• Article
  • Print
  • Send to a friend
  • Comment (0)
  •  
David Reid
Member since January 30, 2012

Recent Comments

BrazeauSellerLLP

[Professional Blog] Guardrails on the Information Highway

Published on January 30, 2012

Canada’s privacy laws made news once again when the Supreme Court refused to hear an appeal of the Alberta Court of Appeal’s decision in Leon’s Furniture Limited v. Alberta.  In that case, a customer complained to the Alberta Privacy Commissioner when Leon’s insisted on recording her driver’s license number and license plate before they would let her pick up furniture that had been paid for.  The Court struck a narrow balance between an individual’s right to privacy, and a business’ need to collect information in order to effectively serve their customers.  It’s a fine line, and it can be tricky for businesses to know whether they’ve crossed it or not.

If you’ve ever wondered whether privacy laws apply to your business, they probably do, and as a business owner or operator, you should be aware of your obligations and what you can and can’t do.  It can be tempting to err on the side of collecting more customer information than is necessary; the more information you have, the easier it will be to locate someone should the need arise, or perhaps collecting more information will deter would-be fraudsters from targeting your business.

 

While there are good reasons to collect a customer’s information, Canadian privacy laws have been enacted to protect customers from the over-collection and unauthorized use of information that can be used to personally identify them.  Privacy in Ontario (except with respect to healthcare information) is protected by the Personal Information Protection and Electronic Documents Act (“PIPEDA”).  Not only does PIPEDA limit the amount of personal information you can collect, it also governs how that information can be collected, and how you are required to deal with the information you do collect.

 

What information is considered “personal information”?

The language of PIPEDA is purposely broad, and simply states that personal information is “information about an identifiable individual”.  Personal information can be someone’s age, name, identification number (including driver’s license, heath card or social insurance numbers), employee files, credit or loan records, or anything else that can be traced back to a specific person. 

 

What information am I allowed to collect?

That depends on what you need the information for.  Under PIPEDA, you must tell your customers why their information is collected.  If you collect your customers’ personal information to prevent fraud, you need to ensure they are aware of that purpose. 

Once you have identified your purpose, you can only collect information that is necessary to fulfill that purpose.  For example, when a customer is returning merchandise without a receipt, it is reasonable to collect the customer’s name and address in an effort to deter fraud.  On the other hand, Winners/Home Sense had a policy of collecting driver’s license numbers when customers returned merchandise without a receipt.  These numbers were stored in the company’s system and used to identify individuals who were making excessive returns without receipts.  Canada’s and Alberta’s Privacy Commissioners, in a joint investigation, concluded that collecting driver’s license numbers was not necessary for this purpose, especially given how valuable a driver’s license number can be to fraudsters and identity thieves.

 

Compare the Winners/Home Sense situation with Leon’s Furniture Stores in Alberta.  Many of Leon’s customers pay for merchandise and pick it up, or arrange for someone else to pick it up at a later date.  In an effort to deter fraud, and to enable them to investigate fraud after it occurs, Leon’s records the driver’s license number and vehicle license plate of individuals when they pick up merchandise.  The Alberta Court of Appeal found that collecting this information was reasonable in light of the store’s objective.

When considering what personal information your business should collect, consider whether you really need the information you are requesting, or whether a less invasive form of information might be suitable (e.g. recording a customer's name and address from their driver's license instead of collecting and storing the driver's license number itself). 

Two of the key points to remember when collecting personal information are: (1) your customers must be advised as to why you are collecting their information, and (2) you can only collect the information that is necessary to fulfill that purpose. 

How do I advise my customers?

Customers can be advised either orally or in writing.  It is important that your front-line staff understand the purpose of collecting information so that they can properly inform a customer if they are asked. 

It is crucial to remember that a customer must consent to the collection of their personal information and, in order to provide meaningful consent, they must know what is being collected and why.  It is also important to know that you cannot withhold products or services because a customer refuses to provide personal information, unless that information is absolutely necessary to provide that product or service. 

The best way to inform your customers is to establish a written privacy policy and make it accessible to your customers (e.g. on your website).  Not only is this required by PIPEDA, it’s also good business.  Making your privacy policy available to your customers shows them that you care about their right to privacy, and that you are open and transparent in the way you do business. 

The bottom line

As businesses increasingly move into the online world, customers are increasingly concerned about how their personal information is collected, used and stored.  Even offline, customers want to make sure that their information is secure and won’t be used for any unauthorized purpose. 

PIPEDA sets out ten principles for the collection and protection of personal information.  The principles discussed in this article merely scratch the surface of privacy protection.  If PIPEDA applies to your business (and chances are, it does), you should seek legal advice to ensure that you comply.  Not only is it the law, but as privacy becomes a core value for consumers, good privacy protection is a cornerstone of any successful business.

David Reid is a student-at-law with BrazeauSeller.LLP. To contact BrazeauSeller.LLP call 613-237-4000 or e-mail info@brazeauseller.com.

 

Submit a comment

Submit a comment (we keep all emails private)
Agreement

We ask that users remain courteous. You may not post insulting, discriminatory or inappropriate content, which may be removed at our discretion. We are not responsible for user content and opinions. Use of this site as well as content submission & ownership are governed by our Conditions of Use and Privacy Policy.

Member organizations should be non-profit in nature, and promote legal activities. Any organization found promoting illegal activities or commercial products or services will be deleted from the site.

I agree with these conditions.

Notice
The management of this site indicates that it is not liable for persons, organizations and / or organizations to register in order to promote and make themselves known. Moreover, the managers of this site should not be held responsible for errors or other errors that slip inside information recorded under this heading.

More

Advertising

SmartEdition logo smart

Expert bloggers

Equitas Consultants Inc.
Blogger
Ron Prehogan
Family Business Longevity: The...
Design 1st
Blogger
Kevin J. Bailey
The Backyard Inventor's Maze:
Impact Public Affairs
Blogger
Huw Williams
How to be a PR Star!

More bloggers here

CASE STUDY VIDEOS

An investment in yourself
LC Fitness Studio

No surprises, no upselling
RE/MAX Citywide Realty

Are you ready for the unexpected?
TK Financial Group

Newsletter

Please enter your email to receive our free newsletter

Subscribe to news alerts

Advertising