The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Monday, May 31, 2004
The Office of the Privacy Commissioner has just published a handy guide for organizations facing investigations under PIPEDA. For companies in this unhappy position and the lawyers who advise them, this brief guide will probably be very useful:
"An individual has filed a complaint against your organization with the Office of the Privacy Commissioner of Canada.
What happens now?
Our Investigations and Inquiries Branch will review the complaint and an investigator will be assigned to the case.
What is the investigator's role?
The investigator's job is to gather the facts related to the complaint and make recommendations to the Commissioner. These recommendations are based on an analysis of the facts within the framework of the Personal Information Protection and Electronic Documents Act. ..."
Labels: information breaches
Saturday, May 29, 2004
I was recently invited to give a presentation to the Annual General Meeting of the Medical Society of Nova Scotia on the impact of PIPEDA on physicians. (See presentation: PIPEDA and Physicians - MSNS AGM 2004.)
Since last year, I have been working with National Privacy Services and the Medical Society to design an easy-to-implement solution for busy physicians. In our experience, most physicians don't have the time or the inclination to design their own compliance program. And as small business people with tightening revenue, physicians don't have the resources to engage a privacy lawyer to assist them. (Perhaps as important, most doctors don't know about the law, let alone what they need to do to address it.)
The final product is the Physician's Privacy Manual, which includes a complete suite of products that a physician can implement in his or her practice. The Manual includes:
The procedures and tools contained in the Physician's Privacy Manual have been extensively field tested in private practices and subjected to review by a wide range of physician focus groups. For more information, contact National Privacy Services at http://www.privlaw.com or (toll free) at 1-877-PRIVLAW.
The British Columbia Privacy Commissioner has released a statement that he will begin an inquiry into the impact of the US Patriot Act on the privacy of British Columbians. Specifically, he is concerned that US federal authorities will have access to personal information of British Columbians if a US company is used as the outsourced service provider for various public services.
Here are links to articles from Google News:
Pending inquiry, government should halt its plan to give private ...
BCGEU, Canada - 11 hours ago
The provincial government should immediately halt plans that would put private information on every British Columbians into the hands of US firms, pending a ...
BC privacy watchdog seeks US government, FBI input in Patriot Act ...
Canada East, Canada - 14 hours ago
VICTORIA (CP) - The FBI and US Attorney General John Ashcroft are being asked to contribute to a British Columbia study of the US Patriot Act. ...
Patriot Act probe begins
CBC British Columbia, Canada - 14 hours ago
VICTORIA - BC's Privacy Commissioner has launched a review of the impact of the US Patriot Act on government plans to contract out the Medical Services Plan to ...
BC privacy czar to study US Patriot Act
CTV, Canada - 12 hours ago
VICTORIA — The FBI and US Attorney General John Ashcroft are being asked to contribute to a British Columbia study of the US Patriot Act. ...
Friday, May 28, 2004
A recent story from Baltimore, MD, highlights the vulnerability of personal information and the need for vigilance. People trust their doctors to maintain their confidentiality, but this trust can be betrayed by unscrupulous employees.
POSTED: 8:47 am EDT May 27, 2004
BALTIMORE -- You trust your doctor to maintain your health but what about your privacy?
Patients from one doctor's office thought their personal information was protected. They were wrong.
WBAL-TV 11 News I-Team reporter Barry Simms discovers how easily your security can be breached.
Anne Knoeller thought her personal information was secure until an unusual phone call...
Knoeller: "He said check your credit report."
The caller -- a Baltimore County police detective. He told her, "your information's been taken out of a doctor's office."
She was shocked. The alleged thief -- a medical assistant trusted with private patient information. 21-year-old Chanell Cole of Baltimore worked at Hunt Manor Medical Associates in Phoenix. The practice is affiliated with the Greater Baltimore Medical Center....
Wednesday, May 26, 2004
Privacy International has filed a complaint against GMail, Google's new web-based e-mail service that offers 1GB of storage. The complaint has been filed in a number of jurisdictions, including Canada.
