Online privacy: Avoiding pitfalls

B.C.’s new guidelines include: providing enough information so visitors know what personal information is being collected; informing visitors if you’re using cookies to collect personal information; making sure visitors know they can access their personal information; and writing the privacy policy in plain language.

“There are challenges to doing this,” says Timothy Banks, a privacy expert at the Toronto branch of global law firm Dentons LLP. “But the reality is that the client/advisor relationship is built on trust and the confidentiality of personal information, so you don’t want to make a misstep simply because you’re not paying sufficient attention to what should go into your disclosure.”

It’s also clear that these types of reminders are likely to become more common in the future. B.C.’s new guidelines follow the first ever international sweep of business websites by the Global Privacy Enforcement Network, held this past May in conjunction with privacy regulators around the world. The sweep was intended to duplicate what companies are telling their customers about the amount and type of personal information collected on their websites.

The B.C. privacy commissioner and the Privacy Commissioner of Canada released the results of this sweep for their jurisdictions in mid-August. (B.C., Alberta and Quebec have regulations that are substantially similar to the federal rules.) The results for B.C. showed that 45% of a sample of 250 websites doing business in the province did not have an online privacy policy, more than twice the global average. Where there were policies, many didn’t provide enough information to users about the type and amount of personal information being collected.

Both the B.C. and federal commissioners said the sweep indicates that companies need to make their privacy policies clearer and more accessible to the public. “What companies need to do [across Canada],” says Banks, “is make more meaningful disclosure on how they’re complying with the law and what controls, if any, they are giving the consumer with respect to how [the company with the website is] using their personal information.”

In a separate initiative, the federal privacy commissioner issued a paper last May that proposes more teeth for the Personal Information Protection and Electronic Documents Act. Two years ago, Ottawa tabled Bill C-12, which includes more enforcement powers under that act, but that bill has not moved forward.

Also driving the pressure for change are two recent episodes in which unencrypted laptops were left unattended, says Éloïse Gratton, a privacy specialist at law firm McMillan LLP in Montreal. Human Resources and Skills Development Canada, for one, discovered late last year that a non-encrypted hard drive containing sensitive personal and financial information could not be found.

And, most notably for the financial services industry, a staff member at the Investment Industry Regulatory Organization of Canada lost an unencrypted device containing the personal information of more than 50,000 clients of brokerage firms. Says Gratton: “It just seems that some organizations aren’t taking these [privacy] laws seriously enough.”

Among the enhanced powers requested by the national privacy commissioner are financial penalties for violations of privacy rules. The proposals also call for mandatory notification and reporting of breaches to the privacy commissioner and the obligation to demonstrate accountability – which will affect advisors, says Gratton: “If there is a security breach, then the risk of harm is automatic – risk of identity theft, etc. [Employers] are going to have to take this law a little bit more seriously and make sure their employees are aware of these laws and the way that they manage client information is in compliance with this law.”

Alberta law already includes mandatory notification of a breach, ensuring employees must disclose a breach to the commissioner. The result, says Gratton, has been stronger prevention: “What they’ve seen in Alberta is that suddenly businesses are investing more resources in prevention – training their employees and making sure they are aware of these privacy laws. They’re trying to make sure that people invest in preventive measures rather than trying to fix a mistake after it’s happened.”

On a more day-to-day level, some issues have arisen over the use of the free, ubiquitous Gmail service offered by Google Inc. Gmail users may have received a jolt in June when reports came out that Google said in court documents that Gmail users had no expectation of privacy when using their Gmail. But Banks said the reports were misinterpreted and actually involved non-Gmail users connecting to Gmail users.

Banks said this issue is a reminder that email runs through a number of processes and can be inspected, even superficially, to get basic data, such as targeted advertising.

Banks says advisors can look at inexpensive alternatives for more secure ways of sending sensitive information. Be sure, he suggests, that when clients ask that sensitive email be sent to their workplace, usually for the sake of convenience, that they have made this preference clear.

To improve privacy in this situation, advisors may want to put sensitive data in a password-protected attachment.

The contents of the attachment may still be hacked, says Banks: “But it does mean you have put up a fairly simple barrier” to hinder or stop snooping.

© 2013 Investment Executive. All rights reserved.