Alcanna’s ID-Scanning at Liquor Stores Reviewed by Information and Privacy Commissioner

October 7, 2021

The Office of the Information and Privacy Commissioner (OIPC) has issued 16 findings and five recommendations under the Personal Information Protection Act (PIPA) to Alcanna in relation to its use of Servall Data Systems’ Patronscan ID-scanning technology in liquor stores.

Summary

The investigation found that the Gaming, Liquor and Cannabis Act (GLCA) authorizes Alcanna to collect and use “name, age and photograph” in order to decide whether to grant entry to an individual. Based on knowledge or belief about an individual’s past conduct, GLCA authorizes the disclosure of this information to other licensees, and requires the information be disclosed to a police officer upon request.

Given GLCA’s provisions, the investigation found it is reasonable for Alcanna to collect and use name and age to identify someone involved in a criminal activity that needs investigating, and to identify someone involved in a prior incident of theft, robbery or violence, and it does not require consent for these purposes.

However, the investigation also found that Alcanna, through the Patronscan system, examines all the information encoded in a driver’s licence barcode, and retains gender and partial postal code in addition to name and age, which contravenes PIPA’s provisions on limited collection and use of personal information (sections 11(2) and 16(2)).

In arriving at this finding, the investigation took into account that, when the legislature amended GLCA in 2009 (formerly the Gaming and Liquor Act), it specifically considered the need to limit the collection and use of personal information to the extent that is reasonable to meet specific purposes.

The investigation also found the privacy notice in Alcanna’s stores was inaccurate and did not provide adequate contact information in case individuals have questions about the collection of their personal information as required by PIPA (section 13(1)). The privacy notice did not accurately identify the personal information that is collected or the purposes for that collection.

There were 16 findings and five recommendations in the investigation. Alcanna and Servall committed to address each of the recommendations.

Alcanna’s use of Patronscan technology was announced in January 2020. During the news conference and in subsequent media interviews, representatives for the organizations assured reporters that the technology had been “approved” by the OIPC. The OIPC, however, was not aware of the pilot project until it was announced.

The OIPC learned that Servall relied on a 2009 privacy impact assessment review of its technology as evidence that the technology complied with PIPA, as well as previous investigations of the technology implemented in nightclubs.

However, the OIPC’s decade-old PIA review letter to Servall said, “As you know, the OIPC cannot endorse or even approve Servall’s product as ‘privacy-compliant’.” Additionally, findings from previous investigations of the technology implemented in nightclubs relied on representations by Servall that the system only collected personal information as authorized under GLCA, which the investigation found is not the case.

Quote

“Overall, this investigation highlights two important issues. The first is that it is clear the legislature intended the 2009 amendments to the GLCA to authorize licensed premises to collect some limited personal information for specific purposes related to investigating and ultimately reducing crime. However, the current language of the GLCA presents a number of practical challenges, particularly when it comes to the use of ID-scanning technologies. I intend to follow up with government and other stakeholders on this point to articulate these challenges and discuss possible solutions.

“Secondly, this investigation serves as a reminder to all businesses that the way in which technology is implemented and what features are engaged, along with several other important considerations such as context, can have substantial implications for compliance. The findings from a review by my office are only as valid as the representations and information made available to us. Additionally, acceptance of a privacy impact assessment is not a ‘seal of approval’ for marketing purposes, particularly when a technology is implemented in a new and different way in a different context.”

– Jill Clayton, Information and Privacy Commissioner