Privacy and Individual Access to Personal Information
The Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) provides that an organization holding personal information about an individual must provide the individual with access to the specific information it holds, provide an account of the organizations to which it has disclosed the information, and correct said information if proven inaccurate or incomplete. Section 8(2) of the Act requires that such disclosures be made within thirty (30) days of receiving a request for the information. The Office of the Privacy Commissioner (“the Commission”) is charged with hearing PIPEDA cases and enforcing the Act.
Section 8(2) of PIPEDA – 30 Day Time Limit
The Commission has stated that requests for access to personal information are time sensitive and that an organization should determine as quickly as possible, after receiving a request, whether it will be able to complete the request within the initial thirty (30) day time limit allowed by the Act. [1]
When a company believes that it will have insufficient time to comply with a request under PIPEDA, it must inform the individual requesting the information, in writing, no later than thirty (30) days after the request is received, of its new time limit and its reasons for extending the original time limit. [2]
Acceptable reasons for extending the original thirty (30) day time frame include:
1. Unreasonable interference with the activities of the organization, if it were required to provide the information within thirty (30) days;
2. Impracticability of obtaining the consultations necessary to respond to the request within thirty (30) days; and
3. Conversion of the personal information into an alternative format, which requires more than thirty (30) days. [3]
In a dispute between an employee and his former employer, a railway company, the employee alleged that his former employer refused to provide him with access to his personal information. While the railway company eventually complied with the request, it was months later, and only after the former employee complained to the Commission. The Commissioner found that the railway did not meet its obligation under section 8(3) of PIPEDA and was therefore deemed, under section 8(5), to have refused the request. [4]
In another decision under PIPEDA, the Commissioner found that an Internet Service Provider (“ISP”) failed to meet its obligation under the Act when it took thirty-four (34) days to provide a customer with access to his personal information. [5]
Compliance with Section 8(2) of PIPEDA
Privy allows a privacy officer to set a thirty (30) day deadline when entering a request for personal information, so that a response is made within the time frame and your company remains in compliance with Section 8(2) of the Personal Information Protection and Electronic Documents Act.
[1] Office of the Privacy Commissioner of Canada. Findings under the Personal Information Protection and Electronic Documents Act. http://www.priv.gc.ca/cf-dc/2010/2010_003_0928_e.asp
[2] Office of the Privacy Commissioner of Canada. Findings under the Personal Information Protection and Electronic Documents Act. http://www.priv.gc.ca/cf-dc/2010/2010_003_0928_e.asp
[3] Personal Information Protection and Electronic Documents Act. http://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html
[4] PrivacyInfo.ca. Privacy Decisions. http://www.privacyinfo.ca/dcsn.php?v=4&d=326
[5] PrivacyInfo.ca. Privacy Decisions. http://www.privacyinfo.ca/dcsn.php?v=4&d=235
Data Retention and the TJX Security Breach
In 2006 TJX, the world’s largest fashion and apparel department store chain, discovered a security breach dating back to 2004. When the damage was fully assessed in January of 2007, the breach was found to have compromised more than 94 million accounts. While the company may have been the victim of hackers, it was soon discovered that TJX could have prevented the breach from occurring at all.
In 2004, Visa, MasterCard, and other credit card issuers developed a framework of specifications to help merchants ensure that users’ credit card and other personal information was kept secure. This framework is known as the Payment Card Industry Data Security Standard (“PCI DSS”). [1]
The PCI standard requires merchants to limit storage amount and retention time to “that which is required for business, legal, and/or regulatory purposes.” [2]
According to several sources, TJX was not PCI DSS compliant, and its acquiring bank, Fifth Third Bank, should have required it to be.
The TJX security breach eventually cost the company over $250 million in lawsuit settlements, computer system repair, investigations, and other claims. [3] It also caused merchants, consumers, and the Payment Card Industry to take a closer look at how businesses and acquiring banks comply with the PCI DSS.
Lessons Learned
An investigation conducted by the Privacy Commissioner of Canada reveals that, among other things, TJX failed to comply with PCI standards in that it collected too much information and kept the information for too long. Concerns were raised about the company’s retention of driver’s license and other identification numbers collected when consumers returned merchandise without a receipt, as well as stolen information related to transactions dating back to 2002. [4] The lesson for other companies to learn from this? Do not collect information you do not need, and when you do collect information, destroy it, securely of course, once it is no longer required.
