by David McKendry
CAMagazine, Sept. 1996
Republished with permission
Concerned about your personal privacy? So are telemarketers, scam artists, databases, big business and governments - though perhaps not always for the same reasons
Illustration by John Collier
What is privacy? Not so long ago, it was a physical nuisance issue - somebody taking a shortcut across a lawn or a door-to-door salesperson pitching scrub-brushes. Today, privacy has another meaning thanks to the pervasive collection and use of personal information. The physical nuisance dimension is being overtaken by the desire of individuals to control the use of their personal data. And consumers are beginning to realize that their information is worth money - money that is ending up in somebody else's pocket.
What types of personal information are being collected? Just about everything under the sun. Your name is wanted for databases from the moment you are born: birth is the time to sell to your parents; death is the time to sell to your survivors. The time between the two is the time to sell to you. Businesses, governments and employers are following your data trail, collecting your personal information for marketing, managing public services and evaluating your work performance. In recent years, companies have demanded an ever-increasing volume of information from consumers. Many organizations have "unbundled" services into separate (and more lucrative) offerings - a process that typically requires consumers to reveal more about themselves in the bargain. At the same time, the greater variety of options increases choice and lowers prices - benefits that consumers relish.
Other market trends that have helped to bring privacy issues to the fore include:
- The erosion of boundaries between industries, which raises the spectre of database matching (where an individual's profile is constructed from databases of personal information that have been created for unrelated purposes). For example, lifestyle profiles can be created by matching databases that contain information about frequent flyer records, credit card purchases, vehicle registrations, car rentals, health-care records, warranty registrations, music club purchases, video rentals, charitable donations, magazine subscriptions, and land registry records. As an example of how this erosion of industry boundaries has affected the collection of data, one need look no further than corporate giant AT&T, the world's second-largest telephone company. Today, the company is also the second-biggest provider of credit cards in the United States. As a result, AT&T now collects additional information from all its customers - credit information for telephone accounts and vice-versa.
- The death of brand loyalty, which has forced companies to stalk elusive consumers with databases filled with personal information. In an attempt to stay ahead of the competition, Kraft General Foods has compiled a database of more than 30 million users of the company's products. The goal is to sell Kraft items more successfully using direct marketing techniques.
- The development of new telephone and data management systems (such as bar-code scanners, CD-ROM technology and parallel computers), which make it possible to store, transmit and process vast amounts of personal information. Thanks to increased computing power, Fingerhut Co., a U.S. mail-order firm, is expanding its collection of customer data to two trillion characters. New technology does more than profoundly increase the opportunities to use personal information. It also enhances the possibility of errors. The 1990 Newsweek story "Can we Trust our Software?" reported: "Software is the invisible Achilles' heel of the computer revolution... as programs grow massive, errors become inevitable." An important facet of privacy in the 1990s is the accuracy of personal information.
As a result of these and other recent trends, consumer unease about privacy has become rampant. A 1993 survey by Ekos Research Associates Inc. highlighted the change in perception: "Canadians are significantly less concerned about uninvited calls and advertising mail than, for example, data matching." The survey concluded, "There is a pervasive sense that personal privacy is under siege from a range of technological, commercial and social threats." A 1994 survey for Equifax Canada Inc. conducted by Louis Harris and Associates, Inc., found that 70 per cent of Canadians believed that "consumers have lost all control over how personal information about them is circulated and used by companies" - an increase from 64 per cent in a 1992 survey.
These fundamental changes in the marketplace raise concerns that businesses, consumer groups and governments are struggling to address. While companies attempt to accommodate the public's growing concerns about privacy, consumers are aggressively protecting the uses to which their personal information can be put. Governments are also entering the arena, with new legislation designed to protect the public's right to privacy. The emergence of codification and standards offers yet another opportunity in the area of assurance services - good news for chartered accountants and other professionals in the business of reporting on compliance. The new dimensions of privacy have profound implications for the way we do business today and in the future. As organizations demand ever-increasing quantities of personal information, the public is expressing an ever-stronger desire to control - and be compensated for - the collection of such data.
Whose Privacy?
Although the concept of privacy may have an air of simplicity, the right to be left alone is part of an extremely complex set of issues. Does it mean that a telephone subscriber has the right to see the number of a calling party on a screen before he or she answers the telephone? Or does it mean that a calling party has the right to block his or her telephone number from being transmitted for display? The answer depends on who you ask. Individuals supporting and opposing Caller ID, the telephone companies' service that displays the numbers of calling parties, have one thing in common. Both groups cite the protection of their privacy as the reason for their support or opposition.