Privacy International: "PI intensifies pressure on Google's Gmail service
Privacy International has filed a complaint asking the privacy and data protection commissions in France, Germany, the Netherlands, Greece, Italy, Spain, Czech Republic, Belgium, Denmark, Sweden, Ireland, Portugal, Poland, Austria, Australia and Canada along with the European Commission and the EU Commissioners internal Article 29 Data Protection Working Group to investigate the serious privacy problems that Google's Gmail service poses."
The most reported aspect of the privacy concerns revolves around Google's intention of serving ads that are based on the content of e-mails. There is also a concern related to the amount of storage offered and the risks that may be associated with it.
See the following media coverage:
London Free Press: Business Section - Google faces fight on privacy: "Google's free e-mail service, Gmail, has come under attack by privacy rights groups that claim it violates privacy laws in many countries. Many Internet service providers (ISPs) offer free e-mail with a limited amount of space to store messages. Gmail's generous 1GB storage capacity comes at a price -- the user's exposure to targeted advertisements based on the contents of their e-mails.
Google's free e-mail storage capacity is more than 100 times that offered by established rivals such as Yahoo and Hotmail. The service is promoted as a means for a user to create a centralized and permanent e-mail archive.
Privacy International filed complaints against Gmail with privacy regulators in Australia, Canada and 15 countries in Europe. "
SignOnSanDiego.com > News > Technology -- Google's free Gmail service comes under fire overseas: "Google's free e-mail service Gmail is under fresh fire from an international privacy rights group that said the soon-to-be-launched service violated privacy laws across Europe and elsewhere.
Privacy International, which has offices in the United States and Europe, said it filed complaints with privacy and data-protection regulators in Europe, Canada and Australia. It had already filed an initial complaint in Britain. "
Bits & Bytes for April 22, 2004: "Google Pressured On Privacy
Yet more Google news: the search giant's plans to include contextually targeted ads in its still-in-beta free e-mail service, Gmail, have drawn more fire.
The search giant intends to have its technology scan the content of e-mail messages, and target ads accordingly. The plan has generated privacy concerns and widespread criticism.
The free consumer service comes with 1 gigabyte of storage and the ability to easily search through old messages. The price of that is letting the company apply its highly successful keyword-advertising infrastructure to the content of the messages. Privacy International is the latest group to protest on grounds of privacy. The group filed a complaint Monday asking privacy and data protection commissions in sixteen countries to investigate potential invasion of consumers' privacy.
The international electronic privacy watchdog complained that the proposed service violates several statutes of the European Union's Data Protection law.
Google says what's drawing concern is what computers are capable of doing, not what the company does in reality. 'We pride ourselves in protecting users' data and holding ourselves to the highest standard,' said Wayne Rosing, VP of engineering for Google.
'We do not keep that data in correlated form, it's separated in various ways and we have policies inside the company that do not allow that kind of correlation to happen. We consider any program or programming that correlates user data with user identity to be a violation of trust and we do not do that,' said Rosing."
Monday, May 24, 2004
eNews: "Website of the Month
Looking for more details about how recent privacy legislation changes are affecting how you do business? Be sure to bookmark David Fraser's Canadian Privacy Law blog. This online journal presents the writings of a Canadian privacy lawyer. Here, Fraser outlines the developments in privacy law containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws. www.pipeda.blogspot.com."
From today's Toronto Star:
How to make 'do not call' list work
Doesn't just the sight of the word make your blood boil? Not that all telemarketers are bad, it's just that the very word conjures up the image of dinner-time interruption and an uncomfortable phone conversation that usually ends with the handset crashing to its base.
To its credit, the Canadian Marketing Association is trying its best to separate itself from insensitive, rogue marketers who insist on bothering us at the worst of times and, despite our pleas, call back over and over again, or worse, defiantly challenge us when we say, 'Sorry, not interested.'
The problem is, the CMA only has 800 members - all big, respectable companies with reputations to protect and enough sense to listen when we ask to be removed from their respective calling lists."
