by Sapna Mahboobani
This paper compares the online privacy statements of two leading Canadian banks in light of the Article 29 Data Protection Working Party Opinion on More Harmonized Information Provisions, with particular reference to the proposed European information notice solution.
Introduction
The Article 29 Data Protection Working Party ("Working Party") is an independent advisory body on data protection and privacy.[59] In November 2004 the Working Party adopted an opinion aimed at harmonizing information provisions for organizations within EU member states.[60]
The opinions of the Working Party are, however, of particular concern in the Canadian context given the EU policy of prohibiting the transfer of personal data to nations failing to ensure an adequate level of protection.[61]
The adoption of this Opinion signals recognition that industry attempts at communicating information management practices have been unsatisfactory. This requirement that a company communicate its information management practices finds expression in Canadian law through the Openness principle found in Schedule 1 of the PIPED Act.[62]
This paper examines the online privacy notices of CIBC and Scotiabank in relation to the Working Party Opinion. It also considers the notices of these banks with respect to the PIPED Act.
The Working Party Opinion on Information Notices
The Working Party Opinion on information notices seeks to encourage a consistent approach to informing data subjects about their rights. This approach, it contends, would ease compliance, improve awareness of data protection rights and responsibilities, and enhance the quality of information on data protection.[63]
The proposal is centred upon the comprehension of data subjects and supports the concept of the multi-layered notice format, calling for the acceptance of such notices as constituting legal compliance.[64]
The Opinion contends that the information provided to data subjects should be in a language and layout that is easy to understand and is appropriate for a given audience (e.g. children). The use of multiple layers, it is argued, will improve the quality of the information that is provided, better focusing a data subject's query. Taken as a whole, such a notice would be accepted as legally compliant.
The Opinion proposes three layers in the notice. The first layer, called the "short notice", would provide individuals with 'essential' information, namely the identity of the privacy officer (or data controller) and the purposes of processing (except where readily apparent). The Opinion is forward-thinking in suggesting the deployment of 'very short notices' in the case of mobile phones and the use of pictograms where appropriate.[65]
The second layer, called the condensed notice, would include the relevant information required under the EU Data Protection Directive.[66] This is taken to include:
- The name of the company
- The purpose of the data processing
- The recipients or categories of recipients of the data
- Whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply
- The possibility of transfer to third parties
- The right to access, to rectify and oppose
- Choices available to the individual.
The third and last layer of the information notice would include national legal requirements and specificities.[67] While the last layer is of no application in the Canadian context, the short and condensed notices may be used as a marker for assessing the online privacy notices of Canadian companies. The banking sector is a useful industry for the purpose of this analysis as it is an industry sector purporting to have the highest standards with respect to privacy and a business model based on trust.
The PIPED Act and Banking
As a federally regulated industry, banking has been subject to the PIPED Act since the Act's entry into force. The Canadian banking industry consists of 19 domestic banks, 29 foreign bank subsidiaries and 22 foreign bank branches across Canada. These institutions total $1.8 trillion in assets. The customers of the banks number in the millions, including individuals, small- and medium-sized businesses, large corporations, governments, institutional investors and non-profit organizations.[68]
Banks collect personal information regarding the identity of their customers, such as name, address and contact information. In addition, banks also retain sensitive financial information about their customers, such as the accounts they hold, their savings, investments, credit and debts, and even their social insurance numbers ("SINs"), which are collected for income reporting purposes.
At common law, banks are bound by fiduciary obligations owed to their customers. These duties are no doubt part of the reason that the banking industry was among the first industries to go beyond a statement of principles and develop a comprehensive privacy code of conduct, in 1986. This code was updated regularly in keeping with customers' changing privacy needs. In fact, many of the principles in the banks' privacy codes translated directly into the principles of the PIPED Act.
After the implementation of the PIPED Act, there was little noticeable change to the procedures of the banks, as the PIPED Act's guiding principles were already reflected in the voluntary codes that the banks had been following.[69]
Findings of the Office of the Privacy Commissioner
Given the culture of respect for privacy in the banking industry, one would have expected few or no complaints under the PIPED Act to the Office of the Privacy Commissioner (OPC). However, banks were the respondents in 118 of the 255 findings made up to January 1, 2004, representing 46% of the findings. These findings dealt with improper account access, use and disclosure, secondary marketing, over-collection of personal information, income reporting questions, security problems, access problems, credit reporting and SIN usage.[70]
In PIPED Act Case Summary #46,[71] for example, a bank was accused of inappropriately demanding birth dates from applicants. The customer claimed that the bank required inappropriate information, namely her birth date, when she tried to open an account over the phone. When she inquired about the use of the birth date, the representative on the phone told her that it was needed for income reporting purposes. Dissatisfied with the answer, she raised her concern with a bank supervisor, who informed her that the birth date was indeed required, though not for income reporting purposes but as identification information for when the customer subsequently contacted the bank. The customer objected to this, stating that the bank already had other information such as the SIN and should not be collecting information that could be used for demographic identification. The Commissioner found that the bank had violated Principle 4.3, which states that an organization should collect only the information required for the stated purpose, and concluded that the bank had enough information to identify the customer without collecting more. The bank was also found to have violated section 5(3), which states that an organization may collect, use or disclose information only for purposes that a reasonable person would consider appropriate.
In Case Summary #105,[72] a customer objected to the bank's use of the SIN for credit card activation. Banks collect the SIN in compliance with the Canada Customs and Revenue Agency's income reporting requirements. The bank had collected the SIN when the customer opened an interest-bearing account. The customer felt that the SIN data should not be shared between the databases for the two accounts, and that by using the SIN as identification for credit card activation, the bank was using information for a purpose not previously defined. The Commissioner found the bank in violation of Principle 4.2.4 for not informing the customer of the intended use of the SIN and not obtaining the customer's consent. The bank was also found to be in violation of Principle 4.3.2 for not making a reasonable effort to inform the customer of the new intended use of the SIN, and in violation of Principle 4.5 for using the SIN data for a purpose not previously identified and without the customer's consent.
The OPC makes the findings of PIPED Act complaints available on its website; however, there are still limitations to the kind of information that can be obtained. The names of all parties in a case are withheld. Therefore, on reading the cases, one does not know which banks were involved, and consequently it is difficult to gauge whether the recommendations made by the Commissioner have been followed. In some cases, the wording in a privacy policy suggests that changes were made based on the findings of a particular case.[73]
The PIPED Act is modelled on a complaint-driven process. It is up to the aggrieved consumer who feels his or her privacy has been violated to bring the case to the attention of the OPC for investigation. This depends in large part on the wherewithal of the individual consumer. The number of complaints is therefore unlikely to be in line with the number of actual breaches of privacy taking place in this industry sector.
Privacy Statements: Short and Condensed Information Notices
In light of the difficulties consumers have vindicating their rights, the EU policy on information notices would appear to be a departure from the consent model of privacy.[74] A comparison of the privacy notices of CIBC and Scotiabank would tend to suggest that Scotiabank is more aligned than CIBC with the position of the Working Party. This is because the privacy policy of Scotiabank follows a layered approach, with the bank's "Privacy Code"[75] presented to the user in three layers, though the format does not correspond exactly to the Working Party's notion of a layered notice.
Scotiabank provides a three-layered notice whereby the short notice provides an overview of the scope of the code and a link to the Ten Principles of the Code, as modelled on the Canadian Standards Association's (CSA) Model Code for the Protection of Personal Information.
The "condensed" layer provides a brief definition of each of the ten principles of the code. The next layer (obtained by clicking on the corresponding principle) provides a detailed description of the principle and Scotiabank's implementation of it.
CIBC's Privacy Policy, by contrast, is in a long notice format, with the complete privacy policy displayed on a single scrollable screen.
