Ontario Information and Privacy Commissioner Ann Cavoukian has ordered the collection and destruction of a large amount of data that many Ottawa residents were unaware the police was monitoring -- used-goods store records.
In Ottawa, people selling used goods to secondhand stores were required to provide personal information that was tied to their names. Courtesy of an Ottawa bylaw and Regina-based customer information software vendor Business Watch International (BWI), this information was funneled directly into the databases of the Ottawa Police Service, who made the data accessible to other police departments across the country.
Over 250,000 transactions and 44,000 identifiable persons were in that database, which was managed by BWI, whose executives declined to comment.
A case against Cash Converters of Oshawa (who have similar bylaws requiring this practice) earlier this summer resulted in portions of their bylaw being struck down.
In the wake of this case, a complaint was registered with the Ontario privacy commissioner's office, causing her to issue the cease-and-desist (and destroy) order to the City of Ottawa and Ottawa Police Department. Said Cavoukian: "Innocent people sell used goods and then appear in a police department database?
"It's untenable... It's the first step down the road to surveillance. With this information used in an improper way, it can do real harm, which is why we're taking such a firm stance on this. The police and state can't ask for such information unless and offense has been committed, otherwise it's a police state."
Cavoukian said that, in Edmonton (which has similar bylaws), a policewoman was fired after only a few days on the job, as an extensive background check turned up that she had sold some items to a pawnshop years ago.
So, while the police claim it is a useful source of information, said John Lawford, counsel for the Public Interest Advocacy Centre, it is also surveillance that violates their privacy.
"They shouldn't invade the privacy of all Canadians for that -- it's an unreasonably broad net of suspicion," said Philippa Lawson, the Ottawa-based Canadian Internet Policy and Public Clinic director.
"This fits in with the continuing of the increasing trend of law enforcement and government trying to conscript private enterprise and businesses into collecting personal information," said David T.S. Fraser, a privacy lawyer with Halifax-based firm McInnes Cooper.
Lawson said, "It turns them into agents of the state. It's large-scale state surveillance."
Fraser said the software market for these types of customer information or data storage systems are a growth area. Examples of this growing trend include the extensive information required by airlines, and the contentious no-fly lists. Also included in the trend are bars that use machines to scan identification.
While this practice screens out fake IDs and minors, it can also retain information on people, like what bars they've been kicked out of, according to Fraser.
More troublingly, he said, is the tendency of bars to subscribe to networks of these machines, tracking people through their identification cards.
"This information is increasingly networked, where people sign up to a service that operates a database (that stores information on patrons)," he said. This practice is also popular in the retail sector, where information on the number of returns (and the personal information required to make a return) is stored indefinitely.
This makes Cavoukian's ruling significant, as it could force vendors similar to Business Watch International to shut down any operations in Ontario. "And it's a pretty significant province," said Fraser. And, since other provinces have relatively similar privacy issues on their hands, this ruling could spawn a similar one in other provinces, he suggested.
The commissioner is calling for data minimisation that would decrease the possibility of it being used inappropriately, adding that the ever-improving technology is a major threat. She said, "It's the IT element that is the most attractive element to use for multiple (and inappropriate) purposes. It makes data so transferable, so transmittable that it's difficult to control and restrict."
When it comes to the actual development of this software, Fraser said that it's important for vendors to exercise better caution when developing customer information or data storage technologies, as, he said, privacy issues tend to get overlooked, or are often left to the other party (who themselves assume it's been taken care of, too).
"You need to ask, 'Do I have the consent of these people?' Consent goes a long way, but it has to be informed consent. Not just for thing A, but for B, C, and D, too," said Cavoukian. "And if the information doesn't have personal identification (linking the person to the information), then the sky's the limit."
Lawford said that this ruling, which, he said, will most likely meet with opposition in the form of a judgment review or appeal from the Ottawa Police Department, is laying the foundation for a future where, he hopes, software vendors will be more careful, with the larger data vendors getting together and auditing their practices. Then, if they have been violating the law, they can get an indemnity.
"Then they'll make sure that they comply in the future," he said.