The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Wednesday, February 20, 2008

Alberta Commissioner forbids license scanning 

In a long awaited decision, the Information and Privacy Commissioner of Alberta has ordered a nightclub to cease scanning drivers licenses. The practice is an unreasonable collection of personal information and is not justified under the Personal Information Protection Act.

From the decision, the Commissioner didn't see the connection between the collection of drivers license information and the supposed purposes for collecting it:

[para 31] From my review of the evidence and the parties’ submissions, I find that, at best, the Organization offers conjecture that collecting driver’s license information of patrons may act as a deterrent to violent behaviour. The Organization did not submit any evidence to establish that collecting the Complainant’s driver’s license information, or that of other patrons, is in any way a deterrent to violent behavior. In addition, it did not provide any evidence regarding the causes of violence in bars or statistics relating to the incidence of violence in bars before and after the implementation of a driver’s license collection program. I draw the inference that the Organization is unable to produce any evidence to draw a correlation between violence, patron safety, and collecting driver’s license information. As a result, the Organization has failed to establish any reasonable relationship between collecting driver’s license information and any of its stated purposes for scanning driver’s licenses. I am therefore unable to conclude that the Organization has a reasonable purpose within the meaning of section 11 when it scans patrons’ driver’s licenses.

[para 32] For these reasons, I find that the Organization did not comply with the requirements of either section 11(1) or (2) when it scanned the driver’s license information of the Complainant, as its collection of personal information is not reasonable related to its purpose....

On the topic of whether putting up a poster results in informed consent:

[para 53] The Complainant’s evidence is that his driver’s license was scanned before he could raise an objection. He had assumed that the Organization’s employee would check his birth date, but she instead scanned the information on the license into a database. The Organization does not challenge the Complainant’s version of events, but points to a poster it has now posted for patrons explaining why it collects driver’s licenses and what it does with them. It argues that this poster satisfies the requirements of section 13(1).

[para 54] As noted above, the poster explains that its collection practice is intended “to encourage our patrons to behave responsibly and deter those who are seeking to ruin your experience with us, from entering the venue.” The poster is not clear about the purposes of the Organization in collecting the information and does not warn patrons that information will be retained for a period of 7 – 10 days or longer by the Organization.

[para 55] I find that the poster is misleading and does not provide sufficient information for patrons to provide informed consent to the Organization’s collection of personal information. In addition, the Organization provided no evidence that the poster was in place when it scanned the Complainant’s driver’s license. In fact, paragraph 8 of the Organization’s affidavit establishes only that the notice was posted on August 24, 2006, the date of the affidavit.

[para 56] I find that the Complainant did not consent to the scanning of the information on the face of his driver’s license, other than to permit the Organization employee to confirm his date of birth. I also find that the Organization did not provide adequate notice to the Complainant of its collection of his personal information. As none of the provisions of 14 apply, and because an individual cannot consent to the unreasonable collection of personal information, I find that the Organization was required to provide notice of its collection and did not. As a result, I find that the Organization contravened section 13 of the Act when it collected the Complainant’s personal information.

The Calgary Sun reports that the owner of the bar is considering appealing and is "furious" about the decision: The Calgary Sun - Bar owner furious after licence checks halted.

Labels: , , , ,

2/20/2008 09:19:00 PM  :: (5 comments)  ::  Backlinks
Comments:
This has interesting implications not only in Canada but abroad. In New York, for instance, ID scanning is widespread, ostensibly to prevent fake IDs from being used. But a bar owner would have to be stupid not to take advantage of the data for marketing purposes - seeing which events attract which types of crowds, for instance. And that's not to speak of the security implications, where an unscrupulous bar employee might have access to the personal information of a customer they are attracted to.
 
This decision has interesting ramifications, not only in Canada but abroad, where ID scanning is widespread. In New York, for instance, the technology is used ostensibly to prevent fake ID from being used to enter a bar. It would be the negligent bar owner, however, who would not mine the data at least to determine who is coming to the bar at what time, and for which show. Further, what about the unscrupulous employee who is interested in one of the customers, and uses the database to retrieve their information?
 
Interestingly enough… the news article doesn’t tell the even half of the story!

There are dozens of bars in Alberta that use this system.

Besides the fact that they once scanned my ID without permission, they store it and transmit it without having any government oversight as to the security and protection of the information. Why on earth would a bar bouncer need this information?
At the incident in question, I was asked for my ID to enter the club. I assumed it was to determine my age. Without any visible warning or verbal mention, the bouncer immediately took it and scanned the entire card digitally!

(Note: The first rule in the Alberta privacy laws state that they have to gain a person's permission before gathering/storing this information).

I got upset then, but didn’t really say anything because I heard the bars had this system to protect themselves.

I was then told it was a $10 cover charge to enter the bar, and I told them I wasn’t interested because I was only planning to stay for about 10 minutes while we waited for a movie to start.

I then asked them to remove my information from their system, and they refused. I told them I wanted to speak with the manager, and the bouncer told me he was the manager. (I knew he wasn’t because he seemed to be stretching the truth about a lot of things he was saying).

As I walked out, the manager walked in and I told her I wanted my information removed from their system. She refused, and told me to leave or else they would call the police!

Needless to say, I was totally flabbergasted and felt very violated and concerned over possible identity theft.

They don’t scan it when you leave, so they don’t even know if you were even there during any sort of “incident” anyways. Had there been an incident there that night I would have been considered as a potential “suspect” even though I never set a foot into the bar!

I eventually got the number for Barlink, and sent them a request to remove my information from their system. They never responded to my request (it was over 8 months ago).

There are reports that someone high up in the Police Department has been involved or assisting this corporation in getting their systems into the bars and helping them stay out of the limelight.
Personally, I think this should be illegal, and that someone should be investigating Barlink itself (and the people helping them maintain this illegal operation), and not just one bar (the ruling and investigation so far has only been against ONE bar).

The management of Barlink has already stated that it is “business as usual” with them. They do not think there is anything wrong with what they are doing, and feel they are above the law!
 
I'd like to see this banned in BC as well. Why not the entire country? Drivers-license-scanning in Vancouver is becoming rampant, and it's absolute BS. Check my writeup about my latest experience at a club: http://darkvancouver.yuku.com/topic/6075
 
This is also becoming more common in Australia and it is high time our Privacy Commissioner put a stop to it. The potential for identity fraud is huge - not to mention that we have a legal right to be able interact with a business anonymously.

To think that only "bad guys" have a problem with this practice is ridiculous. We all want to be able to control access to sensitive personal information and having a digital copy of my drivers licence out there somewhere is not a good way to start! I am amazed at all the young guys and girls who willingly hand over their documents to be scanned; although it is true that most of them have no idea it is occurring as they are not told or given any opportunity to object.
 
Post a Comment

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs