PEI’s Privacy Commissioner made several recommendations to PEI Cannabis Management Corporation (PEICMC) after a nearly two-year review of the organization’s privacy and consumer data protection policies.
The investigation started on October 20, 2018, two days after the first PEI Cannabis stores opened, after customers raised concerns about the way they were checking identification cards. At the outset, the stores were scanning the code on the back of ID cards to verify that they were real, however, customers were concerned about what data was being saved, who could see it, and what was being done with it.
According to PEICMC, the data collection wasn’t intentional, but it was happening.
“They were not meant to retain or track any data, but an IT specialist examined the scanners and found some data was being kept for 24 hours inside the device,” PEICMC said in an email to CBC. “This data was immediately wiped and settings were changed so as not to keep data in the future.”
The scanners were immediately discontinued, but this discovery promoted more investigation into how the organization could better protect the data of their customers.
According to Privacy Commissioner Karen Rose, the corporation is using reasonable measures to protect personal information, however, she did make some recommendations.
The report recommended a few changes to the website, such as not requiring customers to give their birthday to enter, and making the Privacy Policy available for users to read before they enter the website. It also suggested that they change their indoor signage letting customers know that they’re being filmed, and adding more resources for customers if they want to know why they are being filmed and who has access to that data.
Rose also suggested that they continue with regular training to employees so that they know how to keep customers’ personal information safe, as well as test their system every once in a while to make sure it is still effective.
According to PEICMC Director of Operations Zach Currie, the company has already implemented the changes and plans to place a larger focus on cyber-security in the future.