The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Sunday, August 19, 2007

Why businesses need to ask themselves "What's the worst that can happen?" 

Many businesses deal with personal information that they would not consider "sensitive" personal information. Names, addresses, delivery instructions, maybe payment information. Other than credit card data (which isn't retained, right?), most is seen to be routine, mundane transactional data.

But businesses need to constantly ask themselves what is the worst that can happen if personal information is disclosed? Or if any of their usual practices could somehow cause their customers harm of any kind. Privacy goes well beyond preventing fraud and identity theft. Personal information is powerful and what might be perfectly mundane to most may cause particular individuals real problems.

There's a story out of Texas that provides a great illustration of what can go wrong and how businesses should be thinking about their practices. A Texas resident is suing 1-800-FLOWERS for a million bucks because they sent him a card thanking him for his patronage. Nothing offensive there, right? But the thank you card was read by his soon-to-be ex-wife and it showed that the plaintiff had sent a dozen long-stemmed roses to someone else. What had been an amicable separation went sideways and she has significantly upped her demands. (See: Married Man Sues Florist for Revealing Affair: Man Sues for $1 Million After Wife Discovers He Bought Flowers for His Girlfriend.)

You may think he is a cheating weasel who deserves everything he gets. But, assuming the article is correct, was it really his florist's job to drop a dime on him? Simply put, no it isn't.

Some time ago, a cellular phone carrier in Ontario provided a customer's billing records to his wife because she said she was doing the monthly bills and couldn't understand some of the charges. He was having an affair and the bills told the tale. (National Post, 27 September 2003.)

I've heard of a clinic in Nova Scotia that called to ask a question about scheduling a patient's vasectomy and, when the patient wasn't home, asked his wife. No harm done in that case, but what if the spouse didn't know about the man's plans? What if it wasn't his wife who answered, but a friend, housekeeper, etc?

A while ago, the Alberta Privacy Commissioner "named and shamed" a pharmacist for disclosing a patient's prescriptions to the patient's spouse. The question related to tax records, but it did disclose psychiatric prescriptions.

What does all of this mean? Many of these disclosures are made in good faith with no intention to harm anyone. On the contrary, most are made to be helpful. But for some customers/patients, these disclosures can have disastrous consequences. Every business that collects, uses or discloses personal information has to be mindful of this.

Labels: , ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs