Collections and Privacy
Let’s look at privacy of information, and how this applies to collections, both internally and external third party collections. Information is the most powerful tool available in collections – the more information on a file, the more likely the collector or accounts receivable manager can make informed decisions on how to present, negotiate, and recover the debt.
However, privacy of information is key. The Collection Agencies Act and other statutes regarding third party collections deal centrally with the disclosure of information. Collection letters, telephone calls, answering machine messages, emails, and faxes must not violate third party disclosure, with limited exceptions.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents act was introduced in 2001 by Industry Canada, and fully came into effect January 1, 2004. It establishes rules to govern the collection, use, and disclosure of personal information in a manner that balances the right of privacy of all individuals with the need of organizations to collect, use or disclose personal information for a reasonable purpose.
The Act can be found at http://laws.justice.gc.ca/en/P-8.6/
Personal information includes the following about any consumer or individual:
· ID Numbers (including our file numbers)
· Evaluations (including credit bureau reports)
· Employment history
· Credit records and loan records
· Intentions (including credit applications)
Personal information does not include the name, title, or business address or telephone number of an employee of an organization.
Who Has To Follow PIPEDA?
This Act affects every Canadian, and every organization that does business in Canada. Organizations are, once the Act takes effect, required to obtain the individual’s consent to disclose personal information. The operating guideline is that no one will be able to make use of an individual’s personal information without that person’s permission.
If an agent is in compliance with the Collection Agencies Act, they will be in compliance with PIPEDA. Collection agencies have certain principles they are required to follow to operate as an agency:
· An agency cannot disclose any information to a third party without the debtor’s consent
· All information an agency gathers will be used for the sole purpose of collecting a debt
· Under no circumstances will any information regarding collection or debtor personal information be removed from an agency’s physical office
· Most collection agencies require all staff members will sign a non-disclosure agreement or employment contract to adhere to the Collection Agencies Act.
Responsibilities Under PIPEDA
Organizations must follow a code for the protection of personal information, which is included in the Act as Schedule 1. The code was developed by business, consumers, academics and government under the auspices of the Canadian Standards Association. It lists 10 principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. These principles give individuals control over how their personal information is handled in the private sector.
The 10 principles that businesses must follow are:
2. Identifying purposes
4. Limiting collection
5. Limiting use, disclosure, and retention
9. Individual access
10. Challenging compliance
Policies That Adhere to PIPEDA
In setting up a collection agency under the ISO 27001:2005 standards for information security, I established the following policies and guidelines to adhere to the ten principles above, and I believe every proper collection agency policy should follow the following policies.
- The agency will only use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act.
- The agency will keep personal information only as long as necessary to satisfy the purposes.
- The agency will deem any physical documentation that is not necessary to retain will be destroyed.
- Any electronic documentation that over seven years old will be archived or returned to the client.
- The agency will make every effort to protect personal information against theft, loss, or misuse, and require every staff member to do the same.
- If a debtor requests information, the agency will freely inform them of any information we have on file, including credit bureau information, collection notes, identification information such as addresses or social insurance numbers.
- If a debtor asks where the agency obtained information about them, they will freely inform them of the source of the information (be it trace work, client information, credit bureau information, etc).
- If a debtor requests any personal information, the will freely give it to them (there is some contention whether a credit bureau should be provided, as it would be a violation of the Consumer Reporting Act, although the Privacy Commissioner supports the release of a credit bureau report to a debtor under their consolidated findings -- http://www.priv.gc.ca/cf-dc/2005/291_050218_e.cfm)
I have testing for collection agents that test them against the rules of PIPEDA that apply to third party collections, and I would be happy to provide this to anyone interested, to assist with keeping staff informed on the requirements of being the custodians of personal information.
As always, I can be reached at my office at 226-444-5695.