Canadian Privacy Laws now favorable for the LP professional

3-part series publishing Monday, Tuesday and Wednesday

June 18, 2015 marked the introduction of major changes to the Canadian Privacy Laws, which had previously made it extremely difficult for LP professionals to share information about known criminals. Read the firsthand account of the 15-year journey to change a law that was intended to protect against crime, but in fact made it possible for the criminal to operate with anonymity to a certain degree.
 

Part 3 - Legislative Reform

On June 18, 2015 Bill S4 received Royal Assent in Canada. Essentially the language that was used to describe required changes to the Privacy Act had been accepted and was now law. The Bill was designed to address several issues related to PIPEDA, the Canadian Privacy Act which has been the topic of great frustration with Organized Retail Criminal Investigators. The Act had been in force since 2000, and over the last 15 years there has been a lot of effort made to change the act - to remove the restrictive clause which speaks to the need to obtain consent from an individual whose personal information you have, before you can share it.

So the journey began. In order to protect retailers from any possible exposure with the Office of the Privacy Commissioner of Canada, the sharing stopped. Retailers wanting to let another retailer know of the identity of an organized crime member had to first call Police, which allow for compliance to the Act under the exemption. The Police in turn had to notify the other retailer. This of course placed a burden on an already tapped-out resource, and respectfully, Police may have at times had more serious crimes to attend to. Retail crime took a back seat.

There had been many attempts over the years to change the Act; to allow for any organization conducting a lawful investigation into crime, to be able to collaborate with other organizations. The sheer essence of the criminal provision of "engaging in organized criminal activity" meant that the burden of proof was on the investigator. To be able to collaborate and prove that a group was stealing from multiple locations reinforced this argument, but collecting the data was difficult.

In 2011 the Industry Association "Retail Council of Canada" arranged a meeting with Retail, Law Enforcement and representatives from the Privacy Offices of both Canada and Ontario. Chief Bill Blair of the largest Canadian City Toronto, along with Stephen O'Keefe who was the Vice President of Loss Prevention and Risk Management for Walmart, shared many stories to attempt to sensitize the representatives of the government agencies to the nature of the issue, in that criminals were being given a quasi form of anonymity as they hid behind the restrictive nature of the Act. They heard, and they designed a fix!!! And thus was born in September 2011 - Bill C 12. The problem was that the example that was used in the original meeting dealt with a fraud issue, so the language of the proposed amendments related to "financial crime", not theft or crime in general.

Prior to receiving Royal Assent, the Federal Privacy Commissioner fulfilled her 10-year commitment. With a New Commissioner getting ready to take office, all proposed amendments being proposed were taken off the table.

The Bill subsequently died.

There were a number of meetings and phone calls that took place from 2012 to 2015 which were instrumental in embedding the exemption language in the newly created Senate Bill S4 which speaks to the broader topic of mandatory reporting of breaches.

Firstly, Stephen O'Keefe entered into a consultancy agreement with Retail Council of Canada with a mandate to address several legislative changes including the problematic Privacy Act as well as a Criminal Code of Canada provision. Like many associations, a committee of like-minded business professionals met periodically to discuss specific areas of the business. The RCC Privacy Committee was active during this period of time. However this committee was not like most of the "retailer only" groups. A representative from the Federal Privacy Office was asked to join the committee and participate. They were exposed to firsthand accounts of the issues that affected retail. Shortly after, another meeting was held, this time with the interim Commissioner present. Something different took place during this meeting which was the key to the design of Bill S4.

What seemed like a casual discussion before the formal meeting, Stephen O'Keefe described the technology that retailers had in their stores from a video broadcast standpoint. He also described how a retailer would be able to instantly convey information about an Amber Alert to all stores in the chain, and in many cases to the customers through the various systems that vendors used to air videos related to their products which can be seen occasionally on the point of sale systems. The representatives from the Privacy Office became very interested and said it was a great idea. The information about an abduction would be aired immediately across the country. In these cases time is critical to ensure the safety of a child. They were not connecting the story to the Privacy Act as it appeared to be simple small talk before the official meeting. "Great idea, but your Act doesn't allow us to do it" replied Stephen. This was the start of a 30-minute discussion into the Act whereby even those from the Office owning the piece of legislation were shocked by the restrictive nature.

Two months later Bill S4 which was an Act to introduce mandatory reporting of breaches, included language related to the exemption to obtain consent if the request for consent would compromise the process related to investigating a criminal act. PERFECT!

Under the new rules, retailers in Canada can now share information. There are recommendations and guidelines for how the information should be shared, and when the information should be destroyed if no longer used for the purpose of conducting a criminal investigation, but for the most part the bottom line is "Organized Criminals beware...there is no more anonymity in Canada if you are committing a crime".

Stephen O'Keefe is an independent consultant and works with retailers and vendors in the area of risk management and loss prevention based out of Toronto Canada. His previous experience with Walmart exposed him to many different countries and many different laws and regulations. His company Grist Mill Solutions helps clients design internal programs to operate efficiently, maximizing profitability while complying with regulations.

LPNN Filming at the RCC LP Conference
Solution Providers - Want to help make Canadian History? Click here for sponsorship opportunities.