A customer calls your company and a call-centre representative uses caller ID to pop up her electronic file and greet her by name. Bingo! The customer summons you to a closed-door review with the Privacy Commissioner of Canada.
She charges you with violating her privacy. She didn't identify herself on the call and had an unlisted number, so she assumed her identity would be anonymous. And her customer file was irrelevant: She had sought only general information when she phoned. You say you were just trying to provide good service. Your policy is that phone reps must be sure of a caller's identity before giving out confidential information. In this case, your phone rep only mentioned the customer's name.
Verdict: You lose. The commissioner rules that you violated the Personal Information Protection and Electronic Documents (PIPED) Act. You neither sought nor obtained the customer's permission to collect, use and disclose her personal information. She didn't speak about her account, so the rep had no reason to call it up.
Conclusions: You failed to apply appropriate security safeguards. Any procedures you had were not followed. Your company might disclose personal information to the wrong people. Fix this problem, or next time you may land up in court or, worse, in the newspapers.
This actually happened to a major Canadian bank in 2003. Today, the PIPED Act applies only to federally regulated industries, such as banks, telcos and airlines, as well as federally chartered health organizations. But on Jan. 1, nearly every organization operating in Canada must comply with it or with provincial rules that are at least as tough. So if privacy isn't gaining space on your corporate radar, you could be risking trouble — the embarrassing departure of George Radwanski as privacy commissioner and his replacement by Robert Marleau notwithstanding. [Privacy Digest]