TORONTO — The Canadian Imperial Bank of Commerce is trying to figure out how to change its privacy policy so that it will only collect information from customers who have granted express consent, rather than a negative opt-in.
The change could affect everything from the vast financial information CIBC holds in its databases to the application forms for all its products like loans and mortgages. The bank has not determined what steps it will have to take to move to express consent, but one of its senior executives said it is a critical part of its effort to comply with Canada’s privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).
“We’re talking about it now,” said Leighton Reid, CIBC’s senior counsel with the Legal and Compliance Division, “but it’s like moving the Titanic around.”
Reid was speaking as part of a panel that discussed how privacy laws affect Canadian companies convened by the law firm Gowlings Lafleur Henderson LLP Tuesday. He said that while the bank has been working on privacy issues for more than 10 years, it continues to review its strategy.
Express consent would require a definitive “yes” or “no” from customers before an organization could collect and store personal information. For most situations, many banks and federally-regulated companies rely on a negative opt-in approach — customers must specifically request their information to be removed from a database or mailing list, usually by calling a phone number or mailing a form back to an organization.
“I think we are gradually moving to an express consent culture within the banking industry,” Reid said.
Not fast enough for the office of Canada’s Privacy Commissioner, George Radwanski, who was represented on the panel by general counsel Heather Black. “I can’t speak for the commissioner, but I think I can say with pretty good certainty that he hates negative opt-ins. He really hates them,” she said. “Negative opt-ins are too easy for companies to do.”
PIPEDA, which came into effect for federally-regulated companies like banks last year, does not explicitly prohibit opt-ins or opt-outs. The law (formerly known as Bill C-6) is based in part on voluntary guidelines established by the Canadian Standards Association in the mid-1990s. Reid said banks like the CIBC also followed a code developed by the Canadian Bankers’ Association in 1990. CIBC then followed up by establishing a committee to look at the areas of personal privacy that banking customers face. “What you really need are the product people and the internal audit people who really know what’s in the application form, what kind of information is collected and where it goes,” Reid said.
Privacy, as the committee learned, can have an impact on many strategic initiatives in large organizations, Reid added, even the interior design of CIBC’s branch offices. “We’ve been moving to an open concept design for years,” he said, “but when the cubicle walls are being lowered and you’re putting people on speakerphone, you’ve potentially got conversations being overheard.”
CIBC’s privacy code included an amended customer consent clause that appears on all its application forms and a booklet (“Your Privacy Is Protected”) that is given to all new customers. This has since been modified after the introduction of PIPEDA, which has more detailed requirements in areas like access to information rights.
Other issues at CIBC included training its more than 40,000 employees on the privacy policies and developing policies for its subsidiaries and its operations in other countries like the United States and Britain.
Reid said if he had any advice for other companies, it would be to address systems issues as soon as possible so that organizations can properly capture customers’ privacy preferences. “They have to be recorded somewhere,” he said. “Systems and application forms will do you in because you’ll wait until the eleventh hour before the law comes into effect.”
Black said organizations like the CIBC are wise to prepare early. “If you follow the CSA code, you’ll generally keep out of trouble,” she said. “We’re all potential complainants — we all have relationships with these companies, the banks, the video store. You should know what kind of information they’re collecting and what they’re doing with it. Your customers are asking these same questions of you.”
Health-care organizations had to comply with PIPEDA at the beginning of this year. All other national organizations will have to comply by 2004.