The Office of the Information and Privacy Commissioner (OPIC) of Canada published the results of its investigation on Thursday to Alcanna Inc.’s liquor stores in Alberta. The investigation found that Alcanna’s use of ID scanning technology was against the Personal data protection law of Alberta (PIPA) by collecting more than appropriate levels of personal information.
The investigation opened on January 23, 2020, amid widespread privacy concerns in the media, after Alcanna announced the launch of an ID scanning pilot project in three Edmonton liquor stores. The project would use Servall Data Systems Inc.’s Patronscan technology. The project required individuals to scan the barcode on the back of their driver’s license to enter liquor stores and aimed to stop the increasing incidents of theft, robbery and violence in Alcanna’s shops.
The OPIC noted that while Section 69.2 of the Alberta Gambling, Alcohol, and Cannabis Act (GLCA) allowed the recording of a person’s name, age and photo before a person was allowed to enter licensed premises, Alcanna collected additional information on gender and partial postcodes for “more precise identification”. Although the system does not retain all of the information about the driver’s license barcode, it first decodes and processes it to extract the relevant information.
The OPIC determined that the limited amount of time it collects such information and the additional collection, use and disclosure of gender and zip code information is beyond what is reasonable to serve the stated purpose of identifying individuals, involved in criminal activities.
The OPIC also found that while Alcanna was exempted from consent to the collection of name, age and photo information under the GCLA, it did not obtain proper consent to the collection, use and disclosure of additional gender and zip code information.
As a result, Alcanna’s project violates Sections 11 (2), 16 (2) and 19 (2) of the PIPA. The OPIC recommended that the company stop collecting personal data beyond the elements permitted by the GLCA.
Jill Clayton, the data protection officer, stated:
“… this investigation serves as a reminder to all organizations that the way technology is implemented and what features are used, along with several other important considerations such as context, can have a significant impact on compliance.”