Terrorists don’t drive

Why Canada’s privacy laws need more bite


It is very easy to become cynical regarding Canada’s privacy laws; many Canadians would simply say: “Don’t bother, there isn’t any privacy anymore...”


In dealing with 30+ different financial institutions on a day-to-day basis, I am finding a wide disparity in the policies and procedures regarding data collection and privacy issues.


Canadian deposit-taking institutions (banks, trust companies and credit unions) have been over-collecting our personal and confidential information and using it inappropriately and perhaps illegally[1] for years, and it did not merit much of a reaction from the Office of the Privacy Commissioner other than a moderate “Tsk, tsk” amidst concerns of data over-collection.


Although we might criticize the financial institutions for being overzealous with Canadians' personal and confidential information, the Office of the Privacy Commissioner appears resigned to playing a minor role in government by merely finger-wagging at possible violators.

The Office of the Privacy Commissioner has no real teeth and its rulings are non-binding. In speaking with many financial institutions about these issues, some seem to be privately snickering behind their sleeves – Canada’s privacy laws are only disclosed at the bottom of their corporate web sites. Or, perversely, deposit-taking institutions cite privacy regulations when it is not appropriate to do so.[2]

Privacy rules at financial institutions are centered primarily on the safeguarding of collected information. Privacy Officers appear to be doing very little to avoid collecting information that is not needed for the operation of their businesses – one of the very basic and important tenets of privacy law that every Privacy Officer should be following.

Identity theft is becoming an increasing threat. Computer hacks of Home Depot, Target, America’s largest bank (JPMorgan Chase) and even the CRA (formerly known as Revenue Canada) mean that data can be and is being stolen. These and other incidents involve over a billion customer data breaches.

Despite the epidemic of data and identification theft, corporations (including financial institutions) still aren’t getting the message: information can’t be stolen if it is not collected in the first place.

Will Canada’s newest Privacy Commissioner address the issue of data over-collection or the possible misuse of Canadians’ personal and confidential information? In my view this is highly doubtful, as the Office of the Privacy Commissioner, with its limited powers, has its hands shackled. Not much of a bark and also, it appears, no bite.

[1] Legal? Illegal? Under federal law, RRSPs and other registered plans are supposed to be completely exempt from record keeping and client identification requirements (except on suspicion of terrorist or money laundering activity), but almost all deposit-taking financial institutions disregard the law and will insist on collecting this exempted information despite the laws passed by Parliament (see Department of Justice link below). If an investor refuses to divulge such identification, are financial institutions violating the laws of the land and/or the privacy rights of the individual? Good question. In my view, institutions are testing (if not skirting) the boundaries of strict anti-money laundering and privacy laws by over-collecting personal and confidential information that is exempted and is not required.

[2] Please refer to a previous story where a bank delayed a registered plan transfer to another financial institution citing “privacy concerns”.

Related articles:

GICs are a dangerous game: http://wealthadviser.ca/newsletters-8/222-gics-are-a-dangerous-game.html


Proceeds of Crime (Money Laundering) Terrorist Financing Regulations (PCMLTFR) 


Paragraph 62.2 (i):


FINTRAC Guideline 6G (exemptions for registered plans):