After a call by Bell Canada's telemarketers, a subscriber with an unlisted number complained to Bell's regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), that her privacy had been invaded. "What about privacy and fairness for the Canadian consumer?" she asked. The CRTC answered by telling companies to "cease immediately their practice of placing calls to customers with unlisted numbers for the purposes of promoting new products, services or discount plans."
Other telemarketers have also had to change the way they do business. In 1993, the CRTC received more than 6,000 complaints about telemarketing practices. A year later the Commission gave consumers the right to insist that they not be telemarketed by live voice calls and facsimile messages - a little-known but significant decision that went a long way toward giving telephone subscribers the right to be left alone.
Other organizations are also changing the way they do business to accommodate the public's growing concerns about privacy. For example, the Microsoft Network, a global online service, has been designed to comply with the European Union's (E.U.) 1995 privacy directive. The directive provides guidelines to European countries about the collection and use of personal information. Participating governments have three years to bring their privacy laws up to the E.U. standard, which becomes effective in 1998.
The E.U. directive will affect the way that business is done in Canada and other countries outside the European Union. It places restrictions on the transfer of personal information from European countries to jurisdictions lacking an adequate level of privacy protection. Apart from Quebec, Canada does not have overall privacy laws, although this situation is likely to change. Earlier this year, Industry Minister John Manley announced that he would "bring forward proposals for a legislative framework governing the protection of personal data in the private sector." Officials from Manley's department expect privacy legislation to be tabled in Parliament by November 1997. To the extent that privacy laws exist today, they apply only to certain categories of personal information such as consumer credit information.
Meanwhile, an Act Respecting the Protection of Personal Information in the Private Sector came into force on Jan. 1, 1994, in Quebec. The act applies to information "whatever the nature of its medium and whatever the form in which it is accessible," and gives investigative and dispute-resolution powers to the Commission d'accès à l'information. By October 1, 1998, a committee of Quebec's National Assembly will consider whether amendments to the act are required. Quebec's legislation is one of the options now under consideration by Industry Canada as a basis for federal privacy legislation.
The E.U. restrictions contain important loopholes from Canada's perspective - for example, the legislation does not require equivalent protection in other countries, it only requires adequate protection. In addition, transfers of personal information from the E.U. are allowed to countries that do not ensure adequate privacy protection under certain circumstances. However, the circumstances are not so broad that Canadian companies can afford to ignore the E.U.'s privacy laws in business that involves European personal information.
Privacy is seen as a human right in Europe. The North American approach to privacy tends to be more pragmatic, viewing personal information as an economic good to be bartered. As Evan Hendricks, publisher of the Privacy Times newsletter, observed recently, "[Offering to pay for personal information gives] people real choices about what's more important to them: is it money, discount opportunities or privacy." In 1990, futurist Alvin Toffler wrote about interest-free information loans by customers, noting that "the consumer pays for every purchase twice over: first with money and a second time by providing information that is worth money."
Toffler's view certainly rang true for a marketing manager at a large American telecommunications company. In Ram Avrahami's suit against U.S. News & World Report, he claimed the magazine broke the law when it sold his name and address to another magazine. According to a story written by G. Bruce Knecht in the Oct. 13, 1995 edition of The Wall Street Journal, "[Mr. Avrahami] isn't claiming his privacy was violated; he claims the sale of his name violated his property rights. In short, Mr. Avrahami believes he owns his name - and he contends that if companies want to sell it, he should have the right to either prevent the sale or to be compensated for it." The case has major implications for database marketing, an approach that collects personal information to build profiles of individuals.
Many sources of information are available for this purpose. For example, a recent issue of Direct Marketing News advertised the following lists of individuals:
- Carswell Tax & Accounting: Canadian lawyers, tax specialists, and accounting professionals (9,120 names).
- Toronto Blue Jays Mail Order Buyers: Canadian fans who attended games (188,327 names).
- Chuck E. Cheese's Children's List: Children ages one to 12 who have joined the Birthday Club (87,503 names).
- Gerber (Canada) Inc.: Parents of children from birth to age eight (275,446 names).
- Nutri System Weight Loss Club: Past clients who spent an average of $1,000 for the program (138,846 names).
Human right? Economic good? The bottom line for businesses is that privacy is a volatile brew - a consumer issue that combines rights and money. That fact was certainly not lost on Computer City's San Diego outlet. Earlier this year, Robert Beken, one of the store's customers, asserted his privacy rights and attached a dollar value to them. The store had to pay $1,000 to Mr. Beken, who was sent advertising mail in spite of his written request not to be placed on Computer City's mailing list. He had written the request on the back of his cheque at the time of purchase, stating that Computer City would be required to pay him $1,000 if his name was put on the list or if he was sent advertising mail.
What are good privacy practices?
