Through an investigation, Alberta’s privacy commissioner found that Alcanna was storing too much personal information by scanning customers’ ID and wasn’t providing adequate details in its privacy notices to customers who have questions or concerns about the collection of their personal data.
Alcanna Inc., owner of the Liquor Depot, Ace Liquor, Wine and Beyond and Nova Cannabis brands, launched a pilot project in January 2020. It installed an identification-scanning entry system from company PatronScan at several locations across Alberta. The goal was to reduce the number of violent robberies at liquor stores.
Nine Alcanna liquor stores in Edmonton and Calgary have the Patronscan technology installed.
In an investigation report published Thursday, the Office of the Information and Privacy Commissioner released 16 findings and five recommendations under the Personal Information Protection Act (PIPA) to Alcanna in relation to its use of Servall Data Systems’ Patronscan ID-scanning technology in liquor stores.
Alcanna and Servall committed to address each of the recommendations, the OIPC news release said.
In fact, all five recommendations have already been acted on, a spokesperson for Alcanna told Global News on Thursday afternoon.
“A lot of this has already been done almost a year ago,” said Taylor Mann, director of corporate investigations for Alcanna.
He said Servall stopped collecting any personal data aside from name and age in February 2021. Alcanna also updated its privacy notices in stores as of February 2021 and “has agreed to recommendations two through five,” Mann said.
The five recommendations in the OIPC report were:
- Alcanna cease collecting personal information beyond those information elements specified in the GLCA.
- Alcanna modify the notices posted in its stores to meet requirements under section 13(1) of PIPA.
- Alcanna develop and implement policies and procedures for the Project system if it continues using it, or before it implements it in additional stores.
- Alcanna revise its contract with Servall to address the gaps highlighted in this report, including accountability for personal information collected, used and disclosed as part of the Project, and to clarify the roles of the parties.
- Alcanna consider how long it needs to retain personal information it collects in the Project to reasonably meet its legal and business purposes, and adjust its retention period accordingly.
Mann said since adding Patronscan, Alcanna has seen about 94 per cent total reduction in theft and 100 per cent reduction in robberies at those locations.
“I think the stats clearly speak for themselves,” he said.
Get daily National news
“It’s working amazing from a preventative standpoint, for sure… The staff feel much safer going to work.”
“I think we have a lot of good going for us,” Mann said, adding Alcanna is grateful for the OIPC recommendations.
He said Alcanna has been offering assistance to the OIPC investigator since the beginning and reviewed the 46-page report when it was available.
Gender, partial postal code retained
The investigation found that the Gaming, Liquor and Cannabis Act (GLCA) authorizes Alcanna to collect and use “name, age and photograph” in order to decide whether to grant entry to an individual.
GLCA also authorizes the disclosure of this information to other licensees, and requires the information be disclosed to a police officer upon request.
So, Alcanna collecting customers’ name and age “is reasonable,” the OIPC found. That information can be used to identify someone involved in a criminal activity and does not require consent, the report explained.
However, OIPC found that Alcanna, through the Patronscan system, “examines all the information encoded in a driver’s licence barcode, and retains gender and partial postal code in addition to name and age, which contravenes PIPA’s provisions on limited collection and use of personal information.”
“Overall, this investigation highlights two important issues,” said Jill Clayton, Information and Privacy Commissioner.
“The first is that it is clear the legislature intended the 2009 amendments to the GLCA to authorize licensed premises to collect some limited personal information for specific purposes related to investigating and ultimately reducing crime.
“However, the current language of the GLCA presents a number of practical challenges, particularly when it comes to the use of ID-scanning technologies.
“I intend to follow-up with government and other stakeholders on this point to articulate these challenges and discuss possible solutions,” she said.
Privacy notice inadequate
The OIPC investigation also found the privacy notice in Alcanna’s stores “was inaccurate and did not provide adequate contact information in case individuals have questions about the collection of their personal information as required by PIPA.
“The privacy notice did not accurately identify the personal information that is collected or the purposes for that collection.”
Technology not ‘approved’ by OIPC
Clayton also pointed out that “acceptance of a privacy impact assessment is not a ‘seal of approval’ for marketing purposes, particularly when a technology is implemented in a new and different way in a different context.”
When Alcanna announced it would be using Patronscan technology in January 2020, company representatives said it had been “approved” by the OIPC, Thursday’s news release said.
“The OIPC, however, was not aware of the pilot project until it was announced.
“The OIPC learned that Servall relied on a 2009 privacy impact assessment (PIA) review of its technology as evidence that the technology complied with PIPA, as well as previous investigations of the technology implemented in nightclubs.”
However, years ago, OIPC had told Servall: “The OIPC cannot endorse or even approve Servall’s product as ‘privacy-compliant.'”
“This investigation serves as a reminder to all businesses that the way in which technology is implemented and what features are engaged, along with several other important considerations such as context, can have substantial implications for compliance,” Clayton said.
“The findings from a review by my office are only as valid as the representations and information made available to us.”
Clayton said she has some concerns with how the current GLCA legislation is worded and how it could apply to data-collection technologies in the future, in terms of how much personal data can be collected and for how long.
Comments