When it comes to privacy, organizations are required to follow federal and provincial legislation which prohibits the use of personal information in an inappropriate or unreasonable manner. As part of the federal private sector, The Personal Information Protection and Electronic Documents Act (PIPEDA) determines proper conduct by organizations throughout Canada. Differently, The Privacy Act covers the personal information handling practices of the federal government itself.
My guest today is Vance Lockton, Senior Analyst for Stakeholder Relations at the Office of the Privacy Commissioner of Canada. Vance explains that the Privacy Commissioner, Daniel Therrien is an officer of Parliament and reports directly to the House of Commons and the Senate, and is independent of the government in place. Vance details the laws in place for debt collectors, how investigations under the Office of the Privacy Commissioner of Canada are conducted and provides advice for listeners for protecting your personal information.
Table of Contents
Privacy laws for collection agents
We’ve talked about collection agents on this show before. We’ve talked about how to stop collection calls and the kinds of strategies that collection agents will use to find debtors. Mark Silverthorn revealed several “dirty tricks” that some collection agencies use to collect on a debt. With that in mind, I ask Vance whether collection agents are subject to any laws when it comes to protecting your privacy.
Vance explains that there are limits on what a debt collector can and cannot do when it comes to protecting a debtors privacy. Debt collectors are subject to PIPEDA (unless regulated by a similar legislation based on province, including Quebec, Alberta and British Columbia) as well as provincial laws such as Ontario’s Collection and Debt Settlement Services Act. Vance details three specific rules that debt collectors are required to follow under PIPEDA:
- Get consent for the collection, use or disclosure of personal information;
- Protect personal information using appropriate safe guards; and
- Only collect, use or disclose personal information for the purposes that a reasonable person would consider appropriate.
However, when it comes to debt collection, there is an exception that says that information can be disclosed without consent for the purposes of collecting on a debt owed to an organization. Vance explains that this exception makes it possible for organizations, such as banks, to send debts to collections. However, he also points out that
the exception doesn’t give organizations carte blanche to disclose any information they wish, to any parties they wish.
Case summary 2004-282 put out by the Office of the Privacy Commissioner, shows one example where a debt collector revealed too much information for the purposes of collecting demonstrates unreasonable use of personal information by a debt collector. Differently, in a separate case summary, although a collector called relatives to locate the person on file, they didn’t reveal any information other than the existence of a debt and the Office found that to be a reasonable use of information. When it comes to ruling on a particular case, Vance explains that context matters and that when it comes to deciding whether privacy laws have been violated will differ based on the details and context of each situation.
What can I do if my personal information is disclosed inappropriately?
Although privacy laws exist, violations of those laws still occur. If you feel that your personal information has been disclosed in a way that goes against PIPEDA , Vance suggests that you visit their website to ask a question to their information staff or fill out their form to file a complaint under PIPEDA so that they can investigate further.
When a complaint is investigated, Vance explains that they are
working to ensure that the organization does have the appropriate practices in place; that they do have the right consideration of privacy and the understanding of privacy.
Following an investigation, Vance points out that having the ability to publish a report and name an organization as having done something negative, typically creates change when it comes to following privacy laws in Canada because most organization don’t want to be in the spotlight for negative behaviour.
How can I protect my personal information?
Although there are laws in place to protect consumers’ and debtors’ personal information, Vance explains that it’s important that we take steps to safeguard our own personal information as well. He offers up four tips that can help to protect valuable information and prevent actions like identity theft:
- Exercise caution when giving out your personal information;
- Ask questions about how your personal information will be used, shared, safeguarded and why it’s needed;
- Don’t give out more information than is necessary, for example, your social insurance number;
- Be aware of what’s out there – run a Google search on your name to see what information comes up. If it’s information you can control, have it taken down.
Read the full transcript below.
Resources Mentioned in the Show:
- Office of the Privacy Commissioner of Canada Website
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- The Privacy Act
- Privacy Legislation in Canada Fact Sheet
- Privacy Complaint Form
- Collection and Debt Settlement Services Act
Case Summaries Mentioned in the Show:
FULL TRANSCRIPT show #64 with Vance Lockton
Doug Hoyes: We’ve got a great show for you today with a guest who has a lot to say about the world of debt and finance but he isn’t an accountant or bankruptcy trustee or a financial advisor or a journalist. So, I think it’s going to be a great show with some unique perspectives. So, let’s get started. Who are you and what do you do?
Vance Lockton: So, I am Vance Lockton. I am Senior Analyst for Stakeholder Relations at the Office of the Privacy Commissioner of Canada.
