Responding to the Crisis in Canadian Telecommunications

May 1, 2014


Categories: Articles, Christopher Parsons

By Christopher Parsons

On April 29, 2014 the Interim Privacy Commissioner of Canada, Chantal Bernier, revealed that Canadian telecommunications companies have disclosed enormous volumes of information to state agencies. These agencies can include the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Canadian Border Services Agency, as well as provincial and municipal authorities. Commissioner Bernier’s disclosure followed on news that federal agencies such as the Canadian Border Services Agency requested access to Canadians’ subscriber data over 19 thousand times in a year, as well as the refusal of Canadian telecommunications companies to publicly disclose how, why, and how often they disclose information to state agencies.

This post argues that Canadians are not powerless. They can use existing laws to try and learn whether their communications companies are disclosing their personal information to state agencies. I begin by explaining why Canadians have a legal right to compel companies to disclose the information that they generate and collect about Canadians. I then provide a template letter that Canadians can fill in and issue to the telecommunications companies providing them with service, as well as some of the contact information for major Canadian telecommunications companies. Finally, I’ll provide a few tips on what to do if companies refuse to respond to your requests and conclude by explaining why it’s so important that Canadians send these demands to companies providing them with phone, wireless, and internet service.

Why You Can Request Your Personal Information

Per Canadian privacy law, all Canadians can request that companies explain and disclose the kinds of personal information that they retain about the requesting Canadian citizen. Principle 4.9 of Schedule 1 and section 8 of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), legitimize such requests and compel organizations to respond to them when those organizations have significant connections with Canada. Obviously Canadian telecommunications companies that have their headquarters in Canada and that primarily service Canadians meet this requirement.

Using PIPEDA it is possible for Canadians to learn what information their telecommunications companies hold about them, for how long, for what purposes, and when they disclose that information. In effect, it can empower Canadians to understand how companies manage the personal information entrusted to them and then make informed decisions about whether they want to maintain that commercial relationship. Significantly, based on the disclosures from the Privacy Commissioner of Canada, it was only after a telecommunications subscriber complained about how their information might be shared that they learned their information had been disclosed to state agencies.

A Template to Request Access

The following template can be used to compel your telecommunications provider to disclose the personal information it collects, retains, manages, and discloses about you. The text does not assume that you will send it by email or by letter mail, nor is it written for specific services (i.e. for just wireless or just internet services information). As a result, you should be able to send the letter to whichever companies are providing you with telecommunications service.

Feel free to modify the text as you deem necessary. Sections that are bolded require you to insert information, such as the company, the mailing address, your personal information, or your account information.

[Subscriber mailing address]

[Date]

[Mailing information for company]

To: [Company] Privacy Officer,

Re: [Name of Account Subscriber]

Dear Privacy Officer:

I am a subscriber to your telecommunications service, and am interested in understanding the kinds of personal information that you maintain and retain about me. So this is a request to access my personal data under Principle 4.9 of Schedule 1 and section 8 of Canada’s federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).

I am requesting a copy of all records which contain my personal information from your organization. The following is a non-exclusive listing of the information that [name of company] may hold about me:

  • All logs of IP addresses associated with me, my devices, and/or my account (e.g. IP addresses assigned to my devices/router, IP addresses or domain names of sites I visit and the times, dates, and port numbers)
  • Listing of ‘subscriber information’ that you store about me, my devices, and/or my account
  • Any geolocational information that you may have collected about me, my devices, and/or associated with my account (e.g. GPS information, cell tower information)
  • Text messages or multi-media messages (sent and received, including date, time, and recipient information)
  • Call logs (e.g. numbers dialed, times and dates of calls, call durations, routing information, and any geolocational or cellular tower information associated with the calls)
  • Information collected about me, or persons/devices associated with my account, using one of your company’s mobile device applications
  • Any additional kinds of information that you have collected, retained, or derived from the telecommunications services or devices that I, or someone associated with my account, have transmitted or received using your company’s services
  • Any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies

If your organization has other information in addition to these items, I formally request access to that as well. Please ensure that you include all information that is directly associated with my name, phone number, e-mail, or account number, as well as any other account identifiers that your company may associate with my personal information.

You are obligated to provide copies at a free or minimal cost within thirty (30) days of receipt of this message. If you choose to deny this request, you must provide a valid reason for doing so under Canada’s PIPEDA. Ignoring a written request is the same as refusing access. See the guide from the Office of the Privacy Commissioner at: http://www.priv.gc.ca/information/guide_e.asp#014. The Commissioner is an independent oversight body that handles privacy complaints from the public.

Please let me know if your organization requires additional information from me before proceeding with my request.

Here is information that may help you identify my records:

Full Name: [Name]
Account Number: [Number]
Email Associated With Account: [Email address]
Phone Number Associated with Account: [Phone number]

Sincerely,
[Name]

Contact Information

The following includes contact information for many of Canada’s telecommunications companies. It parallels the list of companies that Citizen Lab previously asked to voluntarily disclose how, how often, and why they share information with government agencies.

Bell

The Office of the Bell Privacy Ombudsman
160 Elgin St.
Ottawa ON K2P 2C4

email: privacy@bell.ca

Bell Aliant

Bell Aliant
Attn: Privacy Manager
1st Floor, Fort William Building
P.O. Box 2110
St. John’s, NL A1C 5H6

email: PrivacyManager@bellaliant.ca

Bragg Communications

Eastlink
Attn: Privacy Officer
P.O. Box 8660, Station A
6080 Young Street, 8th Floor
Halifax, NS, B3K 5M3

e-mail: privacy@corp.eastlink.ca

Cogeco

COGECO CABLE INC.
Attn: Caroline Dignard, Chief Privacy Officer
5 Place Ville-Marie, Suite 1700
Montréal, Québec, H3B 0B3

email: privacy@cogeco.com

Distributel

Distributel Communications Limited. c/o Privacy Officer
177 Nepean St. Suite 300,
Ottawa, ON, K2P 0B4

email: privacy.officer@distributel.ca

Fido

Chief Privacy Officer
Fido Solutions
800 De La Gauchetière Street West
Suite 4000
Montréal, Quebec, H5A 1K3

MTS Allstream

Allstream Privacy Officer
200 Wellington Street West, Suite 1200
Toronto, Ontario M5V 3G2

email: privacyoffice@mtsallstream.com

Primus

Primus Telecommunications Canada Inc.
Primus Legal Department c/o Privacy Officer
5343 Dundas Street West
Toronto, ON, M9B 6K5

Rogers

Chief Privacy Officer
Rogers Group of Companies
333 Bloor Street East
Toronto, Ontario, M4W 1G9

Sasktel

Chief Privacy Officer
SaskTel
13th Floor, 2121 Saskatchewan Drive
Regina, SK S4P 3Y2

e-mail: privacy.matters@sasktel.sk.ca

Shaw

Shaw Privacy Officer
630–3rd Ave. S.W.
Calgary, AB, T3P 4L4

email: privacy@shaw.ca

TekSavvy

Privacy Ombudsman
TekSavvy Solutions Inc.
800 Richmond Street
Chatham, Ontario N7M 5J5

Fax: 519–360–1716
email: privacy@teksavvy.com

TELUS

TELUS Communications Company Privacy Request Centre
PO Box 2590, Station M
Calgary, Alberta
Canada T2P 5J6

email: privacy@telus.com

Videotron

Videotron
Attn: Alain Charlebois, Vice-President, Human Resources
612 St-Jacques Street West, 4th floor, North Tower
Montreal (Quebec) H3C 4M8

Wind Mobile

Globalive Wireless Management Corp.
Chief Privacy Officer
207 Queen’s Quay West
Suite 710, PO Box 114
Toronto, ON M5J 1A7
Canada

email: privacyofficer@windmobile.ca

Xplornet

Xplornet Communications Inc.
Attn: Chief Privacy Officer
300 Lockhart Mill Road
P.O. Box 9060
Woodstock, NB, E7M 6B5

Dealing with Non-Responses

Most Canadian companies, and their associated privacy officers, should be familiar with receiving, processing, and responding to these requests for personal information. However, you may find that companies ignore you, or actively resist disclosing information, or attempt to mislead you. Here are a few tips to try to get your personal information if you think the company that you’re working with is failing to comply with your request.

A Reminder

Many of Canada’s ISPs have significant bureaucracies and not all of them are equally resourced or staffed. As a result, sometimes things just get lost. The first thing you can do if you don’t receive a response (including an acknowledgement of receiving your request) is to send a polite note or reminder. This will, ideally, (re)initiate the company’s policies and bureaucratic structures to respond to your request. If thirty days go by and you don’t hear anything, then send a polite note asking why they have failed to provide you with your personal information. If you still haven’t heard from them after this reminder, then you can complain to the federal privacy commissioner.

