The various privacy commissioners across the country are familiar with this challenge, says Elizabeth Denham, Assistant Privacy Commissioner of Canada, who spoke as part of a panel at a recent Retail Council of Canada (RCC) conference held in Mississauga, Ont.

Federal privacy legislation PIPEDA (Personal Information Protection Electronic Documents Act), which has been in force since 2004, applies coast to coast with the exception of B.C., Alberta and Quebec. Those provinces have their own privacy legislation.

“It’s critical for us for harmonize (the various points of view),” she says, adding that the federal commissioner’s office meets monthly with privacy officers from B.C., Alberta and Quebec. “It benefits businesses and it benefits Canadians to have (agreement). As much as possible, we try to harmonize our approach. It’s not perfect, but we’re doing the best we can.”

One of the biggest security issues facing retailers is managing return policies, says Sears Canada Inc.’s associate vice-president of loss prevention and safety Don Berezowski. There is potential for stolen or fraudulently obtained goods being returned to retailers illegally, particularly if retailers don’t insist on having a receipt present.

Some retailers have adopted a policy of collecting shoppers’ driver’s licence numbers at the time of purchase to better track merchandise, should it end up back in the store as a returned item.

Denham says she understands that retailers might see the value of collecting this information, but so far, no retailer has been able to prove there is a strong relationship between ID collection and a reduction in false returns. Moreover, retailers may be faced with a raft of data storage and security problems if they choose to go that route, particularly since driver licences are one of the main sources of identity theft.

Denham suggests that retailers invent their own ID system (with unique numbers assigned to customers) should they wish to track purchases and returns in this manner.

Berezowski says that retailers are often confused by the range of ID collection options: which ones are frowned upon and which are permissible. The problem is only exacerbated when front line staff have to be trained.