[1] PCI Security Standards Council. PCI SSC Data Security Standards Overview. https://www.pcisecuritystandards.org/security_standards/index.php
[2] PCI Security Standards Council. PCI DSS Requirements and Security Assessment Procedures, Version 2.0. https://www.pcisecuritystandards.org/security_standards/documents.php?assocation=PCI%20DSS
[3] The Boston Globe. Cost of Data Breach at TJX Soars to $256 million. http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/
[4] Office of the Privacy Commissioner of Canada. Speech: Preventing Data Breaches with Good Privacy. http://www.priv.gc.ca/media/sp-d/2008/sp-d_080305_e.asp
The Focused Collection Principle in the Destruction of Personally Identifying Information
Privacy and the Consumer Bill of Rights
The United States (“U.S.”) has long recognized the need for privacy and individuals’ right to know what personal information will be used by a company, and for what purpose it will be used. To that end, the Obama administration has created a framework for protecting privacy, which it hopes to implement in a legally enforceable Consumer Bill of Rights. [1] The administration’s Consumer Bill of Rights applies globally recognized Fair Information Practice Principles (“FIPPs”) to the framework, providing for individual control, transparency, security, accountability, access and accuracy, focused collection, and respect for context in the collection of personally identifying information.
What is Personally Identifying Information?
The U.S. Federal Government’s definition of personally identifiable information is: “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to any individual, such as medical, educational, financial, and employment information.” [2]
Personal data may include information linked to a specific computer or other device, such as a smart phone. It may also include a consumer’s location, financial account numbers, social security number, or medical condition.
Respect for Context in the Collection of Personally Identifying Information
When a consumer provides personally identifying information to a company, he or she has the right to expect the company to use the information in ways that are consistent with the surrounding context and the reason the consumer provided the information. For example, when placing an online order, a consumer expects the company from whom he or she is ordering to use credit card information in order to charge him or her for the purchase and location information in order to ship the purchased item(s) to him or her. The consumer does not expect the company to use this information for any other purpose.
When companies use personally identifying information in ways not consistent with the surrounding context, they may violate an individual’s rights or cause injury or discrimination based on personal attributes. The unauthorized disclosure of personal information can also contribute to potentially life-disrupting identity theft. The 2006 Identity Theft Survey Report, published by the Federal Trade Commission (“FTC”), reports that approximately 8.3 million Americans were victims of identity theft in 2005. [3] This is estimated to have caused economic losses of more than $15 billion.
The challenge is to protect consumers’ privacy while providing companies with the information they need to continue to innovate and grow. The Respect for Context principle provides a standard for companies’ basic personal data practices. It emphasizes two things: that companies should limit personal data uses to purposes consistent with the context in which consumers disclose the information, and that the relationship between the consumer and the company may change over time in ways that are not foreseeable when the personal information is collected. Therefore, companies should update or delete personal information as it changes or becomes outdated and is no longer needed, in compliance with the focused collection principle.
The Focused Collection Principle in the Destruction of Personally Identifying Information
The Focused Collection Principle provides companies with a framework for the retention of information and its secure destruction once it is no longer needed. It holds that a company should collect only as much information as it needs to accomplish its purpose and, once that purpose is accomplished, it should de-identify the information or securely destroy it, if not obligated by law to retain it. Collecting only as much information as needed may mean following procedures to collect only non-identifying information, where possible. For example, a company that collects the unique identifier of a user’s mobile device, in order to provide a save function for gaming, may be able to use a less personal identifier in order to accomplish the same goal.
Complying with the Consumer Privacy Bill of Rights
The Consumer Privacy Bill of Rights provides a flexible framework that allows companies discretion in deciding how best to implement the FIPPs. According to the administration, this flexibility will “help to promote innovation and encourage effective privacy protections” by allowing companies to address privacy issues in a manner consistent with their customers’ and users’ wishes, rather than requiring them to adhere to a single, rigid set of requirements. One such innovation is Privy, a software program for privacy officers, which allows tracking of personally identifying information, including how and why the information was collected and when it should be destroyed. Privy is a complete solution for collecting, using, storing, and securely destroying personal information in accordance with the Consumer Privacy Bill of Rights.
[1] Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. http://www.whitehouse.gov/sites/default/files/privacy-final.pdf
[2] U.S. Government Accountability Office. Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, GAO-08-536, May 2008. http://www.gao.gov/new.items/d08536.pdf
[3] Federal Trade Commission. 2006 Identity Theft Survey Report. http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf