Interview with Purolator
July 2004
Terry McQuay, Nymity's President, recently interviewed Dave
Lantz, Legal Counsel at Purolator Courier Ltd., regarding
Purolator's experience as a “federal work” in
complying with the Personal Information Protection and Electronic
Documents Act (PIPEDA). As Canada's leading overnight courier
company, Purolator operates Canada's largest dedicated air
express fleet, has an extensive service network, with over
12,500 employees, including more than 4,000 couriers and over
140 operations locations.
Nymity: Dave, what process did Purolator follow to comply
with PIPEDA?
Lantz: When we began to assess the impact
of PIPEDA on Purolator’s business, we identified a number
of steps that would launch us into our privacy compliance
initiative. These steps included:
- appointing a senior executive as Purolator’s Privacy
Compliance Officer,
- issuing a privacy
questionnaire to identify what personal information
was collected, how it was collected, where it was stored
and who had access to the information,
- closing any privacy gaps that were identified from the
responses to the privacy questionnaire,
- updating Purolator’s Privacy Statement (available
at www.purolator.com)
to reflect the requirements of PIPEDA,
- creating an internal Privacy Guide as a tool and reference
for employees,
- appointing and training department privacy representatives,
and
- training employees on Purolator’s privacy initiative.
Nymity: How did you identify the personal information that
Purolator collected?
Lantz: We created a privacy questionnaire,
tailored to Purolator’s business operations, which addressed
the collection, use and disclosure of personal information
belonging to Purolator’s employees and customers. Once
the privacy questionnaires were completed, we evaluated the
responses, identified any possible gaps and developed and
implemented a strategy for eliminating the identified gaps.
Nymity: Why did you create a single questionnaire for employee
and customer personal information?
Lantz: Purolator is committed to protecting
the personal information of its employees and customers. Purolator
believes that acting responsibly in the collection, use and
disclosure of personal information is a prerequisite to continued
customer and employee confidence and is a key element of customer
and employee loyalty. To be consistent with this objective,
our privacy questionnaire was devised to address both customer
and employee personal information.
Nymity: Which of Purolator’s business units were asked
to complete the privacy questionnaire?
Lantz: In order to obtain a complete picture
with respect to the collection, use and disclosure of personal
information, the privacy questionnaire was submitted to the
senior executives responsible for each of Purolator’s
business units. The business units consisted of Human Resources,
Information Systems, Corporate Sales, Customer Service, Operations,
Marketing and Finance.
Nymity: Why did you create a separate employee Privacy Guide
in addition to your corporate Privacy Statement?
Lantz: Our corporate Privacy Statement articulates
Purolator’s privacy commitment to its customers. The
purpose of the Privacy Statement is to inform customers about
Purolator’s practices regarding personal information
which may be provided by customers through their use of or
access to our websites, shipping services, related products
or otherwise collected by Purolator.
The employee Privacy Guide is an extension of Purolator’s
Privacy Statement and is to be used as an employee guide to
respond to or handle (i) customer privacy issues, and (ii)
employee privacy issues. The purpose of the Privacy Guide
is to set out internal practices and procedures for protecting
the personal information of our customers and employees.
Nymity: Please describe the structure of your privacy group.
Lantz: Purolator’s privacy team consists
of our Privacy Compliance Officer, a department privacy representative
for each of Marketing, Human Resources, Operations, Information
Services, Customer Service, Corporate Sales, Payroll, Customer
Administration and Procurement and myself. The department
privacy representatives, together with our Privacy Compliance
Officer and myself, meet on a quarterly basis to discuss any
new or ongoing privacy-related issues.
Nymity: What privacy tools do you provide to your privacy
group?
Lantz: Each department privacy representative
and the Privacy Compliance Officer has received a Privacy
Compliance Initiative Manual. The manual consists of:
- the training presentation provided to the department
privacy representatives,
- Purolator’s Privacy Statement,
- Purolator’s Privacy Guide,
- a document titled Responsibilities
of Department Privacy Representatives,
- responses to the privacy questionnaire, and
- a list of each department privacy representative.
Nymity: How did you conduct employee privacy training?
Lantz: The privacy training and awareness
was presented by myself together with the Privacy Compliance
Officer to the department privacy representatives. Following
this training and awareness tutorial, each department privacy
representative was given a copy of the training materials
in order to customize a similar training and awareness presentation
for their respective departments.
