Submissions to the Canadian Radio-Television and Telecommunications Commission re: Public Notice CRTC 2001-60-1, Confidentiality Provisions of Canadian Carriers

Published Date  Jul 01, 2001

RE: PUBLIC NOTICE CRTC 2001-60-1 (July 27, 2001)

July 27, 2001



Secretary General
Canadian Radio-Television and Telecommunications Commission
Ottawa, Ontario
K1A 0N2

RE: PUBLIC NOTICE CRTC 2001-60-1
Confidentiality provisions of Canadian Carriers

1. As part of its mandate, the Office of the Information and Privacy Commissioner/Ontario (IPC) comments on the privacy implications of emerging or existing information practices and services. In keeping with this mandate, we would like to comment on whether the written consent of customers should continue to be required in order to allow carriers and their affiliates to share customer information.

2. Does the current written consent rule place Canadian carriers at a competitive disadvantage compared to competitors such as cable companies? How should the Commission balance the privacy concerns with the issue of competitive equity?

3. In our view, privacy protections should never be sacrificed in favour of competitive equity. If a level playing field is sought, then privacy safeguards should be harmonized to the most appropriate standards, rather than to the lowest common denominator.

4. Should a Canadian carrier be permitted to disclose confidential customer information to an affiliated company without the written consent of the subscriber?

5. In our view, Canadian carriers should only be permitted to disclose confidential customer information to an affiliated company with the express consent of the subscriber. The appropriate form of the consent (i.e., written versus oral) depends on the circumstances in which the consent is being sought. If the carrier's primary mode of contact with its customers is by telephone, then it would be appropriate to obtain consent orally over the telephone. If the primary mode of contact is electronic, then it would be appropriate to obtain consent electronically. What is important is that there be a written record of an express consent having been given.

6. If such disclosure is permitted, should it be subject to any restrictions? For example, should such disclosure only be permitted for the purpose of allowing the affiliated company to market or provide its products and services to the subscriber?

7. In obtaining the express consent of the individual for the disclosure of personal information, carriers should set out the specific purposes for which the information may be disclosed. Disclosure should be permitted only for those specific purposes.

8. If written consent is not required:

i) What type of consent (e.g., express or implied) would be sufficient to allow a Canadian carrier to disclose to an affiliated company confidential subscriber information?

ii) Assuming express consent is required, what measures would be adequate for obtaining express consent for such use and disclosure?

iii) What are the circumstances that would indicate implied customer consent to allow a carrier to disclose the customer's confidential information to affiliated companies?

9. In our view, express consent would be necessary to allow a Canadian carrier to disclose to an affiliated company confidential subscriber information.

10. Before it can be considered to be valid, consent for the disclosure of confidential subscriber information must:

  • relate to the specific information being disclosed;
  • be informed;
  • be given voluntarily; and
  • not be obtained through misrepresentation or fraud.

11. Consent to the disclosure of information is informed if the individual who gives the consent has, at the time of giving the consent, the information that a reasonable person would require in the circumstances to make a decision. The information that a reasonable person would require includes:

  • The name of the party who will receive the information;
  • The purpose of the disclosure;
  • The nature and extent of the information to be disclosed;
  • The reasonably foreseeable consequences and benefits of giving or withholding consent to the disclosure.

12. In addition, consent should be time limited and revocable by the individual at any time.

13. The Personal Information Protection and Electronic Documents Act provides some guidance on what is appropriate in terms of the form of the consent (i.e., express or implied) and the way in which it is sought (i.e., in writing or orally). Both the form of the consent and the manner in which it is sought may vary depending upon the circumstances and the type of information. The type of consent and the way in which it is sought should take into consideration the sensitivity of the information, the reasonable expectations of the individual, and the circumstances in which the information is being collected. An organization should generally seek express consent when the information is likely to be considered sensitive. However, the federal legislation does not require consent to be in writing. For example, consent may be given orally when information is collected over the telephone. Where it has been given orally, there must be a written record of an express consent having been given.

14. In our view, confidential subscriber information is sensitive personal information. For example, it could be used to identify the names and addresses of all friends, family members and business associates who are in contact with the individual by telephone. Accordingly, express consent for the use and disclosure of this information should be required under all circumstances. A requirement to obtain express consent in writing is an additional safeguard that would help to ensure that there is a written record of an express consent having been given. A written consent also provides the best evidence that the consent is, in fact, truly informed and valid. However, written consent may not be appropriate or necessary in all circumstances. Provided that individuals are adequately informed about what they are consenting to and there is a written record of an express consent having been given, it is our view that carriers should be permitted to seek consent in the form that is appropriate in the circumstances.

