Archive for the ‘Private Organizations’ Category

20 Sep 2013

An update on our Internet privacy sweep


Last month, we released the initial results of our Internet privacy sweep. You can read the original blog post to see what we observed. (We should note here that the screenshots and references in that blog post reflect what we saw online during the sweep and were still in place when we originally blogged about the sweep results on August 13.)

As part of our efforts on the sweep, our Office advised the companies that were mentioned in the blog, inviting them to contact the OPC if they wished to discuss the Sweep and our observations.

Since that original post, we are very pleased to see that some of the organizations we highlighted have made changes to enhance their online privacy policies.

A&W changed its privacy policy shortly after we issued the results of our Privacy Sweep. Their original 110-word privacy policy has now been expanded to just under 1600 words and covers the collection, use, disclosure and retention of customers’ personal information collected through customer feedback, events, gift card purchases and contests.

Bell Media also updated their privacy policy shortly thereafter, fixing the broken link to their Privacy Officer’s email address:

New Bell Media privacy policy (screenshot)

We think customers will be pleased as well to see that the companies they choose to do business with are more open and straightforward about how they use customer information.

Hopefully other companies we looked at, as well as those that didn’t, will take note.


13 Aug 2013

Initial results from our Internet Privacy Sweep: The Good, The Bad, and The Ugly


You might recall, a few weeks back our Office led and participated in the first annual Global Privacy Enforcement Network (GPEN) Internet Privacy Sweep.

We sought to replicate the consumer experience by spending a few minutes on each site, assessing how organizations communicated their privacy practices with the public. The sweep was meant to assess transparency online and was not an assessment of organizations’ privacy practices in general. It was not an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches.

After searching over 300 sites that day, our Office is still poring over the reports we’ve created, but we wanted to share some of our preliminary results with you.

The good:

We found several positive examples of transparency when it came to sharing privacy practices. The best policies were oriented towards the consumer, providing information that real people would actually want to know and would find helpful. Here are a few of our favourites:

Tim Hortons outlines the different types of personal information they collect and use in relation to a number of activities – for example, when people shop online, enter contests, or register for a payment card. Overall, we found their policy uncluttered and straightforward – click on the screenshot to read this excerpt:

Collection and Use of Personal Information

Tim Hortons collects and uses personal information from customers and others (an "Individual") as follows:

Tim Hortons may collect and maintain personal information such as an Individual's name, contact information, payment card information and purchase history when an Individual subscribes for services or purchases products on our website, in one of our stores or at a kiosk.

Tim Hortons may collect personal information from an Individual where the Individual submits an application for programs operated from time-to-time by Tim Hortons, such as the Tim Hortons Scholarship Program (the "Programs") or for an employment opportunity (such as that contained in a resume, cover letter, or similar employment-related materials). We use submitted personal information as is reasonably required to assess the Individual's eligibility in the Programs and to advertise and promote the Programs or to assess the Individual's suitability for employment at Tim Hortons as well as to process the application and respond to the Individual.

When participating in a contest or promotion, we may collect personal information, such as a contest winner's name, city of residence, and prize winnings in order to award prizes and promote such contests. This information may be published in connection with contests.

From time to time, we may obtain an Individual's consent to use the Individual's contact information to provide periodic newsletters or updates, announcements and special promotions regarding Tim Hortons products and services.

TripAdvisor’s Privacy Policy takes the extra step of offering a detailed explanation of its Instant Personalization feature, which uses information provided by Facebook to give the user a more customized experience. Their explanation not only details what information is collected and how it’s used, but also provides instructions on how to enable or disable the feature – take a look at this screenshot:

We have partnered with Facebook to provide Instant Personalization on TripAdvisor for members of Facebook. If you have Instant Personalization set to “enabled” in your Facebook privacy settings and you are logged into Facebook, then TripAdvisor will be personalized for you when you visit the Web site, even if you are a first-time user of TripAdvisor’s Web site. For example, we will show you reviews that your Facebook friends have posted on TripAdvisor and places they have visited. In order to provide you with this personalized experience, Facebook provides us with information that you have chosen to make available pursuant to your Facebook privacy settings. That information may include your name, profile picture, gender, friend lists and any other information you have chosen to make available.

When you first visit TripAdvisor, you will see an option to turn off Instant Personalization in just one click. If you decide to turn it off at a later date, you can do so by first logging into Facebook and clicking on the disable link on this page, or by scrolling over the “Learn More” link on the top of the page on TripAdvisor and clicking on “How to turn off personalization”. You can also turn off Instant Personalization by editing your privacy settings on Facebook. Please note that, if you have Facebook friends who are using TripAdvisor, they may also have shared information about you with us through Facebook. If you wish to prevent that sharing, you can do so by editing your Facebook privacy settings.