Nymity: Please comment on Case
71 where an individual complained that a courier company
had improperly collected their personal information by demanding
their electronic signature upon delivery of parcels and then
posted the signatures on the company Web site without consent.
Lantz: I believe that Case
71 caused many courier and transportation companies throughout
Canada to evaluate their existing privacy policies and procedures,
mostly because signature confirmation of delivery is a critical
tool used by companies within our industry to satisfy senders
and recipients that a package has been delivered. The collection
of electronic signatures in online tracking systems has become
a worldwide standard.
At the time the Commissioner’s findings were released,
Purolator had a number of security safeguards in place with
respect to electronic signatures. These safeguards included
limiting access to individuals who had Purolator’s randomly
generated bill of lading number (intended to prevent anyone
who didn’t have the number in front of them from randomly
accessing someone else’s information), fuzzy distortion
of electronic signatures, background-security watermark, the
option to sign a paper-based route sheet and the option to
request that the electronic signature be removed from our
website. As part of Purolator’s ongoing privacy compliance
initiative and in response to the Commissioner’s findings
regarding the consent principle, we added a statement below
the line on our scanners which capture each electronic signature.
The consent statement says “I agree signature may be
viewed online”.
Nymity: What is the privacy clause in Purolator's standard
form customer agreement?
Lantz: As an organization, the personal information
that we collect from customers is generally limited to the
information contained on a bill of lading – keep in
mind that we do not know what is in a package and therefore
we do not collect information about the details of its contents.
As well, most of the receivers of our packages are corporate
customers and likely would not be caught by the definition
of personal information. However, in those situations where
the bill of lading does contain personal information, it is
the responsibility of the customer tendering the package to
us to obtain any required consents. Purolator will use the
personal information for its intended purpose (e.g. the pickup
and delivery service) and act reasonably to safeguard the
information. Set out below is the language that we use in
our customer agreements which addresses this issue.
In the event that a bill of lading in respect of shipments
tendered by Customer to Purolator contains personal information
(i.e., information about an identifiable individual) Purolator
shall (i) limit its use, disclosure and retention of the
personal information to that reasonably required for the
purposes of providing the services pursuant to this Agreement;
and (ii) use commercially reasonable efforts to safeguard
the personal information while it is in its possession or
under its control. Customer shall, prior to Purolator receiving
the personal information, obtain any consent that may be
required from any individual in respect of Purolator’s
collection, use or disclosure of the information as described
above.
Nymity: Do you believe that privacy is a competitive differentiator?
Lantz: Yes, I do. In an industry as competitive
as ours or in any customer-focused industry, organizations
need to take steps to distinguish themselves from the rest
of the pack. While Purolator is Canada’s leading overnight
courier company, we are always considering opportunities to
optimize the loyalty and confidence of our customers and employees.
Purolator engaged its privacy compliance initiative prior
to the recent increase in the public’s concerns over
its privacy. This allowed Purolator to be the industry leader
in meeting its customers’ privacy needs and maintain
its competitive advantage throughout our industry.
Nymity: What do you see impacting the national landscape of
privacy in the future?
Lantz: There is a growing level of uncertainty
that has surfaced as a result of the Quebec government’s
constitutional challenge, which is expected to reach the Supreme
Court of Canada in late 2004 or in the beginning of 2005.
The findings of the court could have a tremendous impact on
businesses’ privacy compliance programs should the court
determine that each province has the jurisdiction to enforce
privacy laws rather than the federal government (i.e. PIPEDA).
Such a ruling would create significant confusion and undue
costs as organizations would need to re-evaluate their privacy
programs and consider complying with separate and distinct
provincial privacy laws in each province they conduct business.
Nymity: In closing, with three and a half years of compliance
with PIPEDA, what recommendations do you have for organizations
that have had to comply with PIPEDA since January 2004?
Lantz: I believe it is important to set out
the steps your organization will take in order to meet the
privacy requirements outlined in PIPEDA. The process that
we implemented at Purolator was an effective, comprehensive
and efficient approach to satisfying the privacy challenge.
Of the steps outlined in our approach, I believe the most
critical aspect that has led to the success of our privacy
program was our emphasis on employee training and awareness.
Company efficiencies will be maximized and the process will
be streamlined, once employees recognize the importance of
privacy compliance and are given the tools to handle
privacy-related issues. Customers and employees will be satisfied
that their privacy concerns have been met professionally and
diligently.