A recurring concern I come across when working with businesses on privacy assessments is the collection of personal information above and beyond what the business actually needs. There is usually some legitimate interest in the data, but the organization simply hasn’t given enough thought to getting specific about exactly what personal information it needs to provide its services, and whether consumers have alternatives to providing the data being requested.
The recent finding from the Office of the Privacy Commissioner of Canada (OPC) against Loblaws is a great example. The investigation resulted from complaints by Loblaws’ customers who objected to being asked to hand over sensitive personal data for a $25 gift card. Loblaws offered the cards to customers in 2018 in the aftermath of the bread price-fixing scandal. To collect their gift cards, customers had to fill in an online form providing details including their name and address. 10% of these customers were told in March 2018 that, in order to receive the gift card, they needed either to mail or send electronically a copy of their driver’s licence or a utility bill to Loblaws. Loblaws took this step to weed out fraudulent claims.
Upon hearing from the OPC, Loblaws revised its communications to customers that same month to make it clear that the grocer was only seeking information that would confirm name and address. Loblaws also indicated on its website that customers could redact sensitive information – such as their photo or driver’s licence number – when they sent in ID. Thus, after its six-month investigation, this issue was ‘resolved’ according to PIPEDA Report of Findings #2019-003.
Regardless, such an endorsement of what would be considered adequate transparency is welcome after all the recent concerns about transborder data flows. The OPC also examined the contracts that were in place between Loblaws and its processors and specifically lists the types of clauses that lead to a finding that the accountability requirements in PIPEDA have been met. The list of protective measures accepted by the Commissioner is a useful guide when drafting third-party processing agreements. As stated in the decision:
“The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.”
Thus, in finding the language used by Loblaws in its policy and contracts to be appropriate, this decision should provide some comfort to organizations.
Just as the Ashley Madison decision provided valuable advice and insights on safeguarding personal information, I consider the Loblaws decision to offer useful tips on handling transfers for processing transparently. The OPC’s investigative reports become extremely valuable for businesses when they offer guidance and insight into how the regulator is interpreting PIPEDA with respect to issues faced by many Canadian organizations.