Privacy and Individual Access to Personal Information


            The Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) provides that organizations holding personal information about an individual must provide the individual with access to the specific information it is holding, provide an account of the organizations to which it has disclosed the information, and correct said information if proven inaccurate or incomplete. Section 8(2) of the Act requires that such disclosures be made within thirty (30) days of receiving a request for the information. The Office of the Privacy Commissioner (“the Commission”) is charged with hearing PIPEDA cases and enforcing the Act.

Section 8(2) of PIPEDA – 30 Day Time Limit

            The Commission has stated that requests for access to personal information are time sensitive and that an organization should determine as quickly as possible, after receiving a request, whether it will be able to complete the request within the initial thirty (30) day time limit allowed by the Act. [1] When a company believes that it will have insufficient time to comply with a request under PIPEDA, it must inform the individual requesting the information, in writing, no later than thirty (30) days after the request is received, of its new time limit and its reasons for extending the original time limit. [2] Acceptable reasons for extending the original thirty (30) day time frame include:

            1. Unreasonable interference with the activities of the organization, if it were required to provide the information within thirty (30) days;

            2. Impracticability of obtaining the consultations necessary to respond to the request within thirty (30) days; and

            3. Conversion of the personal information into an alternative format, which requires more than thirty (30) days. [3]

            In a dispute between an employee and his former employer, a railway company, the employee alleged that his former employer refused to provide him with access to his personal information. While the railway company eventually complied with the request, it was months later, and only after the former employee complained to the Commission. The Commissioner found that the railway did not meet its obligation under section 8(3) of PIPEDA and was therefore deemed, under section 8(5), to have refused the request. [4] In another decision under PIPEDA, the Commissioner found that an Internet Service Provider (“ISP”) failed to meet its obligation under the Act when it took thirty-four (34) days to provide a customer with access to his personal information. [5]


Compliance with Section 8(2) of PIPEDA

            Privy allows a privacy officer to set a thirty (30) day deadline when entering a request for personal information, so that a response is made within the time frame and your company remains in compliance with Section 8(2) of the Personal Information Protection and Electronic Documents Act.


[1] Office of the Privacy Commissioner of Canada. Findings under the Personal Information Protection and Electronic Documents Act. http://www.priv.gc.ca/cf-dc/2010/2010_003_0928_e.asp
[2] Office of the Privacy Commissioner of Canada. Findings under the Personal Information Protection and Electronic Documents Act. http://www.priv.gc.ca/cf-dc/2010/2010_003_0928_e.asp
[3] Personal Information Protection and Electronic Documents Act (full text). http://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html
[4] PrivacyInfo.ca. Privacy Decisions. http://www.privacyinfo.ca/dcsn.php?v=4&d=326
[5] PrivacyInfo.ca. Privacy Decisions. http://www.privacyinfo.ca/dcsn.php?v=4&d=235




Data Retention and the TJX Security Breach


In 2006, TJX, the world’s largest fashion and apparel department store chain, discovered a security breach dating back to 2004. When the damage was fully assessed in January of 2007, the breach was found to have compromised more than 94 million accounts. While the company may have been the victim of hackers, it was soon discovered that TJX could have prevented the breach from occurring at all.

In 2004, Visa, MasterCard, and other credit card issuers developed a framework of specifications to help merchants ensure that users’ credit card and other personal information was kept secure. This framework is known as the Payment Card Industry Data Security Standard (“PCI DSS”). [1] The PCI standard requires merchants to limit storage amount and retention time to “that which is required for business, legal, and/or regulatory purposes.” [2] According to several sources, TJX was not PCI DSS compliant, and its acquiring bank, Fifth Third Bank, should have required it to be.

The TJX security breach eventually cost the company over $250 million in lawsuit settlements, computer system repair, investigations, and other claims. [3] It also caused merchants, consumers, and the Payment Card Industry to take a closer look at how businesses and acquiring banks comply with the PCI DSS.

Lessons Learned


An investigation conducted by the Privacy Commissioner of Canada revealed that, among other things, TJX failed to comply with PCI standards: it collected too much information and kept that information for too long. Concerns were raised about the company’s retention of driver’s license and other identification numbers collected when consumers returned merchandise without a receipt, as well as stolen information related to transactions dating back to 2002. [4] The lesson for other companies to learn from this? Do not collect information you do not need, and when you do collect information, destroy it, securely of course, once it is no longer required.


