Canadian Privacy Act
Nos. writes "Yesterday, I happened upon an Act that came into effect in Canada on January 1, 2004. The Personal Information Protection and Electronic Documents Act protects almost every bit of personal information not publicly available. For example, your name, race, date of birth, income, etc. are protected, where your address and telephone number are not (these are generally available in the telephone book). Some of the more interesting parts of the FAQ include such wonderful things as: '[businesses must] supply you with a product or a service even if you refuse consent for the collection, use or disclosure of your personal information unless the information is essential to the transaction'. Definitely a step in the right direction."
What the law says and what's done in practice ... (Score:5, Informative)
Unfortunately the laws and procedures are broken every day, simply because it's so easy to do. It's very rare that somebody publicly complains when personal privacy is jeopardized and even when somebody cries foul, the public doesn't care.
It IS absolutely retroactive (Score:5, Informative)
It seems that information already collected must be dealt with according to the act. Just because you collected it last year doesn't mean you don't need consent to use it this year. Actually, my dentist made me sign a form for them to share/get information with outside laboratories.
Re:Not retroactive? (Score:5, Informative)
Re:Toothless? (Score:5, Informative)
If someone asks for it, read the fine print. It's usually optional. If it's not optional, make sure you phone the company and ask why it's required, and make sure they know that you know that it's not necessary for them to have it. DON'T GIVE IT OUT. It's not necessary to have your SIN for companies to do a credit check on you here.
Re:2 thoughts... (Score:3, Informative)
Interesting logic, care to explain? This isn't your usual local ordinance proclaiming some random date to be [insert local sports team] day.
As to how it will be implemented, many companies ask up front where you're from. They then structure their conversation with you appropriately (or say they don't deal with Canadians).
This article [infoworld.com] from last year goes into a few of these issues:
Re:Government (Score:3, Informative)
Now it's linked in government databases to everything.
Canada's Social Insurance Numbers are basically an account number for each citizen. By law even the banks can't demand it although they can refuse service if you don't give it to them.
Re:Fake data (Score:5, Informative)
translation: (I have) (an) (ass), (a) (new) (ass)
note that in French, the adjective (new) comes after the noun (ass), and I switched them for non-French slashdotters
HIPAA is no protection. (Score:1, Informative)
Re:Car Dealerships... (Score:5, Informative)
Police Information Systems (Score:3, Informative)
Information Practices and Individual Privacy.
If you're really interested in Ontario's laws regarding information storage, read the following article:
http://qed.econ.queensu.ca/pub/cpp/March97/Sche
Re: GoC does take privacy seriously (Score:5, Informative)
The personal details of all Canadian residents (not just citizens) are automatically classified as "Protected" and any department or agency worth their salt actually do take this sort of stuff seriously.
Any case of abuse (of people's personal data) does tend to result in being fired, period.
The federal government (outside CCRA) does avoid using the SIN as much as possible because any document with that on it has to be classified "Protected".
HRDC uses it a fair bit, but as little as possible in what I've seen.
I've seen federal government forms that ask for only the last digit of your year of birth, in an attempt to prevent age discrimination (if they don't know your actual age, they can't be accused of discriminating based upon it) in the hiring process.
Honestly I have to say the Canadian federal government takes privacy seriously, it's an important Canadian value. Sure, some people see it as a hassle and more paperwork, but overall the vast majority do value the public's privacy and security.
BTW, do you know if there was any auditing on that database? Not all privacy enforcement is pro-active, to avoid being overly burdensome, but auditing can flag and catch abusers. That technique is heavily used in medical privacy, and for the medical files of celebrities.
Re:What the law says and what's done in practice . (Score:3, Informative)
Yes, unfortunately the law doesn't specify anything about penalties. To the best of my knowledge the highest damages that have ever been awarded for a violation of privacy rights were ~100k. Not bad, but that person was able to prove in court that he had suffered real monetary damages. Psychological distress doesn't count.
Courts have been reluctant about awarding damages. For example, the phone company published the phone number of a battered women's shelter by accident. They had to close the shelter, because they couldn't guarantee the safety anymore. They had to sell the house at a loss etc. and move elsewhere. The court awarded 15k in damages. That's a joke...
Another thing that the law describes is that you may only ask for the data you need. That has led to webmasters being "abgemahnt" (like a competitor complaining, costs you some money, but all without a court) for asking the name of newsletter subscribers (email address would have been enough)... uh well...
But guess what... Some companies just moved their computing centers to Chile, because they don't have privacy laws. They export the data, do the "illegal" cross linking in Chile, and then re-import the data.
It's not that simple in practice. Getting damages from a court is nice, but German courts are a bit more realistic in awarding damages. What's easier is getting a court order to have them stop. While the law doesn't specify penalties/damages, violating a court order can get you in trouble...