Today's Toronto Star reports the results of a study comparing the privacy practices of Canadian and US companies:
Compliance, security are aims in states
In Canada, privacy seen as good business
Canadian and U.S. companies have vastly different attitudes and motivations when it comes to protecting the privacy of their customers, according to a cross-national study to be released this week.
The study, the first to compare the corporate privacy practices of comparable Canadian and U.S. firms, found that Canadian businesses see their privacy practices as an opportunity to improve relations with customers, while their U.S. counterparts viewed privacy measures more as a way of complying with legislation and avoiding civil lawsuits.
Indeed, 61 per cent of surveyed Canadian companies linked 'good privacy practices' to customer trust and brand loyalty, compared to only 17 per cent of U.S. companies."
Saturday, May 22, 2004
Unlike most "privacy seminars" (which I have found to be rambling, too theoretical and disjointed), NPSi's offering is very practical, hands-on and leaves attendees with solid skills and tools to either begin the compliance process for their organizations or to increase their competence in critical skills.
For more information, check out NPSi's training schedule or the links to the individual sessions above.
Friday, May 21, 2004
beSpacific: Blog on Canadian Privacy Law Issues
Attorney David T.S. Fraser's blog on the Personal Information Protection and Electronic Documents Act and Canadian privacy law issues provides a wealth of resources, commentary and links, frequently updated, from his home base in the wonderful city of Halifax.
On 30 March 2004, the Canadian cabinet passed an order-in-council adding to the list of bodies with "investigative body" status under PIPEDA.
Organizations that receive this designation are able to take advantage of the consent exceptions contained in Section 7 of PIPEDA that specifically apply to investigative bodies. In particular, Section 7(3)(d) and (h.2) allow certain disclosures of personal information without consent:
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is …
(d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization
(i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or
(ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs; …
(h.2) made by an investigative body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; or … .
The amendments add a number of professional regulators to the list, as well as private investigators.
See the full text at the Canada Gazette web site:
"Vol. 138, No. 8 - April 21, 2004
SOR/2004-60 30 March, 2004
PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT
Regulations Amending the Regulations Specifying Investigative Bodies
P.C. 2004-327 30 March, 2004
Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(1)(a.01) of the Personal Information Protection and Electronic Documents Act (see footnote a), hereby makes the annexed Regulations Amending the Regulations Specifying Investigative Bodies. "
Wednesday, May 19, 2004
I recently blogged about PIPEDA and Video Surveillance, particularly in the insurance claims process. We are finally getting some guidance from the courts on how PIPEDA will be applied in litigation.
Since the Personal Information Protection and Electronic Documents Act (“PIPEDA”) came into full effect on January 1, 2004, insurers have been concerned about what impact this legislation might have on their claims handling processes and the ability of claims personnel to order video surveillance of claimants. There has been a fair amount of uncertainty and, while the issues are not entirely resolved, we are beginning to receive some guidance on how the courts will deal with the intersection between privacy rights and litigation.
The Ontario Superior Court of Justice recently issued a decision in the matter of Ferenczy v. MCI Medical Clinics. In this case, the insurer ordered video surveillance of the claimant, which was used at trial to impeach the claimant’s testimony. An objection was raised by the Plaintiff’s counsel on the basis that the video surveillance was conducted in violation of PIPEDA and should therefore be inadmissible in court. In the absence of the jury, Justice Dawson considered this issue and reached a number of notable conclusions.
PIPEDA applies with respect to personal information that is collected, used or disclosed in the course of “commercial activities.” When the law applies, it requires the knowledge and consent of the individual concerned for the collection, use or disclosure of his or her personal information. There are a number of exceptions to the consent principle contained in Section 7 of the statute.
Justice Dawson concluded that litigation of third-party claims is not “commercial activity” for the purposes of PIPEDA. (Please note that this is likely not the case for a first-party claim, such as under a disability policy or for Section B benefits.) Justice Dawson also concluded that, if PIPEDA applied, the Plaintiff implicitly consented to the collection of personal information via video surveillance by the act of putting forward the claim. Finally, Justice Dawson also concluded that the exception to the consent principle contained in Section 7(1)(b) was applicable.