Doug Hoyes: Thanks for being here Vance. What is the Office of the Privacy Commissioner of Canada? What do you guys do?
Vance Lockton: So, the Privacy Commissioner of Canada, his name is Daniel Therrien at the moment. He’s an Officer of Parliament so that means he reports directly to the House of Commons and the Senate; he’s independent of the government of the day. So, the election didn’t change our boss.
We oversee compliance with two acts. The Privacy Act, which covers the personal information handling practices of Federal government department and agencies and PIPEDA, the personal Information Protection and Electronic Documents Act, which is the federal private sector privacy law. And that’s the one that I’ll speaking to during this discussion.
Doug Hoyes: And what is the difference between the Privacy Commissioner of Canada and the Privacy Commissioner of Ontario, or is there such a thing?
Vance Lockton: There is such a thing. So, there is an Information Privacy Commissioner of Ontario. It’s essentially a jurisdictional difference. So, we oversee commercial activity in the province of Ontario. The Information Privacy Commissioner of Ontario oversees collection of information by health institutions, universities, schools as well as municipal and provincial governments.
Doug Hoyes: Got you, so there is a bit of a difference there. Well, I mean this a show about debt so perhaps we can start by talking how your work intersects with the world of debt. And I’m thinking in particular about collection agents ’cause that’s a topic we’ve discussed many times on the show before. And it’s, I’m guessing, an area that people tend to get upset about and have complaints about. And so, I guess let me start by asking you from a privacy point of view are there any limits or what are the limits on what a debt collector is able to do.
Vance Lockton: In general, debt collectors will be subject to the provisions of PIPEDA, unless the operate in certain other provinces that have substantially similar legislation, such as Quebec, Alberta and British Columbia at the moment. But that act is a principle’s base law that kind of sets out the ground rules for how private sector organizations can collect users and disclose personal information.
So, for example, any organization subject to law, including debt collectors, would generally be required to obtain consent for the collection, use or disclosure of personal information. And they’re required to protect personal information using appropriate safe guards as a list of ten of these principles. And there’s also an overarching clause that personal information may only be collected, used and disclosed for purposes that quote, a reasonable person would consider appropriate under the circumstances.
So, that’s kind of the general principles based that debt collectors are controlled by federally. Now provincially there are other laws that they’d be subject to; Ontario has their collection and debt settlement services act that sets out certain limits. But again, because our office doesn’t oversee that I’m not really in a position to speak to the details of it. But there’s some good resources online for both debt collectors and debtors that set out the principles of that. And I’ll provide a link for that for your show notes.
Doug Hoyes: Yeah, that would be great. Our show notes will be available at hoyes.com, so anything we talk about today we can reference there and people – anybody listening we’re more than happy to have you go there and click on the links and get more information.
So, you used the phrase, I’m paraphrasing a bit here but you said reasonable and appropriate in the circumstances. So, if I’m a debt collector for example, I’m supposed to have consent and I’m supposed to protect whatever private information I get, but whatever I do it has to be reasonable and appropriate in the circumstances. So, can you talk practically about what does that actually mean? So, what would be reasonable and appropriate or what would definitely not be reasonable and appropriate when it comes to private information of people?
Vance Lockton: So, I’ll start with one interesting piece. So, while there’s the general requirement form for consent for disclosure of information, there is actually an exception with our law specifically speaking to debt collection that says that information can be disclosed without consent for the purposes of a collecting of a debt owed to the individual to the organization. So, again, that’s what kind of allows banks to disclose information to debt collectors and things along those lines. Again, that exception doesn’t give organizations carte blanche to disclose any information they wish, to any parties they wish.
And just kind of by way of example we’ve got – one of the things that our office does is publish what we call case summaries. So, just kind of interesting points of law, we put them on our site, it’s priv.gc.ca and I’ll kind of give some links to specific cases here.
An example of kind of the overstepping that we’ve seen is, case summary 2004-282 and we kind of saw that a bank, this happened to be a bank, was calling and complaining this company just to ask in order to start a process of garnishing this person’s wages. But during those calls the bank’s collectors disclosed again much more information than was necessary for that purpose. So, we were given evidence of a voicemail recording that was stated – I’m paraphrasing now – I don’t know what type of company you’re running but given the complainant history of not paying bills I can’t really say I’m surprised by your lack of professionalism.
So, we – hearing things like that, our assistant commissioner at the time recognized in her findings that the debt collector has to be able to disclose some information to an employer when seeking to, for example to garnish a debtor’s wages. But here the bank had gone too far. So, I mean they had revealed the debtor’s payment history, the amount of money owed, the fact that the debtor’s credit card was suspended from future use. And we kind of said none of those pieces were necessary to match the purpose of starting to garnish this person’s wages. So, that’s kind of where we will be looking is, what is the purpose for making a call or making a particular disclosure and is that reasonable first of all? And then second of is the information that’s being revealed beyond that which is necessary to serve that purpose?