Complaint to the Privacy Commissioner of Canada

The federal Office of the Privacy Commissioner of Canada (OPC) is a designated ombudsperson; the office effectively acts as the federal point-institution for all things privacy. If a company either refuses to disclose your information, or is providing information in a manner that you think is misleading or false (e.g. they say they’ve given you everything, but you have very good reason to believe that the company has collected, or is collecting, further information about you) then you have the option of filing a written request to the Office. In your written complaint you’ll want to explain everything that you’ve done to date: when you sent your first request, responses from the company (if there have been any), and why you have a problem with their (lack of) response. Importantly, you don’t need to be a lawyer or privacy specialist to file a complaint!

Note that the OPC does not accept complaints by email, so you’ll need to file by letter mail to the address below or submit via their website:

Office of the Privacy Commissioner of Canada
Place de Ville, Tower B
112 Kent Street, 3rd Floor
Ottawa, Ontario K1A 1H3
Telephone: 613–947–1698 or 1–800–282–1376
Fax: 613–947–6850

Web complaint address: https://complaint-plainte.priv.gc.ca/en/

The OPC can act as a mediator between you and the telecommunications company in question, helping all parties involved to resolve the company’s failure to disclose your information. Alternately, they can investigate the company’s practices to see if they are actively flouting federal law. Ideally, however, getting the OPC involved will mean that the company will (eventually) disclose your personal information.

Why Your Requests Matter

Beyond simply exercising your legal rights, these requests matter on both the personal and the national level. Personally, by filing these requests you will be empowered to think about whether you’re OK with the amount(s) of information that your telecommunications companies collect or record about you, the duration of time they record that information, and their willingness to explain who they share information with. In effect, you won’t be at the mercy of pundits and talking heads to explain whether the collection of data matters to your life, in the abstract, because you’ll have the data in hand to make your own decisions and reach your own conclusions.

Beyond self-empowerment, it’s important for Canadians generally to file these requests to telecommunications companies because the companies have so steadfastly refused to communicate with the experts, with government bodies, and with interested members of the press. Almost all of the ‘polite’ ways of figuring out what these companies are up to have been exhausted: it’s time, unfortunately, to compel these companies to explain why they collect data, how much of it they collect, and explain why they disclose the information. To be clear, telecommunications companies in the United States and Europe have already begun releasing ‘transparency reports’, or documents explaining how and why the companies share information with state agencies. Those reports are the result of American and European publics supporting their civil advocates and privacy officers, lending their incredibly powerful voices to the policy and legal efforts that had been ongoing for years. Canadians are amongst the most digitally connected populations on earth: now it’s time for us all to figure out who’s been monitoring, and disclosing, who we’ve been connecting to and whether existing practices need to be reined in.


16 Comments

  1. Reality Bytes
    Posted May 1, 2014 at 2:41 pm | Permalink

    Just wanted to drop a note to say thanks for posting this.

    Will give it a try and see where it leads to.

  2. Posted May 2, 2014 at 8:57 am | Permalink

    Sent to Bell, which took almost 30 seconds (;-))

  3. M. Nosle
    Posted May 4, 2014 at 12:35 pm | Permalink

    This is great, I hope more people use this, I’m telling everyone I know about it – have you thought about connecting with PSAC and having them disseminate this template on their website, I’m sure there are many civil servants who would love to see their request results.

    Thanks for the effort and the template.
    As a subscriber to Rogers I filled it out using the following address information directly from Rogers –

    How can I contact you?
    If you have any questions about this Privacy Policy, you can contact:
    Chief Privacy Officer
    333 Bloor Street East
    Toronto, Ontario
    M4W 1G9 or email: privacy@rci.rogers.com

    As I always use a read receipt, I received the following reply:

    Your message

    To: privacy
    Subject: Request To Access My Personal Data Via PIPEDA
    Sent: Friday, May 2, 2014 11:45:36 PM (UTC) Monrovia, Reykjavik

    was read on Friday, May 2, 2014 11:49:04 PM (UTC) Monrovia, Reykjavik.

    According to MS this reflects that,
    “… the time zone setting in Microsoft Outlook Web App is incorrect. Instead of being set to the user’s current time zone, the time zone setting is set to (UTC) Monrovia, Reykjavik”.

