A few years ago, when we were giving training courses on identity theft, we realized that consumers had difficulty applying the advice we were giving them.
we were giving them. To find out why this was, and whether there was room for improvement, we had to look at privacy laws, and then ask companies about their practices and the issues behind them.
In the course of this research, we gave them a voice. Two broad categories of companies were targeted. The first category includes organizations subject to the Personal Information Protection and Electronic Documents Act (the federal law). These are mainly federal companies, which must also comply with laws specific to their sector of activity. The second group includes companies, licensees and professionals who, in Quebec, must comply with the Act respecting the protection of personal information in the private sector (the Quebec law) and sometimes other specific laws.
In the course of our interviews, we learned that merchants, not always aware that by collecting personal information, they are building a file on their customers, generally have legitimate purposes for doing so. However, some collect far more information than is necessary for their purposes. As for licensees and professionals, they refer almost exclusively to the standards applying to their sector of activity to justify their collection practices.
We sometimes noted shortcomings in the information given to consumers and in obtaining their consent. They are told little or nothing about the reasons for the collection, where their personal information will be stored, and their right to access and correct it (a right that some companies were not even aware of). There are also problems with the retention and destruction of personal information. Sometimes, documents containing personal information are left out in the open. They may also be kept for an indefinite period, or destroyed in an incongruous manner.
Among federal companies, we've noticed that smaller organizations sometimes don't have policies in place to protect their customers' personal information. This is a regrettable situation, as we found that organizations with such policies were generally more law-abiding.
How can the interests of consumers be reconciled with those of companies, licensees and professionals? Since the law provides for a judicious balance between the interests of organizations and those of consumers, compliance with the law should effectively reconcile these interests. Our recommendations are therefore aimed first and foremost at ensuring compliance with the law. However, some speakers were critical of the law. In fact, the tenor of their comments indicates that they are either unfamiliar with the law, or have misinterpreted it. In our view, compliance with the law will therefore require that the players involved also have a better knowledge of it, and be more aware of privacy issues in the private sector.
