Often, collection activity requires interacting with personal information about a consumer, in order to research, contact or collect from that consumer. Whether you are in an internal receivables department, third party collection agency, or you are a legal agent for a creditor, we are all bound by rules protecting a consumer's personal information from misuse.
On the other side of the fence, consumers are understandably concerned about how their personal information is gathered and used -- at a push of a button, I can pull a credit report on a consumer showing seven years of purchasing behaviour, or access title ownership of their home, or google anything they may have ever put up on the internet.
In Canada, we have PIPEDA -- a federal act that determines what personal information can be gathered and used by a company.
What Is PIPEDA?
The
Personal Information Protection and Electronic Documents Act (PIPEDA) was
introduced in 2001 by Industry Canada, and fully came into effect January 1,
2004. It establishes rules to govern the
collection, use, and disclosure of personal information in a manner that
balances the right of privacy of all individuals with the need of organizations
to collect, use or disclose personal information for a reasonable purpose.
The
act can be found at http://laws.justice.gc.ca/en/P-8.6/
Personal
information includes the following about any consumer or individual:
- Name
- Age
- Income
- ID Numbers (including file numbers, account numbers, etc)
- Evaluations (including credit bureau reports)
- Employment history
- Credit records and loan records
- Intentions (including credit applications)
Personal
information does not include the name, title, or business address or telephone
number of an employee of an organization.
Who
Has To Follow PIPEDA?
This Act affects
every Canadian, and every organization that does business in Canada. Organizations
are, once the Act takes effect, required to obtain the individual’s consent to
disclose personal information. The
operating guideline is that no one will be able to make use of an individual’s
personal information without that person’s permission.
However,
Principle 4.3 of the Act stipulates that the knowledge and consent of the
individual are required for the collection, use, or disclosure of personal
information, except where inappropriate. This principle is modified by section
7(3)(b), which states that for the purpose of clause 4.3, an organization may
disclose personal information without the knowledge or consent of the
individual only if the disclosure is for the purpose of collecting a debt owed
by the individual to the organization.
This allows a creditor or their agent certain latitude within the
requirements of PIPEDA.
PIPEDA &
Collection Agencies
All creditors should
have already received the individuals consent to disclose personal information
in a credit application or the initial stages of their relationship with the consumer,
and all information gathered by the creditor from the consumer or relating to
the consumer should have been on a voluntary basis, and within the scope of the
Act.
After a consumer’s
file comes to a collection agency, there is an exception to PIPEDA that you may
disclose personal information without that individual’s knowledge or consent to
collect a debt – this isn’t blanket permission to do so indiscriminately
without regard for the consumers’ privacy, but certainly allows the focused
pursuit of the debt itself. This must be
done without disclosing the debt itself to an outside party – but for the
locating of a consumer, verification of certain information on hand such as an
address or consumer identity, leaving messages to attempting to reach the
consumer, or the execution of a judgment.
Organizations must follow a code for the
protection of personal information, which is included in the Act as Schedule 1.
The code was developed by business,
consumers, academics and government under the auspices of the Canadian
Standards Association. It lists 10 principles of fair information practices,
which form ground rules for the collection, use and disclosure of personal
information. These principles give individuals control over how their personal
information is handled in the private sector.
The
10 principles that businesses must follow are:
1.
Accountability
2.
Identifying
purposes
3.
Consent
4.
Limiting
collection
5.
Limiting
use, disclosure, and retention
6.
Accuracy
7.
Safeguards
8.
Openness
9.
Individual
access
10.
Challenging
compliance
Information
gathered independently from the consumer that refers to public records
(bankruptcy, judgments, property ownership, telephone numbers, etc) may be
legitimately collected for the use of collection of a debt.
When
pulling a credit bureau report on a consumer, there must be permissible purpose
under the consumer protection act of your relevant province, permission given
by the consumer in relation to a credit application, or an exception under 4.3
of PIPEDA regarding the pursuit of a debt.
If
executing a court action to acquire judgment against a consumer, some
interaction with outside parties may be necessary to have a consumer served
with papers, or executing a judgment, but some discretion is necessary. Another party might be served documents, for
example, but they should be in a sealed envelope or addressed to a specific
outside party such as a payroll manager receiving a garnishment order.
A Credit Management
Policy That Adhere to PIPEDA
To
adhere to the ten principles above, a credit department should follow the
following policies set down by management:
- The company will only use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act.
- The company will keep personal information only as long as necessary to satisfy the purposes.
- Any physical documentation that is not necessary to retain will be destroyed.
- Any electronic documentation that over seven years old will be archived, destroyed, or returned to the original creditor.
- The company will make every effort to protect personal information against theft, loss, or misuse, and require every staff member to do the same.
- If a consumer requests information, the company will freely inform them of any information on file, including credit bureau information, collection notes, identification information such as addresses or social insurance numbers.
- If a consumer asks where a company obtained information about them, they will freely inform them of the source of the information (be it trace work, client information, credit bureau information, etc).
- If a consumer requests any personal information, the company will freely give it to them (including documentation supporting the debt, credit bureau reports, payment history, note lines, copies of correspondence, etc).
PIPEDA and the
Collection Agencies Act
If a collection agent
is in compliance with the Collection Agencies Act regarding disclosure of
information to third parties, they will be in compliance with PIPEDA. Our industry has certain principles we are
required to follow to operate as an agency. As an example, our firm's policies include:
- An agency cannot disclose any information to a third party without the debtor’s consent
- All information an agency gathers will be used for the sole purpose of collecting a debt
- Under no circumstances will any physical information regarding collection or debtor personal information be removed from the agency’s office without signed permission.
- All agency staff members should sign a non-disclosure agreement that dictates adherence to the Act.
The
Privacy Commissioner’s Relevant Findings
There have been a number of inquiries and complaints by consumers to the Privacy Commissioner in regards to creditors and collection agencies using personal information in pursuit of a debt. Below are links to selected
cases from the commissioner referring to credit and collections
practices that are excellent research points for credit management and collections staff.
Conclusion
If
you are a credit manager that wants to know your rights and options regarding the
collection and use of consumer data, we would be pleased to assist you in
reviewing your current processes. Feel
free to contact myself at our Cambridge office.
Blair
DeMarco-Wettlaufer
Kingston
Data and Credit
Cambridge,
Ontario
226-444-5695
226-444-5695
Great Article! Thanks for posting!
ReplyDelete