The 3+3 Project: Telus

This is the TELUS report for The 3+3 Project: Evaluating Canada’s Wireless Carriers’ Data Privacy Transparency. The 10 criteria used to evaluate carriers and the scoring rubric used for each are included in the chart below. A carrier could earn a full star, half star, or no star on each criterion. The criteria and rubric (with minor alterations as noted) are reproduced from the criteria document prepared by the IXmaps research project for the annual Keeping Internet Users In the Know or In the Dark: Data Privacy Transparency of Canadian Internet Service Providers, by Andrew Clement (Professor, Faculty of Information, University of Toronto) and Jonathan A. Obar (Assistant Professor, Faculty of Social Science and Humanities, University of Ontario Institute of Technology).  The Keeping Internet Users In the Know of In the Dark report is available here. For a fuller explanation of the criteria and the rubric used for each, please consult the full criteria document. These criteria were originally developed by the IXmaps research project for their 2013 Keeping Internet Users in the Know or in the Dark report.[1] The Centre for Innovation Law and Policy (CILP) assisted with updating them for the 2014-2015 project, including developing the scoring rubric. Where we are aware of any difference in how we have applied these criteria compared to how IXmaps applies these criteria, this is indicated in the chart. For more information about IXmaps, as well as other significant projects engaging with data privacy, please see the project overview. This report frequently makes reference to PIPEDA, the Personal Information Protection and Electronic Documents Act. This is Canadian legislation dealing with the treatment of personal information by companies while carrying on commercial activities. For more on PIPEDA, please see the project overview. Notes:

  • The TELUS Mobility Service Terms were consulted (as of January 25, 2015) but did not count towards TELUS’ final score. Part of the evaluation was related to transparency about privacy practices. Therefore, carriers only received credit for information in their privacy materials, on the theory that this was where privacy-minded users would look for privacy-related information. Where including the Service Terms would have made a difference to TELUS’ score, this is noted. The TELUS Mobility Service Terms apply to “the mobility division of TELUS”.
  • Koodo is a subsidiary or division of TELUS.
    • TELUS indicates that many of its privacy policies and practices apply to Koodo.
    • However, Koodo does not explicitly indicate in its privacy materials (or the Koodo Service Terms) that Koodo users should consult TELUS’ materials. (The closest it comes is the bare statement in the Koodo Service Terms that “the mobility division of Koodo” is “a registered business name of TELUS Communications Company” [per “What are the Koodo Service Terms?”]).
    • Part of the evaluation was how transparent privacy practices are to a carrier’s users. Therefore, Koodo received no credit for provisions and statements in TELUS materials, since Koodo users would not know to consult TELUS’ material for information relevant to them. See the Koodo report for more.

1. A public commitment to PIPEDA compliance

Full Star: The carrier explicitly indicates that it complies with PIPEDA, or similar applicable legislation, and provides substantive details of its privacy obligations, including that it only transfers personal information to third parties that provide an equivalent level of protection.
Half Star: The carrier only vaguely states that it operates according to applicable legislation or doesn’t mention third party PIPEDA-equivalent protection.
No Star: The carrier makes no indication that it complies with PIPEDA or substantially equivalent privacy legislation.
Score: Full Star
Explanation:
  • TELUS explicitly indicates that it complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), its regulations, applicable provincial privacy legislation, and applicable Canadian Radio-television and Telecommunications Commission (CRTC) regulations. It also states that it incorporates the 10 principles of the Canadian Standards Association Model Code for the protection of Personal Information published in 1996 as a National Standard of Canada.
  • Although it does not make explicit reference to third-party PIPEDA-equivalent protection, TELUS’ language in Principles 1.3 and 7.2 of the TELUS Privacy Code is sufficient when compared with the language of the PIPEDA principle underlying this criterion (Principle 1 – Accountability) to earn a full star.
  • In its 2013 Transparency Report, TELUS notes that PIPEDA is “Applicable law” in the case of certain law enforcement and government organization requests for personal information, specifically: customer names and address checks, emergency calls and Internet child exploitation emergency assistance requests.
Provisions: “Both our Privacy Code and Privacy Commitment reflect the requirements of Canada’s privacy legislation, the Personal Information Protection and Electronic Documents Act, and our own continuing commitment to customer privacy.” – TELUS’ Privacy Commitment to You (Cover page). “The TELUS Privacy Code and the privacy practices described in this Commitment are subject to the provisions of all applicable legislation and regulations.” – TELUS’ Privacy Commitment to You (Footnote 2). “The TELUS Privacy Code incorporates the ten principles of the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information (CAN/CSA-Q830-96). These principles were published in March 1996 as a National Standard of Canada and form the basis of all applicable privacy legislation in Canada, including Part 1 of the Personal Information Protection and Electronic Documents Act (Statutes of Canada 2000). The TELUS Privacy Code… was updated in September 2000 to reflect changes associated with the implementation of the federal privacy legislation referred to above, and subsequently updated to comply with provincial privacy legislation, where applicable.” – TELUS Privacy Code (Cover page). “The objective of the TELUS Privacy Code is to promote responsible and transparent practices in the management of personal information, in accordance with the provisions of the federal Personal Information Protection and Electronic Documents Act and other applicable provincial privacy legislation.” – TELUS Privacy Code (“Introduction”). “The application of the TELUS Privacy Code is subject to the requirements and provisions of Part 1 of the Personal Information Protection and Electronic Documents Act and the regulations thereunder, provincial privacy legislation (where applicable), and any applicable regulations of the Canadian Radio-television and Telecommunications Commission.” – TELUS Privacy Code (“Scope and application”). “1.3 TELUS is responsible for personal information in its possession or control. TELUS shall use appropriate means to provide a comparable level of protection while information is being processed by a third party (see Principle 7).” – TELUS Privacy Code. “7.2: TELUS shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.” – TELUS Privacy Code.2. What legislation applies to the protection of customer privacy? TELUS’ telecommunications businesses are governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and by rules prescribed by the CRTC with respect to customer confidentiality.” – TELUS Transparency Report 2013 (“Frequently Asked Questions”). In its 2013 Transparency Report, TELUS notes that PIPEDA is “Applicable law” with regard to the following types of requests:
  • Customer name and address checks
  • Emergency calls
  • Internet child exploitation emergency assistance requests
– TELUS Transparency Report 2013 (“The types of requests TELUS receives”).

2. A public commitment to inform users of all third party data requests

Full Star: The carrier clearly indicates that it will notify a user when it has received a third party request for the user’s information, unless explicitly prohibited from doing so by law.
Half Star: A carrier does not indicate that it will notify users when it receives requests, however it indicates that users may send an inquiry in order to acquire such information.*
*Note: This criterion was applied generously: carriers who indicated users could learn about disclosures of their information were scored a half star.
No Star: The carrier makes no mention of how users may learn of third party requests for their personal information.
Score: Half Star
Explanation:
  • TELUS does not indicate that it notifies users when it receives third party data requests, however it indicates that users may send an inquiry to acquire such information.
  • TELUS further notes that where it cannot identify organizations to which personal information has been disclosed, it will “provide a list of organizations to which it may have disclosed personal information” (see Principle 9 below).
Provisions:Principle 9 – Customer and team member access to personal information TELUS shall inform a customer or team member of the existence, use, and disclosure of his or her personal information upon request and shall give the individual access to that information. A customer or team member shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. … 9.3: Upon request, TELUS shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information. In providing an account of disclosure, TELUS shall provide a list of organizations to which it may have disclosed personal information about the individual when it is not possible to provide an actual list.” – TELUS Privacy Code.