    They don’t seem to have any technological problems coughing-up countless subscribers’ private (?) information but can’t seem to set the time correctly on their Outlook Web App. I wonder what else Rogers can’t get straight?

    Thanks again

    M

  4. Chris
    Posted May 5, 2014 at 2:54 pm | Permalink

    Vonage Canada’s Privacy Officer may be contacted at:

    Attention: Vonage Canada Corp. c/o Privacy Officer
    23 Main Street
    Holmdel, NJ 07732
    USA
    E-mail: vc_privacyofficer@vonage.com
    Phone: 732-226-3319

  5. andres
    Posted May 5, 2014 at 8:55 pm | Permalink

    great stuff, i’m getting right on this.

    Thanks,
    =a

  6. Brandon
    Posted May 5, 2014 at 9:31 pm | Permalink

    Anyone happen to have the privacy Email for Start Communications?

  7. Patrick Boivin
    Posted May 6, 2014 at 2:43 pm | Permalink

    I took it upon myself to add a bullet for my own request, that I added at the end of the list in my letter to Bell:

    • List of all organizations with whom the data related to my accounts have been shared with, including the number of times these data have been shared, the time and dates of such data sharing and the amount of money received in exchange of such data.

  8. Marc W.
    Posted May 6, 2014 at 6:20 pm | Permalink

    Can you make one request for all members in a family (husband, wife and children), or must these be one per person?

    Also, perhaps consider correcting a minor typo in the first sentence of the form letter, from:
    “I am subscriber to your telecommunications service…”
    to:
    “I am a subscriber to your telecommunications service…”

    Thanks, great post!
    -Marc

  9. ConcernedCitizen
    Posted May 8, 2014 at 12:34 am | Permalink

    Thank you for posting this template. I sent mine off to Shaw immediately! I can’t wait to see what information they have disclosed without my knowledge. Out of curiosity, how are the results delivered? Are they mailed out? Sent as a PDF?

    Thanks again for your hard work.

    ConcernedCitizen

  10. Bobby Bittman
    Posted May 22, 2014 at 10:33 am | Permalink

    I just sent my request to Koodo. They called me back and walked me through their policies for each point (what they retain and for how long). They also indicated that if they pull the information that I requested, they would now need to retain it for 7 years, regardless of their existing policy, to comply with PIPEDA. I’m not sure how comfortable I am with my info being held for 7 years rather than less than 2 years for most of the items. I instead requested that they provide me with a letter indicating how long each item is retained.

    Does anyone have a different experience?

  11. Another Citizen
    Posted May 28, 2014 at 3:05 am | Permalink

    Seconding Marc’s question about how to deal with families sharing a telecommunications service.

    Also, any chance we could get sample letters for other industries? After listening to the CANADALAND podcast, I am curious if other organizations like my bank maintain interesting records on me, as well as what the appropriate channels are to make requests of government agencies like the CRA for their files.

  12. David E. Schellenberg
    Posted May 29, 2014 at 11:06 pm | Permalink

    My thanks also to Citizenlab for providing this information.

    I have sent the template email to MTS.
    Two weeks later I received a phone call from someone at MTS asking me why I had sent this request.
    I spelled it out in full.
    She wouldn’t tell me if many people had made such requests. She also said that MTS may not be able to provide the answer within the legislated time (what is that, by the way?) and may have to ask for an extension.

    Dave S.

  13. Christopher Parsons
    Posted May 30, 2014 at 10:33 am | Permalink

    They have 30 days to respond, but are permitted to ask for extensions. More information is available, here: http://www.priv.gc.ca/leg_c/interpretations_05_access_e.asp

  14. David E. Schellenberg
    Posted June 6, 2014 at 5:06 pm | Permalink

    Now I got a letter saying:
    “Due to the extent of your request, we will not be in a position to respond to your request within the 30 day limit”
    They say I can expect a response by July 2.

    Dave S.

  15. Dave
    Posted July 9, 2014 at 9:57 am | Permalink

    Can you please create a request form for ColbaNet? I sent them a request almost a month ago and have yet to receive any response or acknowledgement.

  16. Ryan
    Posted July 14, 2014 at 8:21 pm | Permalink

    I got a response from Rogers (Fido).

    Other than the customer service log, they did not provide any other useful information.

    They completely avoided answering this question: “Any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies”, by just copy/pasting some parts of the PIPEDA law as the answer to my question!?!

    What now?
