Jim Jamieson
Province
Georgette Parsons is the chief information and privacy officer for Mountain Equipment Co-op. CREDIT: Gerry Kahrmann, The Province
As British Columbians greeted the new year, they also entered a new era of tighter privacy protection.
It’s a mixed blessing for B.C. businesses and non-profit organizations, though. They now must abide by elevated standards for how they deal with personal information they have collected from customers and members.
Most agree that increased security standards will boost consumer confidence in online commerce, in particular, but will be a challenge to smaller firms.
Bradley Freedman, a partner at Vancouver law firm Borden Ladner Gervais LLP and an expert in intellectual property and technology law, says the B.C. legislation’s enforcement mechanisms have more teeth than its federal counterpart. B.C. Privacy Commissioner David Loukidelis can conduct his own investigations, hold hearings, subpoena documents and witnesses, can make binding findings and can enforce orders with sanctions, he said.
Bill 38, the Personal Information Protection Act (PIPA) forces organizations to disclose what they know about their customers’ personal data. It also requires that businesses ask permission when collecting personal information.
The act applies to organizations and individuals who collect personal information, except data collected for non-commercial uses.
For some organizations, it will be an easy transition into more stringent guidelines around privacy protection. For others, there will be some strain — and expense.
“We feel we are in a good position to be in compliance,” said Tim Southam of Vancouver-based Mountain Equipment Co-op, which has about two million members. The names, addresses and phone numbers of those members reside in MEC’s huge database.
As well, the co-op runs a thriving online business that has grown to about five per cent of the company’s $167-million annual
revenue.
“It’s not so much developing a new program as refining our existing procedures around protecting personal information,” said Southam. “We do not sell, rent or lend our membership list to anyone . . . But this involves revisions to existing forms, taking steps that personal information is safeguarded.”
PIPA takes the place of the federal Personal Information Protection and Electronic Documents Act, which has been phasing in for several years.
As of Jan. 1, any province that did not enacted its own privacy legislation must abide by the federal act. B.C. and Alberta were the only provinces to opt for their own acts, while Quebec already had its own legislation.
Organizations that operate inter-provincially are subject to the federal legislation.
Freedman said that at its core the legislation ensures there is consent to use of personal
information.
“That’s information about an identifiable individual — for example, name, telephone number, social insurance number, bank account number,” said Freedman.
“If it’s aggregated [group], information, it’s no longer personal information and not subject to these laws. Contact information at a place of business, a business e-mail address, for example, is not considered personal information.”
The legislation — which is complaint-based — will impact many areas of business.
Employers won’t be able to outsource payroll services without the consent of employees; publishers won’t be able to sell subscribers lists; direct marketers can’t contact a consumer to hawk a product other than which has been previously purchased, unless there is consent. Retailers even have a new obligation to obscure credit card numbers on sales receipts.
B.C. Minister of Management Services Sandy Santori said the goal of the provincial legislation was to have a less complex alternative to the federal act and law that is administered in B.C.
“We felt having it under the auspices of our commissioner would be beneficial,” he said.
Complying with the legislation will clearly be more onerous on small businesses.
“We have had someone who’s on staff here who’s been working on our privacy complaince program virtually full time for two or three months now,” said Southam. “Having those kinds of resources in a small company is unlikely.”
Bill Cotter, a Vancouver-based private investigator and security consultant, said the added cost of getting up to speed with the act will eventually be borne by the consumer.
“People will say: ‘I’ve given you this information — what have you done with it?’ he said. “This is going to take time and cost money. These costs always get passed along to the consumer.”
Other obligations include maintaining the security of the information, which can range from providing a locked room to encrypting hard drives, and being liable for outsourced data.
As well, there is no grandathering of the obligations.
If an organization has a large database used for marketing, and that information was collected before (without consent), it can’t use that information unless there is consent.
© Copyright 2004 The Province
