Vivace ma con Grazia (2005-02-09 18:06:00)
Current music: Odds - Make You Mad
The PIPEDA Saga, Part 1
In January 2004, some absolutely lovely Canadian legislation came into effect, known as the Personal Information Protection and Electronic Documents Act (or, more concisely, PIPEDA). The whole thing is maddeningly complex from my point of view, but in short it serves both to prevent the sharing of an individual's personal information by corporations and to allow individuals to request from Canadian corporations a complete disclosure of all personal information held by that corporation about the individual in question. At work, I am currently working on my share of a response to one of these information requests. And let me tell you, it's one royal pain in the ass.
Let me preface the remainder of this with the usual disclaimer: I Am Not A Lawyer. However, I will attempt to explain relevant bits as they've been explained to me. Hopefully I won't be too far off the mark.
My very short description of the aim of PIPEDA makes it sound great. And indeed, I believe the intentions of the group that wrote the act (apparently none of them lawyers) were admirable. The implementation leaves a lot to be desired, however. The part of the law that deals with disclosing to an individual their own personal information is the worst. We did a quick estimate last year of the person-hours involved in fulfilling one of these requests; we estimated that it would cost a minimum of five figures in employee salary and consulting fees to do an exhaustive search of our paper records, our online electronic records, and the four years of tape backups we have stored off-line... and we don't even keep that much information about people. Enough of these requests could bring a large bank -- which would keep reams of personal information -- to its knees very quickly. Mom-and-pop operations don't have a chance.
The Privacy Commission, the department of the government responsible for overseeing the fair administration of this law, isn't helping matters any either. The law provides a means for the corporation to charge a fair fee for the search and materials (think of the stack of paper to be handed over to the individual); however, the Privacy Commission recently found that a $50 fee charged by one financial institution was "unreasonable." Given the costs likely incurred by the search, I think that ruling is just insane.
I don't mean to be only critical of this law. I think something of this sort was sorely needed. However, as I said, the implementation we have here sucks, big time. As socialist as I am at heart, I think the pendulum has swung too far to the side of the individual. We need something more in the middle.
Over the course of a few postings here, I'm going to try to share some of the techniques we develop for handling this search. I'll likely skip over how we manage the search of our paper records, since I'm not very involved with that, but I will try to provide some technical details of our electronic searches and, hopefully (when I can get approval to do so), some of the details of our decision-making process. I'm hoping this will be useful to some poor sysadmin in the future.