Lawyers in our privacy and insurance law groups have been recently involved with a number of PIPEDA complaints against insurers initiated by plaintiff’s counsel. While the complaints are not yet resolved, insurers would be well advised to anticipate that such complaints may become commonplace until these matters are clearly resolved by the Privacy Commissioner or the Federal Court. It is possible that the Privacy Commissioner’s conclusions will differ from those of Justice Dawson, further complicating matters for insurers.
PEI is introducing a law to facilitate sharing of prescription data ...
New drug tracking laws introduced
WebPosted May 17 2004 08:17 AM ADT
CHARLOTTETOWN - The Binns government is making moves to allow pharmacies to share information more freely. In part, the new law would help pharmacies identify people who are abusing prescription drugs.
The goal is to stop people from getting prescriptions from more than one doctor, or having multiple prescriptions from more than one pharmacy."
Tuesday, May 11, 2004
There has been no shortage of spilled ink (or spilled electrons) on the impact of the US Patriot Act on the privacy of Americans. One aspect of the law has raised the ire of the Privacy Commissioner of British Columbia. He alleges that the law puts Canadian privacy at risk because it reaches into American companies that handle Canadian personal information, in Canada:
"U.S. Patriot Act worries Privacy Commissioner
WebPosted May 11 2004 02:28 PM PDT
VICTORIA - B.C.'s Privacy Commissioner is asking the provincial government for extra money to examine the ability of U.S. authorities to access confidential information in Canada.
The U.S. Patriot Act allows American law enforcement agencies to access private information held by U.S. companies.
That could include information held by Canadian subsidiaries of U.S. companies."
ITBusiness.ca reports on a new initiative launched by Canada's Industry Minister:
"As part of a wider effort to crack down on senders of fraudulent e-mail, the federal government Tuesday announced the creation of a new spam task force.
Among other initiatives, the task force of public- and private-sector representatives will review the use of existing anti-fraud laws as well as any 'regulatory and legislative gaps' that might inhibit law enforcement agencies from bringing spammers to justice.
The task force's overall goal is to identify measures to reduce or control spam.
'The government must ensure that existing legislation' addresses the spam problem, Industry Minister Lucienne Robillard told an Ottawa audience. "
Saturday, May 08, 2004
From today's Yahoo News:
"Computer System at U.C. San Diego Hacked
Fri May 7, 11:55 PM ET
SAN DIEGO - Hackers broke into the computer system of the University of California, San Diego, compromising confidential information on about 380,000 students, teachers, employees, alumni and applicants.
Investigators urged those affected to guard against identity theft.
Hackers infiltrated four computers that stored Social Security and driver's license numbers in the university's business and financial services department. Investigators are unaware of any illegal use of the data.
University officials discovered the security breach April 16 after noticing a spike in traffic on the network.
In December, more than 178,000 San Diego State University students, alumni and employees had personal information exposed by hackers who broke into a university computer server. The FBI and campus police investigation found computers used for the hacking were on the East Coast.
Last month, the San Diego Supercomputer Center, which is on the UCSD campus, was infiltrated by a hacker, although officials said no critical information was lost. "
Thursday, May 06, 2004
Over the last few months, I've written a couple of blog entries about swiping drivers' licenses and the information that discloses. Today's Boston Globe has a funny spin on some consequences for people who voluntarily swiped their licenses instead of credit cards:
"Computer glitch gives out free gasoline
May 5, 2004
PITTSFIELD TOWNSHIP, Mich. -- You can pump, but you can't hide. Some motorists in Michigan have found out the hard way that you can't just gas and go.
They discovered that because of a computer glitch they could swipe their drivers' licenses instead of credit cards to gas up for free at the pumps outside the Meijer chain.
A total of 107 people figured it out, many of them students from nearby colleges in Ypsilanti and Ann Arbor.
In some cases people got as many as 15 fillups over a three-week period. Meijer got hosed for thousands.
But it turns out the information from each transaction with a drivers' license was stored on computer and police are tracking down the culprits."
Today's Globe and Mail has an article about "black boxes" in recent cars that, if I understand them correctly, record data for the five seconds before the airbags inflate. Much of the coverage related to them (See Google News Search) has focused on the privacy aspects of these devices.
"EDR could be either an eye-glazing acronym or the difference between you and the other driver paying huge sums of money or going to jail. And it's getting lots of attention since a Montreal man was sentenced to 18 months on evidence from his car's event-data recorder.
The revelation of the existence for a decade of the automotive event-data recorder is almost as momentous in traffic-law and civil-court terms as finding DNA was in criminal law.
If your vehicle has airbags, if you have a smart adjuster or lawyer and providing you don't drive like a maniac, proving who is in the wrong can be a lot easier.
But, if you're a little paranoid, certain that there is a Big Brother and that you're the object of his attention, and you drive on the wild side, you could see the EDR as part of a conspiracy to stick it to Canadian drivers."
Monday, May 03, 2004
From the Canadian Press wire:
"Audit finds sensitive information about Canadians improperly handled by RCMP
Sun May 2, 3:36 PM ET
OTTAWA (CP) - Sensitive tax and customs files shared with RCMP investigators could go astray due to lax procedures within the national police force, an internal audit reveals.
Auditors found widespread confusion over the classification of documents, an outdated list of RCMP personnel with security clearances and ignorance of rules for handling information from customs and revenue officials.
The February audit report, obtained by The Canadian Press under the Access to Information Act, points to heightened public fears about such personal information falling into the wrong hands.
'The issue of privacy rights and the use and exchange of information collected by the federal government has received much attention over the last few years,' says the report. "
Sunday, May 02, 2004
The Christian Science Monitor has published an article on issues related to the privacy of children's information, particularly information that is compiled for marketing purposes. The United States already has legislation that deals with the privacy of kids' information online (the Children's Online Privacy Protection Act), but there is -- at present -- no regulation of offline collection and marketing. This will change if a legislative initiative by Senators Wyden and Stevens is passed by Congress (see http://thomas.loc.gov/cgi-bin/bdquery/z?d108:s.2160:).
Hey kid - you wanna buy a ... | csmonitor.com:
"With Gary Ruskin at its helm, Commercial Alert has gained recent attention on Capitol Hill for its "Parents' Bill of Rights."
The document includes nine provisions to help parents combat commercial influences, one of which calls for banning advertising aimed at children under 12 and two of which have already been introduced in the US Senate.
The first bill under consideration requires fast-food chains to disclose basic nutritional information, and the other, introduced last month by Sens. Ron Wyden (D of Oregon) and Ted Stevens (R of Alaska), would ban list brokers without parental permission from collecting data about children 16 and under - everything from ethnicity and family income to hobbies - and selling it to advertisers and marketers.
This practice extends even to the diaper set, which is especially alarming to parents. But no matter what the child's age, parents consider these lists an invasion of privacy.
"Parents are flabbergasted and angry when they learn that their child's information could be sold on the Internet," says Chris Fitzgerald, press secretary for Senator Wyden.
"These list brokers work by stealth," says Mr. Ruskin. "No one even knows this is happening. Children are naturally more trusting than adults, and that trust is often easy to exploit."
Repeated calls to two of the best-known list brokers, American Student List and Student Marketing Group, were not returned. But Doug Wood, general counsel to both the Association of National Advertisers and the Advertising Research Foundation, spoke up in list brokers' favor. Banning them, he says, would be discriminatory and a violation of the First Amendment.
He doesn't even favor an "opt out" feature similar to the Do Not Call Registry for telemarketers. "There would be a huge rush of parents who sign up out of ignorance," Mr. Wood explains. "Some of the things they sell to kids are valuable. The fact that we are a nation of sellers is not necessarily a bad thing."
But Wood, who has three children, does concede that list brokers might want to tweak their approach: "They could do themselves a favor by being more open," he says.
The Children's Listbroker Privacy Act will be heard sometime before October, says Courtney Schikora, press secretary for Senator Stevens. That may not be soon enough for some activists, but most are encouraged that politicians are listening.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.