The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, January 25, 2004
A little while ago, I wrote about biometrics on drivers licenses and particularly referred to the practice of swiping driver's licenses (below). Debora Pierce, who regularly writes on law and technology issues in the Seattle Press, has an article on the topic that I just found: The Seattle Press - LAW&TECHNOLOGY: Swiping driver's licenses - instant marketing lists?:
"IN AN effort to cut down on underage drinking and smoking, many bars, clubs, and restaurants have begun to use devices that scan driver's licenses. In addition to verifying the age of the driver's license holder, the scanner also picks up all of the information in the magnetic stripe found on the backs of most driver's licenses. The obvious benefit is that underage drinking and smoking is curtailed, but that benefit comes at a price. Here is another case where technology has outpaced the law, and the casualty is privacy. "
I would suggest that the automatic swiping of driver's licenses at bars is very likely in violation of the law here in Canada. The federal privacy law, PIPEDA, requires knowledge and consent for the collection, use or disclosure of personal information. From what I understand, individuals are not being informed about why their cards are being swiped and how that information will be used. There is no "identifying Purposes", as required by Principle II. Individuals are not being given the opportunity to consent, let alone being asked to consent. If a bar refuses admission because you refuse to have your personal information harvested, they are in violation of the following sub-principles:
4.3.2 - The principle requires "knowledge and consent". Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
4.3.3 - An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified, and legitimate purposes.
If the collection is supposed to be to verify that the license has not been tampered with, it probably still amounts to a violation of Principle 4 - Limiting Collection because much more information is collected and used than is necessary for that particular purpose:
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
The Federal Privacy Commissioner hasn't, as far as I know, had a complaint about this practice but I am sure it is not too far off.
Labels: id swiping, information breaches
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.