15. In addition, where the individual has provided consent, the disclosure of subscriber information should be on a need to know basis. The information should only be disclosed to those individuals who require the information for the specific purposes to which the individual has consented. In addition, the disclosure should be limited to the minimum amount of personal information that is required to fulfill the specified purposes.

16. In our view, implied customer consent for the disclosure of subscriber information would not be appropriate under any circumstances.

17. In the approved tariffs of incumbent local telephone companies, the term "affiliate" is defined as any person controlling or controlled by the same person that controls the company and includes a related person. Is this definition sufficient for the current purposes and, if not, what would be a sufficient definition of an affiliate?

18. In our view, this definition is not sufficient for the current purposes. It is not clear what is intended by the inclusion of "a related person" in the definition of an "affiliate." This could be construed to mean any person who has any relationship with the affiliate. An ambiguous definition of this nature would lead to a correspondingly ambiguous consent. For example, if the consent were to specify that confidential customer information might be disclosed to an affiliate of the carrier, this would mean not only the affiliate, but also any individual with a relationship with the affiliate. To avoid ambiguity, the definition of an affiliate should be made as narrow and specific as possible.

19. Information stored in a centralized database:

i) If confidential customer information shared among affiliated companies is stored in and accessed from a centralized database, does that raise any particular privacy issues?

ii) Should there be any restrictions on the collection and storage in this manner of confidential subscriber information? If so, what should they be?

iii) Should access to such database be subject to any conditions? If so, what should they be?

20. Storing confidential subscriber information in a centralized database with shared access poses a number of privacy issues. Technological and procedural privacy and security measures would have to be implemented to ensure that only the minimal amount of personal information is accessed by authorized persons, on a need-to-know basis, for the purposes to which the individual has consented.

21. In addition, since the risk of privacy breaches can never be totally eliminated, individuals who consent to the disclosure of their personal information among affiliates should be made aware of the benefits and risks of having their personal information stored on a shared central database and provided with an opportunity to refuse to have their personal information made available in this manner.

Thank you for considering our views on this matter.

Sincerely yours,


Ann Cavoukian, Ph.D.
Commissioner






RE: PUBLIC NOTICE CRTC 2001-60-1 (September 26, 2001)

September 26, 2001



Secretary General
Canadian Radio-Television and Telecommunications Commission
Ottawa, Ontario
K1A 0N2

RE: PUBLIC NOTICE CRTC 2001-60-1
Confidentiality Provisions of Canadian Carriers

1. The Office of the Information and Privacy Commissioner of Ontario was asked to respond to the following four Commission interrogatories.

2. 100.

The Companies, CWTA and TELUS (and other parties) propose that the Commission use the following definition of affiliates:

Where one company is a subsidiary of another, both companies are subsidiaries of the same company, or two companies are affiliated with a third company at the same time.

AT&T proposes that the Commission use the definition of related parties, instead of the above definition:

Related parties exist when one party has the ability to exercise, directly or indirectly, control, joint control or significant influence over the other. Two or more parties are related when they are subject to common control, joint control or common significant influence. Related parties also include management and immediate family members.

If the Commission granted the requested relief, what would be the implication of using one definition over the other in terms of efficiency of sharing information on one hand and contributing to the protection of privacy of subscribers on the other hand?

3. To the extent that individuals are asked to consent to the sharing of personal information among affiliated companies, the definition of an affiliate must be sufficiently clear to ensure that consumers understand exactly how their personal information will be shared. The definition of an affiliate should also take into consideration other requirements of the Personal Information Protection and Electronic Documents Act. For example, subsection 5(3) requires that personal information be collected, used or disclosed only for purposes that a reasonable person would consider are appropriate under the circumstances. Since the disclosure of personal information among affiliated companies must meet this "reasonable person" test, the term "affiliate" should be defined accordingly.

4. 101.

Provide your definition of sensitive customer information and provide examples. Address how the form of consent (i.e. implied or express) should vary according to the sensitive nature of the information.

5. The perceived sensitivity of information varies from one individual to another and from one context to another. As stated in the Personal Information Protection and Electronic Documents Act, some information (e.g., medical records and income records) is almost always considered to be sensitive; but depending on the context, any information can be sensitive. For example, some individuals consider their telephone number to be sensitive personal information and subscribe to unlisted number service.

