"Identity Thief", a movie about – what else,
identity theft – opens in theatres this February; but will it
make the Privacy Commissioner's list of "top 10" privacy films?
Most Canadians have some awareness of identity theft, and there
are resources – including online tip sheets prepared by the
offices of the federal and provincial privacy commissioners –
available to help individuals take steps to protect themselves.
In 2010, Bill S-4 amended the Criminal Code of Canada
to create 3 new offences related to identity theft: obtaining and
possessing identity information of another person with the
intention to commit an offence; trafficking in identity
information; and unlawfully possessing or trafficking in
government-issued identity documents.
Notwithstanding the high level of awareness surrounding identity
theft – so well-established as a cultural phenomenon that it
forms the premise of a Hollywood movie – situations arise
that remind us how easy it can be to assume another person's
identity, and how important it is for us to be careful and for the
companies we share our personal information with to be diligent
about proper disclosure.
In an August 2012 finding (#2012-004) under the Personal Information Protection and Electronic
Documents Act (PIPEDA), the Privacy Commissioner of Canada
considered a situation where a victim's cell phone company had
disclosed his billing and call history information to a female
caller who – while impersonating the victim – was able
to change the victim's basic account information including his
name, his gender and his personal identification number. The
company's standard protocols, including proper authentication
procedures, were ignored by its representative during the call.
The victim learned of the disclosure and made an access request
to the company for his personal information and a transcript of the
phone call. The company's initial response was slow, citing
"confusion" as the reason for delay.
The company eventually sent the victim a transcript of the call
and the Commissioner was satisfied the access issue was resolved.
To address the non-compliant disclosure, the Commissioner directed
the company to review "Getting Accountability Right with a Privacy
Management Program" (April 2012), a joint document of the
Privacy Commissioners of Canada, Alberta and BC.
The Report of Finding #2012-004 sends a message that companies
must take active steps to prevent identity theft and to respond in
a timely manner to an access request.
The report also includes a "Lessons Learned" section
(excerpted below) which is a good reminder for companies and their
Some Lessons Learned (emphasis added)
Disclosing the personal information of an account holder
requires the consent of that
Before discussing or divulging any personal account information,
organizations must first properly authenticate and validate
the identity of the requester.
Access to personal information requests must be responded to by
the organization no later than 30 days after receipt of
the individual's request. If the organization requires an
extension to fulfill the request, it must send a notice of
extension to the individual no later than thirty days after the
date of the request.
While security policies and procedures are essential, their
effectiveness depends on how diligently and
consistently an organization follows them.