BC’s Privacy Commissioner to audit private liquor and cannabis retailers
On November 25th BC’s Information and Privacy Commissioner Michael McEvoy announced that his office will review BC’s licensed private sector liquor and cannabis retailers’ privacy practices under the office’s Audit and Compliance Program. The news release can be read here.
The Office of the Information and Privacy Commissioner (the “OIPC”) did not release a timeline for the review or for the publication of its findings.
British Columbia’s Personal Information Protection Act (“PIPA”) establishes a regime that governs the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Every organization subject to PIPA, including private liquor stores and cannabis retailers, is responsible for the personal information it collects, uses, and discloses. Every such organization must designate someone within the organization to be responsible for ensuring compliance with the Act’s requirements.
The Audit and Compliance Program
The Audit and Compliance Program measures an organization’s or industry’s compliance with BC’s information and privacy laws and makes recommendations to improve privacy and access practices, policies, guidelines, and legislation.
Some of the areas assessed by the Audit and Compliance Program include:
- Management policies and procedures
Reviewing an entity’s privacy protection programs and its information- and data-sharing agreements.
- Collection, use, disclosure and retention practices
Assessing the entity’s collection, use, disclosure and retention of personal information; whether appropriate notice has been given and consent obtained; and whether the entity limits the collection, use, disclosure and retention of personal information to only what it needs to administer a program or business.
- Protections and safeguards
Examining an entity’s access, disclosure and protection provisions; its administrative, technical and physical safeguards; staff knowledge and training related to privacy and the protection of personal information; and whether and how the entity protects personal information in its custody or under its control by making reasonable security arrangements against risks such as unauthorized access, collection, use, disclosure or disposal.
- Accountability and compliance monitoring
Evaluating how the entity monitors compliance with its privacy policies and procedures; its accountability practices; how it handles privacy-related complaints; whether it conducts internal or external audits of its safeguards; and whether it analyzes breaches that may have occurred.
How will the audit be conducted?
In order to objectively identify locations and topics for assessment, OIPC staff will interview stakeholders, analyze internal files (complaints, requests for review and breach reports), review information collected from other entities, and consider other investigations and policy projects recently completed, currently underway or about to be initiated.
The OIPC will notify involved entities in advance of an assessment and provide information outlining the intention to conduct an assessment as well as a general outline of the scope, objectives, methodology and anticipated timelines.
Each assessment has unique requirements and objectives but store owners and management should expect an assessment will likely involve some combination of:
- interviews with senior staff;
- an inspection of the premises, with attention to programs that collect personal information and safeguards employed by the store (for example: inspection of electronic programs or databases, reviews of security procedures, or examination of physical security measures);
- file reviews based on the nature of the business (for example, inspection of client files, access logs, communications, etc.); and
- questionnaires to assess knowledge and awareness of, satisfaction with, or attitudes toward privacy policies and processes.
Prior to public release, the Commissioner will send a final copy of the full report (and, if applicable, the executive summary for public distribution) to the entities involved in the examination. In most cases, the Commissioner will provide a news release relating to the assessment and the final report.
An example of a recently completed compliance review of medical clinics can be read here.
Is your establishment ready for examination?
If you own or operate a private liquor store (wine store, special wine store, licensee retail store (LRS)) or cannabis retail store, consider the array of personal information your establishment may collect:
- Dates of birth (from a customer loyalty database or ID-checking software)
- Images of individuals captured by video surveillance
- Device identifiers (for example, cookies or IP addresses) of visitors to your store’s website
- Customer contact and delivery information
- Credit card or other banking information
- Particulars of the nature and quantity of alcohol or cannabis purchased by individuals
Are you and your staff familiar with PIPA? Have you designated someone in your organization to be responsible for PIPA compliance?
If you or your organization has questions or concerns about a pending assessment or its PIPA obligations generally, contact Dan Coles at Owen Bird.
*Alcohol & Advocacy publishes articles for information purposes only. They are not a substitute for legal advice, and persons requiring such advice should consult legal counsel.