Doug Hoyes: So, if I’m a debt collector and somebody owes money and I want to garnishee somebody’s wages, obviously I’ve got to go to court and get a judgment and everything; I can’t just do it. But I mean let’s assume that I’ve done that, I’ve got a judgment I just don’t know where the employer is, I think I found the employer. So, I can phone up the employer and I can say, does so and so work here?
Vance Lockton: Right.
Doug Hoyes: That would be reasonable and appropriate in the circumstances to ask that question.
Vance Lockton: Right and again we have to say just given our roles and oversight body we can’t give, in essence, advance rulings on a particular matter. I mean we kind of have to say it, as I keep saying, the context matters. So, it’s hard to speak in generalities. But yeah, something like that. We’ve seen cases where again, on our site we can point to cases where we kind of say a bank has a customer who’s loan has gone into default. They can’t find him so they call his ex-wife and they call his ex-wife’s lawyer and they call his daughter. Just again, all in an attempt to find this or to be able to locate this individual and again they didn’t reveal anything beyond the existence of a debt and obviously the fact that it relates to this person. And we kind of found that to be reasonable. We kind of said that’s a reasonable amount of information to have disclosed for the purpose of trying to find this person.
Doug Hoyes: So, trying to find a person is one thing, but where in the case you sighted they went over the line was where they started disclosing more information than necessary, such as the guy hasn’t made his credit card payments for years and his credit card’s been suspended and that’s not necessary to track the person down, and therefore, that’s not reasonable in the circumstances.
Vance Lockton: Right.
Doug Hoyes: So, what is the penalty, then? So, let’s say I’m a consumer who has been aggrieved by what you just talked about. I do owe money to a bank and I haven’t paid, but that particular bank has called my employer and released a whole lot of information that they shouldn’t have. What steps should I as a consumer then take?
Vance Lockton: So, if you visit our website there’s right on the front page of our website there’s a link that says “need our help?” And on that site there’s contact for both our information centre if you just want to raise – ask a question to one of our information staff. And there’s also a link to file a complaint under PIPEDA. So, there’s a simple form to fill out that you would just describe the issue that you’re having describe why you feel that there was a problem with the particular disclosure that was made and we would then investigate the matter.
Doug Hoyes: And really yours is, I would characterize it then, as complaint driven organization?
Vance Lockton: Yes, we are a complaint driven organization. We do have the ability to have Commissioner initiated complaints as well. So, if there is an issue that comes to our attention that we haven’t directly received a complaint about, we do have the ability to have our Commissioner initiate a complaint. But generally 95 or more percent of our complaints are ones we receive from individuals.
Doug Hoyes: Which kind of makes sense because it’s impossible for you to be out there watching every single thing that goes on in Canada; you’re not Big Brother, people have to bring these things to your attention in order for you then to take action.
So, I do what you say, I go to the website, priv.gc.ca, I click on either English or French and I click on the need our help button, I fill out the complaint form. Your organization then would investigate it and then let’s take this case that you quoted, the bank obviously was in the wrong. Well, that’s what you decided, your organization decided, so, what happened to the bank, then? What was the upshot of it?
Vance Lockton: So, what happens next at that point, once we’ve issued our findings, we have the ability to go through a few steps. So, what we’re trying to do through our findings and through the complaint process in general, is come to a resolution. So, we are working to ensure that the organization does have the appropriate practices in place; they do have the right consideration of privacy and the understanding of privacy.
Then in the case that we cited there wasn’t a lot of follow up that happened, partially because the debt collectors in question no longer worked for the bank by the time the complaint was finished. However, there is the option, with any report actually, to then take action through the federal courts, whether that’s attempting to recover damages if damages can be established or enforce changes, enforce recommendations that we’ve made. So, the follow up for us, the follow up that we have available at any complainant has available, is immediately federal court.
We’ve also seen a number of instances where our reports are used by individuals if it’s established that they’re aggrieved, that they’ve taken that as a piece of evidence in a small claims court action or in an attempt to reach a settlement independently with the organization that has aggrieved them. Again, those aren’t formal mechanisms; those are just kind of things that we’ve seen happen in the past.
Doug Hoyes: And I would assume that a lot of the success you have is really in the category of moral suasion. That by highlighting this as an activity that isn’t appropriate, I suspect when you go to a big Canadian bank and say hey your collectors are doing that, they’re response is probably to say you know what, that isn’t right, you’re right, we’re going to stop doing it.