Re:So it happens... (Score:3, Informative)
Re:Toothless? (Score:1, Informative)
If you go to buy a car and they ask for your SIN you can decline since it is by law not required.
You only need to provide your SIN when it pertains to income, e.g. your employer, or a company/bank in which you hold investments (stock broker). They may only use this information for taxation purposes.
Even the CCRA, the Canadian IRS, does not use the SIN as a key in their database, because again the SIN is not unique; there are several people in Canada with the same SIN numbers. It was designed that way because, like the original intent of the SSN, it is not an ID number, just a number to aid in income tax and pensions.
Re:Serious (Score:5, Informative)
Yeah, it is truly bizarre -- if the business is making money off the product.
Sometimes, the business is making -- or plans to make -- the majority of its money off selling your name or your "eyeballs" (viewership).
Some MBA has convinced ShopShack that the real money is in selling its customers to other businesses, and MBAstard realizes that you just want to make the purchase and get on with your life. So a policy is made that the shop won't sell without getting your information, wagering that, having waited in the check-out line, rather than go to the trouble to buy elsewhere, you'll just do as you're told like a good little consumer.
The only effective response to this is to make the cost of doing this as high as possible for the business by
It's not easy, and it's not convenient, but if you want to keep your privacy, you need to make it uncomfortable and costly for those who want to take it from you. Make it costly enough, and the stores will stop doing this crap.
Re:Not retroactive? (Score:3, Informative)
The abolition of slavery was considered the work of religious radicals too, who had this wild notion that all those slaves were human beings and their book said it was wrong to keep human beings in bondage, but not every abolitionist was religious. The right to live, like the right to not be a slave, is something that plenty of people can grasp without the guidance of Holy texts.
So, at the end of the day, like most things, the problem can be blamed directly on religious people. In this case, American Christians.
At the end of the day, I find that most problems can be blamed on the intolerant. You know, like some American Christians... also, exactly like you.
Re:Not retroactive? (Score:3, Informative)
Failure to comply is a serious issue and may result in (now stealing from our website):
- Legal liability
- Industry and government sanctions
- Charges of deceptive business practice
- Fines and criminal records for your employees
- Severe damage to your reputation and brand
- Damage to your key business relationships
- Loss of business, financial penalties
- Customer and employee distrust.
I do believe this is a good piece of legislation. I look forward to seeing it applied and tested over the next year or two. Then we'll know if it's actually an effective piece of legislation.
Re:Toothless? (Score:3, Informative)
A credit report in Canada can be produced with none of the above information you have mentioned. The core information for a credit report in Canada is your name and date of birth and maybe a credit card or bank account number.
If a company in Canada tries to force you to give up your SIN for ANY PURPOSE other than that necessary to report income to the CCRA, they can have serious problems even prior to this most recent privacy legislation.
Add to that the simple fact that the SIN is not a unique number. Yes, there is more than one Canadian with the same SIN number. The CCRA (Canadian IRS) does not even use it for a unique key. Instead they use a large composite key of multiple pieces of information about you so that they know it is in fact you.
Why do you think identity theft in Canada is a shadow of the problem in the US?
In the US the SSN is everything. You are your SSN. In Canada you are identified by a much larger set of information that makes it substantially more difficult to impersonate you and also to prove when someone tries to impersonate you.
If you would like to know more about the law and why it should be taken seriously by all Canadian businesses, check out Blake, Cassels and Graydon, one of Canada's oldest and largest law firms; it has some excellent information on the privacy legislation and what it means to Canadian companies.
http://www.blakes.com/english/publications/focus/
Oh, and the law has already been used to protect people's privacy.
There was one case in which a Canadian bank (Canadian banks have been under PIPEDA since 2001) accidentally wrote "bankrupt" on a woman's address label on a bank statement letter she received. She complained to the bank and they were going to give her a $20 gift certificate; she complained then to the privacy commissioner and the bank was ordered to pay the woman over $2000 in damages.
This is for one single automated mistake that resulted in the mailman seeing that the woman was bankrupt. Imagine if 1000 Canadians had received a letter with that mistake; that is $2 million.
PIPEDA has teeth.
Violate Citizens rights and be exposed publicly (Score:2, Informative)
This right to publish a company's dirty secrets alone is a significant deterrent to companies who abuse citizens' privacy, not to mention the significant cash penalties that could result.
Also keep in mind that PIPEDA is one of the few ways in Canada where a class action type lawsuit can be brought, something that almost never happens in Canada.
For more information on what this law means to Canadian business check out...
http://www.blakes.com/english/publications/focus/
Here's an example (Score:4, Informative)
Parking lot [canoe.ca] complaints [canoe.ca]
825 complaints in 18 months in one city against one company. The data was sold by the government to the parking company.
