Keeping personal information private is a joint responsibility

by Tracy Clayson

Considering the number of data security breaches occurring in the world, even at some leading global organizations, few would claim our personal information is more secure today than it was in 2001. That’s when Canada’s federal government introduced the Personal Information Protection and Electronic Documents Act (PIPEDA) to protect individuals from having their personal data released by organizations without their written approval and consent.

Such security breaches can be very serious, resulting in financial, professional or personal loss, identity theft, credit theft, damage to reputation and loss of career opportunities.

To deal with current data security challenges, on April 8, 2014, the Harper government introduced Bill S-4, the Digital Privacy Act, which offers several amendments to PIPEDA. It’s the third attempt to amend the original Act.

The proposed bill commits employers to report to the Privacy Commissioner any breach of security resulting in loss of, or access to, personal information as a result of failure to have established safeguards—leading to a breach that causes significant harm to one or more individuals.

Among other elements, the bill contains a definition of “business contact information” to make things easier for employers to communicate with employees. Employers must now include as part of an employee’s personal information their name, business address, title and telephone number.

The bill is a positive step, and I’m pleased to see the government is trying to raise levels of consumer protection. However, I would argue that securing our personal information is something for which we all bear responsibility. Law enforcement agencies are not able to keep up with every possible weakness, leak, and failure of the nation’s systems and processes. For these agencies, there will never be adequate resources, skills and monitoring capability.

Instead, as we continue to build our communications globally and become more interconnected, we have to ensure we all take appropriate steps. Our machines, including smart phones, laptops, iPads and desktops, must run firewalls, virus and spyware protection software and be properly password-protected. Employees must also be provided with regular training on the use of information and on laws regarding use of personal information.

Organizations we deal with should also offer an opt-out so we as consumers don’t have our personal information provided to third parties for telemarketing purposes or used for other means. We have a right to decide how much information we offer.

In our industry, some companies have been accused of releasing personal information directly, impacting a person’s ability to gain employment. However, it can be noted the use of employment reference information is a key factor in selecting applicants and, further, can protect employers from hiring someone who is a liability.

The Professional Drivers Bureau of Canada (PDBC), a privately owned data collection company, provides background checks and retains the employment records of more than 160,000 truck drivers in Canada. PDBC offers potential employers a service to expose full details of a driver’s work history, including those he/she may otherwise omit on an application. Carriers are given a credit of $5.50 by PDBC every time they offer up employment information and termination records to augment a truck driver’s file.

But the Teamsters have challenged whether the business is legal, and are critical of the ethics of the PDBC, saying personal information is released without permission. Is this type of service fair to individuals?

What then about the use of personal data obtained through other means, such as video surveillance at work sites, use of IP address information to gain internet usage data, legal access to personal information for litigation purposes, inappropriate use of information through its sale to third parties, GPS tracking systems in employer fleets and security breaches of organizations’ computer systems?

In the end, preventing data security breaches requires a combination of government regulation, corporate awareness and common sense among individuals. Bill S-4 is a positive step, but we all need to ensure compliance and take steps to protect ourselves.

  • Recommended reading: Cassels Brock & Blackwell’s paper “Digital Privacy Act – Everything Old Is New Again” by Bernice Karn of the firm’s Privacy Group. See:

Tracy Clayson is managing partner, business development of Mississauga, Ontario-based In Transit Personnel.