Alberta Participates in Global Privacy Sweep on ‘Internet of Things’

September 22, 2016

Alberta’s connected devices fared well, but six in ten “Internet of Things” gadgets don’t properly tell customers how their personal information is being used, an international study has found.

The Office of the Information and Privacy Commissioner (OIPC), along with 24 privacy regulators around the world, looked at internet-connected devices to consider how well organizations communicate privacy matters to their customers. In Alberta, the review focused on smart meters used by utility companies for billing and insurance companies’ usage-based insurance (UBI) programs for vehicles.

Generally, in Alberta, the results were positive and privacy issues and risks were adequately communicated.

Earlier this year insurance companies were permitted to offer UBI policies to customers in Alberta. Before being allowed to enter the Alberta market, the Superintendent of Insurance (Alberta Treasury and Finance) required insurance providers to submit privacy impact assessments (PIAs) to the OIPC for review and acceptance prior to implementation. To date, three such PIAs have been accepted by the OIPC.

Meanwhile, both smart meter programs analyzed were encrypting the transmission of information between the smart meters and meter readers, and the information was non-identifiable until which time that it was matched to customer identification in a secure environment.

“The ingenuity and advancements in the Internet of Things in such a short time is astonishing, and in many ways these devices do provide a variety of benefits,” said Information and Privacy Commissioner Jill Clayton. “But the exponential increase of what are essentially surveillance devices does give pause to consider what impacts they may have on privacy rights. This review provides an opportunity for me and fellow privacy regulators to identify best practices, trends and gaps in understanding for businesses and consumers.”

Internationally, the report showed that of the more than 300 devices reviewed:

  • 59 per cent failed to adequately explain to customers how their personal information was collected, used and disclosed
  • 68 per cent failed to properly explain how information was stored
  • 72 per cent failed to explain how customers could delete their information off the device
  • 38 per cent failed to include easily identifiable contact details if customers had privacy concerns

The work was coordinated by the Global Privacy Enforcement Network, and follows previous sweeps on online services for children, website privacy policies and mobile phone apps.

The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of 51 privacy enforcement authorities in 39 jurisdictions around the world.