The Office of the Privacy Commissioner of Canada released its Report of Findings into the Loblaws matter this week. This case was first reported in the news several months ago when people complained they had to provide a fair amount of personal information in order to authenticate themselves if they wanted to receive a compensatory gift card as part of the bread price-fixing fiasco. So, suffice it to say, they were an already-irritated bunch.
It turns out that, after all the hoopla, Loblaws didn’t really do too much wrong in this case. I cannot say I am surprised. In a few instances, they did ask for people to provide their driver’s license as part of the authentication process and failed to adequately inform them that they could redact all the information on the license except for the name and address. As they got better with their communications (isn’t it almost always about better communications?), people were informed of other ways they could prove proof of address.
So, the news amounts to an overcollection of information — namely, the driver’s license number — but for me, there are other nuggets in the OPC’s report that are worth focusing on.
First, the OPC quotes from the Loblaws privacy statements and endorses the language used to explain how the personal information was being processed in other countries. It’s one of the first instances that I can think of when the OPC has provided an example of language for these messages that it considers adequate. I’m particularly glad with this because if the OPC reports more often in this manner, we’ll be able to learn what language meets requirements and what language fails to meet the test.
Similarly, the OPC examined the contracts that were in place between Loblaws and its processors. While the specific contractual language is not repeated, the OPC does provide a shopping list of clauses that were contained in the contracts. Paragraph 41 of the report says:
“The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.”
Moreover, the OPC endorses these clauses as having met the accountability requirements in the Personal Information Protection and Electronic Documents Act. The European DPAs have long provided input on what specifically needs to be in a contract, and it’s good to see the OPC providing an example in this case.
I guess, in a perfect world, they might even go a step further and provide a precedent contract for us privacy pros to use when negotiating with our processors. But, regardless, this is definitely a step in the right direction, and I hope for more of this type of guidance in future Reports of Findings. On that note, I can’t help but notice that the Loblaws case summary is numbered 2019-003. If that means we have only had three reported cases this entire year, I’m disappointed because, in my mind, they can be a really excellent way of getting meaningful guidance out there.