This is the Bell report for The 3+3 Project: Evaluating Canada’s Wireless Carriers’ Data Privacy Transparency. The 10 criteria used to evaluate carriers and the scoring rubric used for each are included in the chart below. A carrier could earn a full star, half star, or no star on each criterion. The criteria and rubric (with minor alterations as noted) are reproduced from the criteria document prepared by the IXmaps research project for the annual Keeping Internet Users In the Know or In the Dark: Data Privacy Transparency of Canadian Internet Service Providers, by Andrew Clement (Professor, Faculty of Information, University of Toronto) and Jonathan A. Obar (Assistant Professor, Faculty of Social Science and Humanities, University of Ontario Institute of Technology). The Keeping Internet Users In the Know or In the Dark report is available here. For a fuller explanation of the criteria and the rubric used for each, please consult the full criteria document.
These criteria were originally developed by the IXmaps research project for their 2013 Keeping Internet Users in the Know or in the Dark report.[1] The Centre for Innovation Law and Policy (CILP) assisted with updating them for the 2014-2015 project, including developing the scoring rubric. Where we are aware of any difference in how we have applied these criteria compared to how IXmaps applies these criteria, this is indicated in the chart. For more information about IXmaps, as well as other significant projects engaging with data privacy, please see the project overview.
This report frequently makes reference to PIPEDA, the Personal Information Protection and Electronic Documents Act. This is Canadian legislation dealing with the treatment of personal information by companies while carrying on commercial activities. For more on PIPEDA, please see the project overview.
Notes:
1. A public commitment to PIPEDA compliance |
|
---|---|
Full Star: The carrier explicitly indicates that it complies with PIPEDA, or similar applicable legislation, and provides substantive details of its privacy obligations, including that it only transfers personal information to third parties that provide an equivalent level of protection.
Half Star: The carrier only vaguely states that it operates according to applicable legislation or doesn’t mention third party PIPEDA-equivalent protection.
No Star: The carrier makes no indication that it complies with PIPEDA or substantially equivalent privacy legislation. |
Score: Full Star
Explanation:
Provisions: “In March 1996, the new Canadian Standards Association Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 (the “CSA Code”), was published as a National Standard of Canada. In August 2000, the Bell companies revised the Bell Privacy Policy (formerly, the Bell Code of Fair Information Practices), to describe in detail how we subscribe to the principles of the CSA Code and the requirements of the Personal Information Protection and Electronic Documents Act, which came into force in 2001.” – Bell Privacy Policy (“Introduction”) (Accessed Jan 3, 2015). “The application of the Bell Privacy Policy is subject to the requirements or provisions of the Personal Information Protection and Electronic Documents Act, the Regulations made there under, and any other applicable legislation, regulations, tariffs or agreements (such as collective agreements), or the order of any court or other lawful request.” – Bell Privacy Policy (“Scope and Application”) (Accessed Jan 3, 2015). “1.3 The Bell companies are responsible for personal information in their possession or control, including information that has been transferred to a third party for processing. The Bell companies shall use appropriate means to provide a comparable level of protection while information is being processed by a third party (see Principle 7).” – Bell Privacy Policy (Accessed Jan 3, 2015). “7.2 The Bell companies shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information, the purposes for which it is to be used, limits on the number of persons whose job function requires access to the information, and the physical and procedural security measures required to safeguard that information.” – Bell Privacy Policy (Accessed Jan 3, 2015). |
2. A public commitment to inform users of all third party data requests |
|
Full Star: The carrier clearly indicates that it will notify a user when it has received a third party request for the user’s information, unless explicitly prohibited from doing so by law.
Half Star: A carrier does not indicate that it will notify users when it receives requests; however, it indicates that users may send an inquiry in order to acquire such information.*
*Note: This criterion was applied generously: carriers who indicated users could learn about disclosures of their information were scored a half star.
No Star: The carrier makes no mention of how users may learn of third party requests for their personal information. |
Score: Half Star
Explanation:
Provisions: “Principle 9 - Customer and Employee Access to Personal Information The Bell companies shall inform a customer or employee of the existence, use and disclosure of his or her personal information upon request and shall give the individual access to that information. A customer or employee shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.... 9.3 Upon request, the Bell companies shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, the Bell companies shall provide a list of organizations to which it may have disclosed personal information about the individual when it is not possible to provide an actual list.” – Bell Privacy Policy (Accessed Jan 3, 2015). (Note that the Bell Privacy Policy numbers two clauses as 9.3. This is the first of them.) |
3. Transparency about frequency of third party requests and disclosures |
|
Full Star: The carrier has published, in an annual or semi-annual report or in some other form, statistics regarding:
Half Star: The carrier has published SOME information but leaves many important statistics out.