3. Transparency about frequency of third party requests and disclosures

Full Star: The carrier has published, in an annual or semi-annual report or in some other form, statistics regarding:
  • The number of requests from third parties, broken down by government (law enforcement, etc.), commercial and non-commercial entities.
  • How many requests it complied with.
  • How many accounts the requests applied to.
  • How many disclosures of information there were.
Half Star: The carrier has published SOME information but leaves many important statistics out.
No Star: The carrier has published no information relating to these types of statistics.
Note: This criterion was edited for ease of use and clarity in presentation here. In highlighting the absence of specific important statistics, we may have applied this criterion more strictly than IXmaps. However, we are not aware of any divergence with IXmaps as to the final score awarded to any carrier.
Score: Half Star
Explanation:
  • TELUS published a transparency report in 2013 that included statistics about the frequency of third party requests and disclosures including:
    • Approximate number of requests from government and law enforcement.
    • Types of requests received, and the associated lawful authority (e.g. warrants or court order). It is not entirely clear whether TELUS includes requests that were rejected for lacking lawful authority (e.g. a request where a court order was required but not provided).
  • However, TELUS omits many important statistics. In particular, the 2013 Transparency Report does not include the following statistics:
    • Breakdown by government (law enforcement, etc.), commercial and non-commercial entities: it includes law enforcement and government requests only
    • Number of requests complied with:
      • TELUS estimates 60% of requests accompanied by a court order or subpoena are fully complied with. Regarding the remaining 40%, TELUS does not distinguish between court order/subpoena cases in which partial information is given and those in which no information is given.
      • TELUS provides no information about the percentage or number of requests complied with for the other five types of request in its report.
  • Number of accounts the requests applied to
  • Number of disclosures
Provisions: Telus Chart                                         – TELUS Transparency Report 2013. “Of the 4,315 orders and subpoenas received in 2013, TELUS provided partial or no information in approximately 40% of the instances*. This was largely due to our limited retention periods which resulted in the requested information no longer being available. In many cases, TELUS challenged an order on the ground that it was either defective or overreaching. Most challenges involved asking a law enforcement agency to reduce the amount of customer information to be provided by TELUS pursuant to the order, so that the agency would receive only the information actually required for its purposes. In some cases, TELUS has gone to court to challenge orders which we believed to be overreaching. *This estimate was derived by sampling records maintained by TELUS’ Corporate Security department.” – TELUS Transparency Report 2013 (“The types of requests TELUS receives: Court Order/Subpoena”).

4. Transparency about conditions for third party data disclosures

Full Star:
(1) The carrier explicitly states the circumstances under which personal information will be disclosed to third parties.
(2) It must make clear what standard must be met by the third party in order for this disclosure to be made (e.g. whether a warrant is required).
(3) It must be clear whether or not a subscriber/user will be notified in the case that his or her information is disclosed to a third party and especially the specific conditions under which such information will be disclosed without consent.
Half Star: The carrier refers to some but not all of (1), (2) and (3) or is vague about them.*
*Note: In order to achieve consistency, this criterion was applied generously: carriers that had some discussion of when disclosure of user information could occur received a half star. A carrier would have had to fail entirely to discuss disclosure to receive no star, which none did. This criterion is likely to be revised and simplified in future years to improve consistent application and permit more meaningful distinctions between carriers.
No Star: The carrier fails to indicate any of (1), (2), or (3).
Note: Our evaluation of this criterion looked at discussion of disclosure to any third party, including sharing with affiliated companies, while IXmaps focused on disclosure when compelled by law. However, both approaches yielded the same score on this criterion.
Score: Half Star
Explanation:
  • The TELUS Transparency Report 2013 identifies 6 types of request and the “Applicable law” associated with each.
  • Both TELUS’ Privacy Commitment to You and Principle 5.1 of the TELUS Privacy Code list specific circumstances in which personal information may be disclosed.
  • Other privacy-related provisions make additional references to when and what kinds of disclosure may and may not occur.
  • TELUS came closest to earning a full star on this criterion. However, it did not meet the third requirement (clarity as to whether a user will be notified when their information is disclosed to a third party).
    • TELUS’ materials imply it will only notify users when it is actually required to by privacy legislation. However, it was not clear on this point.
    • TELUS might have scored higher without this requirement, although a lack of consistency across its many privacy documents might still have kept TELUS from earning a full star.
Provisions: “While the TELUS Privacy Code sets out the general principles that govern the collection, use and disclosure of our customers’ personal information2, we have also developed this Privacy Commitment to inform you more specifically about our privacy practices. 2 The TELUS Privacy Code does not limit the collection, use or disclosure by TELUS of information that is publicly available. This includes: (a) a customer’s name, address, telephone number, and email address, when listed in a directory or available through directory assistance; and (b) other information about the customer that is publicly available and is specified by regulation pursuant to the “Personal Information Protection and Electronic Documents Act”.” – TELUS’ Privacy Commitment to You (Cover Page & Footnote 2). “TELUS will not collect, use or disclose your personal information for any purpose other than those identified in this Commitment, your Customer Service Agreement, or our Service Terms, except with your consent (the “Identified Purposes”). For greater clarity, unless you provide express consent TELUS will not:
  • share your personal information with or sell it to third-party marketers; or
  • use your personal information to enable third-party targeted advertisements.”
– TELUS’ Privacy Commitment to You (“How do we protect your personal information?”). “Our directory publisher (Yellow Pages Group) makes available lists of published names, addresses and phone numbers to selected organizations for a fee. You may choose to be excluded from these lists (non-published names, addresses and phone numbers are automatically excluded).” – TELUS’ Privacy Commitment to You (“What are your choices?”). “TELUS only uses your personal information as described above, in our Privacy Commitment, or in our Customer Agreements and Service Terms. Unless you provide your express consent, TELUS will not:
  • Sell your personal information to third party marketers.
  • Use that information to enable third party targeted advertisements.
Moreover, TELUS does not record the content of telephone conversations made across its network (except for voicemails or calls made to our contact centres for the purposes of quality control and training), nor do we collect information about the content of the applications you use, the websites you viewed, or your internet search history (except for visits to our own sites, which we use to optimize our TELUS web properties).” – About TELUS’ Privacy Commitment (“What we don’t do”). “The Code does not impose any limits on the collection, use or disclosure of the following information by TELUS:
  • A customer’s name, address, telephone number and e-mail address, when listed in a directory or available through directory assistance
  • A team member’s name, title, business address (including business e-mail address) or business telephone or fax number
  • Other information about the customer or team member that is publicly available and is specified by regulation pursuant to the Personal Information Protection and Electronic Documents Act or provincial privacy legislation, where applicable.”
– TELUS Privacy Code (“Scope and application”). “Principle 3 – Obtaining consent for collection, use or disclosure of personal information The knowledge and consent of a customer or team member are required for the collection, use, or disclosure of personal information, except where not required by applicable privacy legislation. In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, TELUS may collect or use personal information without knowledge or consent if it is clearly in the interests of the individual and consent can not be obtained in a timely way, such as when the individual is seriously ill or mentally incapacitated. TELUS may also collect, use or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting the information, such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law. TELUS may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened. TELUS may disclose personal information without knowledge or consent to a lawyer representing TELUS, to collect a debt, to comply with a subpoena, warrant or other court order, or as may be otherwise required or permitted by law.” – TELUS Privacy Code “Principle 5 – Limiting use, disclosure, and retention of personal information TELUS shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. TELUS shall retain personal information only as long as necessary for the fulfillment of those purposes.” – TELUS Privacy CodePrinciple 2 – Identifying purposes for collection of personal information TELUS shall identify the purposes for which personal information is collected at or before the time the information is collected. 2.1 TELUS collects personal information of customers only for the following purposes:
  • To establish and maintain responsible commercial relations with customers and to provide ongoing service
  • To understand customer needs and preferences
  • To develop, enhance, market or provide products and services
  • To manage and develop TELUS’ business and operations, including personnel and employment matters
  • To meet legal and regulatory requirements.”
– TELUS Privacy Code TELUS’ Privacy Commitment to You, About TELUS’ Privacy Commitment, the Customer Privacy FAQ, and the TELUS Mobility Service Terms all contain similar provisions related to the purposes for which personal information is collected. As these provisions are lengthy, they can be found in Appendix B at the end of this document. Both TELUS’ Privacy Commitment to You and Principle 5.1 of the TELUS Privacy Code list circumstances in which personal information may be disclosed. As these provisions are lengthy, they can be found in full in Appendix A at the end of this document. However, to paraphrase, TELUS indicates it may provide personal information to:
  • Someone TELUS is satisfied is the user’s agent or legal representative, or an authorized user on the account
  • Other TELUS business units to improve and provide services
  • Other telecommunications companies, to provide services
  • Companies supplying customers with listing or directory services
  • Those hired by TELUS “to perform functions on its behalf, such as research or data processing”
  • Credit agencies and collection agencies (to collect money owing to TELUS)
  • Public authorities where TELUS reasonably believes there is “imminent danger to life or property”
  • TELUS partners and agents “responsible for administering special TELUS offers or programs”
  • “third parties in connection with the sale of parts of our business, the sale or securitization of assets, or the merger or amalgamation of part or all of our business with other entities. Since customer and account information will normally be a part of such transactions, we may use or disclose such information to other parties included in the transaction, as part of due diligence and/or on completion of the transaction”
  • A third party where “required or authorized by law”
The TELUS Mobility Service Terms have a similar provision. In the TELUS Mobility Service Terms, the provision gives a closed list of circumstances in which disclosure of information other than user name and address can occur without consent. The list is very similar to those found in the privacy materials (and summarized above), with the addition of disclosure to “[a] law enforcement agency if TELUS reasonably believes that you or anyone using your device is engaged in fraudulent or unlawful activities against TELUS.” The list does not include several of the circumstances listed in the TELUS Privacy Code and TELUS’ Privacy Commitment to You, suggesting either that the TELUS Mobility Service Terms are in error or that these circumstances require user consent for disclosure. Note that the TELUS Mobility Service Terms are not formally included in TELUS’ evaluation, and in any event would not have changed TELUS’ score on this criterion. The full text of the relevant provision can be found in Appendix A at the end of this document. The TELUS Transparency Report 2013 identifies 6 types of request and the “Applicable law” associated with each:

