Saturday, January 15, 2005

Handling customer complaints under PIPEDA

Anybody reading the Canadian media before Christmas couldn't help but notice the huge amount of coverage given to a stream of faxes sent by a number of branches of a particular bank that kept on finding their way to a junkyard in West Virginia. The story took off and other complainants came out of the woodwork. Other banks were also the subject of stories, all related to mishandling of sensitive personal information (PIPEDA and Canadian Privacy Law: Bank faxes saga continues; involves other banks, too). Further examples of misdirected personal information are appearing in the media (see Customer privacy concerns continue at CIBC). The most obvious thing to learn from these incidents is that people need to be very careful when faxing customer information. Or mailing it. But what is not as obvious is that none of these stories should have ever made it as far as they did. Not only was customer information mishandled, but more importantly (from the bank's point of view), the customers were mishandled.

I've touched on this before (PIPEDA and Canadian Privacy Law: Two magic words, big effects ...), but it bears repeating. Where the banks (and most organizations that end up at the unpleasant end of a privacy complaint) went wrong is the way they acted when their misstep was brought to their attention: (i) they did little to assure their customers, (ii) they did not appreciate the gravity of the situation, and (iii) they did not escalate the issue to the proper level. From what I understand of the faxing fiasco, the faxes went from a wide range of branches to one unintended recipient. Calls to the branches may have elicited a response, but they were not reported to a higher authority who would get a sense of the big picture and realize that there was a problem and it was chronic. Each branch did not know that dozens of other branches were making the same mistake and nobody was tracking the issue. When it comes to privacy breaches, one person in senior management must be apprised of the situation. Only that person will know if it was a one-off incident or whether the screw-up is pervasive.

Secondly, employees of organizations need to be resensitised to the importance of the personal information they handle. It may not be important to the company, but that is irrelevant. It is important to the customer, so it must be treated appropriately. I happened upon an example of this at Ottawa airport the night before last. Sitting in the restaurant, the woman at the table next to me got up to go. She must have been an airline employee because she left behind a copy of a manifest for a flight from Halifax to Ottawa. Being a nosy sort, I picked it up. I recognized a few names on the list, including a particular superior court judge who would not have been impressed. It told me that the person in seat 23A was 73 years old and needed help to get on and off the plane (why they put her in a window seat at the back of the plane should be the subject of a different sort of complaint). It also listed who ordered kosher meals.

To some, this is sensitive personal information and should not have been left lying around. But I think that people who deal with sensitive personal information all the time become numb to the fact that it really is sensitive and needs to be properly protected. I am sure that all lawyers know of colleagues who can be pretty casual when talking about clients. I've certainly heard some doozies about testimony about intimate matters that was probably humiliating to the person to reveal, but really had no effect on the lawyers since they've seen it all. When the information is routine, you start treating it routinely. I have heard from dozens of managers and business owners who say that they don't have to worry about privacy law because the information they handle isn't "sensitive." Well, in many cases it is, but the company has forgotten that it is sensitive or may be sensitive to their clients. All businesses need to think about information through the eyes of their clients. Even more, they need to think about it through the eyes of their most sensitive, paranoid clients. Personal information is important and must be treated accordingly.

Finally, each customer concern must be treated seriously. Most people don't complain routinely. Some may be chronic complainers, but most are not. If a client takes the time to complain about how their information was handled, they have only done so because it matters to them. If you treat the complaint casually, it can easily get out of control. If they don't get satisfaction from the organization, with the respect and priority they think it deserves, they will take their complaint to the privacy commissioner or, worse yet, to the media. I've read all the published findings on the Commissioner's website. Initially, I would sometimes think that some people complain about truly trivial things. I scratched my head at more than a few. Then I began to wonder more and more often how the organization ever let the complaint get to the Office of the Privacy Commissioner in the first place. When a complaint gets that far, particularly about something "trivial", it is most likely because the organization didn't fix the "trivial problem" and let it get out of control. If you fix it as soon as it happens, that's it. No complaint. No problem.

I've dealt with customer concerns on behalf of clients. In almost every case, they are resolved favourably if you take the concern seriously, give it due priority, treat the customer with respect, and ultimately fix their problem.

To give an example, I was involved with a concern/complaint about a consent form that had been prepared for a client. This particular client was in a large industry but was the only location in their city that was visibly tackling the privacy issue. The customer called with some questions and was immediately referred to the privacy officer. Initially, the customer sounded a little indignant. He had read the form and had a problem with one of its provisions. We were satisfied with the correctness of the document, but the customer didn't seem to be amenable to our explanation. Since we were right, we could have told him that and walked away. But that wouldn't have ended the matter, since he knew enough about PIPEDA to make it likely that he'd buy a stamp and complain to the Commissioner. So we figured that if he was asking questions, there were probably a dozen or so customers who had the same question but didn't contact the client. Rather than fight it, we redrafted the form to make it more clear. We even asked the customer for his opinion of the new form and he approved. In the end, rather than have a potential complaint on our hands, the customer actually sang the client's praises around town leading to more business. Not only was a complaint avoided, but we managed to improve the customer's relationship with the client.

Privacy is not just a legal compliance issue. As an increasing portion of customers are concerned with the protection of their personal information and whether they can trust the companies they deal with, privacy is a critical customer relations issue. If you don't appreciate that fact and begin to look at your business through your customers' eyes, you are at much greater risk of having a complaint go to the Privacy Commissioner. That involves expense, a risk of bad publicity and a lost customer.

One further thought: I'm often asked by my clients about who should assume the role of privacy officer for their company. If they are a large company, they often think it should be their in-house counsel. At first blush, this seems sensible since a lawyer has the tools to understand and apply the law. I always say that it depends upon the individual lawyer. Many lawyers reflexively get defensive and switch into denial mode. (Or at least begin denying until they have a chance to investigate.) Because this is a customer service issue as well as a legal issue, the privacy officer needs to be customer-friendly. Not all lawyers have this trait. Automatic denials and switching to "damage control" tend to escalate matters, while empathy, understanding and focusing on a solution for the customer will calm the situation. A lawyer with privacy expertise should always be consulted, because this is a legal, risk-management issue. Few employees have the knowledge of PIPEDA to fully understand the company's obligations and the risk it faces in a particular situation.
