Tuesday, January 20, 2004

Article: Life of PI

You've got to hand it to ITBusiness. They've done a great job of covering the implementation of PIPEDA, with regular articles that deal with different aspects of the law. In the article entitled Life of PI, Shane Schick considers the difficulties being faced by organizations thanks to the shades of grey in the Act.

Unlike most statutes, PIPEDA has little to do with rules. It is really a collection of principles. Coming from the Canadian Standards Association Model Code for the Protection of Personal Information, it was originally drafted to be voluntary best practices to be adopted by companies. Of course, they'd adopt it for their particular business, since it was drafted to be industry neutral. Moving from best practices to law is difficult for some to handle. Most people are used to laws being relatively black and white. "You can do this and you can't do that." Instead, PIPEDA confuses people by saying things like:

The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.

The form of consent shall be commensurate with the sensitivity of the information. An example of what is "sensitive" is provided. But wait! It says any information can be sensitive depending upon the circumstances. OK. It looks like it means the more sensitive it is, the more certain you must be that consent is informed consent and the more certain you have to be that you've actually obtained affirmative consent. Don't infer consent if the info is sensitive and don't presume consent. But in the end, the "user" is left to determine how sensitive the information is and whether the form of consent measures up.

It has been interesting to observe how people approach PIPEDA when they first read some of these provisions. They want answers and instead it is nothing but shades of grey. I have seen too many people throw up their hands, essentially saying that because they can't situate themselves in the spectrum of grey, it's futile. Others put themselves in the shoes of their more "privacy-aware" customers and think "If I were worried about my privacy, what would I want the company to do?" I prefer this approach. It is not a good idea to only try to technically comply or to do the absolute least. That's a recipe for trouble. If you can anticipate the needs/concerns/issues of the top five percent of privacy-aware customers and tailor your processes to get them onside, you should do OK. In short, err on the side of caution.