1. Court Order/Subpoena (Applicable law: Criminal Code of Canada)

2. Court orders to comply with a Mutual Legal Assistance Treaty (MLAT) request (Applicable law: The Mutual Legal Assistance in Criminal Matters Act)

3. Customer Name and Address Checks (Applicable law: PIPEDA and “CRTC rules with respect to customer confidentiality”)

  • Note that TELUS’ discussion of this type of request states: “in light of the recent decision of the Supreme Court of Canada in the case of R. v. Spencer, TELUS… now requires a court order for customer name and address information, except in an emergency or where the information is published in a directory.”

4. Emergency Calls (PIPEDA and “CRTC rules with respect to customer confidentiality”)

5. Internet Child Exploitation Emergency Assistance Requests (Applicable law: PIPEDA and Criminal Code of Canada)

  • Note that TELUS’ discussion of this type of requests states: “the Supreme Court of Canada in the Spencer case… has ruled that [disclosure of user name and address related to investigations of online child sexual exploitation] requires a court order, except in an emergency. Accordingly, TELUS has amended its practices in this regard.”

6. Legislative Demands (Applicable law: “Any federal or provincial legislation that authorizes a government body to request information from TELUS”)

The Report provides a “Description” of each type of request that provides further explanation of how each type works. As the discussion is lengthy, the full text can be found in Appendix A at the end of this document. “When does TELUS fulfil requests for customer information? TELUS will provide customer information to law enforcement agencies or other government organizations where authorized or permitted by our service terms, customer Privacy Commitment, a valid court order or other applicable laws. More than half of the disclosure requests we received in 2013 related to emergency situations. The information provided ranged from simply providing the street address of a customer who called 911, to more complex information requests such as locating a wireless device belonging to someone who was lost or in difficulty.” – TELUS Transparency Report 2013. “What is the process for responding to information requests? TELUS has a process for carefully assessing information requests received from law enforcement agencies and other government organizations:
  • A request is received and logged by TELUS’ Corporate Security department.
  • A specially trained and authorized TELUS Security team representative reviews the request to ensure it has been correctly prepared and is legally valid. In the case of emergency calls, this involves obtaining confirmation that the situation involves an imminent risk to an individual’s life, health or security.
  • If the representative has any concerns, those concerns are brought to the attention of a supervisor, TELUS’ legal department, or the agency or organization, as appropriate, for resolution.
  • Once the representative is satisfied that the request is valid, they will take appropriate steps to properly respond to the information request. For example, this could include searching relevant TELUS databases for the requested information.
– TELUS Transparency Report 2013.

5. An explicitly inclusive definition of ‘personal information’

Full Star: The carrier explicitly states all forms of data that fall under ‘personal information’. This should include subscribers/users’ IP addresses, IMSI/IMEI numbers, or MAC addresses, as well as their userIDs, meta-data (e.g. who subscriber communicated with, when and where this communication occurred), browser history (pages accessed, date of access, location when accessed), personal account information, credit card information etc.
Half Star: The carrier only implicitly states forms of data included in a definition of ‘personal information’, and/or provides a definition which (a) incorporates a closed list of what constitutes personal information that (b) excludes one or more of IP addresses, IMSI/IMSEI numbers, MAC addresses, userIDs, meta-data, browser history, personal account information, or credit card information.
No Star: The carrier gives no definition of ‘personal information’.Note: IP addresses, IMSI/IMEI numbers and MAC addresses are all used to identify individual devices connected to the Internet. This information could be used to identify individuals and track their locations. For more information, click here.
Score: Half Star
Explanation:
  • TELUS provides definitions of “personal information” in its privacy materials which include examples.
  • Although the examples are not a closed list, key elements required to do well on this criterion are not included. For example, there is no reference to IP addresses. (There is a reference to IP addresses in the TELUS Transparency Report 2013, where the retention period for this information is given. However, while this implies TELUS likely considers IP addresses personal information, it is not included in any of TELUS’ definitions of personal information.)
  • TELUS also indicates some personal information it does not collect: contents of phone calls (other than voicemails and calls to TELUS’ call center), browser history (except visits to TELUS’ own websites), Internet search history, and information about the content of applications the user has used.
Provisions:1. What personal information do we collect? The types of information we collect from our TELUS customers generally fall into one of the following categories:
  • Account and service information, such as your name, address, email, telephone number, credit card or bank information for pre-authorized payments
  • Details of the products and services you receive from us, such as your wireless device rate plan or Optik TV channel subscriptions.
  • Network performance and usage information. For example, we will note your wireless device location for specific uses, such as when you dial 911 and we provide GPS and triangulation data to the 911 operations centre. Or if we’ve had an unexpected TV channel outage, we might examine who was watching a particular channel at the time in order to issue an apology credit. We may also collect telephone log information from home phone and wireless customers in order to bill you for local and long distance calls.
Some things we don’t collect:
  • Content of telephone conversations made across our networks (except for voicemails or those calls made to our call centers for the purposes of quality control and training).
  • Information about the content of the applications you use, the websites you viewed, or your internet search history (except for visits to our own sites, which we use to optimize our TELUS web properties).”
– Customer Privacy FAQ.11. How is personal information defined under the federal Personal Information Protection and Electronic Documents Act (PIPEDA)? How is personal information defined by TELUS? Personal information is defined in PIPEDA as any information about an identifiable individual (as distinct from a corporation or other legal entity), other than the name, title or business address or telephone number of an employee of an organization. TELUS defines “personal information” as information about an identifiable client or employee, but does not include aggregated information that cannot be associated with a specific individual. For a customer, personal information includes a customer’s credit information, billing records, service and equipment, and any recorded complaints. Information about sole proprietors or partners is only considered to be “personal information” if it is information about the individuals themselves, as distinct from information about their businesses. The latter is protected by other TELUS policies and practices and through contractual arrangements.” – Customer Privacy FAQ.Personal information – Information about an identifiable customer or team member, but does not include aggregated information that cannot be associated with a specific individual. For a customer, such information includes a customer’s credit information, billing records, service and equipment, and any recorded complaints. For a team member, such information includes information found in personal employment files, performance appraisals, and medical and benefits information, but does not include the team member’s name, title, business address (including business e-mail address) or business telephone or fax numbers. Information about sole proprietors or partners is only considered to be “personal information” for purposes of the TELUS Privacy Code if it is information about the individuals themselves, as distinct from information about their businesses. The latter is protected by other TELUS policies and practices and through contractual arrangements.” – TELUS Privacy Code (“Definitions”).What we don’t do TELUS only uses your personal information as described above, in our Privacy Commitment, or in our Customer Agreements and Service Terms. Unless you provide your express consent, TELUS will not:
  • Sell your personal information to third party marketers.
  • Use that information to enable third party targeted advertisements.
Moreover, TELUS does not record the content of telephone conversations made across its network (except for voicemails or calls made to our contact centres for the purposes of quality control and training), nor do we collect information about the content of the applications you use, the websites you viewed, or your internet search history (except for visits to our own sites, which we use to optimize our TELUS web properties).” – About TELUS’ Privacy Commitment. “Moreover, TELUS does not collect information about the websites you viewed (except visits to our own websites, which we use to optimize our TELUS web properties), your Internet search history or the content of the applications you use.” – TELUS’ Privacy Commitment to You (“How do we protect your personal information?”). “1. How long does TELUS keep my information? TELUS keeps customer information only as long as necessary to comply with the law and to fulfill our business purposes. For example … TELUS retains logs of Internet Protocol (IP) addresses for a period of 90 days for network management purposes.” – TELUS Transparency Report 2013 (“Frequently Asked Questions”).

