Thursday, July 23, 2009

BC Privacy Commissioner issues license swiping decision

Earlier this week, the Information & Privacy Commissioner of British Columbia issued a decision (P09-01) related to the controversial practice of scanning photo IDs of patrons by bars, pubs and night clubs.

From the Commissioner's media release:


July 21, 2009

Information and Privacy Commissioner Releases Order on Driver’s Licence Scanning

VICTORIA — Information and Privacy Commissioner David Loukidelis today released Order P09-01, in response to a complaint about the scanning of a bar customer’s driver’s licence. The customer complained that, when he went to the bar, employees asked him to produce his driver’s licence, swiped it through a card reader and then required him to have his digital photograph taken. He did not receive what he considered to be a reasonable explanation for why his personal information was being collected and later complained under B.C.’s Personal Information Protection Act (“PIPA”), which regulates the collection, use and disclosure of personal information by businesses.

The OIPC investigated the complaint twice and a formal hearing was eventually held. In Order P09-01, the Commissioner has decided that section 7(2) of PIPA does not allow the organization complained about, the Wild Coyote Club, to force its customers to give up their personal information, to the extent this is now being done, as a condition of being allowed into the bar.

Section 7(2) says a business “must not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service.” The Commissioner accepted that it is “necessary” to collect personal information of certain customers for the purpose of operating a nightlife establishment, but not “to develop and maintain a personal profile containing the personal information of all customers in order to effectively track the few who may be removed from, and subsequently barred from re-entering, an establishment. Certainly, the full scope of information which is collected by Wild Coyote and the length for which it is retained is not necessary to achieve that purpose” (para. 98). The Commissioner therefore found that “a requirement for consent to the collection of personal information through the TreoScope system is a requirement for consent to the collection and use of information ‘beyond what is necessary’ for providing the service of operating a nightlife establishment in the terms I have described” (para. 98).

Section 11 of PIPA says a business “may collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances”.

The Commissioner found that, under s. 11 of PIPA, the collection of personal information was not appropriate in the particular circumstances, including given the nature and amount of personal information being collected. He found that “it is reasonable, in the case of Wild Coyote, for it to be able, in order to preserve a safe environment for customers, to identify those individuals who have been determined to be violent, or otherwise undesirable for re-entry from a safety perspective, and thus improve customer safety” (para. 127). He went on to say, however, that “much of the information collected by the TreoScope system”, including driver’s licence numbers, “does not further this safety purpose”, adding, “Moreover, I have not been provided with any reason related to improved customer safety for an establishment’s retention of any information at all relating to customers who are not involved in violent incidents” (para. 127).

As regards moving forward with a system for keeping banned customers out of bars, Loukidelis said this:

[132] Of course, I have received no submissions from the other parties on this alternative, and no details from Wild Coyote on how the system would operate if it were aimed at only maintaining a list of banned customers. As a result, I can only decide whether or not the collection as a whole, as it was being conducted at the time of the Investigation Report, complies with s. 11 of PIPA. For reasons already given, I conclude that it is not. The alternative proposed in Wild Coyote’s supplemental submissions would likely involve different considerations and cannot be addressed here.

In closing, the Commissioner said this:

[151] … I am well aware of, indeed share, public concern about gang violence and public safety in British Columbia. Some may assert that the technology involved here is synonymous with safety, such that any decision perceived to constrain ID scanning is a decision against safety. These are easy claims to make, but my duty is to apply PIPA based on the evidence and argument actually before me, which I have done.

[152] On the basis of the material before me, I have decided that it is reasonable for Wild Coyote to be able, in order to preserve a safe environment for customers, to identify those individuals who have been determined to be violent or otherwise undesirable for re-entry from a safety perspective, and thus improve customer safety. For the reasons given above, however, the collection of personal information as a whole does not comply with PIPA. In this light, and in view of the reasons given above, I invite –– indeed, strongly encourage––those involved to seek the views of this Office if they wish to find a solution for collecting personal information of a nature, and in a manner, that complies with PIPA.

Neither the Commissioner nor the OIPC will be giving interviews or commenting on this decision.

For previous posts on this topic, see the keywrd "id swiping".

No comments: