Media Centre

PIPEDA in relation to retail loss prevention techniques

Retail Loss Prevent Conference

September 19, 2006
Toronto, Ontario

Address by Kris Klein
Legal Counsel, Office of the Privacy Commissioner of Canada

Introduction

Thank you for the opportunity to be here today.

This is a good opportunity for the Office of the Privacy Commissioner to reach out to an industry that can obviously advance privacy interests in Canada. While the immediate gut reaction to the topic of privacy law and the need to prevent retail loss might conjure images of competing interests, I am going to argue that the two can actually work hand in hand, and actually, each interest can help the other out to positively affect your organization’s bottom line. I’m going to do this by explaining where the privacy law comes from – by understanding where it comes from, you can better understand how it fits into what it is you want to do. I’ll also take three broad areas that I identified as being relevant to your conference today. That is, I am going to try and address two issues that I’m sure you have thought of when it comes to trying to prevent retail loss: the first issue I’ll tackle is the use of the “new” technology referred to as RFIDs. The second issue I will look at is the use of video surveillance to prevent loss.

History of legislation, why it’s here.

The enactment of PIPEDA is part of a broader international movement to give individuals better control over their personal information in the hands of business. Since the 1970s, several countries of the European Union have passed legislation regulating the collection, use and disclosure of their personal information. International bodies such as the United Nations, the Organisation for Economic Cooperation and Development and the Council of Europe have also produced international agreements on the protection of personal information in the hands of the private sector.

In Europe, the European Union Data Protection Directive requires countries that are members of the European Union to limit the sharing of information about citizens of EU countries with businesses in other countries. In general, the Directive requires EU countries to refuse to allow transfers personal information to countries outside the EU unless those countries adequately protect the information.

That, in part, is why PIPEDA was enacted – to assure the European Union that Canada was serious about protecting personal information from Europe that comes into the hands of Canadian businesses. Unless Canada was able to give this assurance, businesses in the European Union would have great difficulty sharing personal information with Canadian organizations. This could have seriously hurt these Canadian organizations, including organizations in the retail sector. Fortunately, the European Commission decided in 2001 that PIPEDA provided an adequate level of protection to personal information. As a result, EU countries and businesses are free to transfer personal information to organizations in Canada that are subject to PIPEDA, various public sector laws provincially, and some provincial private sector laws.

PIPEDA helps both organizations and consumers in another way. Clear rules to protect the handling of personal information will build consumer trust and confidence in participating with traditional and on-line retail stores in Canada. For example, retail customers want to know that their privacy is protected when they're shopping on-line – not to mention when they pop into their favourite electronic store to pick-up those double AA batteries required for their child’s latest “must-have” gizmo. PIPEDA will help the marketplace – both the old bricks and mortar one as well as the new, virtual, on-line one – by increasing the confidence of consumers that their privacy is being protected.

The privacy protections in PIPEDA are largely based on a code for the protection of personal information that was developed by Canadian businesses, academics, consumers and government through the Canadian Standards Association. That code was called the Model Code for the Protection of Personal Information. We call this the CSA Model Code for short. PIPEDA therefore reflects the consensus of several business groups within Canadian society. In fact, the CSA Model Code forms the most critical part of PIPEDA and is found in the Schedule to the Act.

Loss prevention techniques:

Before moving on to the two techniques I want to talk about I want to emphasize the following:

1. Spend some time thinking about whether or not the technique you chose requires you to collect personal information. It’s only in those cases where you do that privacy legislation has to be considered.
2. If it does involve the collection, use or disclosure of personal information, the purposes for that have to be what a reasonable person would consider to be appropriate in the circumstances.
3. The collection, use and disclosure, if not done with knowledge or consent, must be done in accordance with one of the permissive situations found in section 7 of PIPEDA. Most notably, and by way of example, paragraph 7(1)(b) of that section allows the non-consensual collection of personal information if it is reasonable to expect that the collection with the knowledge or consent would compromise the availability or accuracy of the information and the collection is reasonable for purposes related to investigating a contravention of the laws of Canada or a province.

RFID

The idea of "smart chips" or radio frequency identification (RFID) isn't new. More than three years ago, the microscopic electronic tags – that emit signals and can be embedded into everything from clothes to cereal boxes – were being touted as an innovative way to keep track of inventory, make sure shelves are stocked with popular items and even prevent shoplifting. At that time, we raised concerns about RFIDs as a form of technology that could be open to potential abuse. We argued that the chips would have the potential to be easily linked to credit card numbers or other personal ID. That could lead to the creation of consumer profiles that would tell stores what you buy and where you shop.

RFIDs could also be used to track your whereabouts.

Today, some have advocated for the use of the chip to track their individual products. In response the Commissioner has publicly stated: "One of the primary concerns of this office is the deployment of RFID technology in Canada because it has such an implication to be integrated into daily life, in clothes, in objects, in food and things we take from the supermarket to our home."

In some ways, RFIDs are an extension of the bar codes that are now commonplace on nearly everything we buy, but the ability of smart chips to monitor an individual's movements and buying habits is more akin to something out of Big Brother. RFIDs, of course, can do this because they supply information back whenever they’re read and because they can be used to get information about individual products – not just pallets of inventory. In fact, they could also be embedded surreptitiously into not only a product, but an animal or even a person.

Specifically, Privacy Commissioner Stoddart is concerned that since consumers may not even be aware the chips are embedded in products, it may allow individuals to be monitored without their knowledge. As well, items purchased in a store could be linked to your credit card number or loyalty card and, from there, a profile could be created about your buying habits. And information compiled through RFIDs about your preferences and even details about your personal health could be passed along to a third party.

What it boils down to is this: RFIDs have the ability to reveal personal information about an individual. Once this is admitted and recognized, then a responsible organization will be able to tailor its use of RFIDs to make sure the technology does not end up being used in a way that violates privacy.

Video Cameras

Video surveillance of public places subjects everyone to scrutiny, regardless of whether they have done anything to arouse suspicion. At the very least it circumscribes, if it does not eradicate outright, the expectation of privacy and anonymity that we have as we go about our daily lives.

The medium’s very nature allows retailers to observe and monitor the movements of a large number of persons, the vast number of whom are law-abiding citizens, where there aren’t necessarily any reasonable grounds to be capturing a record of their activities. When video surveillance was done live, or even when the system used tapes, an operator had to watch each event to make a judgement about an individual. The result was that the volume of work kept misuse down to a minimum. Now we have digital systems. These systems have facial recognition ability and pattern recognition software that can massage the vast stream of images, so the actual use of the data increases, even if it is not by human operators. The likelihood of images being retained for further data mining increases simply because the workload is now potentially manageable. The risk of systematized observations of groups or persons now exists, simply because it is technically feasible. On top of all this, fear of terrorism and street crime has driven the numbers of cameras up, as public officials seek to assuage the fears of citizens and gain control of the uncontrollable.

Proliferation of video-surveillance raises a concern that inferences will be drawn about people, that the data will be used for trivial or discriminatory purposes. People are well aware of the presence of cameras, in fact there is a brisk trade in fake cameras because they are promoted as being as effective as real ones in deterring bad behaviour. For these reasons, there is good reason to believe that video surveillance of public places by the police, other law enforcement authorities and now even retailers has a chilling effect on behaviour – and by extension on rights and freedoms.

All that to say, does PIPEDA prevent the use of video cameras outright? No. Instead, the law provides guidance on when it is appropriate to use this type of loss prevention technique. Our office has developed guidelines on the issue of the use of video cameras to monitor people in public places. While they were originally designed as a tool for law enforcement, I suggest that they are mostly applicable to any organization that is contemplating using video cameras.

1. Video surveillance should only be deployed to address a real, pressing and substantial problem.
The problem to be addressed by video surveillance must be pressing and substantial, of sufficient importance to warrant overriding the right of innocent individuals to be free from surveillance in a public place. Accordingly, concrete evidence of the problem to be addressed is needed. This should include real evidence of risks, dangers, crime rates, etc. Specific and verifiable reports of incidents of crime, public safety concerns or other compelling circumstances are needed, not just anecdotal evidence or speculation.

2. Video surveillance should be viewed as an exceptional step, only to be taken in the absence of a less privacy-invasive alternative.
Less privacy-invasive alternative ways of addressing the identified problem should be chosen unless they are not feasible or significantly less effective.

3. The impact of the proposed video surveillance on privacy should be assessed before it is undertaken.
Some sort of study or analysis aking to a privacy impact assessment of the proposed video surveillance should be conducted to determine the actual or potential kind and degree of interference with privacy that will result, and the ways in which adverse effects will be mitigated.

4. consultation with employees/unions and customers might be appropriate prior to any decision to introduce video surveillance.

5. The video surveillance must be consistent with applicable laws.

6. The video surveillance system should be tailored to minimize the impact on privacy.
The surveillance system should be designed and operated so that the privacy intrusion it creates is no greater than absolutely necessary to achieve the system’s goals. For example, limited use of video surveillance (e.g., for limited periods of day, public festivals, peak periods) should be preferred to always-on surveillance if it will achieve substantially the same result.
If you are doing it surreptitiously you better have good evidence that it is reasonable in the circumstances and you better be sure that you fall under the exception in section 7 that allows for the non-consensual collection of personal information.

7. The public (or whomever is being watched) should be advised that they will be under surveillance.
The public should be informed with clearly written signs at the perimeter of surveillance areas, which advise that the area is or may be under surveillance, and indicate who is responsible for the surveillance, including who is responsible for compliance with privacy principles, and who can be contacted to answer questions or provide information about the system.

