So many aspects of our lives happen online these days, from shopping to work to banking, and digital privacy is more important than ever. Our guest this week is Aggie Zander, Vice President of Governance, Enterprise Programs and Global Privacy Officer at Scotiabank. She’ll break down some of the laws governing customer privacy here in Canada, what we should keep an eye out for when asked to accept one of those terms of service agreements and what the Bank is doing to protect their customers’ data.
Key moments this episode:
1:22 — Why is privacy such an important issue in 2023?
2:40 — What should we look out for in those terms of service agreements?
4:34 — Are there certain red flags people should look for when they’re asked for information?
5:37 — How Scotiabank makes sure customers’ data is safe
7:20 — What is the key thing people should take away when it comes to online privacy?
Stephen Meurice: You know those terms of service agreements? Pages and pages of legal text you scroll through, or maybe you don’t, and finally tap ‘okay’ so you can use an app, update your phone or even set up a video game for your kid. When’s the last time you actually read one of those? I mean, who does that?
Aggie Zander: Okay. You got me there. [laughs] I'm going to say I'm probably called a nerd because I do read them. And that's probably inherent in the work I do.
SM: That reader of fine print is Aggie Zander and the work she does is protecting customer privacy at Scotiabank – so, yeah, I guess it makes sense she reads the terms of service. And we’re glad she does, because she’s our guest today and she’ll tell us not only what we should keep an eye out for next time we see one of those service agreements, but also shed some light on the state of digital privacy in 2023.
AZ: Privacy is really important right now because it’s all about data. And you’re the best advocate for your personal information.
SM: Aggie is the Vice President of Governance, Enterprise Programs and Global Privacy Officer at Scotiabank. She’ll break down some of the laws governing customer privacy here in Canada, what red flags to look out for and outline what the Bank is doing to protect their customers’ data. I’m Stephen Meurice and this is Perspectives. Aggie, thanks so much for joining us today.
AZ: Thank you for having me.
SM: So your job is all about protecting the privacy of Scotiabank's customers. What would you say is the biggest threat to people's privacy now? And I mean, not just in financial services, but in general. Why is privacy such an important issue?
AZ: Today, everything is digital. Everything is done online. We've all heard the term big data. There is a lot of data out there. There is more data now than ever. And we have AI coming into play. So we definitely have to make sure that we're protecting our personal information.
SM: People are constantly asked to provide all kinds of information whenever they sign up for anything on the Internet. Are there regulations for the kind of private information companies can ask for and then what they can do with it?
AZ: Absolutely. There are many privacy laws in Canada. We have federal public sector laws and we have private sector laws and we have substantially similar laws in certain provinces. All of these laws protect the use, collection and disclosure of personal information, provide obligations for organizations on what can be collected, how you can use this information, and what can be shared. Companies cannot just ask for information without a valid business purpose. There's a lot of teeth in it now, from a privacy perspective.
SM: Another way that people often encounter privacy issues or become aware of them is when you're signing up for almost anything. It comes with a terms of service agreement that you have to click, ‘I agree to.’ Before you'll actually be able to access the service or the product. Speaking for myself and I suspect an awful lot of people, they just scroll through until they see the, ‘I Accept’ button. Are there any guidelines around those? I mean, do you personally read those terms of service agreements before you click on the button?
AZ: Okay. You got me there. [both laugh] I'm going to say I'm probably called a nerd because I do read them. And that's probably inherent in the work I do. At the end of the day, it's really important that companies are very clear on their privacy policies and agreements. They shouldn't be complicated. They should be clear, simple and easy to understand.
SM: So, what are the specific things that you look for when you're reading through those agreements? What are the red flags for you?
AZ: For me, the first thing — is there data sharing with third parties? I want to know if data's being shared externally. The second piece I look for in an agreement is accountability. Do they have a privacy officer in place? Do they have a privacy program? I want to make sure that somebody in that organization is accountable for protecting my personal information.
SM: Okay. And the data sharing that you talked about, are there circumstances in which that's legitimate? How do you know the difference between what's legitimate sharing of information with a third party and what's something that you should be worried about?
AZ: Well, third party might be legitimate on what you're applying for with a product or service that they have to share with this third-party. So it's all about being transparent to the customer, advising them and getting their consent to share that information.
SM: So being specific about why they're sharing it and who they're sharing it with and why.
AZ: Yeah. Absolutely.
SM: And when people are online, whether you're shopping or signing up for a subscription or whatever, are there certain red flags that people should be looking for in terms of the type of information you're being asked for? How does a person keep their own data safe? Should you be suspicious of everything that you do online, basically?
AZ: It all depends really on the product or service, right? It all comes to what is reasonable and you're the best one to be able to judge that. Organizations can't just randomly ask for anything. It has to make reasonable sense for the product or service that you're applying for.
SM: Okay. And I'm sure many of our listeners hear all the time about privacy breaches, where digital user data ends up in the wrong hands. What lessons can people take away from those kinds of examples, or is it more lessons that businesses should be taking from those types of behaviours?
AZ: I think the key is for businesses, we have to monitor activity. We have to make sure we give access to information only to individuals who need it for their roles. So I think those are key things.
SM: Right. In a big organization like Scotiabank, how do you ensure those things are happening? It seems like a tall order to be monitoring the activities of people who might have access to the information and the processes that take place. How do you do that?
AZ: At Scotiabank, any new initiative that collects or discloses personal information goes through a privacy impact assessment. So we look at all the data elements that are being used, what has to be disclosed, consent language that's built into the initiative before it's launched to make sure that we're managing the privacy risk. With respect to access, we go on data minimization access. You only get access to information that you need to conduct your role. And at the end of the day, we also do training and education on those parts to make sure people are well aware of protecting privacy.
SM: Right. As everybody knows, banks do ask people for a certain amount of information, some of it sensitive or they might consider it to be confidential in order to be able to access the bank's services. Why does the bank need that information?
AZ: First, we collect information to verify who you are. We need to make sure we're dealing with the right individual at the end of the day. We also are required to collect and use personal information to meet other legal and regulatory requirements, for example, anti-money laundering regulations and know your client requirements. As an individual, you want the banks to authenticate you. Organizations have this obligation to validate your identity.
SM: Right. So the Bank has regulations that it needs to follow around those things. They're required to get this information from their clients in order to provide the service.
SM: And before we wrap here, what do you want people to take away from this? What's the key message that people should think about when they're thinking about protecting their own privacy online and in conducting their own business?
AZ: Yeah. I definitely say to people, only share information that you're comfortable with. Don't feel pressured to share information and ask questions. You're the best advocate for your personal information because your personal information belongs to you.
SM: Aggie, thanks so much for joining us. We really appreciate you taking time to talk to us today.
AZ: Thank you.
SM: I’ve been speaking with Aggie Zander, Vice President of Governance, Enterprise Programs and Global Privacy Officer at Scotiabank. The Perspectives podcast is made by me Stephen Meurice, Armina Ligaya and our producer Andrew Norton.