The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Privacy Calendar

Links

RSS FEED for this site

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Thursday, January 29, 2004

Sorry, but implementing privacy laws may upset some customers.

New laws, such as Alberta's new privacy law, often cause disruptions. There's a letter in the Edmonton Journal from an Epcor customer who is irate that she was not able to get information about her bill without her husband's OK. It appears that the account is in his name and EPCOR now has a policy that they won't give out information without the OK of the person whose name is on the account. I guess that seventeen years ago, when the account was opened, it didn't make any sense to put both names on it. More current practice that I've seen for new accounts is to ask the customer if they want an other person to have access to the account information. At least that was the case when I last set up an account with Aliant, my local phone company.

I have some sympathy for the writer of the angry letter:

"When I gave her my name she told me that due to the new provincial legislation regarding privacy and the disclosure of information to third parties, she could not talk to me. My husband was not at home at the time. I asked to speak to a supervisor and was given the same information.

I am livid. This account was established 17 years ago when we moved into our home and in fact our account is on Epcor's authorized payment withdrawal plan (we have a joint bank account).

The supervisor informed me that while we may have a joint account she still cannot talk to me. My husband would have to call Epcor and authorize them to add my name as a contact for our account! When he did call, they asked him for his date of birth for verification purposes. Turns out they have my date of birth on file.

I do not believe Epcor's practice is in the spirit of the new legislation. In fact, I called Shaw earlier this week where the account is also in my husband's name and had no problem talking with customer service about my account. "

While I may have some sympathy for her, the company in question is between a rock and a hard place, and it is better to err on the side of caution. They can't really rely on implied consent in this case, but one call from her husband should fix it.

I'm sure customers would be equally livid if they went through the experience of the guy in Missisauga Ontario whose ex-spouse received his cell-phone details without his consent, which were subsequently used against him and his mistress. (I can't find any other info on the story since the National Post took the September 27, 2003 story offline.) Philandering spouses usually don't get much sympathy, but the phone company was clearly in the wrong. It wouldn't take much imagination to imagine what sort of damage such a disclosure might have caused if it the records at issue were the calls made by an abused wife and the phone company had released records to an abusive spouse. Anybody thinking about what to do about releasing personal information really needs to weigh the inconvenience factor against the worst-case risk of harm. In light of the unfortunately reality out there, businesses really need to avoid accidentally giving the wrong people the tools to stalk, steal identities and commit violence. Unfortunately, nobody becomes aware of the disasters avoided.

Labels: information breaches