[1] PCI Security Standards Council. PCI SSC Data Security Standards Overview. https://www.pcisecuritystandards.org/security_standards/index.php

[2] PCI Security Standards Council. PCI DSS Requirements and Security Assessment Procedures, Version 2.0. https://www.pcisecuritystandards.org/security_standards/documents.php?assocation=PCI%20DSS

[3] The Boston Globe. Cost of Data Breach at TJX Soars to $256 million. http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/

[4] Office of the Privacy Commissioner of Canada. Speech: Preventing Data Breaches with Good Privacy. http://www.priv.gc.ca/media/sp-d/2008/sp-d_080305_e.asp




The Focused Collection Principle in the Destruction of Personally Identifying Information


Privacy and the Consumer Bill of Rights




            The United States (“U.S.”) has long recognized the need for privacy and individuals’ right to know what personal information will be used by a company, and for what purpose it will be used. To that end, the Obama administration has created a framework for protecting privacy, which it hopes to implement in a legally enforceable Consumer Bill of Rights. [1] The administration’s Consumer Bill of Rights applies globally recognized Fair Information Practice Principles (“FIPPs”) to the framework, providing for individual control, transparency, security, accountability, access and accuracy, focused collection, and respect for context in the collection of personally identifying information.


What is Personally Identifying Information?



            The U.S. Federal Government’s definition of personally identifiable information is: “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to any individual, such as medical, educational, financial, and employment information.” [2] Personal data may include information linked to a specific computer or other device, such as a smart phone. It may also include a consumer’s location, financial account numbers, social security number, or medical condition.



Respect for Context in the Collection of Personally Identifying Information



            When a consumer provides personally identifying information to a company, he or she has the right to expect the company to use the information in ways that are consistent with the surrounding context and the reason the consumer provided the information. For example, when placing an online order, a consumer expects the company from whom he or she is ordering to use credit card information in order to charge him or her for the purchase and location information in order to ship the purchased item(s) to him or her. The consumer does not expect the company to use this information for any other purpose.

            When companies use personally identifying information in ways not consistent with the surrounding context, they may violate an individual’s rights or cause injury or discrimination based on personal attributes. The unauthorized disclosure of personal information can also contribute to potentially life-disrupting identity theft. The 2006 Identity Theft Survey Report, published by the Federal Trade Commission (“FTC”), reports that approximately 8.3 million Americans were victims of identity theft in 2005. [3] This is estimated to have caused economic losses of more than $15 billion.

            The challenge is to protect consumers’ privacy while providing companies with the information they need to continue to innovate and grow. The Respect for Context principle provides a standard for companies’ basic personal data practices. It emphasizes two things: companies should limit personal data uses to purposes that are consistent with the context in which consumers disclose the information, and the relationship between the consumer and the company may change over time in ways that are not foreseeable at the time the personal information is collected. Therefore, companies should update or delete personal information as it changes or becomes outdated and is no longer needed, in compliance with the Focused Collection principle.



The Focused Collection Principle in the Destruction of Personally Identifying Information



            The Focused Collection Principle provides companies with a framework for the retention of information and its secure destruction once it is no longer needed. It holds that a company should collect only as much information as it needs to accomplish its purpose and once accomplished, it should de-identify the information, or securely destroy it, if not obligated by law to retain it. Collecting only as much information as needed may mean following procedures to collect only non-identifying information, where possible. For example, a company that collects the unique identifier of a user’s mobile device, in order to provide a save function for gaming, may be able to use a less personal identifier in order to accomplish the same goal.



Complying with the Consumer Privacy Bill of Rights



            The Consumer Privacy Bill of Rights provides a flexible framework that allows companies discretion in deciding how best to implement the FIPPs. According to the administration, this flexibility will “help to promote innovation and encourage effective privacy protections” by allowing companies to address privacy issues in a manner consistent with their customers’ and users’ wishes, rather than requiring them to adhere to a single, rigid set of requirements. One such innovation is Privy, a software program for privacy officers, which allows tracking of personally identifying information, including how and why the information was collected and when it should be destroyed. Privy is a complete solution for collecting, using, storing, and securely destroying personal information in accordance with the Consumer Privacy Bill of Rights.



[1] The White House. Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. http://www.whitehouse.gov/sites/default/files/privacy-final.pdf
[2] GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008. http://www.gao.gov/new.items/d08536.pdf
[3] Federal Trade Commission. 2006 Identity Theft Survey Report. http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf