There are a number of curious features to the Privacy Notice splash page for Canada’s new online tool for making access to information (ATIP) requests.
The online tool is certainly a welcome development and nothing in this post is meant to detract from that important effort. However, there are a number of issues raised by the Privacy Notice accompanying the tool that are worth considering and debating when considering how to structure and implement privacy notices.
The online tool contains a “Privacy Notice” on the first page that is more than 530 words long. That doesn’t include all of the information that the reader is directed to by way of hyperlinks or references.
Personally, I don’t think 530 words even when combined with hyperlinks is excessive, although it should be borne in mind that this is for a single tool on a single portal!
What is curious is that the Privacy Notice is not the totality of the privacy terms. There are also “Terms and Conditions” in the footer of the webpage. However, there is no indication in the Privacy Notice that those Terms and Conditions might also contain a “privacy notice”, which is different from and contains additional information regarding information collected by users of the website.
So here’s the question – should all privacy information be in one place? If you split it up, should you be sure to cross-reference it? Would anyone be misled into thinking the Privacy Notice was all there is, given its prominence?
2. Express Consent
Another interesting feature is that the user must also expressly click wrap his or her agreement to the front page Privacy Notice by checking a box that states:
I have read, understood and agree with the above Privacy Notice.
Why must the user expressly agree to the Privacy Notice?
This is not a feature of the paper form, nor is it a feature of the Terms and Conditions, which also contains a “privacy notice”.
What does the express agreement to some, but not all, of the “privacy terms” accomplish? Does the “express consent” feature of the Privacy Notice splash page give a user the false sense that this is all there is?
Another interesting feature of the Privacy Notice is that the Privacy Notice leaves the user to figure out his or her legal rights. The Privacy Notice is plainly worded, but much of the detail is in the hyperlinks or in clauses that are external to the Privacy Notice. Of course, the Privacy Notice is not governed by the federal Personal Information Protection and Electronic Documents Act and so we aren’t really comparing apples to apples if we are comparing the Privacy Notice to what you might find in the private sector. However, the following examples are worth considering:
Retention. The user is told that personal information ”will be kept for the period of time identified in standard Personal Information Bank PSU 901 (Access to Information and Privacy).” The hyperlink isn’t particularly illuminating. If the user accesses it, the user will be told:
For information about the length of time that specific types of common administrative records are maintained by a federal government institution, including the final disposition of those records, please contact the institution’s Access to Information and Privacy Coordinator.
Disclosure. The user is told that information “may be shared with other organizations only in accordance with paragraph 8(2) of the Privacy Act.” A hyperlink elsewhere in the Privacy Notice takes the user to the whole of the Privacy Act. From there, the user is on his or her own. That would be like a private sector entity saying. We disclose your information in accordance with s.7(3) of PIPEDA – here’s a link to the Act – figure it out.
That’s not to say that the Privacy Notice isn’t an improvement over the paper form. The paper form does not even disclose to the user the handling practices of the user’s personal information once the form is submitted. All the paper form states is:
The personal information provided on this form is protected under the provisions of the Access to Information Act and the Privacy Act.
Is this disclosure adequate? Are private sector organizations just over-complicating matters?
There is one last interesting feature of the Privacy Notice. Apparently, if “you are concerned about the confidentiality of information, including your personal information, in transit, you should consider sending it directly to a government institution by secure means.” The recommendation? Mail. This seems to be an odd thing to say, given that the portal to make the online request is supposed to be a secure portal with 128 bit encryption.