6. The normal retention periods for personal information

Full Star: The carrier discloses how long personal information is routinely retained for, specifying retention time periods for each data type.
Half Star: The carrier only states the retention period for limited types of information. For example, a company may state that it retains consumers’ browsing history for 2 weeks, but provides no information on call log retention.
No Star: The carrier either provides no information on data retention periods OR provides a statement so vague as to not inform the consumer beyond what PIPEDA requires. For instance, “[Our company] shall retain personal information only as long as necessary for the fulfillment of the purposes for which it was collected.” (Example wording is from Bell’s privacy policy.)
Score: Half Star
Explanation:
  • In addition to stating that it keeps information as long as necessary for the fulfilment of the purposes for which it was collected, to comply with the law, and to fulfill their business purposes (which statement does not inform the user beyond PIPEDA requirements), TELUS states, in the TELUS Transparency Report 2013, the retention period for specific (though limited) types of information:
    • Bills
    • Call detail records
    • Logs of IP addresses.
  • TELUS’ provision of the retention period for three specific types of information made it the strongest carrier on this criterion.
  • TELUS also indicates some personal information it does not collect at all: contents of phone calls (other than voicemails and calls to TELUS’ call center), browser history (except visits to TELUS’ own websites), Internet search history, and information about the content of applications the user has used. Note, however, that this discussion is separate from the discussion of retention periods (and is not something IXmaps considered in their evaluation).
  • However, the normal retention periods for certain important information is still missing: text messages, for example, and customer financial information.
Provisions:Principle 5 – Limiting use, disclosure, and retention of personal information TELUS shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. TELUS shall retain personal information only as long as necessary for the fulfillment of those purposes. … 5.4: TELUS shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a customer or team member, TELUS shall retain, for a period of time that is reasonably sufficient to allow for access by the customer or team member, either the actual information or the rationale for making the decision. 5.5: “TELUS shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.” – TELUS Privacy Code.1. How long does TELUS keep my information? TELUS keeps customer information only as long as necessary to comply with the law and to fulfill our business purposes. For example, TELUS retains copies of customer bills for approximately seven years to satisfy legal requirements. TELUS also retains call detail records for billable calls made by our customers on our network for a period of up to 14 months for network management and billing purposes. As another example, TELUS retains logs of Internet Protocol (IP) addresses for a period of 90 days for network management purposes.” – TELUS Transparency Report 2013 (“Frequently Asked Questions). “Some things we don’t collect:
  • Content of telephone conversations made across our networks (except for voicemails or those calls made to our call centers for the purposes of quality control and training).
  • Information about the content of the applications you use, the websites you viewed, or your internet search history (except for visits to our own sites, which we use to optimize our TELUS web properties).”
– Customer Privacy FAQ “1. What personal information do we collect?”). “Moreover, TELUS does not record the content of telephone conversations made across its network (except for voicemails or calls made to our contact centres for the purposes of quality control and training), nor do we collect information about the content of the applications you use, the websites you viewed, or your internet search history (except for visits to our own sites, which we use to optimize our TELUS web properties).” – About TELUS’ Privacy Commitment (“What we don’t do”). “Moreover, TELUS does not collect information about the websites you viewed (except visits to our own websites, which we use to optimize our TELUS web properties), your Internet search history or the content of the applications you use.” – TELUS’ Privacy Commitment to You (“How do we protect your personal information?”).

7. Transparency about where personal information is stored and/or processed

Full Star: The carrier clearly indicates the storage and/or processing locations of user’s data and whether data storage and/or processing has been outsourced to a foreign company. This should include whether data may be stored in, or otherwise subject to other jurisdictions, what those jurisdictions are, and what sort of disclosure such data may be subject to.
Half Star: The carrier only indicates that there is a possibility that data may be stored and/or processed subject to a foreign jurisdiction. No jurisdiction is noted or details are not provided.
No Star: The carrier fails to clearly indicate whether or not data may be stored and/or processed such that it may be subject to a foreign jurisdiction.
Score: Half Star
Explanation:
  • TELUS mentions that personal information may be stored and processed outside Canada, and “may be available to government agencies under applicable law” but without providing any details on specific jurisdictions.
  • Note that TELUS does not highlight the fact that information stored and processed outside Canada may be subject to the laws of other jurisdictions.
Provisions: “Personal information collected by TELUS may be stored and processed in Canada or another country. In either case, the information is protected with appropriate security safeguards, but may be available to government agencies under applicable law.” – TELUS’ Privacy Commitment to You (“How do we protect your personal information?”). “7.4: TELUS may store and process personal information in Canada or another country. In either case, the personal information is protected with appropriate security safeguards, but may be available to government agencies under applicable law.” – TELUS Privacy Code. The TELUS Mobility Service Terms indicate that “You acknowledge that while roaming outside Canada the storage, treatment and transfer of your personal information and data may be subject to regulation different from the regulation in Canada.” Note that the TELUS Mobility Service Terms were not formally included in TELUS’ evaluation, however, and in any event would not have changed TELUS’ score on this criterion.