8. Fair information practices should be respected in collection, use, disclosure, retention and destruction of personal information.
The information collected through video surveillance should be minimal; its use should be restricted, its disclosure controlled, its retention limited, and its destruction assured. If a camera is manned, the recording function should only be turned on in the event of an observed or suspected infraction. If a camera records continuously, the recordings should be conserved for a limited time only, according to a retention schedule, unless they have captured a suspected infraction or are relevant to a criminal act that has been reported to the police. Information collected through video surveillance should not be used for any purpose other than the purpose that has explicitly been stated. Any release or disclosure of recordings should be documented.

9. Excessive or unnecessary intrusions on privacy should be discouraged.
Surveillance cameras should not be aimed at or into areas where people have a heightened expectation of privacy: for example, windows of buildings, showers, washrooms, change rooms, etc. If cameras are adjustable by an operator, reasonable steps should be taken to ensure that they cannot be adjusted or manipulated to capture images in areas that are not intended to be under surveillance.

10. System operators should be privacy-sensitive.
The operators of surveillance systems, including operators hired on contract, should be fully aware of the purposes of the system, and fully trained in rules protecting privacy.

11. Security of the equipment and images should be assured.
Access to the system’s controls and reception equipment, and to the images it captures, should be limited to persons authorized in writing. Recordings should be securely held, and access within the organization limited to a need-to-know basis.

12. The right of individuals to have access to their personal information should be respected.
People whose images are recorded should be able to request access to their recorded personal information. Under PIPEDA, they have a right of access. Severing the personal information in a recording (including technological blurring or blocking of the identities of others) may be necessary to allow individual access. Policies and procedures should be designed to accommodate these requests.

13. The video surveillance system should be subject to independent audit and evaluation – particularly in cases where the implementation is on a large or systemic scale.
The system’s operations should be subject to frequent audit, and its effectiveness should be evaluated regularly to identify unintended negative effects. Audit and evaluation should be conducted by persons or organizations independent of the management and direction of the video surveillance system. Audits should ensure compliance with the policy governing the system, including ensuring that only pertinent information is collected, that the system is used only for its intended purpose, and that privacy protections in the system are respected. Evaluation should take special note of the reasons for undertaking surveillance in the first place, as determined in the initial statement of the problem and the public consultation, and determine whether video surveillance has in fact addressed the problems identified at those stages. Evaluation may indicate that a video surveillance system should be terminated, either because the problem that justified it in the first place is no longer significant, or because the surveillance has proven ineffective in addressing the problem.

14. The use of video surveillance should be governed by an explicit policy.
A comprehensive written policy governing the use of the surveillance equipment should be developed. The policy should clearly set out:

• the rationale and purpose of the system
• the location and field of vision of equipment
• the rationale and purpose of the specific locations of equipment and fields of vision selected
• which personnel are authorized to operate the system
• the times when surveillance will be in effect
• whether and when recording will take place
• the place where signals from the equipment will be received and monitored, and
• the fair information principles applying to recordings, including security, use,
• disclosure, retention and destruction
• rights of individual access to personal information captured, and
• rights to challenge compliance

The policy should identify a person accountable for privacy compliance and privacy rights associated with the system. The policy should require officers, employees and contractors to adhere to it, and provide sanctions if they do not. It should provide a process to be followed in the event of inadvertent privacy and security breaches. Finally, it should provide procedures for individuals to challenge compliance with the policy.

15. The public should have a right to know about the video surveillance system that has been adopted.
You should recognize that individuals will want information about video surveillance systems. They may seek to know, for example, who has authorized the recording, whether and why their images have been recorded, what the images are used for, who has access to them, and how long they are retained. You must be prepared to provide this information.

Conclusion – the 4 most important things to remember:

1. In choosing a retail loss prevention technique, ask whether or not you’re collecting personal information. If you are, do you need to make the technique work? For example, RFIDs can be used in a way that no personal information is collected.
2. If you are collecting personal information in the technique that you choose, the law requires two tests to be met:
1. The collection of personal information must be what a reasonable person would consider to be appropriate in the circumstances: Cameras in a bank – probably yes; video cameras in a tanning salon private chamber – probably no.
2. The collection, if not done with knowledge or consent, must be done in accordance with one of the permissive situations found in section 7(1) of PIPEDA. Most notably, paragraph (b) of that section allows the non-consensual collection of personal information if it is reasonable to expect that the collection with the knowledge or consent would compromise the availability or accuracy of the information and the collection is reasonable for purposes related to investigating a contravention of the laws of Canada or a province.
3. Loss prevention – whether by preventing illegal activity or by reducing errors – is doable within the framework of PIPEDA.
4. In fact, doing it within the framework and ensuring that customers know that you are is beneficial. It builds trust in you, your product and your brand name… and that’s the best way to positively affect your bottom line.