The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Tuesday, April 05, 2005
A new finding released by the Office of the Privacy Commissioner of Canada deals with the theft of a bank laptop containing personal information. The laptop was stolen from a bank employee's car in an underground parking garage. The information was on the laptop so that a financial advisor could market additional services to the complainant. After the laptop was stolen, the bank proactively notified the individuals whose information was compromised.
One affected individual complained that the bank violated PIPEDA's "use" and "safeguard" principles. Oddly, the Assistant Commissioner found that the bank had his implied consent to "use" the information, but then criticised the bank for not following the Commissioner's guidelines for getting adequate consent. No surprise, the bank fell down on the job of safeguarding personal information.
Commissioner's Findings - PIPEDA Case Summary #289: Stolen laptop engages bank's responsibility - February 3, 2005 - Privacy Commissioner of Canada:
"Application: Principle 4.5, which states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law; and Principle 4.7, which stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
On the matter of inappropriate use of his personal information, the Assistant Privacy Commissioner noted that the reason the complainant's personal information was on the laptop was that the bank intended to market other bank products and services to him. The bank had sent the complainant two privacy notices that described this practice and offered clients the opportunity to have their names suppressed from the bank's marketing lists. As the complainant had not requested suppression, it would appear that the bank had his implied consent to include his name on such a list, and was acting in accordance with Principle 4.5. When the complainant informed the bank after the theft of the laptop that he wanted his name removed from the list, the bank suppressed it.
She therefore concluded that the use complaint was not well-founded.
As for the safeguards, the Assistant Commissioner noted that, with respect to laptop computers, the bank had policies and procedures in place that required passwords and safe physical storage of the computers. Although these policies and procedures appeared to meet the requirements of Principle 4.7, the financial planner in this instance did not follow the bank's recommendations regarding physical security, and left the laptop unattended on the seat of her vehicle. The Assistant Commissioner therefore found the bank in contravention of Principle 4.7.
The Assistant Commissioner concluded that the safeguard complaint was well-founded.
Further Considerations
In reviewing the bank's privacy policy, the Assistant Commissioner noted that it requires the customer to obtain and complete the appropriate form to have his or her name suppressed from the bank's marketing lists. In previous complaints dealing with the issue of opt-out consent to use personal information for secondary purposes (such as marketing), the Office determined that the organization must provide for an immediate and convenient method whereby customers can opt-out, such as a 1-800 number or a check-off box. The Assistant Commissioner commented that requiring a customer to fill out an application form did not meet the reasonable expectations of most individuals, namely, that an immediate, easy and inexpensive means of withdrawing consent to the optional collection, use and disclosure of their personal information be provided. She therefore recommended that the bank review its opt-out procedures with a view to ensuring that they fully meet the guidelines established by this Office and report back to her on its progress in this regard."
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.