Vance Lockton: Right and that is kind of our strongest power. And one of the things that are able to do is we almost have the potential for what we’d call a marketplace impact of we have the ability, following a complaint the commissioner is able to publicly report on the personal information practices of a public or private sector organization. So, should we determine that it’s in the public interest for individuals to understand that this is how this organization is treating personal information; we have the ability to again name – publish the file and name the organization.
Doug Hoyes: And that’s what really brings them more into line, I guess, rather than having some federal court case on it. If I’m a big bank I don’t really want my name associated with something negative. So, I’m probably going to come into line and it’s kind of marketplace regulation I guess, is what it really is. You don’t have to use the courts as much just putting it out there. So, that’s probably a very good model I would think.
I want to ask you about another court case or maybe not a case one of your case files, good old 2015-002, which is referenced on your website. In this particular case there was a company that operated a website and if I understand correctly they republished Canadian court decisions, tribunal decisions, that sort of thing, which contained people’s personal information. And your organization had some issues with what they were doing. Are you familiar with that case and do you have any comments on it?
Vance Lockton: I am. I – funny enough I happened to be the investigator on it.
Doug Hoyes: So you’re very familiar then.
Vance Lockton: Yeah. So, with that case the organization was collecting court documents from what we’ll call more legitimate legal sources and republishing them online. And the primary difference between what they were doing and what some of these other legal sources were doing is that they were allowing those documents to be indexed by search engines.
So, it kind of change the accessibility as opposed to somebody having like a legal researcher kind of going to one of these sites and trying to find case history on a particular issue. Now we are seeing issues where individuals could be just doing a quick search for their own name or search for the name of a friend or what have you. And all of a sudden within the top few results of their site they were seeing their bankruptcy file listed or a custody case or a divorce hearing. A lot of very kind of sensitive interactions with the court system were being published. And to top that off we had this organization that was saying, well if you don’t like that you can pay us a fee and will take that page down off our website so that it no longer appears in the search results.
Doug Hoyes: Blackmail.
Vance Lockton: Yeah, yeah. We try not to use the blackmail, extortion term but it’s kind of – there’s this implication that we try to make that’s essentially what it was.
Doug Hoyes: Well fortunately, I got my own radio show here so I can say whatever I want you see. I’m not limited by any specific rules. So, and the point is, I guess, this was publicly available information. So, if I knew where to look for it I could find it. And your example of a divorce case, so we’re arguing over splitting of assets, child custody, whatever, so a lot of facts have to come out as a result of that. Obviously those are court records the court has them. But that’s totally different from then putting them in to a place on the internet that Google can index them.
Vance Lockton: Right. And we recognize there’s a legitimate reason for these documents to be published in the first place. I mean there is strong rationale for having open courts that publish their decisions so there is that level of transparency and oversight for courts. The Canadian judicial council itself actually said in its rules for making those publications they said the intent isn’t to associate that with search results for an individual’s name. We’re trying to create court transparency; we’re not trying to saddle an individual with all the details of his divorce or bankruptcy for a memorial.
Doug Hoyes: Yeah and so what you’re saying is there’s a big difference between information being published online and information being published associated with my name, online.
Vance Lockton: Right. So, there is a differentiation within our legislation of what’s called publicly available information. The term probably doesn’t mean what most people think it means. So, there are again exceptions to the collection use and disclosure requirement for consent when we’re talking about publicly available information. But that term, that publicly available information, only refers to, very strictly defined to generally things that governments have published so court records or phone book records of things like that. First of all, there’s a limited definition of the term and second of all the exceptions of how that information can be used only apply when that information is used for a purpose consistent with that for which it was initially published.
Doug Hoyes: Got you. Well, that’s very interesting. I’m going to take a quick break here and I’d like to come back and ask you a bit about how social media fits into this. So, we’ll take a quick break and I’ll be right back with Vance Lockton, you’re listening to Debt Free in 30.
Let’s Get Started Segment
It’s time for the Let’s Get Started segment here on Debt Free in 30. My guest today is Vance Lockton, who is with The Office at the Privacy Commissioner of Canada.
So let’s talk practically, then. What advice would you give to consumers regarding keeping their information private? Obviously there’s a whole bunch of information out there, all over the internet. You can’t keep everything private, but what are some basic general principle advice you would give people to keep your information private?
