Handling customer complaints under PIPEDA

Anybody reading the Canadian media before Christmas couldn't help but notice the huge amount of coverage given to a stream of faxes sent by a number of branches of a particular bank that kept on finding their way to a junkyard in West Virginia. The story took off and other complainants came out of the woodwork. Other banks were also the subject of stories, all related to mishandling of sensitive personal information (PIPEDA and Canadian Privacy Law: Bank faxes saga continues; involves other banks, too). Further examples of misdirected personal information are appearing in the media (see TheStar.com - Customer privacy concerns continue at CIBC).

The most obvious thing to learn from these incidents is that people need to be very careful when faxing customer information. Or mailing it. But what is not as obvious is that none of these stories should have ever made it as far as they did. Not only was customer information mishandled, but more importantly (from the bank's point of view), the customers were mishandled.

I've touched on this before (PIPEDA and Canadian Privacy Law: Two magic words, big effects ...), but it bears repeating. Where the banks (and most organizations that end up at the unpleasant end of a privacy complaint) went wrong is the way they acted when their misstep was brought to their attention: (i) they did little to assure their customers, (ii) they did not appreciate the gravity of the situation, and (iii) they did not escalate the issue to the proper level.

From what I understand of the faxing fiasco, the faxes went from a wide range of branches to one unintended recipient. Calls to the branches may have elicited a response, but they were not reported to a higher authority who would get a sense of the big picture and realize that there was a problem and it was chronic. Each branch did not know that dozens of other branches were making the same mistake and nobody was tracking the issue. When it comes to privacy breaches, one person in senior management must be apprised of the situation. Only that person will know if it was a one-off incident or whether the screw-up is pervasive.

Secondly, employees of organizations need to be resensitised to the importance of the personal information they handle. It may not be important to the company, but that is irrelevant. It is important to the customer, so it must be treated appropriately. I happened upon an example of this at Ottawa airport the night before last. Sitting in the restaurant, the woman at the table next to me got up to go. She must have been an airline employee because she left behind a copy of a manifest for a flight from Halifax to Ottawa. Being a nosy sort, I picked it up. I recognized a few names on the list, including a particular superior court judge who would not have been impressed. It told me that the person in seat 23A was 73 years old and needed help to get on and off the plane (why they put her in a window seat at the back of the plane should be the subject of a different sort of complaint). It also listed who ordered kosher meals.

To some, this is sensitive personal information and should not have been left lying around. But I think that people who deal with sensitive personal information all the time become numb to the fact that it really is sensitive and needs to be properly protected. I am sure that all lawyers know of colleagues who can be pretty casual when talking about clients. I've certainly heard some doozies about testimony about intimate matters that was probably humiliating to the person to reveal, but really had no effect on the lawyers since they've seen it all. When the information is routine, you start treating it routinely. I have heard from dozens of managers and business owners who say that they don't have to worry about privacy law because the information they handle isn't "sensitive." Well, in many cases it is, but the company has forgotten that it is sensitive or may be sensitive to their clients. All businesses need to think about information through the eyes of their clients. Even more, they need to think about it through the eyes of their most sensitive, paranoid clients. Personal information is important and must be treated accordingly.

Finally, each customer concern must be treated seriously. Most people don't complain routinely. Some may be chronic complainers, but most are not. If a client takes the time to complain about how their information was handled, they have done so only because it matters to them. If you treat the complaint casually, it can easily get out of control. If they don't get satisfaction from the organization, with the respect and priority they think it deserves, they will take their complaint to the privacy commissioner or, worse yet, to the media. I've read all the published findings on the Commissioner's website. Initially, I would sometimes think that some people complain about truly trivial things. I scratched my head at more than a few. Then I began to wonder more and more often how the organization ever let the complaint get to the Office of the Privacy Commissioner in the first place. When a complaint gets that far, particularly about something "trivial", it is most likely because the organization didn't fix the "trivial problem" and let it get out of control. If you fix it as soon as it happens, that's it. No complaint. No problem.

I've dealt with customer concerns on behalf of clients. In almost every case, they are resolved favourably if you take the concern seriously, give it due priority, treat the customer with respect, and ultimately fix their problem.

To give an example, I was involved with a concern/complaint about a consent form that had been prepared for a client. This particular client was in a large industry but was the only location in their city that was visibly tackling the privacy issue. The customer called with some questions and was immediately referred to the privacy officer. Initially, the customer sounded a little indignant. He had read the form and had a problem with one of its provisions. We were satisfied with the correctness of the document, but the customer didn't seem to be amenable to our explanation. Since we were right, we could have told him that and walked away. But that wouldn't have ended the matter, since he knew enough about PIPEDA to make it likely that he'd buy a stamp and complain to the Commissioner. So we figured that if he was asking questions, there were probably a dozen or so customers who had the same question but didn't contact the client. Rather than fight it, we redrafted the form to make it more clear. We even asked the customer for his opinion of the new form and he approved. In the end, rather than have a potential complaint on our hands, the customer actually sang the client's praises around town leading to more business. Not only was a complaint avoided, but we managed to improve the customer's relationship with the client.

Privacy is not just a legal compliance issue. As an increasing portion of customers are concerned with the protection of their personal information and whether they can trust the companies they deal with, privacy is a critical customer relations issue. If you don't appreciate that fact and begin to look at your business through your customers' eyes, you are at much greater risk of having a complaint go to the Privacy Commissioner. That involves expense, a risk of bad publicity and a lost customer.

One further thought: I'm often asked by my clients about who should assume the role of privacy officer for their company. If they are a large company, they often think it should be their in-house counsel. At first blush, this seems sensible since a lawyer has the tools to understand and apply the law. I always say that it depends upon the individual lawyer. Many lawyers reflexively get defensive and switch into denial mode. (Or at least begin denying until they have a chance to investigate.) Because this is a customer service issue as well as a legal issue, the privacy officer needs to be customer-friendly. Not all lawyers have this trait. Automatic denials and switching to "damage control" tend to escalate matters, while empathy, understanding and focusing on a solution for the customer will calm the situation. A lawyer with privacy expertise should always be consulted, because this is a legal, risk-management issue. Few employees have the knowledge of PIPEDA to fully understand the company's obligations and the risk it faces in a particular situation.
