Cameron Wigmore, Green Party Member: August 2009

August 19, 2009

ID scanning at bars banned but bars continue to violate privacy

Here's an article I submitted to the Nav.

Imagine living in a country where private corporations forced citizens to allow the scanning of their ID as a condition for entry into their businesses. Grocery stores, malls, concerts and festivals might be the sort of places where this ID scanning would occur, and the data collected could be stored by the company for a year or more. It would be simple - and in the company's best interests - to get the ID information they collect synchronized with our medical records, allowing them to prevent anyone with serious health problems from gaining entry. For liability reasons, those businesses could then refuse services to any individuals they wished, based on the criteria they decide, with information gained from our government issued IDs and maybe even medical records.

Now imagine a private company starting along this road of ID scanning, even though the provincial government's privacy commissioner has ordered it to stop. This is happening right now in B.C. at some of our local bars, and this subject is larger than just security at bars.

On July 21st '09 the Information and Privacy Commissioner David Loukidelis released Order P09-01, in response to a complaint about the scanning of a bar customer’s driver’s license. The complained was made under B.C.’s Personal Information Protection Act (“PIPA”), which regulates the collection, use and disclosure of personal information by businesses.

Here is an excerpt of the press release (see link below) that accompanied this decision.

Section 7(2) says a business “must not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service.” The Commissioner accepted that it is “necessary” to collect personal information of certain customers for the purpose of operating a nightlife establishment, but not “to develop and maintain a personal profile containing the personal information of all customers in order to effectively track the few who may be removed from, and subsequently barred from re-entering, an establishment. Certainly, the full scope of information which is collected by Wild Coyote and the length for which it is retained is not necessary to achieve that purpose” (para. 98). The Commissioner therefore found that “a requirement for consent to the collection of personal information through the TreoScope system is a requirement for consent to the collection and use of information ‘beyond what is necessary’ for providing the service of operating a nightlife establishment in the terms I have described” (para. 98).

It seems clear from the excerpt above that storing a person's ID for extended periods of time is not allowed; that doing so is beyond what could be considered reasonable. Still, after this decision was made, the local bars with this data collection system did continue to scan and store ID information. More from the press release:

Section 11 of PIPA says a business “may collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances”. The Commissioner found that, under s. 11 of PIPA, the collection of personal information was not appropriate in the particular circumstances, including given the nature and amount of personal information being collected. He found that “it is reasonable... for it to be able, in order to preserve a safe environment for customers, to identify those individuals who have been determined to be violent, or otherwise undesirable for re-entry from a safety perspective, and thus improve customer safety” (para. 127). He went on to say, however, that “much of the information collected by the TreoScope system”, including driver’s license numbers, “does not further this safety purpose”, adding, “Moreover, I have not been provided with any reason related to improved customer safety for an establishment’s retention of any information at all relating to customers who are not involved in violent incidents” (para. 127).

What this means is that it's not necessary for a company to collect and store personal information of patrons who are not violent. While the businesses obviously need to keep violent people out, it should be able to do so without having to collect and store the personal information of other patrons.

You might ask, "what about our personal safety? Isn't this a good thing?" The commissioner addresses this stating that "I am well aware of, indeed share, public concern about gang violence and public safety in British Columbia... I have decided that it is reasonable for Wild Coyote to be able, in order to preserve a safe environment for customers, to identify those individuals who have been determined to be violent or otherwise undesirable for re-entry from a safety perspective, and thus improve customer safety. For the reasons given above, however, the collection of personal information as a whole does not comply with PIPA. In this light, and in view of the reasons given above, I invite –– indeed, strongly encourage––those involved to seek the views of this Office if they wish to find a solution for collecting personal information of a nature, and in a manner, that complies with PIPA."

Loukidelis's decision to ban scanning of ID at bars upholds Section 8 of the Canadian Charter of Rights and Freedoms. To hold a prospective patron's personal information as a condition of entry into a bar is an unreasonable invasion of a person's privacy.

Our local bars were told that their efforts were too heavy handed, but they continued to scan IDs, collect personal information and store it for up to a year. Isn't it odd that the bars seemed to think they could avoid B.C.s privacy laws in an effort to curb lawlessness?

The company that gathers our personal information had been collecting more than necessary, and storing it for up to a year. The public, government and media took notice. Recognizing that this data collection system could be shut down, Owen Cameron, the owner of Vancouver-based TreoScope Technologies which created the software used to collect information, contacted the B.C. Privacy Commissioner. A compromise was met. The drivers license numbers of patrons will no longer be collected, and the data that is collected will be stored for no longer than 24 hours. This is similar to recent events in Alberta. It has been one year since Alberta's privacy commissioner ruled scanning licenses is a privacy violation and that decision was upheld by a provincial court in March.

Every society must decide what rights each individual will have, and what power or control the government or corporations may have over the citizens. Here in Canada we tend to value our personal freedoms very highly, while also appreciating the services and protection provided by our government.

recent media coverage:

A previous version of this was published in papers and can be read online here and here.

For more information:
press release (pdf link)

Order (large PDF link)

additional press release