Vance Lockton: So, I think that’s actually a very important question. I was kind of looking through some of the back issues of this show and I kind of saw your episode 57 as far as I saw was a guy, Blair Demarco-Wettlaufer, who introduced the two of us. And he kind of made the point that even if there were limitations on what debt collectors could do, it doesn’t necessarily mean all agencies are going to follow those; I’m assuming he wasn’t talking about his own agency. But we’ll kind of just give him that one.
So again, I think it’s very important that individuals do take steps to protect themselves while our office works towards ensuring organizations comply with privacy laws. So, we have a number of resources available for individuals on our site and I’ll give a few links to those like our fact sheet on identity theft. But a lot of our advice almost comes down to just that level of caution that individuals should have. And that individuals shouldn’t be afraid to ask questions. I think one of the best protections you can really have is if you’re asked to provide personal information, ask how it will be used, why it’s needed, how it will be shared, how it will be safeguarded. Don’t give out more information than is necessary. And be particularly careful about your social insurance number ’cause that’s a very important key to your identity. So, it’s limiting as much as you can that kind of flow of information is going to be kind of the best possible first step.
The second step I would say is, you know, a lot of – it’s interesting we’re not necessarily talking sophisticated industry specific tools that are being used to locate people. Often it is Google, it is Facebook, so all I have to say is log out of your accounts or go to a library computer or something like that and do a Google search for your name or your name and your city or various combinations like that and see what comes up about you. If it’s information you’re not comfortable with that comes up, if you’ve posted it try to take it down. If somebody else has posted it, ask them to take it down. If it’s on a website, you don’t know who’s posted it, ask that website to take it down.
So, kind of going through those steps and just kind of being very aware of what’s out there about you and not being afraid to ask questions about how your information is used and simply making those requests saying you know what website, I’m not comfortable with that information being up there, would you mind taking it down? There are a lot of reasonable people in this world who will make that decision and say yes, that’s fine, I understand that I’ll take it down for you.
Doug Hoyes: Well and you’re right a lot of the stuff that’s posted I posted it myself. So if it’s something in my Twitter feed or something then I can obviously take it down. And you’re right show 57 was the one where we had Blair Demarco-Wettlaufer on and he is a collection agent who he did explain how he uses things like Google to find people. So, it is pretty basic stuff that leads people to us and that’s why you got to be aware of the obvious stuff. You did mention social insurance numbers and that’s something you shouldn’t give out. A social insurance number is only for the benefit of the Federal government. Am I correct on that, that’s what it exists for?
Vance Lockton: Right. So, it essentially exists as a reference for the Canada Revenue Agency. So, the idea is basically that is the primary reason why a bank they have to request your social insurance number, things like that is they’re doing reporting to Canada Revenue Agency.
Again, we don’t get – we have our guidance about – for organizations about collecting social insurance numbers and things like that. Unless for us, we’re kind of saying for organizations, unless you can establish that you have a clear legislative need to be collecting that information, then it needs to be either not collected or very clear that it is optional for that information to be collected.
Doug Hoyes: Yeah if I’m filling out a cell phone contract, that has nothing to do with Revenue Canada, taxes, anything like that. Probably something I shouldn’t be divulging. Obviously, if I’m going to the bank to open a bank account and they’re going to be paying me interest, which is going to be taxed, then obviously they have a need for it. So, I think you’re absolutely right, ask questions, that is probably the most basic advice there is. And if we all did that a lot more frequently we’d probably be able to stay out of a lot more trouble. I really appreciate you joining me today, Vance. Thanks very much for being here.
Vance Lockton: Thanks for having me.
Doug Hoyes: Thanks for being with me. That was the Let’s Get Started segment here on Debt Free in 30. I’ll be back in a moment to wrap it up.
Doug Hoyes: Welcome back, it’s time for the 30 second recap of what we discussed today. On today’s show Vance Lockton from Office at the Privacy Commissioner of Canada gave us some examples of the meaning of the phrase reasonable and appropriate in the circumstances as it relates to the privacy of personal information in Canada. That’s the 30 second recap of what we discussed today.
I was glad to have Mr. Lockton on the show today because he shared an interesting perspective on how information you may think is private may be used by various organizations, including bill collectors. I completely agree with his advice. Whenever anyone asks you for personal information, ask how it will be used and don’t ever give out more information than is necessary. A social insurance number, for example, is an identifier number for Canada Revenue Agency. So, there is never a reason to give your SIN out over the phone to anyone. It’s private information and you should keep it private to protect your identity.
That’s our show for today. Full show notes are available on our website, including links to everything we discussed today, so please go to our website at hoyes.com, that’s h-o-y-e-s.com for more information. Thanks for listening. Until next week, I’m Doug Hoyes, that was Debt Free in 30.