The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Saturday, February 26, 2005
In his blog today, Canadian technology lawyer Rob Hyndman asks: "Momentum Building Against Database Aggregation of Personal Data?"
I'm very interested to see how the latest round of incidents are going to play out in the United States. Apparently the Bank of America incident specifically involves the personal information of US legislators who carry a special Visa card for government employees. This may hit a little close to home for those with their hands on the levers of power.
There's an interesting dynamic in the United States at the moment. Consumers are increasingly worried about identity theft. The growth of this sort of crime is spurred by the inadequate security of personal information and security breaches (such as Choice Point and BoA). Agglomerating all this sensitive financial information by data aggregators dramatically increases the risk of significant consequences if security is breached.
But, at the same time, there is pressure to have higher quality personal information available to so-called legitimate businesses, such as credit grantors.
This data is also used to prevent credit fraud (see PIPEDA and Canadian Privacy Law: Identity-verifying questions are getting personal). Biometrics and big databases can also be used to positively verify the identity of those applying for credit. If, for example, there were a reliable database of biometric identifiers available to financial institutions, a credit card company can make sure that someone applying for credit in the name of Bob Smith is the Bob Smith and not someone who happened to snatch a pre-approved credit card mailout from Bob's mailbox.
(As an aside, I think that ID theft would drop dramatically if it were illegal to open a credit facility for anybody whose identity is not positively identified.)
There's also a sense that these databases are useful to prevent terrorism and lesser crimes. They are routinely used to run background checks and, according to Choice Point, law enforcement are significant customers of these systems. There will be continued pressure to make these databses available for such use.
We will never see the end of these databases, but I am waiting to see how the contrary pressures will eventually play out.
So what's the solution? I think the ten principles from the Canadian Standards Association Model Code for the Protection of Personal Information are a good start (see the Code as Schedule I to PIPEDA), coupled with a positive obligation to report any breach of security related to one's personal information.
The exceptions to the ten principles of the CSA Model Code that are in PIPEDA are generally sensible, recognizing that there are circumstances where consent should not be required or where access can be denied.
But will the US implement anything like this on a national basis? Probably not, but if they want my opinion they are welcome to it.
Labels: cardsystems, identity theft, information breaches, privacy
The Canadian Privacy Law Blog is licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.