No Star: The carrier has published no information relating to these types of statistics.
Note: This criterion was edited for ease of use and clarity in presentation here. In highlighting the absence of specific important statistics, we may have applied this criterion more strictly than IXmaps. However, we are not aware of any divergence with IXmaps as to the final score awarded to any carrier. |
Score: No Star
Explanation:
Provisions and other sources: “BCE Inc. and Shaw Communications Inc. have not released [transparency] reports; nor have they shared plans to do so. BCE, owner of Bell Canada, will say only that it complies with the law; Shaw has not responded to requests for comment.” – Christine Dobby, “Telus joins transparency push by sharing demands for customer info”, The Globe and Mail (18 September 2014), online: The Globe and Mail <http://www.theglobeandmail.com>.[2] |
4. Transparency about conditions for third party data disclosures |
|
Full Star: (1) The carrier explicitly states the circumstances under which personal information will be disclosed to third parties. (2) It must make clear what standard must be met by the third party in order for this disclosure to be made (e.g. whether a warrant is required). (3) It must be clear whether or not a subscriber/user will be notified in the case that his or her information is disclosed to a third party and especially the specific conditions under which such information will be disclosed without consent.
Half Star: The carrier refers to some but not all of (1), (2) and (3) or is vague about them.*
*Note: In order to achieve consistency, this criterion was applied generously: carriers that had some discussion of when disclosure of user information could occur received a half star. A carrier would have had to fail entirely to discuss disclosure to receive no star, which none did. This criterion is likely to be revised and simplified in future years to improve consistent application and permit more meaningful distinctions between carriers.
No Star: The carrier fails to indicate any of (1), (2), or (3).
Note: Our evaluation of this criterion looked at discussion of disclosure to any third party, including sharing with affiliated companies, while IXmaps focused on disclosure when compelled by law. However, both approaches yielded the same score on this criterion. |
Score: Half Star
Explanation:
Provisions: “Principle 3 - Obtaining Consent for Collection, Use or Disclosure of Personal Information The knowledge and consent of a customer or employee are required for the collection, use or disclosure of personal information, except where inappropriate. 3.1 In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. For example, the Bell companies may collect or use personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is a minor, seriously ill or mentally incapacitated. The Bell companies may also collect, use or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting the information such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law. The Bell companies may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened. – Bell Privacy Policy (Accessed Dec 24, 2014). The Bell companies may disclose personal information without knowledge or consent to a lawyer representing the companies, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required by law.” – Bell Privacy Policy (Accessed Dec 24, 2014). “Principle 5 - Limiting Use, Disclosure and Retention of Personal Information The Bell companies shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. The Bell companies shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.
5.1 In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. (see Principle 3.1) 5.2 In addition, the Bell companies may disclose a customer’s personal information to: a) another telecommunications company for the efficient and effective provision of telecommunications services; b) a company involved in supplying the customer with communications or communications directory related services; c) another person for the development, enhancement, marketing or provision of any of the products or services of the Bell Companies; d) an agent retained by the Bell companies to evaluate the customer’s creditworthiness or to collect a customer's account; e) credit grantors and reporting agencies; f) a person who, in the reasonable judgment of the Bell companies, is seeking the information as an agent of the customer; and g) a third party or parties, where the customer consents to such disclosure or disclosure is required by law.” – Bell Privacy Policy (Accessed Dec 24, 2014). “Principle 2 - Identifying Purposes for Collection of Personal Information The Bell companies shall identify the purposes for which personal information is collected at or before the time the information is collected. 2.1 The Bell companies collect personal information only for the following purposes: a) to establish and maintain responsible commercial relations with customers and to provide ongoing service; b) to understand customer needs and preferences, and determine eligibility for products and services; c) to recommend particular products & services to meet customer needs; d) to develop, enhance, market or provide products and services; e) to manage and develop their business and operations, including personnel and employment matters; and f) to meet legal and regulatory requirements. 