Learn more about Instant Personalization on Facebook or read TripAdvisor’s Instant Personalization FAQ’s.

Also going that extra step is Allstate, which has established an anonymous and confidential reporting system through a third party for its customers to report privacy breaches with discretion. Promoting and facilitating two-way communication about privacy with consumers is a key element of transparency, so it’s heartening to see that a company like Allstate is thinking about how their consumers might want to communicate with them about privacy concerns.

As part of our ongoing commitment to privacy, we have established an anonymous (optional) and confidential reporting system, so that customers can report any breaches of privacy. All comments made through this reporting mechanism are considered important to Allstate. Accordingly, they will be reviewed in a timely manner and, rest assured, with the utmost discretion.

To report any issue relating to privacy concerns, please go online or mail:

ClearView Connects™
P.O. Box 11017
Toronto, Ontario M1E 1N0
1-866-505-9915

Privacy policies that cover both online and in-store practices made our list of bouquets as well. IKEA Canada’s privacy notice points out IKEA’s use of closed circuit television (CCTV) cameras in its stores and parking lots and references their separate CCTV Surveillance Policy, which can be obtained by contacting their privacy officer. Given that many stores and parking lots use CCTV monitoring technology, this example shouldn’t be as rare as it is!

For security, safety and liability purposes, we use CCTV cameras in our stores and adjoining areas such as parking lots. Information recorded by such cameras is retained for a short period (approximately 90 days), unless needed in connection with an investigation. Notices advising of the use of such cameras are posted in our stores. By visiting a store, you consent to our use of such cameras and the recording of your information. For further information regarding CCTV use in our stores, please see IKEA’s CCTV Surveillance Policy, a copy of which may be obtained by contacting our Privacy Office, as provided at the end of this Notice.

The bad:

Approximately 20 percent of sites we reviewed either listed no privacy contact or made it difficult to find contact information for a privacy officer.

For example, several sites, including theloop.ca and tsn.ca, linked to Bell Media’s Privacy Policy, which reads in part:

QUESTIONS, COMMENTS OR SUGGESTIONS?

If you have questions, comments or suggestions about this Privacy Policy or Bell Media's privacy practices that were not answered here, send us an email.

And that e-mail address is…?

Well, we couldn’t find it.

Many of the websites we looked at spent thousands of words regurgitating PIPEDA but providing very limited information of actual interest to readers. Just as the good examples made an effort to provide clear and useful information to the consumer, the not-so-good stuck to a more legalistic approach and merely claimed compliance to legislation.

For instance, take a look at GlaxoSmithKline’s explanation of how they seek consent for the collection, use and disclosure of individuals’ personal information, below. While their privacy policy hews closely to the language found in Canadian privacy legislation, it’s not all that helpful to a consumer who wants to know when their consent might be sought. We’ve highlighted the text that appears almost verbatim from Schedule 1 of PIPEDA:

3. PRINCIPLE 3 - CONSENT

The knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate.

3.1 The way in which we seek consent, including whether it is express or implied consent, may vary depending on the sensitivity of the information and the reasonable expectations of the individual. An individual may withdraw consent at any time, subject to legal and contractual restrictions and reasonable notice.

3.2 GSK will typically seek consent for the use or disclosure of personal information at the time of collection, but in certain circumstances consent may be sought after collection but before use.

3.3 GSK will only ask individuals to consent to the collection, use or disclosure of personal information as a condition of the supply or purchase of a product, if such use, collection or disclosure is required to fulfil an identified purpose.

3.4 In certain circumstances, as permitted or required by law, we may collect, use or disclose personal information without the knowledge and consent of the individual. These circumstances include: Personal Information which is subject to solicitor-client privilege or is publicly available as defined by regulation; where collection or use is clearly in the interests of the individual and consent cannot be obtained in a timely way; to investigate a breach of agreement or a contravention of the law; to act in respect to an emergency that threatens the life, health or security of an individual; for debt collection; or to comply with a subpoena, warrant or court order.

Huh?

GlaxoSmithKline also offers readers an Internet privacy policy which, in some ways, does a better job than their privacy code at explaining how a consumer’s information might be collected and used. However, we found this policy, like others we saw during our sweep, focused on the use of cookies and other technical information collected via their site, while not providing enough information relevant to how the organization was collecting and using other types of information about the consumer.

The ugly:

About one out of every ten sites we looked at did not appear to have a privacy policy.