8. Transparency about where personal information is routed

Full Star: The carrier clearly indicates whether Canadians’ personal domestic communication data might be routed through the United States or otherwise subject to foreign jurisdiction while in transit. It clearly indicates the geographical locations where domestic communication is routed and what jurisdictions it is subject to. Similarly, it indicates whether or not communications with third countries is subject to U.S. jurisdiction.
Half Star: The carrier is vague about the geographical locations or jurisdictional exposure of personal data routing.
No Star: The carrier gives no indication of the geographical locations or jurisdictions where personal data is routed.
Score: No Star
Explanation:
  • TELUS gives no indication as to the geographical locations or jurisdictions through which personal data is routed.
Provisions: None

9. Domestic Canadian routing when possible

Full Star: The carrier clearly states on its privacy pages a policy of domestic Canadian routing when possible, and indicates the concrete measures it takes to achieve this goal. A carrier that verifiably peers openly at all the Canadian IXPs in its service region(s) will also receive a full star. Only Canadian carriers are eligible for a full star, as foreign carriers by definition subject the data they carry to non-Canadian jurisdictions.
Half Star: The carrier is vague about its policies for ensuring Canadian routing of domestic traffic and the measures it takes to ensure this. In the absence of a clear policy statement, a carrier (whether Canadian or foreign) that peers openly at some but not all Canadian public IXPs in its operating regions will earn a half star.
No Star: The carrier gives no indication of any policy or concrete measures to promote domestic routing when possible, nor does it peer openly at any Canadian public IXPs.
Note: Due to minor changes in wording during the evaluation process, we may have applied this criterion more strictly than IXmaps. However, we are not aware of any divergence with IXmaps as to the final score awarded to any carrier.
Score: No Star
Explanation:
  • TELUS gives no indication that it promotes domestic routing where possible.
  • TELUS has been invited to the Calgary Internet Exchange (http://yycix.ca/), but as of January 25, 2015, had not accepted the invitation.
  • TELUS does not peer openly at any Canadian Public IXPs as of January 25, 2015. In addition to the Calgary Internet Exchange, the IXPs reviewed were:
    • Manitoba Internet Exchange: http://www.mbix.ca/
    • Échange Internet de Montréal: http://www.qix.ca/en/
    • Toronto Internet Exchange: http://www.torix.ca/
    • Ottawa Internet Exchange: http://www.ottix.net/
    • Halifax Internet Exchange: http://hfxix.ca/
Provisions: None For an explanation of IXPs and open and conditional peering, see the project overview.

10. Open advocacy for user privacy rights

Full Star: The carrier makes clear reference on its privacy pages to its support for user privacy rights via at least one of the following:
  • Involvement in public debates over mass state surveillance;
  • Involvement in privacy or surveillance related legislative initiatives (e.g. the current Bill C-13 on lawful access);
  • Defending user privacy rights in court; or
  • Ties to advocacy organizations or initiatives promoting user privacy rights.
  Half Star: The carrier has defended user privacy rights politically, in court or legislatively, but there is no reference to this in its privacy pages.   No Star: There is no readily available public evidence that the carrier has taken a positive pro-privacy position in any of the above areas.   Note: While this criterion was edited for ease of use and clarity in presentation here, we are not aware of any divergence with IXmaps with regard to application.
Score: Full Star
Explanation:
  • TELUS has fought for privacy rights at the Supreme Court of Canada (SCC) (R v TELUS Communications Co. 2013 SCC 16). This case was referred to in the 2013 Transparency Report which is linked directly from the TELUS Privacy Page.
  • TELUS updated its policies after the Supreme Court ruling in R v Spencer, 2014 SCC 43, (a case about online privacy and disclosure by ISPs) to require court orders in more disclosure situations. It highlighted this change in the TELUS Transparency Report 2013. Although Spencer could be said to require this change, not all companies have made such a declaration, and the recently-passed Bill C-13 removes liability for carriers who voluntarily disclose customer information where the law does not prohibit such disclosure. (For discussion, see Alex Boutilier & Paul McLeod, “Supreme Court ruling hasn’t stopped police from warrantless requests for data” The Toronto Star (17 September 2014), online: <http://www.thestar.com>[2] and Christine Dobby, “Rogers to require warrants for police requests” The Globe and Mail (16 July 2014), online: <http://www.theglobeandmail.com>[3])
  • TELUS also refers in the TELUS Transparency Report 2013 to a practice of challenging court orders in some circumstances. However, these statements alone – in the absence of the references to R v TELUS and to TELUS’ policy change post-Spencer – would likely have been too vague to merit a full star.
  • TELUS (alongside Rogers) is also currently fighting a “tower dump” order, involving information about 40,000-50,000 TELUS and Rogers customers, in R v Rogers Communications Partnership, 2014 ONSC 3853, but this is not (yet) mentioned in its privacy materials. TELUS should refer to this case in its 2014 Transparency Report.
Provisions and other sources:When will TELUS challenge a court order? TELUS will challenge any court order that we believe goes beyond what a judge is authorized to order under applicable legislation, such as the Criminal Code. For example, TELUS recently challenged a general court order obtained by a law enforcement agency requiring the provision of text message data on a nearly real-time basis, and successfully pursued the matter all the way to the Supreme Court of Canada. The resulting Supreme Court decision enhanced the privacy rights of TELUS customers and other Canadians. – TELUS Transparency Report 2013. This is referring to the case R v TELUS Communications Co. 2013 SCC 16. See further discussion of this case below. “In many cases, TELUS challenged an order on the ground that it was either defective or overreaching. Most challenges involved asking a law enforcement agency to reduce the amount of customer information to be provided by TELUS pursuant to the order, so that the agency would receive only the information actually required for its purposes. In some cases, TELUS has gone to court to challenge orders which we believed to be overreaching.” – TELUS Transparency Report 2013 (“The types of requests TELUS receives: Court Order/Subpoena”).4. How do you strike the right balance between protecting your customers’ privacy rights and fulfilling these information requests? We take great care to safeguard personal information and ensure that our customers’ privacy and confidentiality are preserved wherever possible. While some people may think that telecommunications companies hand over customer information to law enforcement agencies and government organizations without question, TELUS challenges information requests when we believe the request goes beyond what is lawful. We only release confidential customer information when we are satisfied it is appropriate to do so.” – TELUS Transparency Report 2013 (“Frequently Asked Questions”). References to post-Spencer policy change: “[I]n light of the recent decision of the Supreme Court of Canada in the case of R. v. Spencer, TELUS… now requires a court order for customer name and address information, except in an emergency or where the information is published in a directory.” – TELUS Transparency Report 2013 (“The types of requests TELUS receives: Customer Name and Address Checks”). “[T]he Supreme Court of Canada in the Spencer case… has ruled that [disclosure of user name and address related to investigations of online child sexual exploitation] requires a court order, except in an emergency. Accordingly, TELUS has amended its practices in this regard.” – TELUS Transparency Report 2013 (“The types of requests TELUS receives: Internet Child Exploitation Emergency Assistance Requests”). R v TELUS Communications Co., 2013 SCC 16:
  • TELUS challenged police’s use of a general warrant to require production of ongoing and future text messages.
  • The messages in question had not yet been sent or received at the time of the law enforcement request: police were asking TELUS to produce, daily or nearly so, messages sent or received by two users over a then-upcoming period of time (as well as user information identifying the senders and recipients of the messages to and from these users).
  • TELUS argued this amounted to an interception of private communications (even though the texts would technically be retrieved from where they were stored by TELUS in a computer database) meaning police needed authorization under the Criminal Code’s wiretap authorization provisions.
  • The SCC quashed the general warrant.
  • It is worth noting, however, that the case arose in part because of TELUS’ unusual storage and transmission practices: other carriers do not (or at least, at the time, did not) store text messages in computer databases as part of the transmission process.
  • In addition, the case revealed that, at least at the time, TELUS retained text messages for 30 days, unlike other service providers. (TELUS is legally allowed to do this, and evidently said the purpose was “troubleshooting customer problems”: 2013 SCC 16 at paragraph 58.)
– Information from R v TELUS Communications Co., 2013 SCC 16 (available on CanLII). For a discussion of the case, see Christine Dobby, “Supreme Court quashes general search warrant for future text messages”, Financial Post (27 March 2013) <http://www.financialpost.com>.[4] Regarding the “Tower Dump” Order (R v Rogers Communications Partnership, 2014 ONSC 3853):
  • The Peel Regional Police obtained a “tower dump” production order for the information of TELUS and Rogers customers attempting connections through any of 21 TELUS towers or 16 Rogers towers.
  • 40,000-50,000 persons could be affected.
  • The goal was “to further an investigation by identifying persons using cell phones in the vicinity of known criminal activity.” (R v Rogers Communications Partnership, 2014 ONSC 3853 at paragraph 1).
  • TELUS and Rogers applied to quash the orders under s. 24(1) of the Canadian Charter of Rights and Freedoms: “Anyone whose rights or freedoms, as guaranteed by this Charter, have been infringed or denied may apply to a court of competent jurisdiction to obtain such remedy as the court considers appropriate and just in the circumstances.”
  • “Rogers and Telus brought their Charter applications asserting the general proposition that production orders are obtained without due regard for the privacy interests of their customers. Litigating that issue, they submit, will provide guidance to the police and telecommunications industry in the future.” (R v Rogers Communications Partnership, 2014 ONSC 3853 at paragraph 24).
  • Cell towers record whenever a user makes or attempts a communication (including a call, text, or email). Towers in cities cover 1-2 kilometres, and in the country 10-25 kilometres.
  • The information provided under the orders would include, for all users making or attempting a communication:
    • Which tower they were using,
    • Their name and address, and
    • Their billing information, possibly including banking and credit card information.
  • Where the recipient of a communication was also a TELUS or Rogers subscriber, that person’s information, including the tower they were using, would also need to be provided.
  • The orders did not include:
    • How the information would be safeguarded.
    • Restrictions on the use of the information (i.e. it could be kept and used in other investigations).
  • The Peel Regional Police successfully applied to revoke the original order saying they would be satisfied with a more limited order. (Whether their application for this second order was successful is not clear.)
  • However, the Charter challenge to the original orders will proceed.
– Information from R v Rogers Communications Partnership, 2014 ONSC 3853 (available on CanLII). “Telus issued an emailed statement Friday that said the Vancouver-based company only provides confidential customer information to law enforcement agencies or other third parties in response to valid court orders or other applicable law. “Importantly, as we have done in this case, TELUS will contest orders we believe overreach in order to protect the privacy rights of our customers and other Canadians,” the statement said” – David Paddon (The Canadian Press), “Ontario judge to examine Telus-Rogers’ Charter of Rights challenge”, The Toronto Star (25 July 2014), online: The Toronto Star <http://www.thestar.com/>.[5] Google searches used in seeking public evidence of a pro-privacy position (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.)
  • TELUS “user privacy” (January 23, 2015).
  • Telus “privacy” (January 23, 2015).
  • TELUS privacy (January 25, 2015).
  • TELUS “customers’ privacy” (January 23, 2015).
  • TELUS transparency (January 25, 2015).
  • TELUS “personal information” (January 25, 2015).
  • TELUS “customer information” (January 25, 2015).
  • TELUS “subscriber information” (January 25, 2015).
  • TELUS disclosure (January 25, 2015).
  • TELUS “lawful access” (January 25, 2015).
  • TELUS “warrant” (January 25, 2015).
  • TELUS “legal authority” (January 25, 2015).
  • TELUS “Bill C-13” (January 25, 2015).
  • TELUS “Supreme Court” (February 6, 2015).
Searches used in seeking case law where TELUS defended user privacy rights in Canadian courts (The most recent search date is given next to each search term. Material up to 5 years old was reviewed.) Westlaw Canada:
  • Telus less TWU back to 01/01/2010 (January 25, 2015).*
Quicklaw:
  • TELUS Communications in Case Name, for Previous 5 years (January 25, 2015).
  • “TELUS Communications” & intervener for Previous 5 years (January 25, 2015).
CanLii:
  • "TELUS Communications" January 25, 2015
*Note: “TWU” was excluded because of the high volume of results produced by searching “Telus” alone. TWU stands for Telecommunications Workers Union, and was excluded with the goal of excluding labour disputes from the results.

