Often, collection activity requires interacting with personal information about a consumer, in order to research, contact or collect from that consumer. Whether you are in an internal receivables department, third party collection agency, or you are a legal agent for a creditor, we are all bound by rules protecting a consumer's personal information from misuse.
On the other side of the fence, consumers are understandably concerned about how their personal information is gathered and used -- at a push of a button, I can pull a credit report on a consumer showing seven years of purchasing behaviour, or access title ownership of their home, or google anything they may have ever put up on the internet.
In Canada, we have PIPEDA -- a federal act that determines what personal information can be gathered and used by a company.
What Is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) was introduced in 2001 by Industry Canada, and fully came into effect January 1, 2004. It establishes rules to govern the collection, use, and disclosure of personal information in a manner that balances the right of privacy of all individuals with the need of organizations to collect, use or disclose personal information for a reasonable purpose.
The act can be found at http://laws.justice.gc.ca/en/P-8.6/
Personal information includes the following about any consumer or individual:
- ID Numbers (including file numbers, account numbers, etc)
- Evaluations (including credit bureau reports)
- Employment history
- Credit records and loan records
- Intentions (including credit applications)
Personal information does not include the name, title, or business address or telephone number of an employee of an organization.
Who Has To Follow PIPEDA?
This Act affects every Canadian, and every organization that does business in Canada. Organizations are, once the Act takes effect, required to obtain the individual’s consent to disclose personal information. The operating guideline is that no one will be able to make use of an individual’s personal information without that person’s permission.
However, Principle 4.3 of the Act stipulates that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. This principle is modified by section 7(3)(b), which states that for the purpose of clause 4.3, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is for the purpose of collecting a debt owed by the individual to the organization. This allows a creditor or their agent certain latitude within the requirements of PIPEDA.
Organizations must follow a code for the protection of personal information, which is included in the Act as Schedule 1. The code was developed by business, consumers, academics and government under the auspices of the Canadian Standards Association. It lists 10 principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. These principles give individuals control over how their personal information is handled in the private sector.
The 10 principles that businesses must follow are:
2. Identifying purposes
4. Limiting collection
5. Limiting use, disclosure, and retention
9. Individual access
10. Challenging compliance
Information gathered independently from the consumer that refers to public records (bankruptcy, judgments, property ownership, telephone numbers, etc) may be legitimately collected for the use of collection of a debt.
When pulling a credit bureau report on a consumer, there must be permissible purpose under the consumer protection act of your relevant province, permission given by the consumer in relation to a credit application, or an exception under 4.3 of PIPEDA regarding the pursuit of a debt.
If executing a court action to acquire judgment against a consumer, some interaction with outside parties may be necessary to have a consumer served with papers, or executing a judgment, but some discretion is necessary. Another party might be served documents, for example, but they should be in a sealed envelope or addressed to a specific outside party such as a payroll manager receiving a garnishment order.
A Credit Management Policy That Adhere to PIPEDA
To adhere to the ten principles above, a credit department should follow the following policies set down by management:
- The company will only use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act.
- The company will keep personal information only as long as necessary to satisfy the purposes.
- Any physical documentation that is not necessary to retain will be destroyed.
- Any electronic documentation that over seven years old will be archived, destroyed, or returned to the original creditor.
- The company will make every effort to protect personal information against theft, loss, or misuse, and require every staff member to do the same.
- If a consumer requests information, the company will freely inform them of any information on file, including credit bureau information, collection notes, identification information such as addresses or social insurance numbers.
- If a consumer asks where a company obtained information about them, they will freely inform them of the source of the information (be it trace work, client information, credit bureau information, etc).
- If a consumer requests any personal information, the company will freely give it to them (including documentation supporting the debt, credit bureau reports, payment history, note lines, copies of correspondence, etc).
PIPEDA and the Collection Agencies Act
If a collection agent is in compliance with the Collection Agencies Act regarding disclosure of information to third parties, they will be in compliance with PIPEDA. Our industry has certain principles we are required to follow to operate as an agency. As an example, our firm's policies include:
- An agency cannot disclose any information to a third party without the debtor’s consent
- All information an agency gathers will be used for the sole purpose of collecting a debt
- Under no circumstances will any physical information regarding collection or debtor personal information be removed from the agency’s office without signed permission.
- All agency staff members should sign a non-disclosure agreement that dictates adherence to the Act.
The Privacy Commissioner’s Relevant Findings
There have been a number of inquiries and complaints by consumers to the Privacy Commissioner in regards to creditors and collection agencies using personal information in pursuit of a debt. Below are links to selected cases from the commissioner referring to credit and collections practices that are excellent research points for credit management and collections staff.
If you are a credit manager that wants to know your rights and options regarding the collection and use of consumer data, we would be pleased to assist you in reviewing your current processes. Feel free to contact myself at our Cambridge office.
Kingston Data and Credit