Another 10 percent had a privacy policy that was hard to find – sometimes exceedingly difficult to find, since it was buried in a lengthy Legal Notice or in the Terms and Conditions.

While almost 90 percent of the sites we swept had some sort of privacy policy or privacy notice, some policies offered so little transparency to customers and site visitors that the sites may as well have said nothing on the subject.

For example, A&W Canada, which collects personal information such as photos, addresses and dates of birth for various initiatives, has a 110-word privacy policy tacked on to the very end of the Terms and Conditions that offers nothing but a blanket promise of compliance with the law. While they do provide some other detail with respect to their privacy practices elsewhere on the site, and it is possible for visitors to their site to learn more by contacting their privacy officer through the e-mail address provided, we think organizations can do better. Individuals shouldn’t have to jump through hoops and provide their own personal contact information just to learn what an organization is going to do with their information.

Privacy Policy

A&W Food Services of Canada Inc. is committed to protecting the privacy of personal information. Personal information obtained in the course of conducting our business will not be collected, used or disclosed except in compliance with governing legislation, including Canada’s Personal Information Protection and Electronic Documents Act and British Columbia’s Personal Information Protection Act. For further information on our Privacy Policy, contact our Privacy Officer at privacyofficer@aw. We may revise this Privacy Policy from time to time. You are responsible for checking this Policy when you visit our site to review the current policy. If you do not agree with the Policy, you should cease use of the site immediately.

Paternity Testing Centers of Canada, which collects and processes highly sensitive DNA samples of its clients, has a privacy statement so short it would fit in a tweet: “Paternity Testing Centers of Canada care about our clients and ensure that every test performed is strictly confidential.”

Confidentiality

Uncertainty about parentage can have life-long psychological consequences. DNA paternity testing is the most advanced and accurate method available for resolving these parentage questions. Paternity Testing Centers of Canada can perform both Legal (court approved) and Non-legal tests. With advanced DNA technology, paternity testing is accurate, rapid and an affordable means for obtaining conclusive answers with respect to parentage. Paternity Testing Centers of Canada care about our clients and ensure that every test performed is strictly confidential.

We wanted to provide you with some preliminary results that stood out to us from our sweep. Once we’ve completed a review of the results from our Office and the other jurisdictions that participated in the sweep, we will determine any appropriate follow-up action, in conjunction with our international sweep partners.


8 May 2013

Be prepared for a crisis with our Privacy Emergency Kit


It’s Emergency Preparedness Week in Canada – time to encourage Canadians to become better prepared to face an emergency with basic steps such as keeping bottled water and canned goods in the basement.

The Office of the Privacy Commissioner of Canada is also encouraging organizations to ensure they are prepared to address privacy issues that may arise during a time of crisis.

Personal information can play an important role in an emergency situation. Uncertainty around the sharing of personal information could result in unnecessary confusion and delays – and have significant consequences for people.

Our Office, in consultation with several provincial and territorial counterparts, has created a Privacy Emergency Kit to help both private and public sector organizations ensure they are prepared.

Privacy laws do allow for appropriate sharing during a time of crisis, but it is crucial that organizations understand the legislation that applies to them and consider privacy issues in advance of an emergency situation.

The Government of Canada’s Get Prepared site advises individual Canadians: “Whatever you do, don’t wait for a disaster to happen.”

That’s also good advice for organizations subject to privacy legislation.


21 Nov 2012

Employee privacy – a balancing act


Companies are always seeking ways to improve productivity. The most innovative and successful methods can create some positive buzz around a company.

Other approaches can sometimes be ill-advised, premature or ineffective, and this can make waves within an organization.

Last month, a law firm in Toronto was the subject of some media interest over its highly controversial plan to use fingerprint-scanning technology to monitor the comings and goings of its administrative staff. The plan was meant to ensure that staff were not “abusing the system” with lengthy lunch breaks and short work days. Media reports and blog posts zeroed in on the privacy implications of such a plan.

Our Office wouldn’t have oversight over this specific employment matter – we only have oversight into matters of employee privacy in federal works, undertakings, or businesses (lovingly referred to as “FWUBs”). Otherwise, employee privacy is largely a provincial matter, with several provinces having passed privacy legislation that applies to the personal information of private sector employees. It’s unfortunate that there is little redress for employees in those provinces that do not have such legislation in place, and this case is one example of that gap.

An employer’s need for information should be balanced with an employee’s right to privacy. While employers may be focused on increasing productivity, they should seek to ensure that they weigh the benefits of any potentially privacy-invasive plans against the costs — and not just economic costs. Cost considerations should include potential impact on staff morale, loss of trust and loss of human dignity.