Appendix A: Provisions related to Transparency about conditions for third party data disclosures (Criterion #4)

When do we disclose personal information?
  • There are a variety of circumstances where we may need to disclose some personal information about our customers. Subject to applicable CRTC regulations, we may disclose personal information, on a confidential basis with the information to be used only for the purpose for which it was disclosed, to:
    • a person seeking information as an agent of a customer, such as a customer’s legal representative, or as an authorized user under his or her account, if we are satisfied that the person is authorized to receive the information;
    • other TELUS business units to help us serve our customers better and to provide them with services from different parts of our company;
    • another telecommunications company for the efficient and cost-effective provision of telecommunications services, such as the information required to facilitate the porting of services between carriers;
    • a company involved in supplying a customer with telecommunications or directory related services, for example, Yellow or White Page listings;
    • a company or individual hired by TELUS to perform functions on its behalf, such as research or data processing;
    • a third party to evaluate a customer’s creditworthiness or to collect an account;
    • a credit-reporting agency;
    • a public authority or agent of a public authority if, in the reasonable judgment of TELUS, it appears that there is imminent danger to life or property which could be avoided or minimized by disclosure of the information. If a customer dials 911, for example, we will provide the customer’s name, telephone number, address and other location information to the emergency agency;
    • our program partners or to third-party agents responsible for administering special TELUS offers or programs;
    • third parties in connection with the sale of parts of our business, the sale or securitization of assets, or the merger or amalgamation of part or all of our business with other entities. Since customer and account information will normally be a part of such transactions, we may use or disclose such information to other parties included in the transaction, as part of due diligence and/or on completion of the transaction; or
    • a government institution or other third party in response to a court order or if otherwise required or authorized by law.”
– TELUS’ Privacy Commitment to You (“When do we disclose personal information?”).   “Principle 5 – Limiting use, disclosure, and retention of personal information TELUS shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. TELUS shall retain personal information only as long as necessary for the fulfillment of those purposes. 5.1: Subject to applicable CRTC regulations, TELUS may disclose a customer’s personal information, on a confidential basis with the information to be used only for the purpose for which it was disclosed, to:
  • a person seeking information as an agent of a customer, such as a customer’s legal representative or as an authorized user under his or her account, if TELUS is satisfied that the person is authorized to receive the information;
  • other TELUS business units to help TELUS serve its customers better and to provide them with services from different parts of the company;
  • another telecommunications company for the efficient and cost-effective provision of telecommunications services;
  • a company involved in supplying a customer with telecommunications or directory-related services;
  • a company or individual hired by TELUS to perform functions on its behalf, such as research or data processing;
  • a third party to evaluate a customer’s creditworthiness or to collect an account;
  • a credit-reporting agency;
  • a public authority or agent of a public authority if, in the reasonable judgment of TELUS, it appears that there is imminent danger to life or property which could be avoided or minimized by disclosure of the information. If a customer dials 911, for example, TELUS will provide the customer’s name, telephone number, address and other location information to the emergency agency;
  • TELUS’ program partners or third-party agents responsible for administering special TELUS offers or programs;
  • third parties in connection with the sale of parts of TELUS’ business, the sale or securitization of assets, or the merger or amalgamation of part or all of TELUS’ business with other entities. Since customer and account information will normally be a part of such transactions, TELUS may use or disclose such information to other parties included in the transaction, as part of due diligence and/or on completion of the transaction; or
  • a government agency or other third party, if required to meet legal and regulatory requirements.”
– TELUS Privacy Code.The types of requests TELUS receives:
  • Court Order/ Subpoena:
    • Description: An order or subpoena is a legal demand signed by a judge directing TELUS to provide customer information. The information may be associated with any of our TELUS services, including wireline, wireless or Internet. Most orders and subpoenas require TELUS to provide historic information, such as telephone records. A small minority of the court orders require TELUS to provide real-time information; for example, the content of a telephone call (by means of a wiretap) or the location of a cell phone. Court orders obtained by law enforcement agencies are often referred to as “warrants”.

