Privacy rules in collecting personal data for investigative purposes

Supported By:

Net Patrol International Inc.  Data Investigation and Forensic Services
Bankruptcy and Insolvency Trustees

Are you aware of how much companies know about you? Find out with ‘Access My Info’. IT World published this article July 11 this year introducing a website that enables organizations to query businesses about how they’re collecting and using personal data. The site aims to put the power back in Canadians’ hands, by automating their ability to find out what companies know about them.

Privacy is a sensitive issue. Only last week an insurance broker got fined $1,000 for not following MPI Privacy rules (CBC News article). The investigation found several occasions in which customer accounts were accessed for “no discernible reason,” and information was obtained without getting authorization and without recording customer comments. These are violations of privacy laws, including the Freedom of Information and Protection of Privacy Act, as well as the Personal Information Protection and Electronic Documents Act. What does this mean?

Personal Information Protection and Electronics Documents Act

The Privacy Commissioner released a publication entitled The Case for Reforming the Personal Information Protection and Electronics Documents Act (PIPEDA) in May 2013. This document proposes expanding the powers of the Privacy Commissioner in a way that should cause significant concern for fraud victims and those investigating fraud in the private sector.

Back in 2001 PIPEDA came into force with respect to federally regulated businesses. By 2004 it was phased in to affect all provincially registered business if a province did not have its own substantially similar legislation. The government primarily intended PIPEDA to protect Canadians from businesses that collected, used and disclosed their personal information for commercial purposes without their consent.

The idea behind this legislation (which was being enacted in many advanced countries around the world) was that individuals should be able to control to whom their personal information is disclosed – especially if was being sold for commercial purposes by electronic means. These were and remain laudable goals, as most Canadians do not want their personal information sold without their consent, and most Canadians do not want to receive unsolicited electronic communications from organizations that have purchased their personal information. For the most part, thankfully, the Privacy Commissioner has stuck to this mandate.

Reasons for non-consent provisions

Canadians should be concerned as to whether the Privacy Commissioner has taken an overzealous approach to privacy issues by attempting to regulate those conducting fraud investigations in the private sector and by regulating the reporting of information to the police by private organizations.

The authority of the Privacy Commissioner to regulate investigators in this way lies in section 7 of PIPEDA, which permits an organization to collect, use and disclose personal information without an individual’s consent if it is done so for the purposes of investigating some sort of legal wrong (such as fraud). The reasons for the non-consent provisions are obvious – being required to notify a fraudster that you are disclosing his or her personal information is counterproductive to:

1. Investigating those involved
2. Obtaining a recovery
3. Stopping the loss

Back in 2003 a lot of time and money was wasted by numerous organizations dealing with Industry Canada and the Privacy Commissioner’s office so that they could be listed as an “investigative body” in the regulations to PIPEDA (one of the stipulations for the disclosing of personal information of fraudsters and witnesses contained in section 7 of PIPEDA).

Then, as time went on, the Privacy Commissioner accepted complaints from persons who were subject to an investigation who alleged it was unfair that their information was disclosed without their consent (they somehow came to know of this after the fact).

Pixilated video surveillance

One of the more troublesome decisions of the Privacy Commissioner was that the images on convert video surveillance be pixilated so that the identity of the persons recorded by surveillance remained unknown. In addition to increasing the costs of investigations tremendously, this “guideline” of the Privacy Commissioner hampered an investigator’s ability to identify witnesses and it raised the issue of tampering with evidence when such images were subsequently used in legal proceedings.

It is fair to say that the legislators involved in drafting PIPEDA did not anticipate that the Privacy Commissioners (Mr. Radwanski and Ms. Stoddart) would interfere with private sector investigations to the extent they did. But the Courts have reined in the Privacy Commissioners’ ability to interfere in private investigations.

Collect evidence for investigative purposes

For example, an Ontario judge in the case Ferenczy v. MCI Medical held that the disclosure of personal information by a private investigator to his or her client was not a commercial activity for the purposes of PIPEDA, and accordingly evidence could not be excluded because of an alleged breach of federal legislation. The Privacy Commissioner was greatly dismayed with this ruling and refused to acknowledge the Court’s ruling as law.

Later a Federal Court judge in the case State Farm v. Privacy Commissioner of Canada supported the Ontario court decision, and further held that the Privacy Commissioner did not have the mandate to investigate complaints involving the collection of evidence for investigative purposes. The Federal Court went even further to state that the Privacy Commissioner is merely an ombudsman without order-making power.

“Non-consent” provisions liberalized for investigative purposes

Fraud victims come in all shapes and sizes. Some fraud victims are large institutions such as insurance companies and banks subjected to insurance schemes or commercial frauds. Others are large corporations subjected to internal thefts or external attacks on their intellectual and physical property. Others are small organizations and individuals subjected to a wide variety of misadventures.

Over the past 10 years, virtually nothing has been done by the Privacy Commissioner to enhance private and public sector law enforcement (other than voicing some concern about identity theft). Rather, the Privacy Commissioner has brought in policies that have frustrated investigations and significantly increased the costs of other investigations that still proceed.

Fraud victims and those investigating in the private sector have an interest in the “investigative body” designation being removed from PIPEDA, the section 7 “non-consent” provisions being liberalized for investigative purposes, and the Privacy Commissioner’s authority remaining that of an ombudsman. Responding to The Privacy Commissioner’s publication The Case for Reforming PIPEDA to ensure the government is aware of the concerns of fraud victims is once again necessary.

By Norman J. Groot
Read more articles at Investigation Counsel.