Scotiabank's Notice
The requirements of the suggested Working Party short notice are that information notices should provide information about the identity of the data controller (the privacy officer in the Canadian context) and the purposes of processing. Additionally, there should be a clear indication of how the individual can access additional information. While Scotiabank's Privacy Code does acknowledge that senior management of each Scotiabank Group Member is accountable for the data that is collected, and that a person or persons responsible for the overall privacy protection and compliance of the collected information will be identified to the customer (Principle 1), it does not explicitly provide the identity of this person in the document itself. This information is, however, provided in the Privacy Brochure under "The Need for Security" as the Secretary of the Privacy Committee, along with a mailing address.
The purposes for which the information is collected are provided under Principle 2 - Identifying the Purposes for Collecting Personal Information. It states that the information collected is limited to the following purposes:
- To understand the customer's needs.
- To analyze the suitability of products or services for the customer.
- To determine the customer's eligibility for products and services.
- To set up, manage and offer products and services that meet the customer's needs.
- To provide ongoing service.
- To meet legal and regulatory requirements.
- With regard to insurance products, to investigate and adjudicate insurance claims.
No information is provided on the exact nature of the information required for any of these purposes, though the Privacy Code does state that the purpose of use of the information will be provided to the customer at the time the information is collected, and in a manner that the customer will understand. The Scotiabank Group staff member will be able to explain the purposes to the customer, who will be able to ask for information about the uses.
The Privacy Code also states that purposes that are not directly obvious will be explained to the customer at the time of collection of the information. This includes uses for references, SIN, credit information, medical information, claims and insurance history, and information regarding accounts, among others.
The Privacy Code further states that the customer can access the personal information that the bank holds upon "written request", and obtain a list of third parties to whom the information has been disclosed (Principle 9). Policies and procedures are in place to make this information available to the customer, and these policies and procedures will be disclosed to the customer when requested. The information provided to the customer will be as specific as possible in terms of the information on file, to whom the information has been disclosed, and when and how the information was disclosed. This information will be provided to the customer free of charge or at a cost commensurate with the effort required to retrieve it.
As required by the suggested Working Party condensed layer, the Privacy Code should provide the name of the company, the purposes of the data processing, the recipients of the data, the reply mechanism, the possibility of transfer to third parties, the possibility to access, rectify and oppose information held by the company, and the choices available to the individual. Additionally, information regarding redress within the company or through the nearest data protection agency must be provided. Throughout the Privacy Code, the company is referred to as the Scotiabank Group Member. The definition of Scotiabank Group Members is provided in the short notice as "companies engaged in the following services to the public: deposits, loans and other personal financial services; credit, charge, debit and payment card services; full-service and discount brokerage services; mortgage loans; trust and custodial services; insurance services; investment management and financial planning services; and mutual funds investment services." Further, as collectors of customer personal information, these Scotiabank Group Members are the recipients of the information.
The Privacy Code states that Scotiabank will be as specific as possible about where it obtained the information, to whom the information was disclosed, and how and when the information was disclosed. This information will be obtained from the customer records and will be presented to the customer in a form that is easy for the customer to understand, with explanations of abbreviations and codes. The Privacy Code, however, does not specify what this form may be. The reply will be made within a reasonable time, though this time is not defined. The reply will also be made free of charge or at a cost commensurate with the effort required to obtain the information. In cases where a cost is to be incurred by the customer, the customer will be informed of the possible charge and given the option to withdraw the request.
If a request for information is denied, the customer will be informed of the reasons for this decision, unless prohibited by law. The customer can challenge this decision. The customer may also challenge the reasonableness of the cost of providing personal information. The complaint resolution process and the person whom the customer needs to contact in such an event are part of the procedures of Scotiabank (Principle 10).
The Privacy Code, however, does not provide any concrete information on this process or any contact information, implying instead that it is available to the customer in an easy-to-understand format. The Privacy Code further states that the Scotiabank Group Member will investigate all complaints that it finds justified and attempt to resolve them. If need be, changes will be made to the policies and procedures to ensure that other customers are not inconvenienced in the future. The customer is also encouraged to pursue other avenues if he is not satisfied with the way a complaint is resolved. These different avenues are available to the customer through the Scotiabank branch and are not provided in the Privacy Code. The Privacy Code does state that the customer may file a written complaint with the Federal Privacy Commissioner if he feels that the Scotiabank Group Member's operations are not in compliance with the code.
The Privacy Code states that the customer will be informed at the time of collection that his information may be passed on to other Scotiabank Group Members or affiliates to market other products. The customer's consent, however, is required for this, and the customer has the option to withdraw consent (Principle 3). The Privacy Code also provides information for cases where the customer's consent may not be obtained before disclosing information to third parties. While Scotiabank records most disclosures to third parties, the Privacy Code also outlines situations in which disclosure of information to a third party is not recorded in the customer's file. These include disclosing information for routine maintenance such as cheque printing, reporting to the CCRA, updating of credit information, and underwriting or claims processing. Nowhere in the Privacy Code are the third parties listed, though the code does indicate that the customer may request this information from Scotiabank.
Customers are informed that the Scotiabank Group Member will keep personal information accurate and current. The customer may challenge the bank in writing if any of his information held by the bank is inaccurate or incomplete, and request that the information be amended. The bank also relies on the customer to keep certain information, like contact data, current. Scotiabank will revise its inaccurate information and inform all third parties that could use this information. The customer is also given the option to challenge the bank if it refuses to amend the incorrect information that it holds.
CIBC's Notice
CIBC's privacy notice does not follow a layered format.[76] The policy is presented on a single, scrollable screen. The requisite information is provided without the need for embedded weblinks. Discussion of CIBC's privacy policy is therefore done in relation to the actual content of the policy, rather than the layered property of the notice.
The purposes for data collection are stated as follows:
- Establish your identification;
- Protect you and us from error and fraud;
- Understand your needs and eligibility for products and services;
- Recommend particular products and services to meet your needs;
- Provide ongoing service; and
- Comply with legal requirements.
These purposes are broadly defined and do not mention the kinds of information required. The special case of the SIN is described as required for tax reporting purposes; it can also be used, with the consent of the customer, for identification purposes.
The privacy brochure broadly defines the other recipients of the customer's information as outside companies that may be used to process the data, and a court of law or other regulatory authority, for legal reasons. It is also stated that information will be shared within the CIBC group, as permitted by law. No other recipients or categories of recipients are identified.
The CIBC privacy policy also states that the customer's consent will be obtained before information about him is collected or used. Certain cases are explicitly specified, such as checking employment, obtaining a credit report, offering products and services, and making the information available (subject to legal restrictions) to other CIBC group companies.
Consent is also obtained before collecting the SIN. The policy also states that consent can be implied or explicit, and that the customer can withdraw consent after he has given it. Special mention is made of credit reporting: the customer cannot withdraw consent for the bank to update the credit bureau as long as the customer has credit with the bank.
The policy also provides that if the customer does not consent to the collection and use of certain information, the bank will not be able to provide certain products and services to the customer. While these situations are not explicitly described in the policy, it does state that the customer will be advised at the time of collection of the information. The customer can also withdraw consent to receiving direct marketing material, but this does not limit the information that the customer receives with the monthly statement or in discussions with the personal banker or customer service representative.
In addition, the CIBC Privacy Policy explicitly states that the customer's consent is obtained before sharing information with third parties. This includes all subsidiaries within the CIBC group. The policy mentions outside companies that provide the expertise to process the information, information that is released to third parties for legal reasons, and circumstances where disclosure protects the interests of CIBC. While the policy assures the customer of the standards employed in ensuring the security of the information, it does not explicitly identify the companies or organizations to which information could be disclosed.
The customer is informed that he can access his information and verify its accuracy. The customer may be asked to put this request in writing. The policy also states that certain information may not be made available to the customer, but does not elaborate on what types of information are covered.
The customer can also request the names of the persons and companies with which the bank has shared the customer's information. However, this does not include third-party companies that do work for the bank, like cheque printers, T5 reports to Revenue Canada, or regular updates to the credit bureau. All requests will be responded to within 30 days, with explanations provided for any delays. CIBC will also correct any information that the customer feels is inaccurate. If the bank has obtained incorrect information from a credit bureau, the bank will provide the customer with the contact information of the party concerned so that the customer may have his or her information corrected.
The customer is also provided with information on how to make a complaint. Three steps are provided: talking to the bank directly, contacting customer service, and contacting the bank's ombudsman.
While both banks provide the customer with information on how the data is collected and used, the form of presentation and content of this information is not, at present, in compliance with the Working Party requirements for information notices.
Implementing Layered Notices
Online privacy notices differ vastly between companies, even those in the same sector. Scotiabank and CIBC are both major players in the Canadian banking sector, yet their approaches to informing their customers about their information rights vary greatly. These notices are in themselves difficult for the customer to grapple with. Furthermore, it is difficult for the customer to compare the notices of different banks in order to assess the information practices of the different companies. This is largely due to differences in the use of language, the amount of information presented to the customer, and the way this information is structured.
The Working Party proposes that the language and layout used in online information notices should be simple to understand and geared toward the target audience. The proposal also stresses multi-layered formats for simplicity and consistency in information notices. The adoption of such a proposal in the banking sector would mean that online information notices would be consistent enough with each other to allow customers to make a quick and easy comparison of the banks' practices. If all banks, and other industries, followed the same format, this arguably would lead to an increase in customers' awareness of their data protection rights, as they would see certain types of information regarding their data repeated in different company notices. In addition, this practice would force companies to play by an agreed set of rules with respect to how an organization's information management practices are communicated to the public.
With information provided to the customer in multiple layers, allowing the customer to control the amount of information he needs, online information notices would appear less intimidating and daunting, and would encourage customers to study the more important and relevant details of the notice.
For layered notices to be most effective, the banking industry needs to arrive at a common template. Most banks collect the same types of information and use them for the same purposes. However, there may be differences with respect to how the banks handle the processing of their customers' information and the disclosure of information within their subsidiary groups. While a comparison of the information notices of these banks should make these differences apparent, the layered notice template that is used needs to be flexible enough to allow for this. As has been seen from the examples of the two banks, the purposes of data collection as reported to the customer tend to differ, even though both banks provide the same services to their customers.
A consistent format for reporting purposes of collection will need to be developed that provides the customer with enough information on why the banks collect information. The question of understandable language is subjective, and needs to be addressed so that all banks are consistent. This would make it easier for customers to distinguish between the practices of different banks.
The information required of the different layers as suggested by the proposal would need to be revised when applied to the information notices of the banking industry in Canada.
Conclusion
In the case of banks, the PIPED Act Openness principle suggests that organizations should be forthcoming about their procedures and policies with respect to how information is collected, used and disclosed. Companies give effect to this provision through a mixed array of brochures, fine print on application forms and online notices. This puts the organization in the position of both educator and adversary, since there are instances where disclosure will not be in the company's best interest, or where the customer wishes to hold the organization accountable for failing to honour its commitments.
The Working Party proposal on information notices would consolidate the process by which a bank disseminates information about its information management practices, as well as providing the banks with a consistent means of implementing the PIPED Act Openness principle in the online context.
By providing the banks with guidelines on how relevant information needs to be presented to customers, the proposal removes some of the decision-making from the bank itself, making it easier to formulate an understandable privacy notice. As such, the Working Party proposal serves as a good complement to the Openness principle in educating customers about their privacy rights.