The Office of the Privacy Commissioner of Canada recently released a guidance document to help cannabis retailers and purchasers understand privacy rights and obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).
Adapted from the document prepared by the Office of the Information and Privacy Commissioner for British Columbia, this guidance document provides clarification regarding topics such as the collection of personal information, the safeguarding of personal information, and privacy policies.
As you may recall, on October 17, 2018, cannabis became legal in Canada. However, it is illegal in many jurisdictions outside of Canada. Consequently, the personal information related to cannabis transactions is very sensitive. Even if a person purchases cannabis lawfully in Canada, that person may be denied entry into certain jurisdictions or experience other adverse consequences.
To that end, it is important to protect the personal information of cannabis consumers. “Personal information” is broadly defined – “information about an identifiable individual” can consist of several attributes, some of which include names, dates of birth, phone numbers, addresses, driver’s license numbers, medical information, physical descriptions, social insurance numbers, financial information which can be in the form of credit card information.
Collection of personal information
It is important to note that PIPEDA requires organizations to limit the collection of personal information to that which is necessary for the identified purposes. These purposes must be in line with what a reasonable person would consider appropriate in the circumstances. The sensitivity of the information and the context are important factors to be considered when collecting the information, and organizations must obtain meaningful consent before collecting personal information. I discussed in previous posts some of the Privacy Commissioner’s guidance documents regarding inappropriate data practices here and meaningful consent here.
It important to keep in mind that details differ across Canadian jurisdictions when it comes to what cannabis retailers are required to collect during transactions that are in-person, so it is important to check with local requirements. Further, there are some situations where cannabis retailers need to collect more personal information such as in an instance where a consumer uses a credit card. Another example of a situation where retailers may need more information from consumers is when the retailer has a membership club or email list for consumers who provide email addresses to sign up. In these circumstances, retailers are recommended to consider collecting only the minimum amount of personal information required to achieve the specific purpose.
Additionally, retailers must be aware that if they use video surveillance in their store for monitoring purposes, they are likely to capture the personal information of consumers in the form of images and voices. The document states:
“Retailers should only use video surveillance if less privacy-intrusive measures cannot achieve the same ends. If retailers choose to use video surveillance, they must notify individuals with signage that is clearly visible to anyone before entering the store. That way, individuals can choose to shop elsewhere if they do not want the retailer to collect their personal information”
These principles are outlined in the Privacy Commissioner’s guidelines for overt video surveillance in the private sector here.
With respect to online purchasing of cannabis, several pieces of personal information will be collected such as names, dates of birth, home addresses, credit card numbers, purchase histories, and email addresses. The Privacy Commissioner recommends that consumers remain aware that providing personal information through online formats creates additional risks. Taking the time to consider these risks is important, especially if individuals are concerned about reducing the likelihood of data breaches and minimizing disclosure to foreign governments in jurisdictions where cannabis use is not legal.
The Privacy Commissioner recommends that retailers: collect the least amount of personal information possible; refrain from recording personal information, where possible; consider collecting email addresses, but not names, for mailing lists or memberships; and determine whether less privacy intrusive alternatives to video surveillance are appropriate and only use video surveillance as a last resort.
Moreover, the Privacy Commissioner recommends that consumers consider the following: when purchasing cannabis, do not provide the retailer with more personal information than necessary; if you are concerned about using your credit card, and the option is available, consider using cash to purchase cannabis; if you are providing personal information to join a membership club or mailing list, consider the risks involved, and ask how your personal information will be stored.
Safeguarding personal information
It is critical for retailers to securely store the personal information of cannabis consumers. In addition, retailers must have and provide the contact information of a Privacy Officer who is responsible for ensuring compliance with PIPEDA. The main reason for achieving secure storage of the information is to prevent unauthorized access, disclosure, use, copying, or modification.
How is this accomplished? Retailers must use physical, technological, and organizational security measures to store personal information.
Physical security measures include: locking or restricting access to locations with records containing personal information (for instance, in filing cabinets and management offices); and using appropriate security measures such as cross-shredding documents when destroying personal information.
Technological security measures in computer systems include: using unique electronic user IDs for each staff member or purchaser; having strong passwords; using encryption; having firewalls; and deleting personal information once it is no longer needed.
Organizational safeguards include: restricting employee access to personal information they do not need to access to perform their job duties; having mandatory staff training; and using security screening of staff.
Also, when determining what security arrangements to make, retailers must consider the sensitivity of the information. And since the personal information can only be used for the specific purpose for which it was originally collected, and can only be used for as long as necessary to fulfill that purpose, retailers must remember that when the purpose is no longer relevant, the personal information must be securely destroyed.
That is not all – retailers are also recommended to conduct regular risk assessments and compliance monitoring to decide whether program controls need to be updated and to ensure compliance with PIPEDA.
Finally, it is important to mention that data storage in the Cloud or in proprietary software will likely trigger the transfer or storage of personal information to locations outside of Canada, which could be accessed by foreign law enforcement agencies; the potential for foreign governments to access personal information is a concern for cannabis consumers, and when the information is stored on servers outside of Canada, additional privacy protections will likely be required.
Privacy policies
Organizations must create policies and practices in order to meet their obligations under PIPEDA, and this includes creating processes for responding to complaints about the organization’s management of personal information. The Privacy Commissioner recommends that, in order to build trust and mitigate privacy risks, organizations ensure that management and staff understand and are committed to following these policies and procedures. This can be accomplished by having management emphasize that the protection of personal information is a company priority, ensure that all staff are trained in the policies and procedures, and confirm that these policies and procedures are being followed on a daily basis. In fact, the Privacy Commissioner has created a document discussing enhancing accountability through the use of privacy management programs here.
When explaining the importance of providing sufficient information to consumers for the purposes of achieving meaningful consent, the Privacy Commissioner stated,
“Retailers who have websites, and especially those with a membership login, should in particular ensure that they inform visitors to the webpage about any additional personal information collected (such as tracking cookies and website analytics) and the reasons for collection”
The Privacy Commissioner recommends that retailers: ensure adequate physical, technological, and organizational security measures are in place to safeguard personal information, and that these measures recognize and respond to the sensitivity of this information; designate a privacy officer; create internal policies and train staff on them; and visit the Privacy Toolkit for Businesses link here.
The Privacy Commissioner recommends that consumers: speak with the organization’s Privacy Officer if you have concerns about a retailer’s collection, use, storage, disclosure, or disposal of your personal information; and ask retailers whether they store your personal information on servers outside of Canada, and opt to only purchase cannabis from those who keep your personal information in Canada.
What does this mean for employers?
Certainly, cannabis retailers who have staff must be aware of these above-mentioned requirements. Not only do they have to properly collect and secure the personal information of cannabis consumers, but as employers, they must also create clear policies and procedures dealing with the protection of personal information. It is not enough to just make the policies and procedures – employers must establish a tone from the top for employees and emphasize the importance of privacy and protection of personal information. This can be accomplished by having training sessions on company privacy policies and procedures, and consistently enforcing them to send the message that privacy is not to be taken lightly.
For those employers who are not retailers of cannabis products, there are many things to take from the above mentioned guidelines. For instance, just as cannabis retailers are recommended to make the protection of personal information of priority in their organizations, so too are other employers – having solid policies and procedures, training employees in these policies and procedures, and consistently enforcing these policies and procedures are something to which all employers can aspire.