In an effort to give individuals control over how their information is handled by private organizations, many countries that have enacted comprehensive privacy laws that include a collection limitation principle. In this article, we will look at how Canada’s privacy law, The Personal Information Protection and Electronic Documents Act (PIPEDA), limits the collection of personal information. PIPEDA consists of ten privacy principles that undergird the rules for the collection, use, and disclosure of personal information. Specifically, the privacy principle number four establishes the responsibilities and limits an organization has when collecting personal information from individuals. If PIPEDA applies to your organization, this article will help you understand your responsibilities when collecting personal information.
How to remain compliant with limiting collection when your organization adopts identification and authentication processes
While identification and authentication have different definitions, an organization might have both identification and authentication processes and thus each process must be appropriately designed. That is to say, your organization must strike the balance between collecting enough information about an individual to authorize a transaction, without collecting, using, or retaining information that is not necessary for that purpose.
Identification allows an organization to ascertain an individual’s identity by certain characteristics including, for example, their name, birthday, or address. These are known as identity attributes. Identification ensures that an organization can remember a specific individual. Authentication is different. Authentication occurs when an individual presents themselves to an organization, or their website, and claims to be a customer with whom the business has a relationship. It is the responsibility of the business to authenticate that claim. A common way for an organization to have an individual authenticate their identity is a password.
PIPEDA accounts for the fact that there is no single approach to identification and authentication. However, the Office of the Privacy Commissioner of Canada overseeing implementation of PIPEDA recommends that organizations only identify when necessary. Organizations need to decide if identification is necessary to complete a transaction with an individual. If the transaction can be authorized in a way that ensures the same quality of security without collecting any personal information, then the organization should not identify an individual, unless there is a legal requirement to do so. If an organization does need to identify individuals to authorize a transaction, then they must do so using the least amount of information required. For example, the Office of the Privacy Commissioner of Canada caution’s organizations from using individuals’ driver’s license number or social insurance number as identifiers. After numerous complaints by Canadians to provincial Privacy Commissioners regarding organizations collecting and recording their drivers license numbers, the federal and provincial Privacy Commissioners have taken the stance that examining an individual’s identification card, without recording its contents is sufficient. The rationale behind this best practice goes back to the principle that organizations should collect the least amount of personal information possible to satisfy a legitimate business activity. And, because organizations have a duty under PIPEDA to protect the personal information they collect, organizations could subject themselves to litigation if they don’t protect that personal information.
Similarly, an individual should only be authenticated by an organization when it is necessary for the purpose of the transaction. If an individual does need to be authenticated, personal information should only be disclosed to that person once the organization is assured that the individual is who they say they are. Organizations should maintain reliable audit records of the authentication process including the date, time, and the outcome. The audit records, however, should not include the authentication information itself.
The intersection between the collection limitation principle, openness, and consent
In addition to the limiting collection principle specifying that collection of personal information must be narrowed to that which it is needed for, the limiting collection principle also establishes that information must be collected by fair and lawful means. Irrespective of the format organizations use to collect personal information, all organizations must identify the purpose for doing so, and obtain consent from the individual. First, this requires organizations to properly train their employees so they know how to explain to individual’s the purpose behind the type of information that is being collected from them. This intersects with the privacy principle of openness under PIPEDA. In addition to being open and transparent, an organization must obtain proper consent. The policy rationale behind obtaining consent is to reduce the likelihood of organization’s using deception or ambiguity when construing the purpose for which personal information is collected. An individual’s consent must be meaningful which will necessitate the organization to be clear in communicating the specific type of information that they will collect from an individual. Thus, it becomes clear that by potentially violating the collection limitation principle, an organization could also violate other privacy principles including openness and consent under PIPEDA.