Law firms, in particular, could set a model example in how they handle personal information when managing their law practice. In Girao v. Zarek Taylor Grossman Hanrahan LLP, Hon. Justice Richard Mosley wrote,

“Law firms providing advice to clients who deal with the personal information of their customers must be knowledgeable about privacy law and the risks of disclosure. Lawyers also have a public duty to protect the integrity of the legal process. The failure of lawyers to take measures to protect personal information in their possession may justify a higher award than that which would be imposed on others who are less informed about such matter.”

While the Federal Court was referring to the personal information of clients rather than employees in those circumstances, it’s still a significant message about the high standards of conduct judges expect lawyers to live up to.

We hope law firms will take the opportunity to consult our privacy guidance for lawyers. And we hope organizations will take advantage of the other resources we have on dealing with workplace privacy issues, including our fact sheet for human resources professionals.



10 May 2012

When using technology to safeguard personal information, sometimes small steps can prevent a big loss


An Office of the Privacy Commissioner of Canada (OPC) survey of 1,006 companies across Canada shows that many businesses are not employing recommended technological tools or practices to protect the digitally-stored personal information of their customers.

For example, the survey found that while the vast majority of companies are using passwords to protect personal information stored on digital devices, many do not ensure that passwords are difficult to guess or that their employees change them regularly—two practices that can really help thwart online criminals.

The survey also showed that almost 50% of companies that store personal information on portable devices like laptops, USB sticks, and tablets do not use encryption to protect the information on these devices—despite the fact that these types of devices are far more likely to be misplaced, lost or stolen.

While the survey did find that many Canadian companies recognize the importance of protecting privacy, it is vitally important that businesses take the time to get it right—for their customers and for their own survival. Businesses that jeopardize personal information risk losing their customers’ trust and their business.

The complete survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, can be found on our website.


3 May 2012

Accountability and the Importance of Effective Privacy Management Programs for Businesses


Accountability matters when it comes to privacy. As a business, though, you may not always find it clear what accountability really means when it comes to personal information protection.

Accountability is the first fair information principle in the federal Personal Information Protection and Electronic Documents Act (PIPEDA). This reflects its importance—it is the bedrock of the Act. It’s also implicit in Alberta’s and British Columbia’s respective privacy laws, each called the Personal Information Protection Act (PIPA). The principle outlines the things organizations need to do to have a compliant and accountable privacy program in place. But what does that mean in practice?

To help businesses “get accountability right”, Alberta, BC and our Office have released new guidelines — Getting Accountability Right with a Privacy Management Program. These new guidelines outline the elements of an effective privacy management program and offer scalable strategies that can be implemented by any size business.

Why should you care?

These new guidelines outline how our offices view effective privacy management. Big or small, an accountable business should be able to demonstrate to Privacy Commissioners that they have an effective, up-to-date privacy management program in place in the event of a complaint investigation or audit.

Compliance, of course, is essential. But we think there are a number of other benefits to having a privacy management program in place:

  • An organization that has a strong privacy management program may enjoy an enhanced reputation that gives it a competitive edge.
  • A privacy management program helps foster a culture of privacy throughout an organization and offers reassurance to customers and clients.
  • Proper use of risk assessment tools can help prevent problems. Fixing a privacy problem after the fact can be costly, so careful consideration of the purposes for a particular initiative, product or service, and an assessment that minimizes any privacy impacts beforehand, is vital.
  • With a privacy management program, organizations will be able to demonstrate to customers, employees, partners, shareholders, and privacy commissioners that they have in place a robust privacy program that shows not only compliance with privacy laws in Canada, but also that they are taking protection of personal information seriously.

Related Documents:

Guidelines: Getting Accountability Right with a Privacy Management Program

Interpretations: “Accountability”

Announcement: Commissioners Outline Building Blocks for Effective Privacy Management


27 Mar 2012

Privacy: Not just good business, but good for business


A recently released study has provided further evidence of the link between privacy and personal information protection and consumer confidence.

The Edelman study released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations. For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information. An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.

It’s hardly surprising that consumers are nervous. Stories about privacy and security flaws and breaches abound in the media these days. From flaws in mobile applications and the retroactive release of archives for marketing to service amalgamation and data breaches, users are constantly confronted with evidence that their personal information is at risk. Lack of transparency on the part of organizations and consumer discomfort with cross-border data traffic, outsourcing and cloud storage only further exacerbate the issue.

This challenge to trust appears to correlate to an increased willingness on the part of consumers to invest in their privacy. Where a 2009 study concluded that consumers were unwilling to pay extra for privacy, recent research from the European Network and Information Security Agency (ENISA) finds that individuals weigh security and privacy considerations as heavily as those relating to a product’s design, style, and physical dimensions. All other things being equal, the study discovered that consumers were willing to pay a higher price in order to protect their privacy.

Investing in privacy is not the only way that consumer concerns are expressed – the Edelman data also shows nearly 50% of participants either leaving or avoiding companies that have suffered a security breach. Following a data breach suffered by an organization with whom they’re already involved, up to 70% of those surveyed expressed willingness to terminate a relationship or switch providers.

Findings like this should be a wake-up call for organizations, an indicator that it is no longer enough to “manage” security and privacy concerns. Instead, privacy and security need to be prioritized and strengthened to the point where they can be made key parts of branding and corporate identity. Consumer confidence is key, and reliant upon trust. And new evidence increasingly shows that privacy is not only good business – it’s good for business.


14 Nov 2011

Is anything of value ever truly free?


Many people would tend to think of Internet content as being free.

And indeed, we can spend seemingly endless hours reading online news articles and watching YouTube videos, all without handing over a penny.

But is there a cost?

One might say that depends on how much you value your privacy.

One thing beyond dispute however, is the fact that advertisers see immense value in the data trails we create when surfing the web.

Our IP address can reveal the city or region in which we live.

Our web traffic can provide a pretty strong sense of what we’re interested in, particularly if it shows we travel to the same sites regularly or even daily.

All this to say, once a site you visit provides you with a cookie, advertisers follow the trail of crumbs.

In the end, they target and tailor ads to your perceived interests which appear on various sites you visit.

Some may see benefits in this as they’d prefer being offered products and services that do indeed correspond to their interests.

Others may chafe at the thought of being ceaselessly monitored.

For anyone who wants to learn more about behavioural advertising, I invite you to click here to read our latest fact sheet.

And stay tuned. You’ll be hearing more from us on this in the weeks to come in the form of new information for organizations.


21 Oct 2011

Tips and Tools to Help Your Small Business Address Privacy


As a small business owner, you wear many hats. You’re the Chief Executive Officer, the Chief Financial Officer, the VP of Marketing and Sales. And of course, you’re also the Chief Information Officer and Chief Privacy Officer. While big business has the budget to keep legal advisers on retainer to deal with privacy issues, this isn’t a likely option for you.

This is one of the major reasons why the Office of the Privacy Commissioner has developed a suite of tools and resources over the years to help you meet your privacy obligations and build trust with your customers and clients.

By running your business, you’re making an important contribution to the economy and your community. And it’s our pleasure to do what we can to make things easier for you. Speaking of which, listed below, you’ll find all of these tools in one place.

Cybersecurity for Small Business Articles:

Guidance for Small Businesses:

Online Tools:

Fact Sheets:


20 Oct 2011

Responding to privacy concerns


It is vital to give your customers a single point of contact at your organization to deal with privacy issues. Many unhappy consumers have approached the Office of the Privacy Commissioner of Canada upset that they could not find someone within a business who could answer their privacy questions.

No matter how hard you work at enhancing customer loyalty, there will be instances when your organization does not meet your customers’ expectations of privacy. The first step to ensuring customer satisfaction is to acknowledge privacy complaints promptly on receipt.

Give individuals access

Individuals have a right to know what kind of personal information you have about them. If you should receive a request, respond to the request as quickly as possible and no later than 30 days after receipt of the request. Explain how the information is or has been used and provide a list of any organizations to which the information has been disclosed. Give individuals access at minimal or no cost and make sure the requested information is understandable.

Provide recourse

Develop simple and easily accessible complaint procedures which inform complainants of their avenues of recourse. These include your organization’s own complaint procedures, those of industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada. Correct any inaccurate personal information or modify policies and procedures based on the outcome of the complaint, and ensure that staff in the organization are aware of any changes to these policies and procedures. Notify individuals of the outcome of investigations clearly and promptly, informing them of any relevant steps taken.

Educate your employees regularly

Your organization’s privacy policy is a critical tool to safeguard your customers’ personal information. It is your responsibility to ensure your employees are aware of your company’s policy and the circumstances under which they may and may not collect, use or disclose customer information—and that they understand the reasons for collecting information.

Handling a complaint fairly and appropriately may help to preserve or restore the individual’s confidence in your organization and help you maintain a positive reputation among the public.

For more information, go to our Guide for Businesses and Organizations.

To access small business tools developed by the Office of the Privacy Commissioner of Canada, click on: http://www.priv.gc.ca/resource/sbw/2011/index_e.cfm