… 2.3 Unless required by law, the Bell companies shall not use or disclose, for any new purpose, personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the customer or employee.” – Bell Privacy Policy (Accessed Dec 24, 2014). “We collect information to:
Your personal information will not be used for any other purpose without your consent.” – “How does Bell respect my privacy?” (“Your personal information: How and why does Bell collect personal information?”) (Accessed Jan 16, 2015). “Does Bell share personal client information with outside organizations? We do not provide personal information to any party outside of the Bell companies except in limited circumstances in which it is necessary for us to do so. These third parties may include:
When we provide personal information to third parties, we give only the information that is required under the specific circumstances. That information is used only for the purpose stated and is subject to strict terms of confidentiality. The employees of the companies that we share this information with must meet and respect our privacy standards.” Directory listing information Please note that, pursuant to federal legislation, publicly available information, including a directory listing of your name, address and telephone number, may be collected, used and disclosed by organizations without your consent. If you prefer not to have your listing information provided to select organizations, please contact us. Sharing information among the Bell companies Occasionally we may share information between the Bell companies to help understand your information, communication and entertainment needs, and to provide you with relevant information to meet those needs. Option to opt out If you don't want your information shared among the Bell companies, please contact us. Legal and emergency exceptions It's important to note that in certain circumstances, we may collect, use or disclose personal information without your knowledge or consent. For example:
– “How does Bell respect my privacy?” (“Does Bell share personal client information?”) (Accessed Jan 16, 2015). |
5. An explicitly inclusive definition of ‘personal information’ |
|
Full Star: The carrier explicitly states all forms of data that fall under ‘personal information’. This should include subscribers/users’ IP addresses, IMSI/IMEI numbers, or MAC addresses, as well as their userIDs, meta-data (e.g. who subscriber communicated with, when and where this communication occurred), browser history (pages accessed, date of access, location when accessed), personal account information, credit card information etc.
Half Star: The carrier only implicitly states forms of data included in a definition of ‘personal information’, and/or provides a definition which (a) incorporates a closed list of what constitutes personal information that (b) excludes one or more of IP addresses, IMSI/IMEI numbers, MAC addresses, userIDs, meta-data, browser history, personal account information, or credit card information.
No Star: The carrier gives no definition of ‘personal information’.
Note: IP addresses, IMSI/IMEI numbers and MAC addresses are all used to identify individual devices connected to the Internet. This information could be used to identify individuals and track their locations. For more information, click here. |
Score: Half Star
Explanation:
Provisions: “Personal information - information about an identifiable individual but not aggregated information that cannot be associated with a specific individual.
– Bell Privacy Policy (“Definitions”) (Accessed Dec 24, 2014). “What is “personal” information? Personal information can include:
– “How does Bell respect my privacy?” (“Your personal information”) (Accessed Jan 16, 2015). |
6. The normal retention periods for personal information |
|
Full Star: The carrier discloses how long personal information is routinely retained for, specifying retention time periods for each data type.
Half Star: The carrier only states the retention period for limited types of information. For example, a company may state that it retains consumers’ browsing history for 2 weeks, but provides no information on call log retention.
No Star: The carrier either provides no information on data retention periods OR provides a statement so vague as to not inform the consumer beyond what PIPEDA requires. For instance, “[Our company] shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.” (Example wording is from Bell’s privacy policy.) |
Score: No Star
Explanation:
Provisions: “5.6 The Bell companies shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a customer or employee, the Bell companies shall retain, for a period of time that is reasonably sufficient to allow for access by the customer or employee, either the actual information or the rationale for making the decision. 5.7 The Bell companies shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.” – Bell Privacy Policy (Accessed Dec 24, 2014). |
7. Transparency about where personal information is stored and/or processed |
|
Full Star: The carrier clearly indicates the storage and/or processing locations of user’s data and whether data storage and/or processing has been outsourced to a foreign company. This should include whether data may be stored in, or otherwise subject to other jurisdictions, what those jurisdictions are, and what sort of disclosure such data may be subject to.
Half Star: The carrier only indicates that there is a possibility that data may be stored and/or processed subject to a foreign jurisdiction. No jurisdiction is noted or details are not provided.
No Star: The carrier fails to clearly indicate whether or not data may be stored and/or processed such that it may be subject to a foreign jurisdiction. |
Score: Half Star
Explanation:
Provisions: “5.3 In some cases personal information collected by the Bell companies may be stored or processed outside of Canada to provide you with service or to support Bell operations, and may therefore be subject to the legal jurisdiction of these countries. The information is provided only after detailed contracts are set out with the companies that provide us with these services. Moreover, the information may only be used for the purposes of providing the services in question. When outsourcing certain functions, the Bell companies strive to minimize the personal information stored or processed outside of Canada. Wherever possible, the Bell Companies anonymize any personal information stored or processed outside Canada, such that the data cannot be associated with identifiable individuals. (See Principle 7 Security Safeguards)” – Bell Privacy Policy (Accessed Dec 24, 2014). Principle 7 does not directly relate to this criterion or refer to the anonymization of data. For complete Principle 7 text, see Appendix A. “Does Bell store customer information outside of Canada? In some cases, personal information collected by the Bell companies may be stored and processed outside of Canada to provide you with service or to support Bell operations. While the information may be subject to the legal jurisdictions of these countries, the companies that provide us with these services have obligations to protect such information. For example, the information is typically provided only after detailed contracts are set out with the companies that provide us with these services. Moreover, the information may only be used for the purposes of providing the services in question.” – “How does Bell respect my privacy?” (“Your personal information”) (Accessed Jan 16, 2015). |
8. Transparency about where personal information is routed |
|
Full Star: The carrier clearly indicates whether Canadians’ personal domestic communication data might be routed through the United States or otherwise subject to foreign jurisdiction while in transit. It clearly indicates the geographical locations where domestic communication is routed and what jurisdictions it is subject to. Similarly, it indicates whether or not communications with third countries are subject to U.S. jurisdiction.
Half Star: The carrier is vague about the geographical locations or jurisdictional exposure of personal data routing.
No Star: The carrier gives no indication of the geographical locations or jurisdictions where personal data is routed. |
Score: No Star
Explanation:
Provisions: None |
9. Domestic Canadian routing when possible |
|
Full Star: The carrier clearly states on its privacy pages a policy of domestic Canadian routing when possible, and indicates the concrete measures it takes to achieve this goal. A carrier that verifiably peers openly at all the Canadian IXPs in its service region(s) will also receive a full star. Only Canadian carriers are eligible for a full star, as foreign carriers by definition subject the data they carry to non-Canadian jurisdictions.
Half Star: The carrier is vague about its policies for ensuring Canadian routing of domestic traffic and the measures it takes to ensure this. In the absence of a clear policy statement, a carrier (whether Canadian or foreign) that peers openly at some but not all Canadian public IXPs in its operating regions will earn a half star.
No Star: The carrier gives no indication of any policy or concrete measures to promote domestic routing when possible, nor does it peer openly at any Canadian public IXPs. |
Score: No Star
Explanation:
Provisions: None
For an explanation of IXPs and open and conditional peering, see the project overview. |
10. Open advocacy for user privacy rights |
|
Full Star: The carrier makes clear reference on its privacy pages to its support for user privacy rights via at least one of the following:
Half Star: The carrier has defended user privacy rights politically, in court or legislatively, but there is no reference to this in its privacy pages.
No Star: There is no readily available public evidence that the carrier has taken a positive pro-privacy position in any of the above areas.
Note: While this criterion was edited for ease of use and clarity in presentation here, we are not aware of any divergence with IXmaps with regard to application. |
Score: No Star
Explanation:
While Bell is to be commended for speaking on the record when other carriers evidently did not, it was decided that this was not sufficient to grant Bell a half star:
Provisions and Other Sources:
Henry v. Bell Mobility, 2014 FC 555 (available on CanLII): A 2014 civil case against Bell arising from breach of PIPEDA. Bell did not dispute the breach, but argued the case on quantum of damages.
Regarding the Bill C-30 Statement and Working Group:
“Few service providers want to talk on the record about [Bill C-30], but BCE Inc.’s Bell Canada issued this statement:
– Howard Solomon, “Government unveils new lawful access legislation” IT World Canada (14 February 2012), online: IT World Canada <http://www.itworldcanada.com>[3]
– Anna Mehler Paperny, “Telcos in talks with Ottawa to shape Internet 'spy' bill: documents” The Globe and Mail (29 June 2012), online: The Globe and Mail <http://www.theglobeandmail.com>[4]
– Michael Geist, “Shelving Bill C-30 Didn't Save Your Privacy” TheTyee.ca (26 February 2013), online: TheTyee.ca <http://thetyee.ca>[5]
– Michael Geist, “How Canada’s telecoms quietly backed Internet surveillance bill” The Toronto Star (21 May 2012), online: The Toronto Star <http://www.thestar.com>[6]
– Michael Geist, “How Canada’s telecoms quietly backed Internet surveillance bill” The Toronto Star (21 May 2012), online: <http://www.thestar.com>
– Steve Anderson, “Big Telecom Companies and Government Officials Held Secret Online Spying (C-30) Forum” OpenMedia.ca (22 May 2012), online: OpenMedia.ca <https://openmedia.ca>[7]
Please note: this OpenMedia.ca blog post relies on the Geist “How Canada’s telecoms quietly backed Internet surveillance bill” article in the Toronto Star quoted above.
Regarding Bell’s Relevant Advertising Program:
Note: Bell’s own news release announcing this program (“Bell to deliver online advertising relevant to customers while protecting their data”, 23 October 2013) can be found online at http://www.bce.ca/news-and-media/releases/show/bell-to-deliver-online-advertising-relevant-to-customers-while-protecting-their-data?page=1&month=10&year=2013.
– Curtis Rush, “Privacy commissioner launches probe into Bell's new data collection” The Toronto Star (23 October 2013), online: The Toronto Star <http://www.thestar.com>[8]
– Ian Munroe, “Bell data collection part of ‘disturbing trend’”, CBC News (30 October 2013), online: CBC <http://www.cbc.ca>[9]
– “CRTC asked to stop Bell Mobility’s “Relevant Ads” Program”, Public Interest Advocacy Centre (undated), online: Public Interest Advocacy Centre <http://www.piac.ca>.[10]
– Christine Dobby, “Public interest groups file CRTC complaint over BCE’s customer tracking policy”, The Financial Post (27 January 2014), online: The Financial Post <http://www.financialpost.com>.[11]
– Christine Dobby, “Bell agrees to stop tracking data from users who opt out”, Globe Advisor (18 February 2015), online: Globe Advisor <https://secure.globeadvisor.com>.[12]
Google searches used in seeking public evidence of a pro-privacy position (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.)
- “Bell privacy” (December 24, 2014).
- Bell privacy (February 24, 2015).
- Bell transparency (February 24, 2015).
- Bell “personal information” (February 24, 2015).
- Bell “customer information” (February 24, 2015).
- Bell “subscriber information” (February 24, 2015).
- Bell disclosure (February 24, 2015).
- Bell “lawful access” (February 24, 2015).
- Bell “warrant” (February 24, 2015).
- Bell “legal authority” (February 24, 2015).
- Bell “Bill C-13” (February 24, 2015).
Searches used in seeking case law where Bell defended user privacy rights in Canadian courts (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.)
- Westlaw Canada: “Bell privacy” (December 24 2014).
- Quicklaw: “Bell privacy” (January 23, 2015).
- CanLii: “Bell privacy” (January 23, 2015).
Note: “Privacy” was added as a search term because of the high volume of results produced by searching “Bell” alone. |
Appendix A: Bell Privacy Policy Principle 7
“Principle 7 - Security Safeguards The Bell companies shall protect personal information by security safeguards appropriate to the sensitivity of the information. 7.1 The Bell companies shall protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures. The Bell companies shall protect the information regardless of the format in which it is held. 7.2 The Bell companies shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information, the purposes for which it is to be used, limits on the number of persons whose job function requires access to the information, and the physical and procedural security measures required to safeguard that information. 7.3 All employees of the Bell companies with access to personal information shall be required as a condition of employment to respect the confidentiality of personal information.” Accessed Jan 3 2015.
This Principle is referenced by the provisions relevant to Criterion #7 (Transparency about where personal information is stored and/or processed) but does not in fact provide relevant information.
Appendix B: Sources
Bell Privacy Policy
“How does Bell respect my privacy?”
News releases on the BCE Inc. website back to 2009: http://www.bce.ca/news-and-media/releases
News articles and one relevant court case (see Criterion #10 [Open advocacy for user privacy rights]). |
[1] Andrew Clement & Jonathan A. Obar, “Keeping Internet Users in the Know or in the Dark: Data Privacy Transparency of Canadian Internet Service Providers” (27 March 2014), online: IXmaps & New Transparency Projects <http://ixmaps.ca/>. The report is available online at <http://ixmaps.ca/transparency/img/DataPrivacyTransparencyofCanadianISPs.....
[2] http://www.theglobeandmail.com/report-on-business/telus-joins-transparen...
[3] http://www.itworldcanada.com/article/government-unveils-new-lawful-acces...
[4] http://www.theglobeandmail.com/technology/tech-news/telcos-in-talks-with...
[5] http://thetyee.ca/Mediacheck/2013/02/26/Shelving-Bill-Did-Not-Save-Privacy/
[6] http://www.thestar.com/business/2012/05/21/how_canadas_telecoms_quietly_...
[7] https://openmedia.ca/blog/big-telecom-companies-and-government-officials...
[8] http://www.thestar.com/business/tech_news/2013/10/23/privacy_commissione...
[9] http://www.cbc.ca/news/technology/bell-data-collection-part-of-disturbin...
[10] http://www.piac.ca/our-specialities/crtc-asked-to-stop-bell-mobilitys-re...
[11] http://business.financialpost.com/2014/01/27/public-interest-groups-file...
[12] https://secure.globeadvisor.com/servlet/ArticleNews/story/gam/20150218/R...