Privacy concerns and values are still in an evolutionary state. Good privacy practices have developed - and will continue to develop - as the marketplace adapts to electronic commerce and new services and technology. According to Industry Canada, "privacy protection and network security" is one of the four principles that will guide the development and implementation of the information highway.
Earlier this year, Canada became the first country to adopt a national standard for the protection of personal information. The voluntary standard was developed by a committee of consumer, business, government, and labour representatives under the auspices of the Canadian Standards Association (CSA International). The CSA code (see right sidebar) is "state of the art," and establishes privacy protection principles in 10 key areas, including consent for the collection, use, or disclosure of personal information.
The CSA principles have been approved as the national standard by the Standards Council of Canada. Other important organizations have also given their support to the CSA's privacy code. The federal government's blue-chip Information Highway Advisory Council recommended in September 1995 that the code serve as the basis of privacy legislation. According to the council, "Legislation would require sectors or organizations to meet the standard of the CSA model code, while allowing the flexibility to determine how they will refine their own codes."
Industry Minister John Manley responded to the council earlier this year when he announced that he will introduce privacy legislation for the private sector. According to his officials, the CSA code is one of the options being considered as a basis for federal privacy legislation. Indeed, the CSA privacy standard appears to have the inside track. A Department of Justice official told the CSA privacy committee in June of this year, "Legislation will not be based on standards that are much different from the CSA standard."
The Canadian Direct Marketing Association has also called on the government to enact a set of privacy principles in legislation that would meet the privacy standard set by CSA International or the privacy guidelines created in 1984 by the Organization for Economic Cooperation and Development. The OECD guidelines were used as the basis for the development of the CSA standard.
A few businesses have already taken the plunge, developing services and privacy codes that they claim comply with the CSA International standard. According to Stentor, the company's OnWatch management and certification service (designed to protect the privacy of information on the Internet) employs the CSA principles. In March 1996, the Canadian Bankers Association (CBA) announced a privacy code that the association claims "meets and exceeds" the CSA International standard. The CBA has given the banks one year to implement the provisions of the new code.
The emergence of privacy codes, policies and practices (whether they are voluntary or derived from legislation) offers new challenges and new opportunities for auditors. Organizations will need to demonstrate that they are in compliance with their voluntary codes. Compliance with good privacy practices contributes to a company's competitive advantage in a marketplace that places value on a customer's ability to control personal information.
The public sector market may be one of the first to explicitly require good privacy practices. David Flaherty, British Columbia's Information and Privacy Commissioner, said earlier this year that he "encourages all provincial and local government agencies to insist that outside contractors processing personal information also adhere to the provisions of the [CSA] code."
Like British Columbia, several provinces and the federal government have privacy legislation and privacy commissioners. With the exception of Quebec, the legislation and the commissioners' mandates are generally restricted to the public sector.
Demonstrated compliance with good corporate privacy practices may also "unlock" access to personal information. A 1995 survey conducted by Ekos Research Associates Inc. for two consumer groups found that 79 per cent of Canadians "don't mind companies using personal information as long as the person knows about it and can stop it."
Although customers and other stakeholders will take some comfort that a business has a good voluntary code, real credibility will only be available to businesses that can prove they are in compliance with their code. And who better than external auditors to report on compliance?
All of this is more than the rattle and hum of a privacy subculture. The market for privacy audits is unfolding - as goes the privacy issue, so goes the market for privacy audits. For example, Telstra Corporation Limited, an Australian telecommunications company with annual revenues of $14 billion, has appointed Price Waterhouse as the company's independent privacy auditor. As part of the engagement, the firm is expressing an opinion about Telstra's compliance with the company's voluntary privacy code. Price Waterhouse is also expressing an opinion about the adequacy of the code in relation to domestic and international privacy practices.
Closer at hand, IMS Canada retained Coopers & Lybrand to audit the company's privacy "processes and procedures" in order to add "weight and credibility" to the company's Privacy Pledge, a statement of the company's position with respect to information privacy. IMS supplies market research to the pharmaceutical industry and others. The company collects information about doctors' prescribing practices from pharmacies. According to Coopers & Lybrand's audit report, IMS "neither collects nor maintains on file patient name, address, social insurance number or other data that could likely compromise the anonymity of a patient." However, the company was drawn into a privacy controversy earlier this year when some doctors objected to pharmacies selling information about their individual prescribing practices.
The privacy issue is here to stay. New challenges are being created for Canadian businesses in a market that places a high value on the use of personal information and a high value on privacy. Consumers, governments and businesses are starting to balance these competing values through initiatives such as the CSA's privacy code. When a company strikes the balance, the story will be told by auditors.
David McKendry, CA, is the director of the privacy consulting practice for Price Waterhouse in Ottawa and the chair of the committee that developed the Model Code for the Protection of Personal Information for the Canadian Standards Association.