6. The sensitivity of the personal information is only one factor to consider in determining the appropriate form of consent (e.g., implied or express). In accordance with guidelines from the federal Privacy Commissioner, the form of consent should take into consideration:

a. the reasonable expectations of the individual;
b. the circumstances surrounding the collection; and
c. the sensitivity of the information involved.

7. In these proceedings, no distinction was made among the various types of information that may be subsumed under confidential subscriber information. But, it is our understanding that confidential subscriber information would include credit information, calling records, and other personal information that is clearly sensitive. In our initial submission in this proceeding, a rationale was provided for considering confidential subscriber information to be sensitive personal information. For example, this information could be used to identify the names and addresses of all friends, family members and business associates who are in contact with the individual by telephone. Accordingly, this office suggested that express consent for the disclosure of this sensitive information would be appropriate in all circumstances.

8. However, it is conceivable that consumers may not consider all of the information subsumed under the broad category of confidential subscriber information to be sensitive. Depending on the circumstances surrounding the collection (e.g., the specified purpose for the collection) and the reasonable expectations of the individual, another form of consent (i.e., implied consent) might, in some cases, be appropriate for sharing that portion of the subscriber's information that is clearly not sensitive. The reasonable expectations of the individuals would depend on a variety of factors including the relationship between the affiliated companies and the nature of the products and services provided by the affiliated companies. The sharing of confidential subscriber information on the basis of implied consent among affiliated companies would only be appropriate to the extent that the information is clearly not sensitive and a reasonable person would consider the sharing to be appropriate under the circumstances.

9. 106.

Comment on Call-Net's submission (31 July 2001, re: PN 2001-60), paragraphs 7-8-9.

10. Call-Net suggested that affiliated companies should be able to share subscriber information without direct consent provided that the Commission approves the sharing.

11. Given the wide array of companies that could potentially fall within the definition of an "affiliate," there may be some merit in having the Commission approve, on a case-by-case basis, the affiliated companies that may share confidential subscriber information. However, approval by the Commission does not negate the requirement for informed consent for the collection, use and disclosure of personal information set out under the Personal Information Protection and Electronic Documents Act.

12. 109.

Should the Commission grant the requested relief,

a) provide comments on the appropriate means to inform existing subscribers about the change in the Terms of Service.
b) provide comments on the appropriate mechanisms by which they would be able to opt-out.

13. Existing subscribers should be informed in writing of the changes in the Terms of Service. For example, subscribers could be informed through billing inserts.

14. In our view, as a general rule, opt-out consent would not be an appropriate mechanism for obtaining consent for the sharing of confidential subscriber information among affiliated companies. Instead, subscribers should be provided with an opportunity to opt-in by checking off a box on the billing insert sent to inform them of the change in the Terms of Service. In addition, subscribers could be provided with an opportunity to opt-in through any mechanism by which the subscriber normally communicates with the company (e.g., telephone, fax, e-mail, or in-person).

Thank you for considering our views on this matter.

Sincerely yours,


Ann Cavoukian, Ph.D.
Commissioner






RE: PUBLIC NOTICE CRTC 2001-60-1 (December 19, 2001)

December 19, 2001

VIA FACSIMILE



Secretary General
Canadian Radio-Television and Telecommunications Commission
Ottawa, Ontario
K1A 0N2

RE: PUBLIC NOTICE CRTC 2001-60-1
Confidentiality Provisions of Canadian Carriers

  1. The Office of the Information and Privacy Commissioner (IPC) would like to clarify its position on the appropriateness of implied versus express consent for the sharing of confidential customer information among affiliated companies.

  2. It is our understanding that all subscriber information, other than that which has been previously deemed to be non-confidential (i.e., name, address and telephone number), is considered to be confidential subscriber information. This includes credit information, calling records, and other personal information that is clearly sensitive. As a general rule, express consent for the sharing of sensitive personal information is appropriate. Our view on this has not changed.

  3. However, we do acknowledge that this general rule, which may be appropriate with respect to the broad category of personal information referred to as confidential subscriber information, may not be appropriate for every single element of personal information that is included in this broad category. If some of the personal information in this category is clearly not sensitive and a reasonable person would consider the sharing of this information among affiliated companies to be appropriate in some circumstances, then implied consent may be appropriate.

  4. The reasonable expectations of the subscriber should be considered when determining whether it is appropriate to imply consent for the sharing of non-sensitive subscriber information. As noted in our previous submission, the reasonable expectations of the individuals depend on a variety of factors including the relationship between the affiliated companies and the nature of the products and services provided by the affiliated companies.

Thank you for considering our views on this matter.

Sincerely yours,


Ann Cavoukian, Ph.D.
Commissioner



