not impressive. He said 75 to 80 per cent of small businesses are non-compliant. At the enterprise level the non-compliance numbers are lower, but not stellar.
ComputerWorld Canada had each of its reporters contact two companies he or she deals with personally. The results were all over the map. One national airline said it would get the information, then didn’t. In a complete breach of privacy, another asked a reporter for her online password. One bank did not include credit ratings or social insurance numbers as part of its definition of personal information. In fact, the information our reporter received was nothing more than a copy of his online banking statement. On the positive side, a cell-phone provider sent a veritable tome, including a list of all calls made.
The problem is policy not meeting reality.
“From our perspective we have seen a number of organizations that have created privacy policies but have not changed their infrastructure, their systems, their procedures (and) they haven’t engaged in training and awareness for their staff,” said Robert Parker, national privacy partner with the enterprise risk services at Deloitte & Touche LLP in Toronto. “They really have not engaged in all the activities required to become privacy compliant.”
Parker points to two reasons for the slow compliance.
“One of the reasons for this is the fact privacy…hasn’t been promoted to the business community through the normal channels,” he said. The other is more daunting. “Essentially there hasn’t been a compelling event in Canada.”
Dina Palozzi, BMO Financial Group’s chief privacy officer, agrees the lack of compelling events has distracted corporations. “It is a natural human trait, we focus on the fires.” And BMO certainly had a fire of its own. In the fall of 2003, two of its servers, replete with customer information, spent some time on eBay.
The bank learned from the experience, said Robert Garigue, its chief information security officer. Processes were changed to make sure outgoing hardware was properly wiped of all sensitive data. But even before the server snafu, BMO was aware of the complexity of protecting data, both personal and corporate.
“We work very closely with the IT divisions,” Palozzi said. She and Garigue frequently meet with Kevin Butcher, the head of the bank’s technology division. Palozzi also understands how an auto dealership could get its cart ahead of its horse. “It is important to remember that the extent to which private information is [important] for the business, depends on the industry.” For banks it is their corporate foundation.
Chamberland agreed. “If (companies) think that their clients will care (about privacy) then that will become important, but if they think that their clients will not recognize what PIPEDA is then…it is going to be less important.”
Palozzi also explained how PIPEDA compliance is forcing applications and procedures to change. Traditionally SINs have been used as a unique identifier for internal applications at banks. “In the future, systems development will limit the use of SINs for anything other than taxes,” she said.
In the not so distant future, this won’t matter because individual pieces of information will be XML tagged, with privacy attributes attached, Garigue said. But to do this companies have to understand their data. Companies need to ask themselves where they store information, and how they manage and share it, he said.
“It would behoove organization(s) to get back to the basics first of all and document all the occurrences of personal information and the personal information flow,” Deloitte’s Parker said. “To be honest with you, we don’t see that happening right now, and you’d think that would be the right approach,” said Nick Galletto, a partner who also works in Deloitte’s enterprise risk group.
Garigue agreed this is a problem and to overcome it businesses need to understand the value of information.
“When you share a physical asset, you halve its value. In the digital world, when you share, you double the value,” he said, so the more applications that can use data the more value that can be derived from it. “The whole challenge is (how to put) controls in place to ensure the most applications get access to content without compromising (privacy).” That is where privacy-enabled XML tagging comes in. A SIN could be tagged and stopped from jumping from application to application by internal firewalls. Or it could be deemed scrubbed of personal information (after all it is just nine numbers) and allowed to move around. On the other hand, if a name was with it, it would be stopped.
Though this sort of anonymization does occur today, it is based on rules attached to applications and databases, not the information itself. By placing tags on the information, if a SIN exited a database and later was matched with the name in another application, the data could be anonymized automatically.
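As an added illustration of the data-level rule Garigue describes (example code written for this article, not BMO’s system or any product mentioned here), the Python below reads records whose fields carry an assumed `privacy` attribute, lets a SIN pass when it travels alone, and replaces it with a keyed pseudonym when a name or other linking field sits in the same record. The tag names, the `LINKING_TAGS` set and the sample records are all constructed for the example.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample export. The "privacy" attribute on each field is an
# assumed tagging convention for this example, not a real standard.
SAMPLE_RECORDS = """<records>
  <record id="r1"><field privacy="sin">123456789</field><field privacy="none">2004-11-02</field></record>
  <record id="r2"><field privacy="sin">987654321</field><field privacy="name">Jane Example</field></record>
  <record id="r3"><field privacy="name">Bob Example</field><field privacy="none">branch 17</field></record>
</records>"""

# Tags that, combined with a SIN in the same record, make the record identifying.
LINKING_TAGS = {"name", "address", "phone"}


def pseudonymize(sin: str, key: bytes) -> str:
    """Replace a SIN with a keyed-hash token: consistent across applications
    (so joins still work) but not reversible without the key."""
    return "sin-" + hmac.new(key, sin.encode(), hashlib.sha256).hexdigest()[:16]


def gate_record(record: ET.Element, key: bytes) -> str:
    """Apply the data-level rule to one record and return the decision.
    'allow' when no SIN is present or the SIN travels alone;
    'anonymize' when a SIN shares the record with a linking field
    (the SIN field is rewritten in place)."""
    tags = {f.get("privacy") for f in record.findall("field")}
    if "sin" not in tags or not (tags & LINKING_TAGS):
        return "allow"
    for field in record.findall("field"):
        if field.get("privacy") == "sin":
            field.text = pseudonymize(field.text, key)
            field.set("privacy", "pseudonym")
    return "anonymize"


def gate_export(xml_text: str, key: bytes):
    """Run every record through the gate. Returns (decisions, output_xml):
    decisions maps record id to 'allow' or 'anonymize'; output_xml is the
    export after any SINs have been pseudonymized."""
    root = ET.fromstring(xml_text)
    decisions = {r.get("id"): gate_record(r, key) for r in root.findall("record")}
    return decisions, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    decisions, out = gate_export(SAMPLE_RECORDS, b"demo-key")
    print(decisions)
    print(out)
```

The point of the example is that the rule lives with the data (the tag) rather than with any one application: the same record produces the same decision whichever system exports it.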