A central theme of this project has been a consideration of the extent to
which privacy policies satisfy the requirement of "openness" pursuant
to the PIPED Act. Organizations make information about their policies
and practices available in a variety of ways. The method chosen depends
on the nature of its business and other considerations. An organization
may make brochures available in its place of business, mail information to its
customers, provide online access, or establish a toll-free telephone
number.

However, in many instances this communication is motivated by a desire to
obfuscate consumers' attempts to understand an organization's information
management practices rather than to clarify expectations as between company
and consumer. This research has focused
on the approach to communicating privacy policy and practice by
organizations in the airline, telecommunications, banking and retail
sectors. We selected the first three industries because they are
federally regulated and the PIPED Act has applied to them since its
enactment.

The "openness" principle contemplates the consumer being able to ascertain
information about the organization's business practice with respect to the
use, collection and disclosure of personal information without unreasonable
effort on the part of the individual.
However, in many instances consumers (and even trained researchers!)
experience considerable difficulty understanding a given organization's
information management practices.

Our work involved creating a 26-point questionnaire and contacting the
privacy information
officers in the industries mentioned above to learn about the
effectiveness of communicating privacy statements to the public. Our
project team's research was significantly disadvantaged by University
research ethics board requirements. However, a number of chief privacy
officers were willing to be interviewed and this served to inform our
research. In future research we hope to make use of research
instruments of the type designed in this project to provide a more
quantitative research output.

Four papers were written based on the industry sectors examined. Each paper
considers a current issue
facing the industry and discusses the ways in which a given
organization's information management practices are communicated to the
public.

The first paper, titled "Mathew Englander - Toonie or Loonie? - Assessing
the impact of the Englander v. Telus decision", explores privacy in the
telecommunications sector through an analysis of the leading PIPED Act case
of Englander v Telus Communications Inc.
In this case the court finds that identifying the purpose of
collection, use and disclosure of personal information, while varying
according to circumstances, must take place at the time of collection
in the first instance. The Court suggests that corporate communications
to the consumer can be the basis of a finding of 'tacit consent' if it
is eventually demonstrated that customers are aware of the
brochures etc. at the time they subscribe.

Making more information available and accessible to consumers may, given the
depersonalized relationship between consumers and corporations,
eventually serve to abrogate consent in this context.

The Englander case is in many respects an examination of different
perspectives on privacy. The case also exposes the internal contradiction
of the PIPED Act, an act seeking to assuage both industry business interests
and the privacy concerns of individuals. Without commitment to providing
context-specific analysis and naming respondents in cases that are 'in
the public interest', the seeds of further confusion are likely to be
sown.

The second paper in this report considers the
online privacy statements of four Canadian airlines in light of the
Article 29 Data Protection Working Party Opinion on the level of
protection ensured in Canada for the transmission of Passenger Name
Record (PNR) and Advance Passenger Information (API) from airlines, and
the requirements of the PIPED Act. A discussion of the Working Party
Opinion was considered important in this area because of the
considerable influence the Working Party has on data protection in
non-EU countries. The specific commitments of the Canadian Border
Services Agency are currently the subject of negotiation with the EU
and are currently not being made available to the public. However, a
comparison was made between the Working Party Opinion and the
obligations placed on the airline industry pursuant to the PIPED Act.
In the case of airlines, the Working Party Opinion highlights a lack of
uniformity in the approach taken by airlines in communicating their
information management practices. The absence of enforcement powers
within the Office of the Privacy Commissioner results in an
inconsistent implementation of the PIPED Act and forms the basis of
systemic privacy violations.

In the third paper, a comparison is made
between the online privacy notices of two leading Canadian banks, CIBC
and Scotiabank, in the light of the Article 29 Data Protection Working
Party Opinion on more harmonized information provisions with particular
reference to the proposed European information notice solution. The
proposed information notice is significant from the perspective of
"openness" because it seeks to improve awareness of data protection
rights and responsibilities as well as enhance the quality of
information on data protection. It does this through a three-tier
notice system, the first layer providing 'core' information and the
second and third providing more relevant information that is required by
the EU Data Protection Directive and the national law respectively. Taken
together, these would be deemed to constitute a legal notice.

A comparison of two leading Canadian banks reveals stark differences in
the manner through which information management practices are
communicated to the public. CIBC has its privacy policy in a long
format, whereas Scotiabank makes use of embedded links. While both
banks would likely fail to satisfy the EU information notice
requirements, Scotiabank's notice was found to be more user-friendly.
It was concluded that the harmonization of information notices is
likely to result in greater ease of comparison between information
management practices, because companies are forced to make use of an
accepted information template, and to make information delinquencies more
difficult to conceal.

The fourth and final paper examines
the issues concerning the protection of personal information within the
retail business sector in Canada. This paper considers the extent to
which retail businesses' web site privacy statements address concerns
associated with the collection, use and disclosure of personal
information in this context. The paper points out that the PIPED Act
fails to distinguish between industry sectors other than by
differentiating federal works from other forms of commercial activity.
These latter undertakings are the subject of provincial jurisdiction
and the legal remit of the federal government to legislate in this area
is at present unclear.

In addition, the PIPED Act does not
distinguish between small and large retail industries, instead imposing
positive obligations on all organizations. This paper concludes by
suggesting that the retail sector is following the lead of the federal
undertakings, but this may well be a movement in the wrong direction.
It recommends the publication of detailed privacy manuals as a means of
providing consumers with a meaningful basis upon which to assess the
companies' information privacy practices and hold them to account.