Of the 4,315 orders and subpoenas received in 2013, TELUS provided partial or no information in approximately 40% of the instances*. This was largely due to our limited retention periods which resulted in the requested information no longer being available. In many cases, TELUS challenged an order on the ground that it was either defective or overreaching. Most challenges involved asking a law enforcement agency to reduce the amount of customer information to be provided by TELUS pursuant to the order, so that the agency would receive only the information actually required for its purposes. In some cases, TELUS has gone to court to challenge orders which we believed to be overreaching.

*This estimate was derived by sampling records maintained by TELUS’ Corporate Security department.

    • Applicable law: Criminal Code of Canada.
 
  • Court orders to comply with a Mutual Legal Assistance Treaty (MLAT) request:
    • Description: These requests take the form of a court order issued by a Canadian court pursuant to the Mutual Legal Assistance in Criminal Matters Act. Typically, these are requests for aid from a law enforcement agency in another country related to a criminal investigation, and require an order from a Canadian court. We don’t respond to requests that come directly from foreign agencies, but will provide information if ordered to by a Canadian court.
    • Applicable law: The Mutual Legal Assistance in Criminal Matters Act.
 
  • Customer Name and Address Checks:
    • Description: Requests to provide basic customer information, such as customer name and address. These are usually done in order to identify an individual associated with a telephone number. Previously, it was understood that such disclosure was permitted under Canadian law and TELUS’ service terms. However, in light of the recent decision of the Supreme Court of Canada in the case of R. v. Spencer, TELUS has changed its practice and now requires a court order for customer name and address information, except in an emergency or where the information is published in a directory.
    • Applicable law: Personal Information Protection and Electronic Documents Act (PIPEDA), CRTC rules with respect to customer confidentiality; see also applicable TELUS Service Terms and customer Privacy Commitment.
 
  • Emergency Calls:
    • Description: These are usually urgent requests for help locating or assisting an individual where their life, health or security is at risk. For example, TELUS will provide police or other emergency responders with location information for a wireless device belonging to someone who is lost or in danger. In these cases we only provide the information needed to respond to the emergency.

TELUS is the incumbent local exchange carrier (the traditional home phone service provider) in British Columbia, Alberta and Eastern Quebec and is responsible for providing technical support for 911 services in those areas. TELUS handles a large number of calls from 911 call centers (32,618 in 2013) and local police and other emergency responders (24,130 in 2013) in order to support 911 and emergency services.

    • Applicable law: PIPEDA and CRTC rules with respect to customer confidentiality.
 
  • Internet Child Exploitation Emergency Assistance Requests:
    • Description: In response to police requests, TELUS disclosed the name and address of a customer using an IP address to help the police investigate a case of online child sexual exploitation. Previously, it was understood that such disclosure without a court order was permitted under Canadian law and TELUS’ service terms. However, the Supreme Court of Canada in the Spencer case (referred to above) has ruled that such disclosure requires a court order, except in an emergency. Accordingly, TELUS has amended its practices in this regard.
    • Applicable law: PIPEDA, Criminal Code of Canada.
 
  • Legislative Demands:
    • Description: A request for information by a government body, where TELUS is required by applicable legislation to provide the information. For example, pursuant to the Income Tax Act, the Canada Revenue Agency may require TELUS to disclose certain customer information.
    • Applicable law: Any federal or provincial legislation that authorizes a government body to request information from TELUS”
– TELUS Transparency Report 2013. (Note that TELUS presents this information in a table. It has been reformatted here but the content has not been otherwise altered.) “All information that TELUS keeps with respect to you and your service, other than your name and address, is confidential. Unless you provide your express consent or unless disclosure is required under the law, your information may not be disclosed by TELUS to anyone, other than:
  • You or a person who, in the reasonable judgement of TELUS, is seeking the information as your agent;
  • Another telecommunications company, but only if the information is used to establish or to efficiently provide telecommunications service, if the disclosure is made on a confidential basis, and if the information is used solely for that purpose;
  • An affiliate involved in supplying you with telecommunications and/or broadcasting services, provided the information is required for that purpose and disclosure is made on a confidential basis with the information used only for that purpose;
  • A directory or listing service company for the purpose of listing your name, address and phone number if you consent and if that company agrees to use the information only for that purpose;
  • An agent used by TELUS to evaluate your credit or collect outstanding balances owed to TELUS by you, if the agent requires the information and agrees to use the information only for that purpose;
  • A public authority or its agent if TELUS reasonably believes that there is imminent danger to life or property that could be avoided or minimized by disclosure of the information;
  • A law enforcement agency if TELUS reasonably believes that you or anyone using your device is engaged in fraudulent or unlawful activities against TELUS.
By “express consent”, we mean:
  • Written consent;
  • Oral confirmation verified by an independent third party;
  • Electronic confirmation through the use of a toll-free number;
  • Electronic confirmation via the Internet;
  • Oral consent, where an audio recording of the consent is retained by TELUS; or
  • Consent through other methods, as long as an objective documented record of your consent is created by you or by an independent third party.
For complete details about our legal obligations and liabilities with respect to your privacy, please refer to the TELUS Privacy Policy available at TELUSmobility.com/privacy. TELUS’ liability for disclosure of information contrary to these TELUS Service Terms is not limited by the limitation of liability set out above. You may inspect any TELUS records related to the provision of your service, provided that you pay TELUS’ related extraordinary costs. You may request that your name and address not be included on any list provided to any other person or used by TELUS. Subject to the above, you agree that TELUS may collect, use and dispose personal information about you for the purposes identified in the TELUS Privacy Commitment as it may be amended from time to time. You can view this commitment at telusmobility.com/privacy. You also authorize TELUS to obtain information about your credit history from credit reporting agencies and credit grantors (including other TELUS companies) from time to time, and consent to the disclosure of your credit history with TELUS to them at any time.” – TELUS Mobility Service Terms. (Note that the TELUS Mobility Service Terms and this provision were not formally a part of TELUS’ evaluation.)

Appendix B: Provisions related to purposes for which information is collected

(Relevant to Criterion #4 [Transparency about conditions for third party data disclosures])

Why do we collect personal information?
  • If you are a TELUS customer, TELUS has some basic information about you. We understand that some of this information is private, which is why we collect personal information only for the following purposes:
  • To establish and maintain a responsible commercial relationship with you and to provide ongoing service. For example, when you apply for services, we collect information that allows us to confirm your identity and credit history so that we can accurately bill and collect for the products and services that you receive from us. We may collect credit card or bank account information if you prefer the convenience of pre-authorized payment for services.
  • To understand your needs and preferences. We maintain a record of the products and services you receive from us, and we may ask for additional information so that we can serve you better. For example, we will ask for your email address, if you wish to pay your bills electronically.
  • To develop, enhance, market or provide products and services. For example, we look at how our customers use our products and services, so that we can understand how to improve them. From time to time, we may review and analyze your use of our products and services to help us provide better product recommendations and special offers that we think will interest you.
  • To manage and develop our business and operations. For example, we analyze customer usage of our networks and facilities to help us manage them efficiently and plan for future growth. Telephone calls to or from TELUS service representatives may be monitored or recorded for quality assurance purposes.
  • To meet legal and regulatory requirements. For example, we may collect information in response to a court order, or to satisfy a request by the Canadian Radio-television and Telecommunications Commission, herein referred to as the CRTC, for information about a customer complaint and how it was resolved.” – TELUS’ Privacy Commitment to You.
What we do TELUS collects and uses some personal information about you, the products and services we provide to you, and your use of those products and services. We collect and use personal information for various reasons, including the following ones:
  • To set up your account. For example, when you apply for service, we collect information that allows us to confirm your identity and, if necessary, to run a credit check.
  • To provide our services. For example, we track your Optik TV channel subscriptions in order to know which channel signals we may transmit to your TV set-top-box.
  • For billing purposes. For example, we collect telephone log information from home phone and wireless customers in order to bill you for local and long distance calls. We may also collect credit card or bank account information if you prefer the convenience of pre-authorized payments.
  • To understand your needs and preferences. For example, we will ask for your email address if you prefer to receive electronic communications, such as eBills.
  • To meet legal and regulatory requirements, such as responding to a court order.
Additionally, we also use customer information:
  • To optimize our service delivery and operations. For example, we note how many customers are using a wireless site at what times of the day to help us plan for future investment in new infrastructure. We will also note your wireless device location for specific uses, such as when you dial 911 and we provide GPS and triangulation data to the 911 operations centre. Or if we’ve had an unexpected TV channel outage, we might examine who was watching a particular channel at the time in order to issue an apology credit.
  • To develop and enhance our products and services. For example, we look at high-speed internet usage data to improve network reliability and modem stability.
  • To market our products and services, make recommendations, and provide you with special TELUS offers. For example, we might examine your wireless calling patterns to recommend a new monthly plan that saves you money. Or we might recommend a new TELUS TV application that we think you’ll enjoy. You may opt out of receiving these offers from us at any time.”
– About TELUS’ Privacy Commitment.5. Why do we collect personal information? TELUS collects and uses some personal information about you, the products and services we provide you, and your use of those products and services. We collect and use personal information for various reasons, including the following ones:
  • To set up your account. For example, when you apply for service we collect information that allows us to confirm your identity and if necessary, to run a credit check.
  • To provide our services. For example, we track your Optik TV channel subscriptions in order to know which channel signals we may transmit to your TV set-top-box.
  • For billing purposes. For example, we collect telephone log information from home phone and wireless customers in order to bill you for local and long distance calls. We may also collect credit card or bank account information if you prefer the convenience of pre-authorized payments.
  • To understand your needs and preferences. For example, we will ask for your email address if you prefer to receive electronic communications, such as eBills.
  • To meet legal and regulatory requirements, such as responding to a court order.
Additionally, we also use customer information:
  • To optimize our service delivery and operations. For example, we note how many customers are using a wireless site at what times of the day to help us plan for future investment in new infrastructure. We will also note your wireless device location for specific uses, such as when you dial 911 and we provide GPS and triangulation data to the 911 operations centre. Or if we’ve had an unexpected TV channel outage, we might examine who was watching a particular channel at the time in order to issue an apology credit.
  • To develop and enhance our products and services. For example, we look at usage data on our high-speed internet service to improve reliability and stability.
  • To market our products and services, make recommendations, and provide you with special TELUS offers. For example, we might examine your wireless calling patterns to recommend a new monthly plan that saves you money. Or we might recommend a new TELUS TV application that we think you’ll enjoy. You may opt out of receiving these offers from us at any time.” – Customer Privacy FAQ.
Why does TELUS collect my personal information?
  • We collect your information to:
  • Establish and maintain a commercial relationship with you and provide ongoing service;
  • Understand your needs and preferences;
  • Develop, enhance, market or provide products and services;
  • Manage and develop our business and operations;
  • Meet legal and regulatory requirements.”
– TELUS Mobility Service Terms. (Note that the TELUS Mobility Service Terms and this provision were not formally a part of TELUS’ evaluation.)

Appendix C: Sources

TELUS’ Privacy Commitment to You
  • Applies to: “TELUS Corporation and its subsidiary companies, as they may exist from time to time, including those subsidiaries or divisions that carry on business under the names TELUS, TELUS Communications Company, TELUS Mobility, TELUS Quebec, Koodo, Black’s and PC Mobile” (per Endnote 1 in TELUS’ Privacy Commitment to You).
  • TELUS’ Privacy Commitment to You specifies it does not apply to TELUS Health (per Endnote 1).
  • TELUS’ Privacy Commitment to You specifies that the TELUS Privacy Code does not apply to “TELUS corporate customers. … such information is protected by other TELUS policies and practices and through contractual arrangements.” (per Endnote 2). This implies that TELUS’ Privacy Commitment to You also does not apply to corporate customers, although this is not stated.
  • Last consulted January 25, 2015.
TELUS Privacy Code
  • Applies to: “TELUS Corporation and its subsidiary companies, as they may exist from time to time. These include, without limitation, the subsidiaries or divisions which carry on business under the following names: TELUS, TELUS Communications Company, TELUS Mobility, TELUS Québec, Koodo, Black’s and PC Mobile” (per the definition of “TELUS”).
  • The TELUS Privacy Code specifies it does not apply to TELUS Health (per “Introduction,” “Scope and application,” and the definition of “TELUS”).
  • The TELUS Privacy Code specifies it “does not apply to information regarding TELUS’ corporate customers; however, such information is protected by other TELUS policies and practices and through contractual arrangements.” (per “Scope and application”), however “[i]nformation about sole proprietors or partners is… considered to be “personal information” for purposes of the TELUS Privacy Code if it is information about the individuals themselves, as distinct from information about their businesses.” (per the definition of “Personal Information”).
  • Last consulted January 25, 2015.
TELUS Transparency Report 2013
  • Applies to: “TELUS’ telecommunications businesses, including wireline, wireless and Internet.” (per the cover page).
  • Last consulted January 25, 2015.
About TELUS’ Privacy Commitment
  • About TELUS’ Privacy Commitment does not specify its application. However, it does state that:
    • That TELUS’ Privacy Commitment to You “continues to extend across our brands” which “ “[i]nclud[e] TELUS Mobility, TELUS Quebec, Koodo, Black’s and PC Mobile” (per “What’s new?” and Footnote 1).
    • That TELUS’ Privacy Commitment to You does not extend to TELUS Health (per Footnote 1).
  • It has been assumed for the purposes of this report that About TELUS’ Privacy Commitment applies to the same entities as TELUS’ Privacy Commitment to You.
  • Last consulted January 25, 2015.
About TELUS: Privacy
  • This document is a landing page that links to TELUS’ privacy materials. It does not specify what is included in “TELUS” as it uses the term. However, it does not contain provisions that were relied on in this report.
  • Last consulted January 25, 2015.
Customer Privacy FAQ
  • The Customer Privacy FAQ does not specify its application. However, reading the document makes it clear that it applies to TELUS wireless services, among others. For instance, it gives as an example of personal information that may be collected: “we will note your wireless device location for specific uses, such as when you dial 911 and we provide GPS and triangulation data to the 911 operations centre”. (per “What personal information do we collect?”).
  • Last consulted January 25, 2015.
Press Release Archive on TELUS website back to 2009: http://about.telus.com/community/english/news_centre/news_releases
  • Last consulted January 25, 2015.
News articles and relevant court cases (see Criterion #10 [Open advocacy for user privacy rights])

 

[1] Andrew Clement & Jonathan A. Obar, “Keeping Internet Users in the Know or in the Dark: Data Privacy Transparency of Canadian Internet Service Providers” (27 March 2014), online: IXmaps & New Transparency Projects <http://ixmaps.ca/>. The report is available online at <http://ixmaps.ca/transparency/img/DataPrivacyTransparencyofCanadianISPs.pdf>.

[2] http://www.thestar.com/news/canada/2014/09/17/supreme_court_ruling_hasnt_stopped_police_from_warrantless_requests_for_data.html

[3] http://www.theglobeandmail.com/report-on-business/rogers-now-requires-warrants-for-all-police-inquiries/article19634702/

[4] http://business.financialpost.com/2013/03/27/supreme-court-quashes-general-search-warrant-for-future-text-messages/?__lsa=fded-4584

[5] http://www.thestar.com/news/canada/2014/07/25/ontario_judge_to_examine_TELUSrogers_charter_of_rights_challenge.html