The data management practices of six unnamed Canadian data brokers are being investigated by federal privacy commissioner Daniel Therrien, the first of his promised probes into possible privacy problems across select industries.
“Preliminary inquiries with industry practices raised a number of concerns about how databases of Canadians’ detailed personal information are being compiled and subsequently disclosed to marketers,” he said.
The concern is that such information could be inaccurate, and could be accessed and used for purposes that individuals may know nothing about. “As such we will look at accountability, openness, transparency, the management of information collected, used and disclosed and the means of consent.”
The investigation will also look at the brokers’ conformity with the Canadian Anti-Spam Law (CASL).
Therrien made the disclosure Thursday at the annual Canadian convention of the International Association of Privacy Professionals (IAPP) in Toronto, one of a number of important announcements:
–The investigation is part of a new compliance division the Office of the Privacy Commissioner is setting up for what Therrien calls “proactive enforcement” of Canada’s privacy law. It will target systemic, chronic or sector-wide privacy issues the office believes are not being addressed through complaints and may inflict significant damage on the privacy of Canadians.
–The office is also setting up a new promotion division with two goals: to educate Canadians on their privacy rights and how to protect their data, and to work voluntarily with organizations to head off privacy complaints. It will also try to better understand new business models and practices, such as the Internet of Things and data analytics, in order to address privacy concerns.
–The first advisory project under this division will be working with the Ontario privacy commissioner on Sidewalk Labs’ proposed sensor-connected Toronto lakefront community.
–The release of final guidelines organizations should follow to obtain meaningful consent from people when gathering personal information. A list of so-called ‘no-go zones’, that is, practices companies should not engage in, comes into effect July 1. A list of guidelines for properly obtaining consent comes into effect at the beginning of the new year.
Therrien didn’t say what specifically sparked the investigation into the privacy management practices of data and list brokers, who harvest and resell personal information.
The re-organization shifts his office’s work away from investigating complaints. “We know a successful regulator does not use enforcement as its first or primary strategy to seek compliance,” he told the conference of privacy pros.
“Addressing privacy issues upfront and resolving matters co-operatively outside formal enforcement is our preferred approach. It avoids time-consuming and costly investigations, helps mitigate against future privacy risks, offers organizations a measure of consistency in their dealings with our office, and allows everyone to benefit from innovation. We will consider these tools before engaging in our second strategy, proactive enforcement.”
By giving “practical, actionable advice both to Canadians and organizations, I hope Canadians will begin to feel more empowered and more in control of their personal information, and generally safer in the knowledge their rights will be respected,” Therrien said.
The consent guidelines, a joint effort with Alberta and B.C. privacy officials, stress four elements that must be emphasized to get meaningful consent when collecting personal data:
– what personal information is being collected;
– with whom it is being shared;
– for what purposes it is being collected, used or disclosed;
– and what the risks of harm or other consequences of the collection, use or disclosure of the information are.
On this last point, Therrien noted the Personal Information Protection and Electronic Documents Act (PIPEDA) says valid consent requires that a person understand the nature, purposes and consequences of the data collection, which might include harm.
“Only meaningful, residual risks of significant harm must be included in the notification,” Therrien said, such as bodily harm, humiliation, loss of employment or identity theft. A “meaningful risk” falls below the balance of probabilities but is more than a mere possibility.
The level of detail required for each of the four elements will differ. For example, the third parties data might be shared with “need to be described in sufficient detail for an individual to understand what it is they’re being asked to consent to.”
The ‘no-go zones’ are:
- Collection, use or disclosure that is otherwise unlawful.
- Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law.
- Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual.
- Publishing personal information with the intended purpose of charging individuals for its removal.
- Requiring passwords to social media accounts for the purpose of employee screening.
- Surveillance by an organization through audio or video functionality of the individual’s own device.
“The guidance sets out a modernized way to obtain meaningful consent from consumers,” Therrien said in an interview. “We stay at the level of principles because we think companies are best placed to translate that into their own business operations. So I hope they will take the advice and the guidance, reflect on what that means for their business operations and implement it as fully and as generously as they can.”