Earlier this week, the Information & Privacy Commissioner of British Columbia issued a decision (P09-01) related to the controversial practice of scanning photo IDs of patrons by bars, pubs and night clubs.
From the Commissioner's media release:
FOR IMMEDIATE RELEASEJuly 21, 2009
Information and Privacy Commissioner Releases Order on Driver’s Licence
ScanningVICTORIA — Information and Privacy Commissioner David Loukidelis today released
Order P09-01, in response to a complaint about the scanning of a bar customer’s
driver’s licence. The customer complained that, when he went to the bar, employees
asked him to produce his driver’s licence, swiped it through a card reader and then
required him to have his digital photograph taken. He did not receive what he
considered to be a reasonable explanation for why his personal information was being
collected and later complained under B.C.’s Personal Information Protection Act
(“PIPA”), which regulates the collection, use and disclosure of personal information by
businesses.The OIPC investigated the complaint twice and a formal hearing was eventually held.
In Order P09-01, the Commissioner has decided that section 7(2) of PIPA does not
allow the organization complained about, the Wild Coyote Club, to force its customers to
give up their personal information, to the extent this is now being done, as a condition of
being allowed into the bar.Section 7(2) says a business “must not, as a condition of supplying a product or service,
require an individual to consent to the collection, use or disclosure of personal
information beyond what is necessary to provide the product or service.”
The Commissioner accepted that it is “necessary” to collect personal information of
certain customers for the purpose of operating a nightlife establishment, but not
“to develop and maintain a personal profile containing the personal information of all
customers in order to effectively track the few who may be removed from, and
subsequently barred from re-entering, an establishment. Certainly, the full scope of
information which is collected by Wild Coyote and the length for which it is retained is
not necessary to achieve that purpose” (para. 98). The Commissioner therefore found
that “a requirement for consent to the collection of personal information through the
TreoScope system is a requirement for consent to the collection and use of information
‘beyond what is necessary’ for providing the service of operating a nightlife
establishment in the terms I have described” (para. 98).Section 11 of PIPA says a business “may collect personal information only for purposes
that a reasonable person would consider appropriate in the circumstances”.The Commissioner found that, under s. 11 of PIPA, the collection of personal
information was not appropriate in the particular circumstances, including given the
nature and amount of personal information being collected. He found that “it is
reasonable, in the case of Wild Coyote, for it to be able, in order to preserve a safe
environment for customers, to identify those individuals who have been determined to
be violent, or otherwise undesirable for re-entry from a safety perspective, and thus
improve customer safety” (para. 127). He went on to say, however, that “much of the
information collected by the TreoScope system”, including driver’s licence numbers,
“does not further this safety purpose”, adding, “Moreover, I have not been provided with
any reason related to improved customer safety for an establishment’s retention of any
information at all relating to customers who are not involved in violent incidents”
(para. 127).As regards moving forward with a system for keeping banned customers out of bars,
Loukidelis said this:[132] Of course, I have received no submissions from the other parties on this
alternative, and no details from Wild Coyote on how the system would operate
if it were aimed at only maintaining a list of banned customers. As a result,
I can only decide whether or not the collection as a whole, as it was being
conducted at the time of the Investigation Report, complies with s. 11 of PIPA.
For reasons already given, I conclude that it is not. The alternative proposed in
Wild Coyote’s supplemental submissions would likely involve different
considerations and cannot be addressed here.In closing, the Commissioner said this:
[151] … I am well aware of, indeed share, public concern about gang violence
and public safety in British Columbia. Some may assert that the technology
involved here is synonymous with safety, such that any decision perceived to
constrain ID scanning is a decision against safety. These are easy claims to
make, but my duty is to apply PIPA based on the evidence and argument
actually before me, which I have done.[152] On the basis of the material before me, I have decided that it is
reasonable for Wild Coyote to be able, in order to preserve a safe environment
for customers, to identify those individuals who have been determined to be
violent or otherwise undesirable for re-entry from a safety perspective, and thus
improve customer safety. For the reasons given above, however, the collection
of personal information as a whole does not comply with PIPA. In this
light, and in view of the reasons given above, I invite –– indeed, strongly
encourage––those involved to seek the views of this Office if they wish to find
a solution for collecting personal information of a nature, and in a manner, that
complies with PIPA.Neither the Commissioner nor the OIPC will be giving interviews or commenting on this
decision.
For previous posts on this topic, see the keywrd "id swiping".
