What’s significant about the Loblaw report

I finally got around to reading the @PrivacyPrivee report of findings on Loblaw’s manner of authenticating those eligible for a gift card. The most significant (or at least enlightening) thing about the report is that the OPC held that residential address, date of birth, telephone number and e-mail address were, together, “sensitive.” It did so in assessing the adequacy of the contractual measures Loblaw used in retaining a service provider for processing purposes. It said:

  1. The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.
  2. As outlined above, the additional ID’s requested by the Program Administrator were collected through a secure channel (if online) or by mail, verified and then destroyed.
  3. In our view, given the limited, albeit sensitive, information that was shared with the Program Administrator, as well as the limited purposes and duration for which that information would be used, Loblaw’s detailed contractual requirements were sufficient to ensure a level of protection that was comparable to that which would be required under the Act. Therefore, in our view, Loblaw did not contravene Principle 4.1.3 of Schedule 1 of the Act.

Residential address, date of birth, telephone number and e-mail address together make up a set of basic personal information. In analyzing it, one must recall the “contact information” that the Ontario Superior Court of Justice said was not “private” enough to found a class action claim in Broutzas.

Don’t be misled, though. The OPC made its finding because Loblaw was engaged in authentication, and collected a data set precisely geared to that purpose. The potential harm – identity theft – was therefore real, supporting a finding that the data set as a whole was sensitive. Context matters in privacy and data security. And organizations, guard carefully the data you use to identify your customers.

Case Report – LSAC allowed to substitute submission of photos for fingerprints

You may have heard about the federal Privacy Commissioner’s May 29th report on the Law School Admission Council’s practice of collecting fingerprints from LSAT test takers.  Her office recommended that LSAC cease the practice but allowed it to substitute a practice of collecting test takers’ photographs.

There are some notable findings in the report.  Namely:

  • the OPC rejected LSAC’s argument that it was engaged in educational rather than commercial activity, finding that its core activities provided a service to its member law schools;
  • the OPC held that fingerprints are more sensitive than voice prints and less sensitive than one’s photographic image; and
  • the OPC made another comment de-emphasizing the significance of cross-border transfers of personal information.

The report also highlights the difficulty of sustaining a collection practice based on deterrence alone. The case for deterrence is often logically compelling, but proving that collecting information effectively deters misconduct is hard. (For more on this theme, see the IPC/Ontario’s recent surveillance report.) LSAC had not once used a fingerprint to identify a fraudulent test taker since it started collecting them in the mid-1970s, so it was difficult for the LSAC to justify its practice on any ground other than deterrence. It also claimed that it simply wanted to assure its members that it was doing all it could to ensure the security of the test. The OPC seemed to accept this purpose as legitimate, but not compelling enough to justify collection of fingerprints. The LSAC proposed collecting photographs as a step-down solution mid-way through the investigation, and the OPC held that this alternative would achieve the appropriate balance because images are “marginally” less sensitive.

Report of Findings:  Law School Admission Council Investigation (29 May 2008, OPC).