Vip
Re:It IS absolutely retroactive (Score:4, Informative)
However, being a dentist, the transaction may well require an address to send a bill to.
If you're willing to pay at the desk, in cash, you can tell him no, and suggest that if he refuses based on that, you will contact the government of Canada for a PIPEDA infraction.
Re:Toothless? (Score:2, Informative)
As I understand it, use of the SIN for other than employment and taxation uses is illegal.
Re:The tale of Ray Diosack and Mike Rocenter (Score:3, Informative)
PIPEDA's been on the books for two years. It only came into effect for non-government agencies Jan. 1st. It's been in effect for crown corporations, agencies, and federally regulated industries for quite a while.
One of the stipulations of the act is that they have to inform you why they're collecting the information.
Re:What the law says and what's done in practice . (Score:3, Informative)
This is actually a EU directive [eu.int]. Or actually, two different ones. One dealing with regular privacy (enforced since 1998), and one with online privacy (enforced since last year). Seemingly when you read the text of the directive, it has a lot of teeth, but in practice they make exceptions every time someone asks. Like when the US insisted on having every bit of available information on EU citizens flying into the US (including the kind of meal they took, and how they paid for their ticket). The EU after some haggling made an exception that allows some, but not all, of the passenger information to pass to the US.
At least, a privacy law, even if it's not being enforced, is still better than no privacy law.
Re:It IS absolutely retroactive (Score:3, Informative)
As to 'giving the dentist consent to use the data how he wants'... the PIPA act (and I think with PIPEDA as well; I'd have to double check) requires the dentist, business, etc. to inform you exactly what the data is to be used for before you give your consent. Not quote 'how he wants', but spelled out in some detail so you know where it's going to go. Name so we know who you are; contact information so we know how to get a hold of you (e.g. recall reminders [though you are required to give the option of opting out], a manufacturer issues a recall on certain filling material so we have to call up all the patients about it, etc.), to send bills to if applicable; insurance information if applicable; medical information that may affect treatment or ability to treat, etc.
Most of this basically stays in-house. Insurance information will go back and forth between the office and the insurance company; medical information only if consultation with another dentist/doctor/etc. is required; specifics of treatment with the laboratory so they can fabricate prostheses. If you want to know what happens to it and why a dentist, business, or whatnot needs it, do ask, since they will be required to tell you exactly what it's for. If they can't show you why it's required, then you don't have to give it. For dental work, if you don't provide sufficient medical information that I can decide that you can be treated safely, then obviously I can't treat you. No billing information, then you'll have to pay up front. In my line of work, most of it is pretty obvious. I suppose things could get messier with banks and larger corporations.
Personally, I've been more concerned about the extra loops that I have to go through just to get work done more so than the act's impact on my ability to keep my information private.
That is the most absurd thing I've ever heard. (Score:3, Informative)
Do you even [wikipedia.org] know [wikipedia.org] what [wikipedia.org] socialist [infoshop.org] means [parecon.org]?
bacchusrx.
Re:Race? (Score:3, Informative)
The typical usage for "race" is actually voluntary disclosure of whether you are a member of a visual minority for the purposes of "employment equity" status for hiring preference.
The recent US name was "affirmative action" hiring.
It gets quite funny with security id cards that try to describe appearance (the form on file) without actually offending anybody where the actual only purpose is to ensure that Jill's id card is only used by Jill.
AND! You can curse on the radio! (Score:3, Informative)
Yes, while much of the US has their shorts in a knot over Janet Jackson's nipple, and the FCC wants even more draconian penalties for college radio stations that dare to broadcast the word f*ck, Canada rolls along, worrying about neither.
Trust me, 3PM on a school day is the best time to listen to hardcore punk rock!
Re:Radio Shack (Score:4, Informative)
He lied. The bypass is built into the register software. Complain to RS Corporate if this happens.
From http://corpinfo.radioshack.com/CompanyInfo/Ethics
[Getting off their mailing list]:
"Customers who prefer not to receive offers, promotions and other information, may call 800-415-3200, e-mail at www.radioshack.com or write at RadioShack Circulation, 100 Throckmorton, Suite 300, Fort Worth, Texas 76102."
[Not giving personal data]:
"Rest assured RadioShack values its customers regardless of whether or not they choose to provide us with their name and address."
[From elsewhere on the site]:
Ethics Team at RadioShack
Phone: RadioShack Hotline: (800) 826-3915
Email: ethics@radioshack.com
Fax: (817) 415-3922
Mail: RadioShack Ethics Team
100 Throckmorton Street, Suite 813
Fort Worth, Texas 76102
I've never had any such problem myself. Anytime they or anyone else asks me for such things I look them straight in the eye and give them a clear and firm "No.", loud enough to make sure it's understood that I could have said it louder.