The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.


About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.


Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Thursday, September 30, 2004

Column: Privacy Legislation Is Needed, Even If It Hurts 

Instead of complaining about the inconvenience of forms, privacy statements and the like, as many columnists have done, Wayne Rash has written a column about the benefits of mandatory privacy. In this column, he recounts his "encounters" with changes brought about by privacy laws and finds comfort in them:

Wayne Rash: Privacy Legislation Is Needed, Even If It Hurts:

"...What was happening was that the companies I dealt with have made security of my information mandatory, whether I liked it or not. They're doing this because they're required to by a federal law referred to by its acronym HIPAA. The financial community has a similar requirement named after the sponsors of that relevant law, called Sarbanes-Oxley. The bipartisan team knew that protecting the information vital to investors would take more than vague statements in annual reports, and as a result mandated a series of steps that among other things ensured the security of financial data.

Again, the law was requiring companies to take steps in security that they otherwise wouldn't take. The reason, of course, is that financial officers tend to look on security as a cost center and as a result are reluctant to provide necessary funding, explaining why corporate security efforts have been so difficult to put into place. The fact that federal law requires such steps eliminates that problem in areas where it applies.

The fact that the laws result in yet more paperwork for me, or in the requirement to queue up five feet away from the pharmacy counter are minor inconveniences to me, but in reality they are a small part in a much larger plan. I can't overhear the conversations of others. My doctor or my broker can't send information to third parties without my consent. And companies have to safeguard my data.

Most of those steps would never have been taken without laws requiring them. Worse, most people would have viewed security in the same manner as the Blackberry user I sat next to. She could have tilted her screen so I couldn't see, but she obviously didn't think about it. People in general think about security very little. Problem is, some of those who think about it very little really should be thinking about it a lot, but they're not...."

In my view, Wayne Rash is a kind of spokesperson for the many quiet consumers who may not be standing on street corners applauding, but are silently appreciative of the efforts that companies are being forced to undertake to protect consumer privacy. And, companies should note, consumers like Wayne Rash vote with their wallets.


Article: CRTC puts new rules on hold 

The Toronto Star has an article in today's edition about the CRTC's suspension of the changes to the Canadian telemarketing regulations, "CRTC puts new rules on hold":

"Strict rules imposed on telemarketers in May have been put on hold pending the outcome of a regulatory review.

The Canadian Radio-television and Telecommunications Commission has decided to reconsider its new rules in response to a complaint filed in August by the Canadian Marketing Association.

The association, with 800 members that include major financial institutions, telephone operators and media companies, argued that the high cost of complying with the regulations will put many smaller phone marketers out of business and result in job loss across an industry that employs 270,000...."


USA Patriot Act "national security letters" provision is thrown out by Court 

The ACLU has been successful in challenging the portion of the USA Patriot Act that allows the FBI to compel the production of records without court authorization. Parry Aftab has a number of good blog entries about it, including her analysis of the decision. Take a look at Patriot Act Provision is thrown out by Court - effective date is delayed 60 days to allow government time to appeal, The Decision in ACLU v. Ashcroft, and Overview of the Section 2709 Patriot Act decision. While you're there, bookmark her excellent blog.


Wednesday, September 29, 2004

Canadian government proposes regulations to require disclosure of employee data without consent for policing employment insurance program 

Human Resources and Skills Development Canada has proposed amendments to the Employment Insurance Regulations to ensure that HRSDC has access to employee payroll information to detect fraud and abuse of the Employment Insurance Program. The National Post has a large front page story on this, saying that the fraud detection program has been on hold for nine months because of fears of transgressing federal and provincial privacy laws. I would have suggested that this information collection without consent was already allowed under PIPEDA, the Alberta Personal Information Protection Act and BC's Personal Information Protection Act. Better to be safe than sorry ...

Canada Gazette:



The purpose of the proposed amendment to the Employment Insurance Regulations is to ensure that earnings verification programs conducted by Human Resources and Skills Development Canada (HRSDC), formerly Human Resources Development Canada, in cooperation with employers, satisfy the requirements of federal and provincial legislation pertaining to the disclosure of personal information.

As of January 1, 2004, subsection 7(3) of the federal Personal Information Protection and Electronic Documents Act (PIPEDA), applies to employers who fall under federal jurisdiction (i.e. airlines, banks, interprovincial transportation, radio and television broadcasting or telecommunications industries). Under the Act, these employers may not disclose personal information about an employee to HRSDC without the employee's consent unless HRSDC can demonstrate that it has the lawful authority to obtain this information. In addition, Quebec, British Columbia and Alberta have enacted privacy protection legislation requiring HRSDC to have lawful authority before it can obtain employee information from private sector employers in those provinces without employee consent. Similar legislation is being developed in other provinces.

With the implementation of the above-mentioned privacy legislation, regulatory clarification is required to ensure the ongoing functions of two verification programs administered by the Employment Insurance (EI) program: the Automated Earnings Reporting System (AERS) and the Report on Hirings (ROH) Program. These voluntary programs involve the comparison of EI claim files with current employee information provided to HRSDC by employers. HRSDC's lawful authority to obtain this information needs to be made explicit as a result of PIPEDA implementation. The AERS and ROH programs are currently under suspension (since January 1, 2004) and will be reinstated once the Regulations come into effect.

Both the AERS and the ROH programs were developed in the late 1970s following recommendations made by stakeholders representing employers and employees. The level of participation has been considerable among employers because these programs are cost-effective and they help to alleviate the significant paper burden of requests for payroll information employers would otherwise receive.

Employees working for participants of AERS and the ROH benefit because the overpayment of EI benefits is minimized keeping financial hardship for the claimant to a minimum if repayments are required. This also means that subsequent administrative penalties or prosecutions are less likely because HRSDC is aware of the problem at the outset. As well, deterrence is achieved by encouraging participating employers to advise their employees that they participate in the AERS or ROH program. HRSDC provides employers with posters and inserts for use in informing employees that they share payroll and hiring information with HRSDC.

The proposed Regulations safeguard the privacy of Canadian workers and, at the same time, reduce the potential for making EI payments to claimants who are not lawfully entitled to receive them. The only information available to HRSDC that is collected from the verification programs is information matching employees subject to an overpayment.

AERS and ROH are early intervention measures and serve as major deterrents to fraud and abuse of the EI program. HRSDC considers the use of regular and ongoing verification programs as crucial control mechanisms that assist HRSDC in meeting its obligations with respect to sound management practices and its fiduciary responsibility under the Employment Insurance Act.

To support the continuation of these voluntary verification programs, it is proposed that section 55.1 of the Employment Insurance Regulations be added to make explicit that HRSDC has the lawful authority to obtain employee information on a continuing basis. The information to be collected will include information in respect of the date of commencement of employment, duration of employment, amounts earned and reasons for separation from employment. It will apply to employers who (a) hired or recalled ten or more employees in a twelve-month period or expect to do so in the upcoming twelve months or (b) were required to issue ten or more records of employment in a twelve-month period or expect to do so in the upcoming twelve months.



This proposed regulatory amendment was prepared by Human Resources and Skills Development Canada's Employment Program Policy and Design in consultation with Insurance Program Services, Investigation and Control, Legal Services and Privacy and Access to Information. External consultations have taken place with Industry Canada which is responsible for PIPEDA and the Department of Justice which agreed to the intent of the Regulations and drafted the wording. The Office of the Privacy Commissioner was also consulted during the developmental stages. The Employment Insurance Commission (including the Commissioners for Workers and the Employers) approved the Regulations in principle on November 14, 2003.

Compliance and enforcement

Existing compliance mechanisms contained in HRSDC's adjudication and control procedures will ensure that these changes are properly implemented. ..."


New findings released by Federal Privacy Commissioner 

The Privacy Commissioner has released four new findings under the Personal Information Protection and Electronic Documents Act.

Commissioner's Findings - Privacy Commissioner of Canada


Article: U.S. Patriot Act Raises Canadian Privacy Fears 

Reuters is carrying a story on its wire service about the effect of the USA Patriot Act on the privacy of Canadians. Yahoo! News - U.S. Patriot Act Raises Canadian Privacy Fears


CRTC suspends application of new Canadian telemarketing rules 

The CRTC has temporarily suspended the application of their recent changes to the Canadian telemarketing rules. The full text of the decision is here and the "blurb" is below:

Telecom Decision CRTC 2004-63:

"The Commission approves, with one exception, the Canadian Marketing Association's (CMA's) application to stay Review of telemarketing rules, Telecom Decision CRTC 2004-35, 21 May 2004, pending the disposition of the CMA's application to review and vary that Decision. The stay applies to all requirements set out in Decision 2004-35 except the requirement that telecommunications service providers track and report complaint statistics; this requirement becomes effective 1 January 2005. Reference: 8662-C131-200408543."

Readers interested in Canadian telemarketing law and the regulation of it by the CRTC in particular are encouraged to check out Mathew Englander's site devoted to the topic at


Nova Scotia government introduces legislation to monitor drug prescribing 

The government of Nova Scotia has introduced a bill in the legislature that would allow the Prescription Drug Monitoring Board to have full access to medical records of Nova Scotians and to report suspected illegal prescribing to law enforcement.

Board may soon be able to report suspected abuse of prescription drugs

By AMY SMITH / Provincial Reporter

Twelve years after its creation, Nova Scotia's prescription monitoring board could soon have the legal authority to report suspected drug abuse.

"Very often a physician is not aware another physician or two other physicians are writing prescriptions for the same product for that individual," board chairman Patrick King said Tuesday. "The program will now have the teeth to be able to deal with these individuals to the appropriate law enforcement...."

The Minister of Health's press release is available at

From Bill 107:

Prescription Monitoring Act:

"18 Upon the request of the Administrator, prescribers, pharmacists or any other body or person shall provide to the Administrator any information, including medical records, the Administrator requires to achieve the objects of the Program.

19 Information received by

(a) the Administrator;

(b) any person employed by the Administrator pursuant to this Act; or

(c) the Board,

shall only be used in accordance with this Act and the regulations and not for any other purpose.

20 Notwithstanding the Freedom of Information and Protection of Privacy Act, the Administrator may release

(a) information with respect to monitored drugs; and

(b) personal information with respect to a resident who has a prescription for monitored drugs,

to a prescriber, a pharmacist, a licensing authority or other body or person to achieve the objects of the Program.

21 Information communicated to the Administrator or the Board by persons employed in the administration of the Health Services and Insurance Act is deemed to be information communicated pursuant to clause 34(a) of the Health Services and Insurance Act.

22 (1) Any data provided to the Minister, the Governor in Council or the public with respect to the Program pursuant to this Act shall be non-nominal data.

(2) Notwithstanding subsection (1), a resident may have access to the resident's own personal information with respect to the Program.

23 (1) Where the Administrator has reasonable grounds to believe that an offence has been committed contrary to the Controlled Drugs and Substances Act (Canada) or the Criminal Code (Canada) or successor legislation, information in the possession of the Administrator in respect of such offence may be communicated to the appropriate law enforcement authority by the Administrator or such person as may be designated by the Administrator.

(2) The Administrator may, at any time, file a complaint with a licensing authority regarding the activities of a member of that licensing authority if the Administrator has reason to believe that the member may be practising in a manner that is inconsistent with the objects of the Program.

(3) Where the Administrator lays a complaint pursuant to subsection (2), the Administrator shall provide the licensing authority with all relevant information on which the complaint is based."

So far, there hasn't been much comment on the privacy aspects of the proposed law.


Tuesday, September 28, 2004

US Congressional Hearing on ID Theft and Social Security Numbers 

Sabrina I. Pacifici's excellent blog, beSpacific is referring to some interesting reading about US social security numbers and ID theft:

beSpacific: Hearing on ID Theft Addresses Protection of Social Security Numbers

Hearing on ID Theft Addresses Protection of Social Security Numbers

Prepared Statement of the Federal Trade Commission on Identity Theft and Social Security Numbers, Before the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce, September 28, 2004.

  • Accompanying FTC press release

  • See also the Fair Credit Reporting Act and previous postings here and here on security issues associated with public and private use of social security data.

    Not again: Medical records found on street 

    SANS PrivacyBits is pointing to a recent article about medical records found in the streets of San Diego:

    "USA: Medical Records Found on Street (22 September 2004)

    The medical records of about three to five patients at San Diego's Kaiser Hospital were found in the street outside of the hospital. According to a hospital representative, the papers fell out of a recycling bin that was being picked up by the Edco Recycling company. Kaiser is reviewing its contract with Edco and working to prevent any future incidents.

    [Editor's Note (Hofman): A good reason to have secure shredding bins, with locks that are taken off when the contents are processed.

    (Murray): Information leaks; get used to it. This kind of leakage is not nearly so serious a problem as the routine use of medical records by service providers, insurers, and government. ]"


    Medical privacy law said to be chilling cancer studies / Scientists fight for fast access to patient files 

    The San Francisco Chronicle is carrying an article on the impact of HIPAA on health registries, such as the California Cancer Registry:

    Medical privacy law said to be chilling cancer studies / Scientists fight for fast access to patient files:

    "...Since April 14, 2003, however, a new federal law designed to protect the privacy of medical records has made it harder, if not impossible, for medical researchers in the United States to troll through patient charts, whether they are trying to unravel the riddle of cancer or studying complications in childbirth.

    Citing the privacy rule, at least 17 Bay Area hospitals have imposed restrictions on the state Cancer Registry's accustomed rapid access to patient records.

    'The door kind of slammed in our face,' said Dr. Dee West, chief scientific officer for the Northern California Cancer Center, which collects data in the Bay Area for the state registry.... "

    Under Ontario's new Personal Health Information Protection Act, personal health information may be disclosed without consent for research purposes if approved by a Research Ethics Board and if the researcher enters into an agreement with the custodian in the form prescribed by the Act:

    43. (1) A health information custodian may disclose personal health information about an individual to a researcher if the researcher,

    (a) submits to the custodian,

    (i) an application in writing,

    (ii) a research plan that meets the requirements of subsection (2), and

    (iii) a copy of the decision of a research ethics board that approves the research plan; and

    (b) enters into the agreement required by subsection (5).

    Research plan

    (2) A research plan must be in writing and must set out,

    (a) the affiliation of each person involved in the research;

    (b) the nature and objectives of the research and the public or scientific benefit of the research that the researcher anticipates; and

    (c) all other prescribed matters related to the research.

    Consideration by board

    (3) When deciding whether to approve a research plan that a researcher submits to it, a research ethics board shall consider the matters that it considers relevant, including,

    (a) whether the objectives of the research can reasonably be accomplished without using the personal health information that is to be disclosed;

    (b) whether, at the time the research is conducted, adequate safeguards will be in place to protect the privacy of the individuals whose personal health information is being disclosed and to preserve the confidentiality of the information;

    (c) the public interest in conducting the research and the public interest in protecting the privacy of the individuals whose personal health information is being disclosed; and

    (d) whether obtaining the consent of the individuals whose personal health information is being disclosed would be impractical.

    Decision of board

    (4) After reviewing a research plan that a researcher has submitted to it, the research ethics board shall provide to the researcher a decision in writing, with reasons, setting out whether the board approves the plan, and whether the approval is subject to any conditions, which must be specified in the decision.

    Agreement respecting disclosure

    (5) Before a health information custodian discloses personal health information to a researcher under subsection (1), the researcher shall enter into an agreement with the custodian in which the researcher agrees to comply with the conditions and restrictions, if any, that the custodian imposes relating to the use, security, disclosure, return or disposal of the information....

    Thanks to PrivacySpot and Topix.Net for the pointers to the Chronicle article.


    Monday, September 27, 2004

    EU Dialogue with Citizens: Data protection 

    The European Union has produced a number of "citizen guides", including one related to privacy and data protection: "EUROPA | Dialogue with Citizens | General EU-wide guides: Data protection". Thanks to for the lead.


    How to Tell If Your Employer Has You Under Surveillance. 

    On a lighter note, here are the signs that your employer has you under surveillance, brought to you by McSweeney's Internet Tendency:

    McSweeney's Internet Tendency: How to Tell If Your Employer Has You Under Surveillance.:

    "A maintenance worker climbs a ladder in your cube, evidently to check a light fixture or heat duct. After he climbs back down, he calls someone on his cell phone and says, 'Roll 'em!'"

    Many more tell-tale signs at McSweeney's....


    Sunday, September 26, 2004

    Breaking the Social Security Number habit 

    About a week ago I blogged about the use of social security numbers as student IDs at US Universities (see Article: Half of US universities use SSN as student identifier, leaving students vulnerable to ID theft). From Penn State Live, it is reported that Penn State University is in the process of kicking the SSN habit by moving over to a new student ID numbering system:

    Faculty and staff preparation key to successful for SSN changeover:

    "These days, the importance of safeguarding personal data is a hot topic of conversation not only at Penn State, but also at many other institutions including the federal government. In July, the House Committee on Ways and Means approved the Social Security Number Privacy and Identity Theft Prevention Act, a bill designed to put further restrictions on the use and display of Social Security numbers (SSNs) in an effort to better protect identities. Although this bill is not yet law, it signifies that the prevention of identity theft has become a national concern.

    Recognizing that concern, Penn State is just three months away from adopting a new Penn State ID number (PSU ID) in place of SSNs as the primary identifier of students, faculty and staff. 'We're looking to protect private information from unintentional exposure and intentional identity theft,' said David Lindstrom, chief privacy officer at the University. 'The less we use, display and make available private information, the better we control the risk.'

    Since SSNs are a potential target for would-be identity thieves, Penn State recently created a new University policy to protect the privacy and confidentiality of an individual's SSN. Policy AD19, which will govern the future use of SSNs, takes effect Jan. 1, 2005, when the new PSU ID is adopted. It has been published now to give University offices time to comply with its provisions...."


    Incident: Hacker taps into CSUH Server 

    Here is the latest privacy breach to have occurred at California universities:

    Hacker taps into CSUH server:

    "Records of 2,000 students potentially affected, school says
    By Ricci Graham, STAFF WRITER

    HAYWARD -- A computer hacker somehow gained access to the records of about 2,000 Cal State Hayward students earlier this month, prompting campus officials to send out letters warning students that their personal information may have been compromised.

    Kim Huggett, director of public affairs at Cal State Hayward, said on Wednesday that officials have not determined how the hacker was able to 'briefly gain unauthorized access' to student records through one of the campus servers. ..."

    This is just the most recent of a number of incidents reported in the last little while. (See Incident: Identity theft alert for CSU students and staff and Incident: Computer System at U.C. San Diego Hacked.) I'm not sure if this means that practices are more lax in California or whether they just report on these incidents more often.


    Saturday, September 25, 2004

    SINs not needed to get a credit rating check 

    Today's Toronto Star has an article about social insurance numbers and credit reports: "SINs not needed to get a credit rating check". It is a follow-up to a previous article about a promotion offering a free online credit report. That service required the customer to enter their SIN, and the article includes some discussion about privacy and SINs.

    Anybody who is interested in the use of social insurance numbers and Canadian privacy law may also want to read the following articles that touch on the topic:

    The Office of the Privacy Commissioner also has a brand new "fact sheet" on the social insurance numbers: "Best Practices for the Use of Social Insurance Numbers in the Private Sector."


    Wednesday, September 22, 2004

    Biometrics coming soon to an airport near you 

    From Washington Technology:

    Canada-DHS pilot program to use iris scanning:

    "The Canada Border Service Agency, which is working on a Registered Traveler-style pilot program with the U.S. Homeland Security Department, is implementing iris-scanning technology at Canadian airports to verify the identity of travelers.

    The program, called Nexus Air, will begin in November at Vancouver International Airport, Vancouver, British Columbia, before rollout at other Canadian airports for a yearlong trial. ...

    Nexus Air builds on Canada’s Canpass Air program, which has 4,000 members and also uses iris scanning. As in the U.S. Transportation Security Administration’s Registered Travel pilot program, frequent fliers enroll in Canpass Air -- and soon Nexus Air -- by volunteering personal information and submitting to an iris scan. In return, they can then enjoy expedited check-in and customs screening. "


    BC Privacy Commissioner delays PATRIOT ACT report a second time 

    The Information and Privacy Commissioner of BC says his report on the impact of the USA PATRIOT ACT on the privacy of British Columbians will be delayed a second time:

    Privacy commissioner delays again report into impact of Patriot Act on B.C.:

    "'The sheer volume of the submissions and the complexity of the issues have forced a second extension of the report's release date,' said Mary Carlson, director of policy and compliance for the Office of the Information and Privacy Commission.

    The commission received more than 500 submissions from individuals, governments, other privacy commissioners, businesses, unions, technology associations, non-profit associations, civil liberties groups, health care bodies and seniors' organizations."


    Case of first impression: Ontario court considers "commercial activity" and application of PIPEDA to non-profits 

    This decision is hot off the presses:

    For privacy lawyers, this is the very first time that the term "commercial activity" has been considered in the context of the Personal Information Protection and Electronic Documents Act. This question is of critical importance because the law only applies to the collection, use and disclosure of personal information in the course of commercial activities (or if it is information about an employee of an organization that the organization collects, uses or discloses in the course of the operation of a federal work, undertaking or business).

    In this case, a non-profit hunting association was resisting the disclosure of its members list as it was otherwise required to do under the Corporations Act (Ontario). The Court concluded that the organization was not engaged in commercial activities, so PIPEDA does not interfere with the disclosure. (For some unknown reason, there seemed to be some question whether the organization was a "federal work, undertaking or business"!?)

    As an aside, I think it's interesting that we are seeing more cases come out of the courts than out of the Office of the Privacy Commissioner. I gather that they are significantly overworked with too few staff and other resources.


    MacKENZIE J.

    The Nature of the Proceeding

    [1] The applicants, Graydon Rodgers, (Rodgers) and the Peel Trap Club (an unincorporated entity, being an activity group of the respondent The Peel County Game and Fish Protective Association), bring a motion in the context of an application commenced by Notice of Application dated June 24, 2003.

    [2] Briefly stated, the applicants seek: declaratory relief under various heads for alleged breach of fiduciary duty; injunctive relief restraining The Peel County Game and Fish Protective Association (the Association) from expelling Rodgers or any other member of the Peel Trap Club (the Trap section) as a member of the Association and from disbursing of more than 43% of the proceeds of sale of the Association's real property; in the alternative, that the Association be wound up and that 50% of the proceeds of winding-up to be paid in trust to the Trap section.

    [3] The applicants move now for an order compelling the Association to provide a list of the members of the Association to Rodgers. The Association previously refused to provide such list to Rodgers.

    [4] The basis for the refusal by the Association to provide such list is that Rodgers' request fails to meet the requirements of s.306 or 307 of the Corporations Act (Ontario) (the Act) but even if those requirements are met, the Personal Information Protection and Electronic Documents Act (PIPEDA) operates to "trump" or override the provisions of the Act in that regard.

    Issues on the Motion

    (1) Whether Rodgers is entitled to an order for production of the membership list of the Association pursuant to s.307 of the Act;

    (2) Whether PIPEDA applies to Rodgers' request for the Association's membership list to override s. 307 of the Act.


    [5] In 1948, the Association was incorporated as a non-share corporation pursuant to the Act. Its letters patent stipulate as its primary purpose the promotion and maintenance of safe recreational shooting for its members. The record establishes that: the Association does not carry on any active business; has no employees, relying on members volunteering to discharge administrative tasks; and, in accordance with its charter, does not carry on its activities for purposes of gain for the members.

    [6] The Association currently comprises five activity groups, the two material groups being the Trap section and the Handgun section. Rodgers is a member of the Trap section and the respondents, Calvert, Stigge and Modeland, are members of the Handgun section.

    [7] For some time, Rodgers has been concerned about the individual respondents acting in breach of their duties as officers and directors of the Association by preferring the interests of the Handgun section to which they belong over the interests of the Association as a whole. This concern arises over the sale of the Association's lands and premises and the proposed use of the proceeds of that sale to acquire other lands and premises. Rodgers' concern is that the individual respondents will take into account only the interests of the Handguns section in deciding what will be the appropriate replacement lands and premises to the exclusion of the interests of the other sections of the Association, including the Trap section.

    [8] To this end, Rodgers made an informal request of the officers of the Association for the Association's membership list at a Board of Directors' meeting on March 12, 2002. Subsequently on or about September 10, 2002, he made a formal request for the membership list by filing the sworn affidavit prescribed by s.307(2) of the Act.

    [9] By memorandum dated September 18, 2002 by the respondent Calvert to the directors of the Association, the directors were advised that they were obliged to supply Rodgers with the list of members of the Association on the basis of legal advice obtained from the Association's counsel. By an undated memorandum (received sometime in October 2002) addressed to Rodgers, the respondent Calvert, on behalf of the Board of Directors, informed the applicant that the Board was "unable to comply with your request at this time as certain parts of [PIPEDA] came into effect January 1, 2001 and January 1, 2002 and this Act appears to deal directly with requests such as that made above [for the membership list] and we need a legal clarification".

    [10] On October 10, 2003, counsel for Rodgers wrote to counsel for the Association making a further request pursuant to s.307 of the Act for the membership list.

    [11] On October 14, 2003, counsel for the Association responded to Rodgers' counsel, denying the request for the membership list and stating that the Association "a gun club, is an undertaking that is outside the exclusive legislative authority of the Province of Ontario and accordingly it is governed by the requirements of PIPEDA and the release of any membership information cannot be made without the consent of the individual members."

    [12] I turn now to the first issue, whether the applicant is entitled to an order for production of the Association's membership list pursuant to s.307 of the Act.

    [13] Section 307 of the Corporations Act (the Act) provides as follows:

    307(1) Any person, upon payment of a reasonable charge therefor and upon filing with the Corporation or its agent the affidavit referred to in ss.(2), may require a corporation, other than a private company, or its transfer agent, to furnish within ten days from the filing of such affidavit, a list setting out the names alphabetically arranged of all persons who are shareholders or members of the corporation, the number of shares owned by each such person and the address of each such person as shown on the books of the corporation made up to a date not more than ten days prior to the date of filing the affidavit.


    Ss.2 sets out the form of the affidavit, the material paragraphs being:

    (2) I require the list of shareholders (or members) only for purposes connected with the above-named corporation.

    (3) The list of shareholders (or members) and the information contained therein will be used only for purposes connected with the above-named corporation.


    (4) Every person who uses a list of shareholders or members of a corporation contained under this section,

    (a) for the purpose of delivering or sending to all or any of such shareholders or members advertising or other printed matter relating to shares of securities other than the shares or securities of the corporation; or

    (b) for any purpose not connected with the corporation,

    is guilty of an offence and on conviction is liable to a fine of not more than $1,000.00.

    (5) [This subsection creates an offence where directors or officers of the corporation fail to furnish the list in accordance with ss.1.]

    (6) Purposes connected with the corporation include any effort to influence the voting of shareholders or members at any meeting of the corporation, any offer to acquire shares in the corporation or any effort to effect an amalgamation or reorganization or any other purpose approved by the minister.

    [14] Rodgers' position is that he has complied with the requirements of s.307(2), has paid a fee for the membership list in question and is seeking the membership list in order that he may communicate with other members of the Association respecting his concerns about the management of the Association, with particular reference to the proposed sale of the Association's property.

    [15] In response, the Association contends that there is no evidence that Rodgers intends to use the membership list for purposes connected with the Association, as required under s.307(6). As well, the Association submits that it would be open to Rodgers or any other person to present a blatantly false affidavit in support of a request for the membership list; accordingly, the Association contends that it has an obligation with respect to the safety and privacy rights of its members. In this situation, the directors in discharging their fiduciary obligations to the members would be obliged to conduct due diligence in investigating any request for a list of members, including cross-examination of an applicant on any affidavit under s.307(2) filed in support of that request.

    [16] Counsel for the respondents refers to s.332 of the Act, which, it contends, gives the court discretion to make orders deemed fit to give a remedy to a member of a corporation who is aggrieved by the failure of the corporation or its directors and officers to perform any duty imposed on the corporation and/or its directors and officers. In this case, the applicant submits that the court in the exercise of its discretion could make an order that would permit the applicant to have communication with the members and at the same time protecting their privacy.

    [17] I reject the submissions of the respondents and accept the submissions on behalf of Rodgers on the right to production of the membership list of the Association.

    [18] The contention that the applicant is not using or will not be using the membership list for "purposes connected with the corporation" i.e. Association is not tenable. It is undisputed that the Board of Directors of the Association have signed a relocation agreement with the City of Brampton that requires the sale of the Association's real property. There is no question that the relocation of the Association will entail decisions as to the suitability of the proposed replacement lands and premises for the Association's activities. As noted, Rodgers has concerns about the proposed replacement lands and premises and wishes to communicate those concerns to other members of the Association.

    [19] Counsel for the Association submits that the words "or any other purpose approved by the minister" are words of limitation. The contention is that the concerns expressed by Rodgers are not within the stipulated purposes of s. 307(b) nor are they the subject of "any other purpose approved by the minister."

    [20] I reject this submission. The proposition that the description of "purposes connected with the corporation" in ss.(6) of s.307 is exhaustive runs counter to the principle of democracy inherent in shareholders' rights. Corporate governance by the directors is subject to review and audit by the shareholders, pursuant to corporate enabling legislation. To give subsection (6) the restrictive interpretation sought by the Association would diminish shareholders' abilities to communicate concerns about corporate governance to each other and thereby detract from their rights of audit and review of directors' acts and conduct in properly constituted meetings of shareholders.

    [21] For these reasons, I interpret the word "include" in subsection (6) to be illustrative rather than exclusive in effect. If the legislator had intended the examples of "purposes connected with the corporation" to be exclusive, the word "means" instead of "include" would have been apt.

    [22] Accordingly, I find that Rodgers' purpose in seeking the membership list is a purpose connected with the corporation.

    [23] I also reject the submission of the Association that its directors were required in the proper discharge of their fiduciary obligations, to conduct due diligence investigations of Rodgers' request including cross-examination of any affidavit filed in support of the request.

    [24] In these circumstances there is no basis on which the Association can reasonably claim the affidavit filed by Rodgers under s.307(2) is false and required investigation by the Association. The record is incontrovertible that on several occasions, both formally and informally, Rodgers made it known to the officers and/or the Board of Directors that he wished the membership list.

    [25] As noted above, on the 18th of September 2002 Calvert sent a memorandum to the Board of Directors wherein, among other things, he noted that Rodgers "has submitted a duly signed affidavit" and that the Association's counsel had advised the Board that it must comply with the request. There may indeed be situations in which a corporation's transfer agent might have valid concerns as to the truth of the prescribed form of affidavit filed in support of obtaining a membership list; this is not one of them. I similarly reject the contention that giving the applicant the membership list of the Association would violate the privacy of its members. This concern is addressed by the provisions of s. 307(4) of the Act. In this regard, the Act restricts the purposes for which the membership list can be used and makes it an offence to use the list for any restricted objective.

    [26] In the result, I find Rodgers is entitled to production of the membership list of the Association in accordance with the provisions of s. 307. However, his right to production of the list engages the issue as to whether PIPEDA operates to disentitle Rodgers to his rights under s. 307 of the Act.

    [27] PIPEDA was given royal assent on April 13, 2001, being implemented in three phases over a three-year period that began on January 1, 2001.

    [28] Section 4(1) of PIPEDA provides as follows:

    4(1) This Part applies to every organization in respect of personal information that

    (a) the organization collects, uses or discloses in the course of commercial activities; or

    (b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

    [29] The three stages of PIPEDA'S implementation are:

    1. Stage One: January 1, 2001

    PIPEDA applied only to an organization in respect of personal information, other than "personal health information", that (a) the organization collects or uses or discloses in connection with the operation of a federal work, undertaking or business, or (b) it discloses outside the province for a consideration;

    2. Stage Two: January 1, 2002

    PIPEDA applied to organizations covered in stage one in respect of personal health information that they collect, use or disclose;

    3. Stage Three: January 1, 2004

    PIPEDA applied to all organizations in Canada that collect, disclose or use personal information in the course of commercial activities, subject to exemptions granted or Provinces that have by that date enacted their own privacy legislation. It is not in dispute that Ontario has not enacted its own privacy legislation as of the 1st of January, 2004.

    [30] It may be seen from the foregoing timelines that the relevant time for considering the application of the Act herein was stage two, i.e. the application of the Act on or after January 1, 2002. In the circumstances, s. 4(1)(a) of PIPEDA is the operative section inasmuch that there is no question that the members of the Association are not "employee[s] of the organization" as described in sub (b) of s. 4(1).

    [31] It should be noted that there is no issue between the parties that the names and addresses of members of the Association constitute "personal information" within the definition of s. 2(1) of PIPEDA; the Association is an "organization" as defined in the interpretation section; and the Association is a "federal work, undertaking, or a business" as defined in the interpretation section of PIPEDA.

    [32] I take issue with the joint submission that the Association is within the definition of a federal work undertaking or business. In the PIPEDA interpretation section 2(1), the pertinent part reads as follows:

    2(1) The definitions in this subsection apply in this Part


    "Federal work, undertaking or business means any work, undertaking or business that is within the legislative authority of Parliament. It includes


    (i) a work, undertaking or business outside the exclusive legislative authority of the legislatures of the Provinces


    [33] The Association was incorporated under the laws of Ontario and its activities are conducted solely within the Province of Ontario. The legislative jurisdiction of the Province respecting the Act is founded upon s. 92(13) (property and civil rights) and matters of a local or private nature within the Province (s. 92(16), both of the Constitution Act, 1867).

    [34] The position of the respondents is that having regard to the recreational shooting activities (the Handgun section and the Trap section, among other sections) of the Association, the Firearms Act and Regulations enacted by the Federal Parliament under its criminal law power pursuant to s. 91 of the Constitution Act 1867 take the Association's activities or "undertaking" outside the exclusive legislative authority of the Provinces.

    [35] In order to determine whether the Association is a federal work or undertaking within the meaning of PIPEDA, an examination of the nature of the Association's activities and undertaking is required. It is a given that the mere fact the Association has been incorporated in the Province of Ontario and conducts its activities and undertaking within the Province of Ontario is not determinative of whether it is a federal work or undertaking within the meaning of PIPEDA.

    [36] The examination of the Association's activities and undertaking indicates that it is not outside the exclusive legislative authority of the Province of Ontario nor is it a work or undertaking expressly enumerated in s.91 of the Constitution Act. The question then becomes whether the pith and substance of the activity and undertaking is a matter of property and civil rights and of purely local concern. If this question is answered in the affirmative, it does not come under the exercise of s.91 of the Constitution Act 1867 to enact criminal law, i.e. the Firearms Act, simply because the recreational shooting aspects of the Association's activity and undertaking are impacted by the Firearms Act.

    [37] In Barry's Ltd. v. Fisherman, Food and Allied Workers Union [1993] N.J. No. 34 (NFLD. C.A.), (leave to appeal to S.C.C. dismissed), one of the issues was whether the business operated by the appellant was subject to federal legislation and regulations, specifically, the Fish Inspection Act. The issue before the Court was whether the appellant's business of fishing came within the definition of a federal undertaking under the Canada Labour Code. In this regard, the case is pertinent because the definition of federal work or undertaking in the Canada Labour Code is similar in substance to the same definition contained in PIPEDA: "a work, undertaking or business outside the exclusive legislative authority of the legislation of the Province".

    [38] In the course of its reasons, the court observed that the Federal Parliament had authority to legislate with respect to the regulation of trade and commerce and there was no doubt that the Federal Parliament had authority to enact the Fish Inspection Act. However, the court further observed that such authority did not make a company engaged in trade and commerce and bound by some federal enactment in relation thereto a federal work or undertaking.

    [39] The court gives an example of this principle in noting that s.7 of the Federal Food and Drugs Act provides that no person shall manufacture, prepare, preserve, package or store for sale any food under unsanitary conditions. The court concludes that this provision does not constitute every corner grocery store a federal work or undertaking within the meaning of the Canada Labour Code.

    [40] I find this reasoning to be apt in the present circumstances. The fact that the Criminal Code of Canada applies to every aspect of personal, institutional or corporate activity in Canada does not thereby constitute in law those activities as federal works or undertakings.

    [41] Despite my finding that the Association is not a federal work or undertaking contrary to the joint submission of the parties, I turn to the question of whether the personal information that the Association collects, uses or discloses was done in the course of commercial activities.

    [42] Rodgers submits that the court is entitled to give significant weight to the interpretation of PIPEDA by the office of the Privacy Commissioner of Canada, being the administrative agency under PIPEDA: see Nowegegijick v. R. [1983], 1 S.C.R 29 at p.37. Counsel cites various dicta from the website of the Privacy Commissioner. The pertinent parts of such dicta are as follows:

    Whether or not an organization operates on a non-profit basis is not conclusive in determining the application of [PIPEDA]. The term non-profit or not-for-profit is a technical term that is not found in PIPEDA. The bottom line is that non-profit status does not automatically exempt an organization from the application of [PIPEDA].

    Most non-profits are not subject to [PIPEDA] because they do not engage in commercial activities. This is typically the case with most charities, minor hockey associations, clubs, community groups and advocacy organizations. Collecting membership fees, organizing club activities, compiling a list of members' names and addresses and mailing out newsletters are not considered commercial activities. Similarly, fundraising is not a commercial activity. However, some clubs, for example, many golf clubs and athletic clubs, may be engaged in commercial activities which are subject to [PIPEDA].

    As the definition of commercial activity makes clear, selling, bartering or leasing a membership list or list of donors would be considered a commercial activity.

    [43] It is not in issue that the Association, at the time of the applicant's request for the membership list, was not selling, bartering or leasing its membership list or list of donors. The record establishes the following facts about the Association, its activities and undertaking.

    (1) Its charter objects are "to promote and maintain safe recreational shooting and to promote and maintain sportsmanship, fellowship and conservation."

    (2) It is carried on without the object of gain for the members;

    (3) There is no profit margin in the membership fees nor is there an objective to make a profit but rather to meet expenses.

    (4) It has no employees, volunteers perform necessary services with the exception of the recording secretary (minutes of meetings) the monthly bookkeeping service and ground maintenance personnel, who receive a small honorarium.

    (5) The general public does not have access to the Association's facilities in the ordinary course; when there are competitions, non-members must pay entrance fees.

    [44] The question remains whether the activities and undertaking are commercial activities within the meaning of PIPEDA.

    [45] Section 2(1) defines commercial activity as:

    Any transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering of donor membership or fundraising lists.

    [46] As noted above, there is no evidence to support a finding that the Association was "selling, bartering or leasing its 'donor, membership or other fundraising lists'." The question then becomes whether producing a membership list under s.307 of the Act, is of a commercial character so as to come within the s. 2(1) definition of commercial activity.

    [47] Rodgers submits that in interpreting the words "commercial activity" in the statutory definition, the court should apply the preponderant purpose test, set out in Ontario (R.A.C.) v. Caisse Populaire de Hearst Ltee., [1983] 1 S.C.R. 57. The test simply stated is that if, upon analysis, the preponderant purpose of the activity is the making of a profit, then the activity may be classified as a business. However, if there is another preponderant purpose to which any profit earned is merely incidental, then it will not be classified as a business.

    [48] The respondents contend, however, that since the primary purpose of PIPEDA is to protect personal information, the term "commercial activity" should be interpreted primarily as it relates to "the collection, use or disclosure" of personal information rather than as it relates to the Association engaged in the "collection, use or disclosure". Counsel submits that if the collection of personal information in a membership list arises in a transaction that is of a non-commercial character, but the use or disclosure of that personal information is in a transaction or act that is of a commercial character then the personal information is entitled to the protection of PIPEDA. Counsel further submits that if the collection of the personal information arose in a transaction that is of a commercial character, then that personal information is entitled to the protection of PIPEDA regardless of whether disclosure itself was in the course of commercial activity. In sum, the Association submits that the collection of personal information in making up the membership lists was in the context of a "commercial activity".

    [49] Counsel argues as follows:

    (1) The personal information that the applicant seeks to obtain from the Association's list of members was collected by the Association in the course of the membership transaction.

    (2) The membership transaction involves the member submitting among other information his or her name, address and phone number, together with the prescribed membership fee.

    (3) In return, the member is entitled to receive the services and benefits that members of the Association enjoy.

    (4) That exchange of consideration is a transaction that is clearly commercial in character.

    [50] I deal first with the preponderant purpose submissions. I am persuaded that the question of whether any organization is a business for purposes of taxation under the Assessment Act is not determinative or applicable to the interpretation of the term "commercial activity" under PIPEDA, having regard to the different objectives of the two statutes. However, I am not persuaded that the interpretation submitted by the Association as to the breadth of the words commercial activity as defined in PIPEDA is apt.

    [51] The "exchange of consideration" involved in supplying personal information and a prescribed membership fee in exchange for the services and benefits of membership in the Association may constitute consideration under the law of contract. However, consideration in contract does not in itself lead to the finding of commercial activity in the PIPEDA context. In my view, there must be something more than a mere "exchange of consideration", as described by counsel, to be within the definition of "commercial activity".

    [52] Counsel for the Association has in his written submissions referred to a dictionary definition of the words "commerce" and "commercial", in aid of interpreting the meaning of the phrase "commercial activity".

    [53] In that dictionary, the word "commerce" is defined as:

    exchange between men of the products of nature and art; buying and selling together; exchange of merchandise


    The word "commercial" is defined as:

    engaged in commerce; trading; of or relating to commerce or trade.

    (See Shorter Oxford English Dictionary page 349 - Appendix B.)

    [54] The same words are defined in the Oxford English Reference Dictionary, Oxford University Press, Second Edition, 1996, as follows:

    "commerce": financial transactions, especially the buying and selling of merchandise, on a large scale;

    "commercial": of, engaged in or concerned with commerce; having profit as a primary aim rather than artistic, etc. value.

    (See page 290).

    The difficulty in dictionary definitions can be readily seen by the absence of the word or notion of profit or gain in the source quoted by counsel for the Association and the presence of the notion of profit or gain in the definition found in the Oxford Reference Dictionary.

    [55] Although the dictionary definitions assist somewhat in interpreting the term "commercial activity" in s. 2(1) of PIPEDA, I rely more heavily on the interpretation from the Privacy Commissioner's website noted above wherein it is stated that "collecting membership fees, organizing club activities, compiling a list of members' names and addresses and mailing out newsletters are not considered commercial activities."

    [56] On the record before me, it is not feasible to set out criteria or facts as to what constitutes a commercial activity for a not-for-profit organization. I am nonetheless persuaded there is nothing in the record that indicates that the activities of the Association at large and the production of the membership list in particular in this case would be considered a commercial activity for purposes of PIPEDA. In light of these findings I do not find it necessary to address the contention of the Association that the words "required by law" in s.7(3)(i) of PIPEDA do not apply to s.307 of the Corporations Act but only to case law. In similar fashion I find it unnecessary to give effect to concerns expressed on behalf of the Association that if the list of members were to get into "the wrong hands" it could result in dangerous consequences since the members own firearms and ammunition. The applicant in receiving the membership list for the Association is governed by the provisions restricting the use to which the membership list can be put and will be subject to the sanctions contained in the Act for any non-compliance with those restrictions.


    [57] An order shall go directing the Association through its proper officers to produce and deliver forthwith to the applicant a list of the members of the Association in accordance with the provisions of s.307 of the Act.


    [58] The motion raises a novel point of law. Both parties through their counsel have attempted to address the issues and have done so in a thorough manner. In the circumstances, I am of the view that each party should bear his/their own costs.


    MacKENZIE J.

    Released: September 8, 2004

    Tuesday, September 21, 2004

    Health privacy law will lead to offshoring of clinical research

    In an earlier blog entry, I referred to a press release that claimed the HIPAA privacy rule will hinder clinical research. Now, UPI is carrying a story that says this will lead to the "offshoring" of clinical trials:

    Health privacy law hinders research - (United Press International):

    "... Dr. Roberta Ness, of the University of Pittsburgh's Graduate School of Public Health, told the American College of Epidemiology conference in Boston this week unless the law is significantly changed many clinical studies could be moved off-shore and out of reach of U.S. regulations..."

    Thanks to SANS PrivacyBits for the link.


    Saskatchewan opposition wades into the health privacy debate 

    Further to a few recent items referred to in this blog (see here and here), the Saskatchewan opposition is asking that amendments to the Health Information Act be discussed by a legislative committee:

    Committee should deal with privacy act: Opposition

    The opposition Saskatchewan Party wants concerns involving proposed regulations for the Health Information Protection Act discussed by a legislative committee.

    Health critic Rod Gantefoer says it's important the committee deal with them first.

    Privacy commissioner Gary Dickson says the province's health department needs to be more careful about how it handles patients' health information.

    Dickson has released a 20-page report critiquing the province's proposed regulations for the Health Information Protection Act.

    The Information and Privacy Commissioner's report is available here.

    Saskatchewan labour group objects to proposed changes to province's Health Information Protection Act

    The Saskatchewan Federation of Labour is objecting to the proposed changes to the Saskatchewan Health Information Protection Act that would allow hospitals to use patient information for fundraising without consent. (See my blog entry Saskatchewan proposal to use patient information for fundraising lists.)

    Saskatoon StarPhoenix - network:

    "A warning to the provincial Health Department from the privacy commissioner.

    Gary Dickson says if an organization wants to use somebody's personal information for a different purpose than for which it was given, it should go back to the individual for consent.

    Dickson says allowing regional health authorities that operate hospitals to share with their fundraising organizations the names and addresses of patients without getting their consent would be a serious breach of privacy.

    He has released a 20-page report critiquing the provincial government's proposed regulations for the Health Information Protection Act."

    For those in Ontario, you may be interested in the "case study" included in the Information and Privacy Commissioner's new "Guide to the Health Information Protection Act":

    Example 5: Can personal health information be used for fundraising activities?

    A charitable foundation for a children’s hospital has been asked to raise money to support a large research project on a specific childhood genetic disorder. To make the campaign for funds as effective as possible, the foundation has decided to solicit funds only from families affected by this particular disorder. The foundation has asked the hospital for the contact information of the parents of children who have been identified as having this genetic disorder. Is the hospital permitted under the Act to provide this information to the foundation?

    Is the parents’ contact information considered to be personal health information?

    Under the Act, personal health information includes identifying information about an individual if the information relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family. Thus, parental contact information combined with information about a child’s genetic disorder would be considered to be the personal health information of both the child and the parent.

    Is the hospital permitted to provide personal health information to the foundation for fundraising purposes?

    Since the hospital foundation is fundraising on behalf of the hospital, the foundation is considered to be an agent of the custodian and the provision of personal health information to an agent of the custodian is considered to be a use by the custodian rather than a disclosure to the agent. Under the Act, custodians may use personal health information for the purpose of fundraising activities only where the individual expressly consents or the consent of the individual can be implied, from the circumstances, and the information consists only of the individual’s name and contact information (as specified in the regulations). In this scenario, consent for the use of the information for fundraising may be implied, but only if the information that will be used is limited to individuals’ contact information.

    Is the information that will be used limited to individuals’ contact information?

    Since the fact that one or more of the individual’s children has a specific genetic disorder will be used to compile a list for the purpose of targeted fundraising, the information that will be used is not limited to contact information. Accordingly, the conditions for implying consent to use the information for fundraising purposes in this scenario have not been met. The custodian would have to seek express consent for this type of targeted fundraising activity.


    Monday, September 20, 2004

    Privacy Site of the Day: 

    My attempt at posting a daily privacy link has been somewhat irregular, but I hope that what I lack in regularity, I make up for in quality.

    Today's Privacy Site of the Day is the blog, which is subtitled "nothing but privacy". And it lives up to its billing. I've been a regular reader for some time and it has been a great resource. The site is very innovative: Rather than being the effort of a single practitioner, it is written by a team of privacy lawyers from the Texas firm of Hughes & Luce. The firm name is not prominent on the blog, which is a little surprising since the site would be a great promotional vehicle for their privacy practice group. But they aren't too shy about trumpeting their success: has been named one of the top fifty blawgs by Electronic Data Discovery Information Exchange.

    Bloglines users can subscribe to this blog by clicking here: Subscribe with Bloglines


    Resource: A Guide to the Health Information Protection Act (Ontario) 

    The Information and Privacy Commissioner's office in Ontario has released a very useful guide to the Personal Health Information Protection Act (also known as PHIPA, HIPA or Bill 31). The forty-four page guide is meant to provide "health information custodians" with a good understanding of their obligations under this new law (which comes into force on November 1, 2004).

    IPC - A Guide to the Health Information Protection Act:

    "The Personal Health Information Protection Act sets out rules for the collection, use and disclosure of personal health information. These rules will apply to all health information custodians operating within the province of Ontario and to individuals and organizations that receive personal health information from health information custodians. The rules recognize the unique character of personal health information - as one of the most sensitive types of personal information that is frequently shared for a variety of purposes, including care and treatment, health research, and managing our publicly funded health care system."

    It is available as an HTML document for viewing onscreen or as a nicely-formatted PDF file.


    Sunday, September 19, 2004

    US Senate votes for privacy study on agencies' data-mining use 

    The United States Senate passed an amended version of the 2005 Department of Homeland Security spending bill that includes a requirement that all federal agencies that use data mining techniques report on the privacy impact of this activity. The version of the bill passed by the House of Representatives in June of this year did not contain such a requirement: See - Senate votes for privacy study on agencies' data-mining use (9/16/04).


    Friday, September 17, 2004

    Column: Leave social networks at home 

    Linda Musthaler's column in NetworkWorldFusion discusses the privacy aspects of social network software such as Friendster, Plaxo and the like:
    Leave social networks at home:

    "Attention friends and acquaintances: Please stop sending me invitations to join your electronic social networks. I know Plaxo, Friendster, Tickle and other networking tools help you remember my address and phone number, but I'd prefer you hand-write them in your little black book. At least the data will belong to you alone and won't be shared with the world.

    It seems not a week passes that I don't get an invitation to join one of these social networks. So, being the skeptic that I am, I did a bit of research about them. What I found scared the heck out of me, and it's enough to give a corporate privacy officer heart palpitations. ..."


    Thursday, September 16, 2004

    Privacy law prompts recording of calls 

    This may strike some as more than a little ironic, but the Star Ledger of New Jersey reports that health privacy laws in the United States have prompted an increase in the recording of calls. The article, "Privacy law prompts recording of calls", says that hospitals and others are routinely monitoring calls to make sure that representatives are following proper procedure and not disclosing sensitive health information until the identity of the caller is clearly established. Oh, and to have a record in case the patient sues later ...


    Commentary on privacy and the USA Patriot Act  

    The Shrewsbury Chronicle contains a brief and interesting commentary on how some of the more intrusive aspects of the USA Patriot Act are affecting ordinary citizens, beginning with the requirement that all users of postal boxes provide the government with two pieces of photo ID.


    Saskatchewan proposal to use patient information for fundraising lists 

    From today's Globe & Mail Health column:

    Looking for a loophole:

    "Saskatchewan's health department is considering amendments to provincial privacy regulations that would allow hospitals to use patient records to build mailing lists for fundraising campaigns.

    Under the current Health Information Protection Act, patients must give their consent before hospitals can send them requests for donations. Duane Mombourquette, director of strategic planning and information policy with Saskatchewan Health, said one option now under consideration would allow hospitals to assume patients don't mind being asked for money.

    If patients don't enjoy being contacted, Mr. Mombourquette said, they would be allowed to contact the hospital and take their name off the mailing list.

    Gary Dickson, Saskatchewan's Information and Privacy Commissioner, plans to give the provincial legislature his opinion about the proposal in a few weeks."


    Is circumventing "disclosure" a distinction without a difference? 

    This article relates to the lawsuit that has been brought against Albertsons pharmacies (see Lawsuit: Privacy advocacy group sues drug store chain over alleged privacy concerns). The lawsuit alleges that Albertsons used pharmacy customers' personal information to send marketing communications. According to counsel for the plaintiffs, the way in which the communications were sent is irrelevant:

    Albertsons Sued Over Customer-Data Privacy:

    "'The specific California code provision that we're dealing with prohibits the pharmacy from selling, sharing, or otherwise using any medical information for any purpose,' Krinsk explains. 'The critical distinction that they make, that we believe is of no consequence, is they say that they don't sell the information. They claim that the process that they employ doesn't constitute selling or using of information. Rather than selling the names and addresses they instead either handle [the data] internally or handle some of it internally and then contract out to third-party administrators. We allege that's a distinction without a difference.' "

    For us in Canada, this is not just an interesting read. The same sorts of practices take place all the time here in an effort to circumvent the "disclosure only with consent" requirements of PIPEDA. Many associations used to sell lists to third parties for marketing purposes but are no longer able to do so because they don't have the consent of the members to sell the list to the other organization. To get around this, the organization that wants to market to the members simply pays the association to send the solicitation on its behalf. Presto, no disclosure. The prevailing opinion is that this fits within the letter of PIPEDA, but is it consistent with the spirit? Is it a distinction without a difference? The distinction is probably lost on members who receive a mail solicitation that appears to come from an organization with which they have no pre-existing relationship, unless it really appears to come from the association. As of yet, we have no word from the Canadian Privacy Commissioner or the Federal Court about how this will be viewed.


    Privacy Site of the Day: HIPAA Blog 

    Today's "Privacy Site of the Day" is the HIPAA Blog, a blog that contains regularly updated links to HIPAA resources, HIPAA stories and the like. While I don't practice American law, current information on HIPAA is useful and instructive for advising Canadian clients in the healthcare arena. Many of the questions that have arisen in the wake of the HIPAA Privacy Rule are going to come up in Ontario with the implementation of the Personal Health Information Protection Act. For bloglines users, you can add the HIPAA Blog feed by clicking here: Subscribe with Bloglines


    Wednesday, September 15, 2004

    Privacy Law and Workplace Investigations: Workshop 

    I spent the day today with Paul Bradley, VP of PricewaterhouseCoopers, giving a workshop for Insight Information on conducting workplace investigations in the new era of privacy regulation. Anyone who is interested can get a copy of my PowerPoint presentation here: Privacy Law and Workplace Investigations: Workshop


    HIPAA does not create a private right of action for release of quality of care information 

    As reported from the Employment Benefits Institute of America, the US District Court in Denver has held that HIPAA does not allow a hospital to sue a media outlet to prevent the publication of quality of care information:

    EBIA - HIPAA ==> Hospital Cannot Sue Newspaper Under HIPAA for Privacy Violations:

    "The publisher of a newspaper obtained (from an unknown source) a report that was prepared as part of a hospital's peer review process. The hospital sued to stop the newspaper from publishing information from the report, arguing that use of the report by the newspaper would violate the HIPAA privacy rules. After losing in its bid to stop publication of the report, the hospital then sought money damages, attorneys' fees, and return of the report under HIPAA and state laws. The court held that HIPAA does not create a private right of action and sent the case to state court to resolve the state law claims...."

    The full citation of the case is University of Colorado Hospital Authority v. Denver Publishing Co., No. 03-WM-1977 (D. Colo. Aug. 2, 2004).


    Thanks, Toronto CED Learning Network 

    Thanks to the Toronto Learning Network, which has named this blog as "Site of the Week":

    The Toronto CED Learning Network:

    "PIPEDA and Canadian Privacy Law

    Maintained by a Canadian privacy lawyer, this web site provides updates and new information about developments in privacy law. "


    Tuesday, September 14, 2004

    Japanese companies taking privacy seriously and taking out insurance to cover losses 

    The Asahi Shimbun website has a very interesting story from Japan about the reaction of Japanese businesses to highly-publicised leaks of personal information. While some of these practices may seem to go overboard, they really are prudent since a large number of Japanese customers don't appear to be shy about complaining about mishandling of personal information. If you don't need it, don't collect it in the first place. If you no longer need it, destroy it. I haven't heard about specific privacy insurance in Canada yet, but it may not be too far off ...

    PLUGGING THE HOLES: Data patrol

    Companies are scrambling to protect themselves against potentially disastrous information leaks.

    "A leak of data even on dozens of customers would bring an unrecoverable blow to us."

    EXECUTIVE, Food company in Tokyo

    Every morning, an executive of a Tokyo food maker heads to the paper shredder and destroys documents. The measure, he says, is essential in protecting the company.

    He is not hiding evidence from investigators. His action is part of efforts spreading nationwide to prevent data leaks that could lead to financial disaster.

    The shredded documents at the food company are delivery order slips that contain customers' names, addresses and phone numbers.

    The company decided to destroy all personal information, except e-mail addresses, as soon as a product's delivery is confirmed. Keeping a large amount of personal data "means an increased risk," the executive says.

    "Unlike a major company with physical strength, credibility is all that smaller firms like ours can count on," said the executive of the food maker, with a work force of several dozen employees. "A leak of data even on dozens of customers would bring an unrecoverable blow to us."

    Prior to the full implementation of the personal information protection law next April, businesses are stepping up efforts to prevent information leaks.

    Workers are educated on the importance of data protection. And many companies are now seeking "data leak insurance" to cover potential damages from lawsuits.

    The law, which already regulates administrative entities, will be extended to cover private businesses with personal data on 5,000 or more people. Violators face a maximum six-month prison term or a fine of up to 300,000 yen.

    But the real risk, as the Tokyo food maker fears, is a loss of credibility, and potentially huge compensation payments.

    Businesses have a reason to be concerned. Videotape and CD rental chains, for example, have membership information on thousands of customers.

    According to the Japan Network Security Association, compensation for a data leak varies from 1,000 yen to 1.5 million yen per customer, depending upon what information was leaked and how the company dealt with its aftermath.

    Based on past court decisions, the association estimates a leak of an e-mail address could cost a company 4,000 yen. But the compensation amount soars to 300,000 yen per person if the name, address and legal domicile are leaked.

    If all the 1.55 million victims in 57 leakage cases reported last year had sued, the total compensation could have reached 28 billion yen, according to the association.

    The Compact Discs & Video Rental Trade Association of Japan is preparing guidelines for its 1,100 members on how to handle personal data.

    Member stores often use a driver's license to confirm the identity of a customer. But the license also carries the holder's permanent and current addresses.

    "If data are leaked and 100 customers file complaints, the business would be thrown into confusion," said an association official.

    The association advises its members to black out the permanent domicile on the license's photocopy. But "many shops count on part-time workers so teaching them is a major challenge," said the official.

    Concerns over repercussions from data leaks have provided a business opportunity for non-life insurers, which have come out this year with new products to cover damages from information leaks.

    "The responses are extraordinary," said an official of Mitsui Sumitomo Insurance Co., which has sold about 100 policies a month since it made the new product available in June.

    The insurance covers compensation payments up to 300 million yen, even if the leak was an intentional act of an employee.

    A series of large-scale leak cases this year prompted businesses to get insured.

    A leak at Internet service provider Softbank BB Corp. affected 6.6 million customers.

    Information of 1.16 million customers was leaked in the Sanyo Shinpan case, while the figure in the Cosmo Oil case was 920,000.

    Victims are increasingly bringing their cases to court. After residents' register data were taken out and circulated from Uji city in Kyoto Prefecture, three residents sued the city government.

    A court ordered the city to pay a total of 45,000 yen to the plaintiffs. The ruling was finalized in 2002.

    TBC, an aesthetic salon, has been hit with a group lawsuit demanding 1 million yen in compensation for each plaintiff. Data on 50,000 clients, including vital statistics, were leaked, and some of the information was posted on the Internet.

    The Japan Network Security Association says the possibility is high that many more victims will join group lawsuits if the compensation amounts rise to hundreds of thousands of yen per person.

    "We hope each company will find out how much their personal data are worth before hammering out steps against information leaks," an association official said. (IHT/Asahi: September 8, 2004)


    New rules for reverse phone directory lookup 

    The Canadian Radio-television and Telecommunications Commission (CRTC) has just produced guidelines regulating how incumbent local carriers can offer reverse directory assistance. (Instead of taking a name and locality and returning the number, this service returns the name and location when given the phone number.) The service raises privacy issues that cut both ways. On one hand, it hands out personal information that the individual may not want released, based solely on their phone number. On the other hand, it may give people more information about who is calling them, giving them greater control over intrusions into their seclusion. Hard call. According to this article in ITBusiness.Ca, the CRTC has struck the balance by allowing only name and general locality to be provided, not home address. And, presumably, unlisted numbers will not be included in the directory.

    CRTC's reverse directory search policy addresses privacy advocates' concerns

    The Canadian Radio-television and Telecommunications Commission (CRTC) recently established a framework for the provision of Reverse Search Directory Assistance (RSDA) offered by incumbent local exchange carriers (ILECs). RSDA is an expanded directory assistance service that provides the listed name and address associated with a specific telephone number.

    The Commission has decided to allow ILECs to perform information searches when presented with telephone numbers under certain conditions.

    As part of the public process leading to the current CRTC decision, the ILECs stated that none of the objectives of the Telecommunications Act would be adversely affected if they provided RSDA. On the other hand, groups such as the Anti-Poverty Organization and the Information and Privacy Commissioner of Ontario argued that this service contravenes the privacy protection provided by the Act.


    Because of the significant safety concerns over providing street addresses, the Commission decided the only information that can be provided by RSDA searches are name and general locality, such as city, town or postal code.

    There were some concerns expressed that RSDA service could be a valuable asset to commercial entities involved with telemarketing. They could use the service to determine the names and addresses of those calling for information about products and services without their knowledge or consent.

    To address this issue, the new regulations prohibit the use of RSDA for compiling and updating telemarketing lists. ..."


    Article: How to stop your data leaking 

    ZDNet UK has a good article on how to stop "data leakage", accidental and malicious. A good read: How to stop your data leaking - ZDNet UK Insight.


    Misdirected faxes plague hospitals and others 

    I should probably stop passing along these stories, since they happen pretty frequently. On the other hand, they serve as a regular reminder that faxes can easily be misdirected. From the article below, it appears the hospital in question has been pretty diligent in trying to stem the problem of misdirected faxes. Nevertheless, mistakes continue to happen.

    HeraldNet: Hospital works to cut number of fax problems:

    "Providence Everett Medical Center mistakenly faxed patient information to The Herald.

    By Sharon Salyer
    Herald Writer

    Providence Everett Medical Center, which set up new faxing policies last year after medical information was mistakenly faxed to the home of a Marysville man, has had the problem occur again.

    This time, the fax, containing confidential patient medical information, was accidentally sent to The Herald's newsroom.

    The problem occurred when an employee was trying to fax medical information using a list of fax numbers for 650 area physicians who have credentials to treat hospital patients, hospital spokeswoman Cheri Russum said..."

    I know that many hospitals that I've been in contact with have implemented a policy that faxes can only be sent using "speed dial" codes, to prevent mis-dialled numbers. If you hit the wrong button, it'll go to another medical professional but at least you know it is unlikely to end up on the front page of the paper. (This strategy only really works if you do not have the newsroom on the speed dial!) Perhaps smarter faxes are needed that will ask "did you really want to send this to the New York Times?" before they actually dial.
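A pre-send check along the lines of the speed-dial policy described above, as an added example that is not part of the original post or of any hospital's software. It treats the speed-dial list as the only permitted destinations and refuses to send patient information to any entry that is not a credentialed clinical recipient, which is exactly the case where a newsroom has ended up on the list; the recipient names, roles and fax numbers are constructed sample data.

```python
"""Outbound fax gate: only vetted, clinical destinations may receive PHI.

Added example (not the blog's or any hospital's code). Directory entries,
names and numbers below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Tuple

CLINICAL_ROLES = {"physician", "clinic"}


@dataclass(frozen=True)
class Recipient:
    name: str
    number: str   # stored in E.164 form after normalisation
    role: str     # e.g. "physician", "clinic", "media", "vendor"


def normalize_number(raw: str) -> str:
    """Reduce whatever was typed into a North American E.164 number.

    Anything that is not a 10- or 11-digit NANP number raises ValueError so the
    caller fails closed instead of dialling a mistyped string.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or not digits.startswith("1"):
        raise ValueError(f"not a valid North American number: {raw!r}")
    return "+" + digits


class FaxGate:
    """Decide whether a fax may leave the building, and log every refusal."""

    def __init__(self, speed_dial: Iterable[Recipient]):
        self.directory = {}
        for r in speed_dial:
            num = normalize_number(r.number)
            self.directory[num] = Recipient(r.name, num, r.role)
        self.refusals = []   # (dialled, reason) pairs, for audit review

    def check(self, dialled: str, contains_phi: bool = True) -> Tuple[bool, str]:
        """Return (permitted, reason).

        Every destination must be on the speed-dial directory (no free dialling).
        If the fax carries patient information, the entry must also be a
        credentialed clinical recipient; a media or vendor entry on the list is
        refused even though it is "on speed dial".
        """
        try:
            num = normalize_number(dialled)
        except ValueError as exc:
            return self._refuse(dialled, str(exc))
        entry = self.directory.get(num)
        if entry is None:
            return self._refuse(dialled, f"{num} is not on the speed-dial directory")
        if contains_phi and entry.role not in CLINICAL_ROLES:
            return self._refuse(
                dialled, f"{num} is {entry.name} ({entry.role}); not a clinical recipient"
            )
        return True, f"ok: {entry.name} ({entry.role})"

    def _refuse(self, dialled: str, reason: str) -> Tuple[bool, str]:
        self.refusals.append((dialled, reason))
        return False, reason


# Constructed speed-dial list. The newsroom entry stands in for the
# misconfiguration the article describes; 555-01xx numbers are fictional.
SPEED_DIAL = [
    Recipient("Dr. A. Chen", "(425) 555-0142", "physician"),
    Recipient("Everett Family Clinic", "425-555-0177", "clinic"),
    Recipient("Herald newsroom", "425 555 0199", "media"),
]
GATE = FaxGate(SPEED_DIAL)


if __name__ == "__main__":
    for number in ["4255550142", "425-555-0199", "425-555-0100", "55501"]:
        ok, why = GATE.check(number)
        print(f"{number:>14}: {'SEND' if ok else 'BLOCK'} - {why}")
```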


    Privacy and knowledge management 

    One of the areas that I'm interested in, when my mind is not filled with privacy law stuff, is knowledge management. Luckily the blogging world is full of tremendous resources that not only provide useful news in the area, but also very insightful commentary. "Portals and KM", a blog written by Bill Ives, is one of the best. His blog has gotten me thinking about KM in new ways, and I'm delighted that I've been able to return the favour by encouraging him to think about privacy aspects of knowledge management and portals: Portals and KM: Privacy Issues in Intranets - PIPEDA.

    Privacy and knowledge management seem to reflect opposite philosophies of information management. Privacy usually suggests locking down data and limiting its circulation. KM, on the other hand, is usually based on notions of free flows of information, at least within an organization. Canadian companies are now having to think about how to integrate the two. It can be done, but involves some serious thinking and perhaps a few additional administrative steps. For example, prior work product and "best practice" documents need to be scrubbed of personally identifiable information before they are made widely available. Information about employees made available on intranets should be limited to that which is necessary from a business point of view and employees should know about what is put up there. Limiting access is also a good idea, because an HR intranet with employee data should not be available to the rank and file.

    Anybody proposing to implement a portal or intranet with employee information would do well to consider privacy at the earliest stages, particularly in this age of identity theft (and when studies are saying most ID theft is an inside job). Of course, an experienced privacy lawyer can help you through this process ...


    Privacy Site of the Day: 

    Today's "site of the day" is - The Source for News, Information, and Action, which is a joint venture of the Electronic Privacy Information Center (EPIC) and Privacy International. The Privacy.Org site brings together the latest news stories that touch on privacy issues and provides convenient links to resources related to both online and offline privacy.

    From the "about us" page

    Privacy.Org is the site for daily news, information, and initiatives on privacy. This web page is a joint project of the Electronic Privacy Information Center (EPIC) and Privacy International.

    What is the Electronic Privacy Information Center (EPIC)?

    EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.

    What is Privacy International (PI)?

    Privacy International is a human rights group formed in 1990 as a watchdog on surveillance by governments and corporations. PI is based in London, England, and has an office in Washington, D.C. PI has conducted campaigns throughout the world on issues ranging from wiretapping and national security activities, to ID cards, video surveillance, data matching, police information systems, and medical privacy.


    Monday, September 13, 2004

    Release: Privacy rule builds biomedical research bottleneck 

    According to participants at a conference in Boston today, the HIPAA privacy rule is having an adverse impact upon clinical studies and biomedical research:

    Privacy rule builds biomedical research bottleneck:

    "Complicated regulations hinder basic science and clinical studies

    BOSTON, Sept. 13 - The Privacy Rule implemented as part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 is constraining researchers in the United States and slowing the progress of a wide range of clinical studies and biomedical research. Unless fundamental rule changes are addressed, many studies may simply move offshore, warns Roberta Ness, M.D., M.P.H., professor and chair of the department of epidemiology at the University of Pittsburgh's Graduate School of Public Health (GSPH).

    Dr. Ness is moderating a policy forum discussion on 'Confidentiality and HIPAA: What's a Researcher to Do?' today during the annual meeting of the American College of Epidemiology. Scientific sessions take place through Sept. 14 at the Boston Park Plaza Hotel.

    'HIPAA has had substantial negative effects on our ability to recruit individuals to participate in research,' says Dr. Ness, whose expertise is in women's health-related research, including preeclampsia, ovarian cancer, vaginal microbiology, pelvic inflammatory disease and pregnancy outcomes. 'The way that HIPAA has hurt research, I believe, is a classic example of the law of unintended consequences.' ..."


    Article: A privacy win and a privacy loss 

    From the Direct Marketing News comes an article by Robert Gellman reviewing two important American privacy-related cases:

    It’s time to catch up with two court cases that were the subject of past columns and that produced new opinions. Privacy did well in one case and poorly in the other.

    The first case is the litigation over the do-not-call registry decided in February by the 10th Circuit. Everybody knows that the court rejected the telemarketing industry’s arguments that the registry is unconstitutional. It was a sweeping victory for the registry, as the court dismissed every argument put forward in opposition. ...

    February also brought a decision by the Supreme Court in a case arising under the Privacy Act of 1974, a law that applies only to federal agencies. The case, Doe v. Chao, involved the improper disclosure of a Social Security number by the Department of Labor. The issue was what a plaintiff had to prove to receive the $1,000 in minimum damages that the statute provides.


    The case is a setback for privacy. Privacy advocates hoped that the court would have more sympathy for the consequences of privacy violations and for the difficulty of proving damages in privacy cases, but they did not prevail.


    If you didn’t like the result in these cases, just wait. There will be more decisions in more privacy cases soon.


    Article: RFID May Be Risky Business 

    Once again, Parry Aftab's regular column in Information Week is a must-read:

    InformationWeek > RFID > The Privacy Lawyer: RFID May Be Risky Business > September 13, 2004:

    "... Whenever privacy technology, laws, or best practices are implicated, there are four issues that always should be considered: notice, consent, access and security. If the data is personally identifiable or capable of becoming personally identifiable when combined with other data you have, have you given notice of what you're doing to those whose data is being collected (the 'notice' requirement)? Have you received the requisite consent for what you're doing (the 'consent' requirement)? How can people review what you've collected for accuracy or stop you from using it later on (the 'access' requirement)? And how well are you protecting the security of the data (the 'security' requirement)? "


    Privacy International's Response to European Commission's consultation on telecommunications traffic data retention 

    On 30 July 2004, the European Commission's Directorate Generals on the Information Society and on Justice and Home Affairs issued a consultation document inquiring about the desirability of establishing a uniform pan-European retention regime for all internet and telecommunications traffic data for a period of 12-36 months. The deadline for submissions is 15 September 2004.

    Privacy International (PI) and European Digital Rights (EDRI) have just released their submission on the topic, entitled "Invasive, Illusory, Illegal, and Illegitimate" (three guesses what their position is!). The PI/EDRI submission is an interesting summary of the kinds of data that can be collected and the privacy impact of indiscriminate retention of this data.

    The Canadian Department of Justice began a consultation on "Lawful Access" in August 2002 which proposed, among other things, the capability for law enforcement to issue "Data Preservation Orders", perhaps without a warrant or other judicial authorization.

    Those interested in a free-wheeling debate on the topic can check out the discussion on the European consultation at Slashdot.


    Sunday, September 12, 2004

    Geist writes against the "broadcast flag" 

    Michael Geist's regular column in the Toronto Star this week, "Mr. Minister, please protect the public interest", is devoted to the "broadcast flag" controversy. The adoption of this technology has important privacy implications:

    "Opponents of the broadcast flag have also pointed to worrisome possibilities with regard to personal privacy. Since digital copies would now be limited ... to a particular device, the broadcast flag could easily be used to facilitate monitoring of individual viewing habits. In fact, one company, MyDTV, has already proposed pop-up style advertisements based on viewer profiles...."


    Article: Half of US universities use SSN as student identifier, leaving students vulnerable to ID theft 

    According to the September 6, 2004 edition of US News and World Report, American college students are particularly vulnerable to identity theft, primarily because universities and colleges use Social Security numbers as student identifiers:

    U.S.News & World Report Archive: Lessons in privacy (9/6/04)

    "Students may go to college to study, but there's something many don't learn about until it's too late: identity theft. A growing peril in the electronic age, this particular brand of banditry usually entails stealing someone's identity by using his or her personal financial information--name, Social Security number, date of birth, and the like--to apply for new credit cards and loans. The victim isn't accountable for most of the money stolen but still must deal with the major headache of erasing bogus accounts from his credit record and doing battle with collection agencies. According to the Federal Trade Commission, close to 10 million Americans fell victim to identity theft last year, a 41 percent increase from 2002.

    Financially inexperienced college students are particularly vulnerable. That's because roughly half of all colleges use Social Security numbers as student identifiers, and many post grades by ID number. And it's the Social Security number that unlocks the door to a credit history. "My advice to students is to be aware that you're in a high-risk environment," says Ed Mierzwinski, a consumer advocate with the U.S. Public Interest Research Group in Washington, D.C. "And be prepared to fight identity theft hard when it hits."

    US News won't make the full text available until two weeks after publication, but check back ...


    Followup: Anti-identity theft freeze gaining momentum 

    I wrote a little while ago about credit report freezes. I just tripped over a longer article on the subject. The Globe and Mail expires its content much more quickly, so this link should have a longer life*: Anti-identity theft freeze gaining momentum - Aug 3, 2004:

    "It's called the security freeze, and it lets individuals block access to their credit reports until they personally unlock the files by contacting the credit bureaus and providing a PIN code.

    The process is a bit of a hassle, and the credit-reporting industry believes it complicates things unnecessarily.

    But it appears to be one of the few ways to virtually guarantee that a fraudster cannot open an account in your name...."

    * And the Globe and Mail also now requires an intrusive registration process, so I'll link to other sources if possible.


    Saturday, September 11, 2004

    New PIPEDA Finding on video surveillance of the workplace 

    In the last batch of findings released by the Office of the Privacy Commissioner, the Assistant Commissioner had an opportunity to consider the installation of video surveillance equipment in an un-named workplace. The broadcasting company had installed the surveillance system following a full security review. The most interesting aspect of the case is that there is no reference to the requirements that former (and disgraced) Privacy Commissioner George Radwanski laid out as a pre-requisite to installing video surveillance equipment. These were referred to and implicitly supported by the Federal Court in Eastmond v. Canadian Pacific Railway, 2004 FC 852:

    [126] In answering this question, all parties urged I adopt the factors or considerations which the Privacy Commissioner looked at to determine whether CP's purposes for collecting personal information are those a reasonable person would consider are appropriate.

    [127] I am prepared to take into account and be guided by those factors which I repeat are:

    • Is camera surveillance and recording necessary to meet a specific CP need;
    • Is camera surveillance and recording likely to be effective in meeting that need;
    • Is the loss of privacy proportional to the benefit gained;
    • Is there a less privacy-invasive way of achieving the same end?

    [128] As argued by all parties, these considerations or factors enumerated by the Privacy Commissioner are those which, over the years prior to PIPEDA, arbitrators adjudicating privacy issues under collective agreements involving camera surveillance have taken into account in balancing privacy interests of employees with the legitimate interests of employers.

    In this new finding, Commissioner's Findings - PIPED Act Case Summary #273, the Assistant Commissioner did not refer to section 5(3) of PIPEDA, which sets out a baseline of reasonableness for the collection, use and disclosure of personal information:

    5(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

    Instead, the Assistant Commissioner focused on whether the company had taken sufficient steps to inform employees of the monitoring and its purposes.

    Furthermore, the investigation established that the use of such a surveillance system constituted an appropriate means of protecting its employees. Since the cameras are not used to collect employees’ personal information and are not used in places where there is a reasonable possibility of invasion of privacy, it does not seem appropriate that the employer would be required to obtain employee consent for its use. Assuming that the cameras were, inadvertently, collecting employees’ personal information, the employer would be able to use the information thus collected without the employees’ consent only in the circumstances set out in the subparagraphs 7(2)(a) and (b) of the Act.

    The Assistant Commissioner appreciated the employer’s flexibility and availability: during the investigation, the employer stated that the employees would be informed of the purposes, and that it would develop a policy document regarding the use of cameras, including the objectives of the security system, the installation sites, the employees authorized to operate the system, the time of surveillance and recording and the equity principles applicable to recording.

    The Assistant Commissioner concluded that the complaint was resolved insofar as the firm agreed to:

    • ensure that its employees are informed of the purposes for which the cameras are being used, in accordance with principle 4.3.2.; and
    • develop a policy document on the use of the surveillance cameras that is made available to the employees, in accordance with principle 4.1.4. The firm will advise the Commissioner about the adoption of such a policy within 60 days following receipt of the letter of finding.

    This finding appears to say that you can use video surveillance if it is an appropriate security measure, as long as the employees whose information will be incidentally collected are informed of the surveillance and of its purposes.


    Privacy laws and international corporate intranets 

    There is an interesting article on some of the legal issues related to cross-border corporate intranets that "disclose" information about employees. If you think an internal phone list wouldn't be a big deal, think again ...

    Legality and the International Intranet:

    "The problem for intranet managers is that intranets often provide information about the activities of the staff, and exchange information on staff with specific expertise and knowledge. Adding photographs of employees to their profile on the intranet is usually regarded as very useful. However, a photograph reveals all sorts of personal information and, according to the Directive, a photo should only be posted with the explicit consent of the individual..."


    Privacy Site of the Day: Ontario's Information and Privacy Commissioner 

    Ontario's Information and Privacy Commissioner, Ann Cavoukian, is probably the most high profile privacy advocate in Canada. Though she oversees Ontario's public sector privacy law (and now the Personal Health Information Protection Act), she is regarded as one of the country's foremost authorities on private sector privacy as well. (She is co-author of The Privacy Payoff: How Successful Businesses Build Customer Trust.)

    Though strictly beyond her jurisdiction, her office has assembled a good set of resources to help the private sector adopt privacy best practices. The presentations and publications on privacy topics are top-notch, as well.

    In short, the Information and Privacy Commissioner's site should be bookmarked and checked regularly.


    Article: Drivers choose discounts over privacy 

    The Associated Press is reporting on an American trial run of a scheme that will give good drivers a discount on their insurance -- if they prove it by submitting to electronic monitoring of their driving. Needless to say, this is not without controversy. Drivers trade privacy for insurance discounts - Sep 3, 2004:

    "Jacob Sevlie of Minnesota was part of a pilot project placing black boxes beneath the car dashboards of selected insurance customers.

    (AP) -- For two months, Jacob Sevlie's insurance company tagged along whenever he slid behind the wheel of his Honda Accord.

    An electronic monitor the size of a matchbook closely tracked Sevlie's driving time and behavior. If he had a heavy foot or was a sudden braker, the auto data recorder would betray him.

    Disconnected from the car and hooked to a PC, the device relayed Sevlie's digital driving diary to his auto insurer, Progressive Corp., with the click of a mouse during a pilot program earlier this year...."


    Lawsuit: Privacy advocacy group sues drug store chain over alleged privacy concerns 

    Computerworld is reporting that a California drug store chain is being sued by the Privacy Rights Clearinghouse for allegedly using confidential customer medical information to feed drug company marketing practices:

    California group sues Albertson's over privacy concerns - Computerworld:

    "A dozen of the country's largest drug companies are named in the suit

    News Story by Jaikumar Vijayan

    SEPTEMBER 10, 2004 (COMPUTERWORLD) - The Privacy Rights Clearinghouse (PRC), a San Diego-based privacy advocacy group, has filed a lawsuit against supermarket chain Albertson's Inc. and its pharmacy units, SavOn, Osco and Jewel-Osco. The lawsuit, filed in California Superior Court in San Diego County, alleges that Albertson's violated the privacy rights of its pharmacy customers by illegally using their confidential information to conduct targeted marketing campaigns on behalf of large drug companies...."

    Bloglines users can subscribe to the useful Computerworld Privacy News feed.


    Friday, September 10, 2004

    Parry Aftab's blogs and column 

    While reading Parry Aftab's blogs, which I do on a regular basis, I noticed that she had a kind word or two about my blog:

    A great privacy law blog from Canada by David Fraser, a privacy lawyer there: PIPEDA and Canadian Privacy Law

    PIPEDA and Canadian Privacy Law - Well thought out, great links and notes of recent developments. It's a blog I watch. Parry

    I'm delighted to return the favour. Not only are her blogs very informative and useful, but her regular articles in Information Week are consistently excellent. If you are interested in privacy matters, her column is a must read. I recommend reading the archives and making a point to regularly read her column.


    Privacy Site of the Day: Privacy Impact Assessment Guidelines 

    The Treasury Board Secretariat, the principal policy-making body for the Canadian federal government, has made available a tremendous resource for the conduct of privacy impact assessments (PIAs). The federal government's PIA policy and guidelines are on the Treasury Board's site, and they provide an excellent and systematic way of scrutinizing new or expanded projects to ensure that privacy principles and privacy legislation are considered at every step. This is much more efficient than discovering at the conclusion of the project that it has to be redesigned to mitigate privacy risks.

    An additional benefit of the PIA guidelines is that they can be implemented, by and large, by the project team with review and oversight by a privacy lawyer or the organization's privacy officer.

    Also on the subject of PIAs, I'd recommend reading a speech by Stuart Bloomfield, of the Office of the Privacy Commissioner. Stuart spoke about PIAs to the 2nd annual forum on managing government information in March 2004.

    By asking the right questions (i.e., whether the information requested is truly necessary, whether the use is consistent with the stated purpose, whether retention is rationally connected to its use, etc.), the PIA serves to give effect to the fair information practice principles.

    In sum, PIAs perform the following roles:

    1. They act as an early warning and planning tool;
    2. They forecast and/or confirm the impacts of a government proposal on the privacy of individuals and groups;
    3. They provide a mechanism to assess a proposal's compliance with privacy protection legislation and principles; and
    4. They provide a framework for the development and implementation of actions and strategies required to avoid or overcome the negative impacts of the proposal on privacy.

    In conducting a PIA and acting upon the advice advanced therein, government departments can:

    1. Avoid adverse publicity, the loss of credibility and public confidence and the legal costs, remedies and sanctions that could result from negative impacts; and
    2. Increase Canadians' privacy awareness and confidence with the government's handling of their personal information by informing them of the details of the proposal.

    The potential costs to departments by not conducting a PIA where one is required should not be underestimated. One need only recall the highly publicized debacle over HRDC's Longitudinal Labour Force File (LLF) whose subsequent dismantlement following public complaints against the database cost the department millions of dollars. Arguably had a PIA been done on the LLF prior to implementation, HRDC could have avoided the adverse publicity and financial losses that it suffered as a result of this incident.


    Wednesday, September 08, 2004

    Nfld. Information and Privacy Commissioner "cut" 

    Hot off the wires... Newfoundland and Labrador has sacked its Information and Privacy commissioner on the eve of the coming into force of the province's Access to Information and Protection of Privacy Act (public sector):

    Nfld. cuts watchdog position to part time ahead of access legislation:

    "ST. JOHN'S, Nfld. (CP) - The Newfoundland government announced the dismissal of its information and privacy commissioner Wednesday, saying the position will be cut to part-time.

    Justice Minister Tom Marshall announced the dismissal of commissioner Wayne Mitchell while 'reaffirming' the province's commitment to access to information...."


    American Civil Liberties Union : Combatting The Surveillance Industrial Complex 

    On August 9, 2004, the American Civil Liberties Union released a report/position paper on the enlisting of citizens and companies to report vague and undefined "suspicious activities" related to terrorism. Their position is no surprise, but overall the report is an interesting read:

    American Civil Liberties Union : Combatting The Surveillance Industrial Complex:

    "The Privatization of Surveillance

    The U.S. security establishment is rapidly increasing its ability to monitor average Americans by hiring or compelling private-sector corporations to provide billions of customer records. The explosive growth in surveillance by government and business is creating a "Surveillance Industrial Complex" that threatens all of our privacy.

    About the Report:

    This report makes the case that, across a broad variety of areas, the same dynamic of the "privatization of surveillance" is underway. Different dimensions of this trend are examined in depth in four separate sections of the report:

    • "Recruiting Individuals." Documents how individuals are being recruited to serve as "eyes and ears" for the authorities even after Congress rejected the infamous TIPS (Terrorism Information and Prevention System) program that would have recruited workers like cable repairmen to spy on their customers.
    • "Recruiting Companies." Examines how companies are pressured to voluntarily provide consumer information to the government; the many ways security agencies can force companies to turn over sensitive information under federal laws such as the Patriot Act; how the government is forcing companies to participate in watchlist programs and in systems for the automatic scrutiny of individuals’ financial transactions.
    • "Mass Data Use, Public and Private." Focuses on the government’s use of private data on a mass scale, either through data mining programs like the MATRIX state information-sharing program, or the purchase of information from private-sector data aggregators.
    • "Pro-Surveillance Lobbying." Looks at the flip side of the issue: how some companies are pushing the government to adopt surveillance technologies and programs based on private-sector data."


    Privacy Site of the Day: David T.S. Fraser's Privacy Law Resources [Shameless plug alert!] 

    This is a day early since I'll be on the road for a few days, with only intermittent access to the internet.

    For some time, I've been bookmarking privacy law resources for handy reference. A short while ago, I put most of them on a webpage so that I could use them regardless of what computer I was using. Since I got my own domain name, "", I've prettied them up and made them available for all and sundry. So, today's "Privacy Site of the Day" is my collection of privacy law resources: David T.S. Fraser's Privacy Law Resources. Included are links to all the privacy laws in Canada, resources for privacy impact assessments, international sources and other sites. If anything is missing, let me know by leaving a comment or e-mail me at david.fraser (a) (replace "(a)" with "@").


    Privacy Site of the Day: PIPEDA Awareness Raising Tools (PARTs) Initiative For The Health Sector 

    Industry Canada, Health Canada and various medical associations have worked together to assemble a list of questions and answers about the impact of the Personal Information Protection and Electronic Documents Act ("PIPEDA") on the health sector. The site is called "PIPEDA Awareness Raising Tools (PARTs) Initiative For The Health Sector" and is generally a good canvass of frequently asked questions. I recommend giving it a read.

    Two caveats, however. The first is that very few of these issues have been considered in the context of a complaint, let alone before the Federal Court of Canada. The second caveat is that at least one of the answers is blatantly wrong:

    47. Under PIPEDA, can regulatory bodies/colleges still continue to conduct their investigative practices? Does PIPEDA require any changes in the manner in which these investigative activities are conducted?

    The relationship between a regulatory body/college and its members is most often of a noncommercial nature, and therefore not captured by PIPEDA. These bodies are also generally empowered by law to obtain personal information as necessary to fulfill their various functions. Professionals subject to the authority of a regulatory body/college would in all likelihood have agreed to the use of their personal information by the body, as part of a condition of membership. PIPEDA recognizes such authority.

    Regulatory bodies/colleges may, in the course of their function, need to obtain personal information from other organizations that are subject to PIPEDA, such as financial institutions. Such organizations may only disclose personal information without consent to entities that have been designated as “investigative bodies” under PIPEDA, by regulation. As such, regulatory bodies/colleges may be required to obtain this designation if they wish to obtain personal information from these organizations without an individual's consent.

    The Investigative Body designation is only useful for the circumstances set out in s. 7(3)(d) of PIPEDA:

    (d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

    (i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

    (ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

    For this exception to apply, it has to be on the initiative of the organization (e.g. the physician), not the investigative body. This means that an organization can disclose personal information to an investigative body without consent, but the investigative body can't use their status to request the disclosure without consent. Also, it only applies in the circumstances set out in (i) and (ii). The circumstances in (ii) would clearly be inapplicable and it is questionable whether the circumstances of (i) would come to pass in the course of an investigation by a College of Physicians and Surgeons. The better response is the application of sections 7(3)(c) and (i):

    (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

    (c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

    (i) required by law.

    Many colleges have jurisdiction to subpoena or otherwise compel the production of information in the custody of a physician. These exceptions are clearly preferable to those in 7(3)(d). Some professional regulators, like those for social workers in Nova Scotia, don't have the power to compel the production of documents and are therefore unable to get this information without consent.


    Data protection scam in Scotland bilks companies 

    The Scotsman reports that companies in Scotland have been receiving bogus notices requiring that they register under the Data Protection Act and pay a significant fee: Business - Top Stories - Firms warned over data protection scam:

    "UNSUSPECTING businesses throughout Scotland are being hit with bogus notices demanding money under the 1998 Data Protection Act (DPA), at a UK-wide cost of more than £3 million.

    More than 30,000 individuals, or 200 businesses a month, have so far fallen victim to fake data protection agencies posing as official government bodies, and assistant Information Commissioner for Scotland, Bob Turnbull, warned that activity in Scotland appeared to be picking up. ... "


    Tuesday, September 07, 2004

    LawMeme on Tracking, Traffic, and Toll Transponders 

    Rebecca Bolin in Lawmeme has an entry about privacy issues related to traffic toll transponders:

    LawMeme - Tracking, Traffic, and Toll Transponders:

    "A tool more useful than directions themselves when I was in college at Rice was the Houston Realtime Traffic Map, developed by Texas A&M. This map uses receivers posted at exits from major highways to track Harris County toll road transponders. It calculates the speed for each car as it travels a small section of, say, I-10 and then calculates the average speed for that section of I-10.

    This use of toll transponders is quite valuable for Houston drivers, most of which I believe probably do not have these transponders at all. However, calculating the speed of a car is far from the use most drivers anticipated. Most probably just thought it paid the toll. If this system did something more than just average the data, more privacy concerns would be raised. If the system merely reported back known data to known drivers--their speed on I-10--with no legal penalty, their actions might be different. If this system started generating tickets, something would certainly change. Drivers might forgo the convenience of the transponders for privacy; they might drive more responsibly.

    Toll transponder owners should be aware of the privacy risks associated with transponders, and they should be notified of projects like this one in Houston. My East Coast E-ZPass agreement indemnified E-ZPass from all damages for use by third parties and is unclear at best about what use law enforcement could make. Houston's traffic map shows that your transponder could betray your privacy, showing your location and speed anywhere in the city. "

    The comments are valid, but I'd highlight that just because something has the potential to be privacy-invasive does not mean that it will be. Many would say that if the information is properly scrubbed, it is no longer personally identifiable and presents no privacy risk. In any event, operators of these transponder systems should disclose that the data will be used for this purpose so that the more privacy sensitive among us can make the decision of whether to use a transponder. (But I would guess that the more privacy sensitive don't use transponders because of the other range of potential collateral uses.) Highway operators should also ask themselves whether they could accomplish the same ends by using basic radar technology.
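    To make the distinction concrete, the two designs the LawMeme post contrasts (a system that keeps a per-car speed record versus one that "merely averages the data") can be written out. This is an added illustration, not code from LawMeme, Texas A&M or the Houston Realtime Traffic Map, and the reader names, the segment table, the five-minute window, the five-vehicle suppression threshold and the sample reads are all constructed assumptions rather than facts about the real system:

```python
"""Segment-speed aggregation from toll-transponder reads, showing the
identified form of the data beside a data-minimised form.

Added example; not code from LawMeme, Texas A&M or the Houston Realtime
Traffic Map.  Reader names, the segment table, the window length, the
suppression threshold and the sample reads are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Read:
    tag_id: str   # transponder identifier as heard at a roadside reader
    reader: str   # which reader heard it
    t: float      # time of the read, in seconds from an arbitrary epoch


# Assumed road geometry: reader pairs that bound a measured section, in miles.
SEGMENTS = {("I10-A", "I10-B"): 5.0}


def per_vehicle_speeds(reads):
    """The identified form: join each tag's reads across a reader pair and
    return one (tag_id, segment, mph, t_exit) row per traversal.  This is
    the record that pins a named transponder to a place, a time and a speed."""
    by_tag = defaultdict(list)
    for r in reads:
        by_tag[r.tag_id].append(r)
    rows = []
    for tag, rs in by_tag.items():
        rs.sort(key=lambda r: r.t)
        for a, b in zip(rs, rs[1:]):          # consecutive reads of one tag
            miles = SEGMENTS.get((a.reader, b.reader))
            if miles is None or b.t <= a.t:   # not a known section, or clock trouble
                continue
            rows.append((tag, (a.reader, b.reader), miles / ((b.t - a.t) / 3600.0), b.t))
    return rows


def segment_averages(reads, window_s=300, min_vehicles=5):
    """The minimised form: the same section averages, but the only thing
    returned is {(segment, window_start): (vehicle_count, mean_mph)}.
    Tag ids are used in memory to pair the two reads of one vehicle and
    never appear in the result; windows with fewer than min_vehicles are
    suppressed so a lone car's speed cannot be read off a published average."""
    acc = defaultdict(lambda: [0, 0.0])       # (segment, window) -> [count, sum of mph]
    for _tag, seg, mph, t_exit in per_vehicle_speeds(reads):
        window = int(t_exit // window_s) * window_s
        acc[(seg, window)][0] += 1
        acc[(seg, window)][1] += mph
    return {k: (n, total / n) for k, (n, total) in acc.items() if n >= min_vehicles}


# Constructed sample: seven vehicles traverse I10-A -> I10-B; TAG-0008 is
# heard once only, so it can never be paired and contributes to nothing.
SAMPLE_READS = [
    Read("TAG-0001", "I10-A", 0),   Read("TAG-0001", "I10-B", 300),   # 60 mph
    Read("TAG-0002", "I10-A", 50),  Read("TAG-0002", "I10-B", 300),   # 72 mph
    Read("TAG-0003", "I10-A", 0),   Read("TAG-0003", "I10-B", 360),   # 50 mph
    Read("TAG-0004", "I10-A", 150), Read("TAG-0004", "I10-B", 350),   # 90 mph
    Read("TAG-0005", "I10-A", 100), Read("TAG-0005", "I10-B", 400),   # 60 mph
    Read("TAG-0006", "I10-A", 200), Read("TAG-0006", "I10-B", 440),   # 75 mph
    Read("TAG-0007", "I10-A", 600), Read("TAG-0007", "I10-B", 900),   # 60 mph, alone in its window
    Read("TAG-0008", "I10-A", 30),
]

if __name__ == "__main__":
    for row in per_vehicle_speeds(SAMPLE_READS):
        print("identified:", row)
    for key, (n, mean) in segment_averages(SAMPLE_READS).items():
        print("published :", key, n, round(mean, 1))
```

    Run as-is, the identified form yields seven rows, one of which says that TAG-0004 covered the section at 90 mph and left it at t=350; the minimised form yields a single entry for the 300-second window (six vehicles, mean 67.8 mph) and suppresses TAG-0007's window because it would publish one driver's speed under the name of an "average". Note that the variant the post describes as reporting "known data to known drivers" needs the identified form, so the choice between the two is a policy decision about what the operator retains and for how long, not merely an implementation detail.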


    Editorial: HIPAA horror stories 

    The Carroll County Star Tribune (Arkansas) has an editorial that rails against the impact of HIPAA on the ability of community newspapers to report on the comings and goings of hospital patients and the ability of police to track down missing persons. Despite its conclusion, it doesn't really deal with the impact of HIPAA on quality of care:

    "Privacy is certainly a good thing, in this age of information technology which threatens our most basic rights, but when heavy-handed laws are enacted which impede the delivery of medical care, we wonder - isn't it time to revisit these laws and repeal those that are obviously not in the best interest of either our health or our privacy?"

    Thanks to SANS PrivacyBits for the pointer, which also points to a similar-toned editorial from the Lahontan Valley News (Fallon, NV):

    Consider the case of a California man who died recently after coming down with West Nile virus, the mosquito-borne disease that has been spreading like wildfire in northern Nevada. Citing privacy laws, county health officials would not disclose the nature of the man's disease - even to his brother - until after the patient died. The brother was outraged because he didn't know the man was in a potentially life-threatening situation, but at least his brother's confidentiality wasn't breached.

    What started out as a noble attempt to ensure that people who changed jobs didn't automatically lose their health insurance somehow morphed in Congress when senators Ted Kennedy (D-Mass.) and Nancy Kassebaum (R-Kan.) got a hold of it.

    Not surprisingly, a movement to repeal this ill-conceived legislation is gaining momentum; the sooner the better as far as we're concerned.


    Privacy Site of the Day: The Public Interest Advocacy Centre 

    The Public Interest Advocacy Centre has been among the most active and vocal participants in the privacy debate in Canada. This country does not have the same organized consumer advocacy groups as does the United States. Consumer and citizen voices are often difficult to hear in policy debates. But on privacy matters, PIAC has had a lot to say and they have also undertaken some interesting projects.

    To begin with, PIAC commented on the CSA Model Code (the heart of PIPEDA) and the bills that led to PIPEDA. They have participated in the consultation process and Philippa Lawson has appeared at privacy conferences to plead the public interest case. From the point of view of a privacy lawyer, one of their greatest contributions has been to complain to the Privacy Commissioner about the "opt-out" practices of a number of the country's companies and then to release the full text of the findings on their website. Because the Commissioner only releases brief summaries of her findings, these are instructive reading.


    Monday, September 06, 2004

    Privacy Site of the Day: Center for Democracy and Technology - Privacy Issues 

    This is the first in a planned series of postings highlighting websites with a privacy focus that I've happened upon and bookmarked as useful resources for future reference.

    The first "Privacy Site of the Day" is put out by the Center for Democracy and Technology, a well-respected organization that is on the cutting edge of issues related to the democratization of cyberspace. Its mission statement says it much more eloquently than I can (on a Labour Day morning):

    The Center for Democracy and Technology works to promote democratic values and constitutional liberties in the digital age. With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in global communications technologies. CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media.

    The CDT's Privacy Issues page includes a wide range of resources, including policy papers and consumer privacy guides. Definitely worth bookmarking.

    I'm going to try to post one a day, but I can't promise to be that regimented as work/life gets crazy-busy after labour day. I'd also invite readers to submit their favourites, either in the blog's comments or via e-mail: david.fraser(at) (replace the "(at)" with "@").


    Taiwan set to toughen privacy laws after leaks of personal information connected to organized crime 

    Today's Taipei Times has an article on upcoming changes to Taiwan's privacy laws following leaks of personal information by civil servants to organized crime: See Cabinet mulls tighter data protection.


    Comment: Are Privacy Policies Unenforceable and Meaningless? 

    In a blog entry from last week, the chief privacy officer of Plaxo responded to an article written by David Coursey ("Beware of 'Free' Services") that suggests companies may break their privacy promises when they become desperate for money or a new owner arrives on the scene. Plaxo's principal product is a service to keep your contacts up to date, so it collects a fair amount of personal information.

    Plaxo's Personal Card: Are Privacy Policies Unenforceable and Meaningless?


    The fact is promises made within privacy policies are enforceable, specifically by the FTC. People may be familiar with Section 5 of the FTC Act, which declares "unfair or deceptive acts" unlawful. The FTC has demonstrated in the past that an organization's failure to live up to published privacy practices is considered "unfair or deceptive" and the FTC has taken corrective action to protect consumers in these cases.

    In the case of Plaxo, our Plaxo Privacy Policy sums up our privacy practices within the following principles:

    • Your Information is your own and you decide who will have access to it.
    • You maintain ownership rights to Your Information, even if there is a business transition or policy change.
    • You may add, delete, or modify Your Information at any time.
    • Plaxo will not update or modify Your Information without your permission.
    • Plaxo will not sell, exchange, or otherwise share Your Information with third parties, unless required by law or in accordance with your instructions.
    • Plaxo does not send spam, maintain spam mailing lists, or support the activities of spammers.


    But the question remains, can't an organization simply change their privacy policy at any time?

    The answer is yes, but the FTC Act also covers material changes to privacy policies. In speaking with an FTC official at a recent IAPP/TRUSTe Privacy Symposium, I was told the FTC operates under the concept that "a privacy policy walks with the information". In the recent case between the FTC and Gateway Learning, Howard Beales, Director of the FTC's Bureau of Consumer Protection, summed it up by stating, "You can change the rules but not after the game has been played." I direct you to the FTC site for more information:


    Sunday, September 05, 2004

    OPC on Privacy Impact Assessments 

    In March, Stuart Bloomfield of the Office of the Privacy Commissioner of Canada gave a good speech about privacy impact assessments to the "Managing Government information" forum in Ottawa. I didn't link to it when I first came across it, but I thought I'd highlight it today because it's a good read for those who are interested in PIAs or are evangelists about the risk-management benefits of conducting privacy impact assessments before significant projects. Here is an extract from the speech:

    Speech: Managing Government Information 2nd Annual Forum - March 10, 2004 - Office of the Privacy Commissioner of Canada - Privacy Commissioner of Canada:

    "In sum, PIAs perform the following roles:

    1. They act as an early warning and planning tool;
    2. They forecast and/or confirm the impacts of a government proposal on the privacy of individuals and groups;
    3. They provide a mechanism to assess a proposal's compliance with privacy protection legislation and principles; and
    4. They provide a framework for the development and implementation of actions and strategies required to avoid or overcome the negative impacts of the proposal on privacy.

    In conducting a PIA and acting upon the advice advanced therein, government departments can:

    1. Avoid adverse publicity, the loss of credibility and public confidence and the legal costs, remedies and sanctions that could result from negative impacts; and
    2. Increase Canadians' privacy awareness and confidence with the government's handling of their personal information by informing them of the details of the proposal.

    The potential costs to departments by not conducting a PIA where one is required should not be underestimated. One need only recall the highly publicized debacle over HRDC's Longitudinal Labour Force File (LLF) whose subsequent dismantlement following public complaints against the database cost the department millions of dollars. Arguably had a PIA been done on the LLF prior to implementation, HRDC could have avoided the adverse publicity and financial losses that it suffered as a result of this incident."


    US Health Privacy Law leads to conviction of ID theft and fraud 

    The first conviction under HIPAA, the United States Health Insurance Portability and Accountability Act, has taken place in Seattle. The US Attorney's office has released the following press release, describing the guilty plea related to the theft of a cancer patient's personal information for ID theft purposes. Interestingly, he wasn't charged under traditional identity theft laws, but only for "wrongful disclosure of individually identifiable health information for economic gain."

    August 19, 2004


    RICHARD W. GIBSON, age 42, of SeaTac, Washington pleaded guilty today in federal court in Seattle to wrongful disclosure of individually identifiable health information for economic gain. This is the first criminal conviction in the United States under the health information privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) which became effective in April, 2003. Those provisions made it illegal to wrongfully disclose personally identifiable health information.
    As set forth in the Plea Agreement (also view Information), GIBSON admitted that he obtained a cancer patient's name, date of birth and social security number while GIBSON was employed at the Seattle Cancer Care Alliance, and that he disclosed that information to get four credit cards in the patient's name. GIBSON also admitted that he used several of those cards to rack up more than $9,000 in debt in the patient's name. GIBSON admitted he used the cards to purchase various items, including video games, home improvement supplies, apparel, jewelry, porcelain figurines, groceries and gasoline for his personal use. GIBSON was fired shortly after the identity theft was discovered.

    The Government and GIBSON agreed as part of the Plea Agreement, that GIBSON should be sentenced to a term of 10 to 16 months. Under these terms, the Court could order that the term be served either wholly in federal prison, or in a combination of federal prison and either home confinement or community confinement. GIBSON has also agreed to pay restitution to the credit card companies, and to the patient for expenses he incurred as a result of GIBSON's use of his identity.

    At a hearing scheduled for November 5, 2004, U.S. District Court Judge Ricardo S. Martinez will determine whether to accept the Plea Agreement, and if accepted, will determine GIBSON's sentence within the 10-16 month range set forth in the Plea Agreement and the length of any supervised release following his prison term. If the Court rejects the Plea Agreement and the agreed upon sentence, GIBSON will have an opportunity to withdraw his guilty plea.

    "Too many Americans have experienced identity theft and the nightmare of dealing with bills they never incurred. To be a vulnerable cancer patient, fighting for your life, and having to cope with identity theft is just unconscionable," stated United States Attorney John McKay. "This case should serve as a reminder that misuse of patient information may result in criminal prosecution."

    The case was investigated by the Federal Bureau of Investigation (FBI) and is being prosecuted by Assistant United States Attorney Susan Loitz. For further information please contact Emily Langlie, Public Affairs Officer for the United States Attorney's Office at (206) 553-4110.

    Thanks to Symtym and GruntDoc for leading me to this release.


    Saturday, September 04, 2004

    UK media looking to overturn European privacy ruling 

    The UK website The Lawyer is reporting a lobbying effort to have an important privacy ruling appealed.

    UK press in-housers fight privacy ruling - 9 August 2004:

    "Associated Newspapers' head of legal is attempting to mobilise the UK media to back lobbying efforts aimed at convincing the German government to appeal the controversial Princess Caroline decision to the Grand Chamber of the European Court of Human Rights (ECHR).


    The case revolves around photographs of Princess Caroline of Monaco that were published in German magazines.

    The landmark judgment handed down by the ECHR in Von Hanover v Germany on 24 June 2004 has caused uproar among UK media lawyers, who feel that the decision imposes a privacy law on European states and hampers the freedom of the press.

    Tench's petition has two main points. The first is that EU member states should have the power to enforce a lower degree of privacy than that required by the court. The second is that the European Convention on Human Rights governs the relationship between a state and its citizens, not private companies."

    According to reports, Germany has declined to appeal the decision. (The BBC report also has a nice, concise summary of the issues.)


    Explain the value of personalization and the customer will share their info 

    I was thinking a bit more about an article I referred to a little while ago (see: Article: The Privacy Dilemma). The article is from Computerworld, a great source of timely articles related to privacy and security. It includes a quote from a Gartner analyst:

    According to Gartner Inc. analyst Adam Sarner, privacy legislation can actually be a boon to personalization initiatives -- at least in the case of "explicit" personalization, in which a company collects data with the customer's permission, with the promise that it will use the data to only make relevant contact.

    "Every company should have user profiles that allow customers to set preferences: when they want to be contacted, how often and about what. That's explicit personalization, and it can be extremely powerful," says Sarner. While the sit-down nature of the Web offers the best interface for creating user profiles, the data should be populated across databases that touch every relevant contact point, whether it be through e-mail or call center or at point of sale. "The trick is not just leave it on the Web but make it part of the complete user profile," Sarner says.

    In my experience, if you clearly explain the benefits of personalization, customers will share their personal information and allow you to provide them with better service. When I teach about privacy law, there's an example that I often use. About a year ago, I had to travel to Ottawa and the regular hotel I stay at was booked up. So I called another hotel, where I had stayed a long while before. I made my reservation and asked if they wanted my credit card number to hold the reservation. The clerk responded "Oh, Mr. Fraser, we'll hold your room with the credit card we have on file." I hadn't stayed there for ages and they still had my credit card number on file. How many reservation clerks had access to it? Where was it stored? They thought they were giving great service, but it weirded me out. It weirds out just about everyone I tell the story to (except hoteliers). I had stayed there once and didn't expect to stay there again. Interestingly, the other hotel where I usually stay has my credit card on file and it doesn't bother me. Why? Because they asked me for it and explained the benefits. I signed up for their frequent guest program, a perk of which is they keep your preferences on file and use them to serve you better. I could have said no. But the value was there: My reservations take a second, I always get the right kind of room and they know what side of the building I like. The value is readily apparent, I have the choice and I trust them.

    Most times a customer fills out a form, I think they do a little crude calculus: how much am I giving up and how much am I getting in return. Companies that aren't proactive about privacy aren't explaining the value to their customers at this critical moment. If the customer doesn't know what you want to do with it, they get suspicious. And they give you junk information, limited information or they walk away.


    Break-in at BC school board leaks sensitive personal information 

    An August 23, 2004 break-in at a British Columbia school board's offices resulted in the theft of sensitive payroll information about board employees and students, including info about medical conditions. See the full story at the Tri-City News:

    Hundreds of calls in wake of SD43 break-in:

    "The investigation into a theft that compromised the financial integrity of thousands of school board employees is 'extremely active,' said Coquitlam RCMP spokesperson Cpl. Jane Baptista.

    'Hopefully in the next while, I will have more information,' she said. 'At this time, I'm not at liberty to speak anymore about it as I do not wish to compromise the integrity of the investigation.'

    Since a break-in at the school board office Aug. 23, staff have sent emails and letters trying to reach 13,400 employees and former employees to warn them crooks may get access to their bank accounts because confidential data was stolen.

    Cheryl Quinton, the school district's communications manager, estimates she has fielded more than 100 emails and phone calls a day since employees were notified of potential identity theft. 'Because it's an area that needs some time with each caller, it's seldom a quick answer, so it's taking time,' she said.

    The impact of the theft of computers and other equipment has forced the district to review not only its security - already beefed up - but how it handles records and information, Quinton said. Some former employees received more than one copy of the same letter (see Letters, page 11) because of payroll designations. If employees switch divisions, such as from teacher on-call to permanent, or from CUPE to excluded staff, a separate payroll record remains.

    Also compromised by the theft was personal information, including medical alerts and course information for as many as 100,000 students but, Quinton said, she has had very few calls from parents. Still, there are concerns. ..."


    Thursday, September 02, 2004

    Training for the Personal Health Information Protection Act - PHIPA - Bill 31 

    National Privacy Services Inc., a company for which I am the principal legal advisor (and trainer), has announced additional dates for its training program for the Personal Health Information Protection Act (aka PHIPA and Bill 31).

    The training is being offered in conjunction with ClinCoach Inc., an internationally recognized company specialising in training for clinical researchers. Readers of the blog and other select folks can get 50% off registrations for the September/October sessions if you mention PHIPA31 at the time of registration.

    Check out the updated brochure at:

    Training for the Personal Health Information Protection Act - PHIPA - Bill 31. You can register online at NPSi's website.


    Article: Privacy Laws And Kids, A Delicate Balance 

    WOKR-TV's website (from Rochester) has an article about the balancing act that healthcare providers have to deal with as a consequence of privacy legislation. The article focusses on HIPAA, but similar issues arise here under PIPEDA and provincial laws.

    Privacy Laws And Kids, A Delicate Balance:

    "Patrice Walsh (Rochester, NY) 08/24/04 - If a child gets hurt, parents are usually the first to be notified, but not always.

    At age 18, young people in college are considered adults and protected under Health Insurance Portability and Accountability Act (HIPAA) law. They must consent before parents are notified in case of illness or injury.

    Megan Bero, 18, is accustomed to having her mother nearby when she's sick. Now the SUNY Brockport freshman is on her own for the first time, and suffering from a case of hives.

    Megan was given a prescription, something her mother would not have been told unless Megan wanted her to know.

    Megan said, 'If it's something serious, I think she should be told, she's my mother, she should be called.'"

    Ontario's Bill 31 does a better job in dealing with substitute consent, but a lot remains up to the judgment of individual physicians and healthcare providers.

    My general approach is to consider the ability of the individual child to consent (in a meaningful way) to the collection, use or disclosure of personal information. If the kid is able to make those decisions in an informed manner, the decision is theirs to make and the physician should not assume they are able to disclose any information to the parent without consent. Even if there is a general consent from the child to disclose information to the parents, particular care must be taken when you are dealing with sensitive topics, such as pregnancy, abortion and sexually transmitted diseases. The physician should always be aware of the privacy rights of the patient and consistently looking after the patient's best interests.

    Complete aside: I find the infantilization of young adults to be very interesting. As a lawyer who advises a number of universities and post-secondary institutions on privacy practices, it is clear that the line between child and adult is blurring, at least from the perspective of the parent. When I went to university, it was unheard of for a parent to call a professor to ask about a kid's progress and there never would have been any thought that the university was acting in loco parentis. An eighteen year old is an adult. Period. End of sentence. Now universities are facing an onslaught of parents who act as though their kids are in high school still and assume they have a right to know whether Johnny has been skipping English 101. Nothing of substance, I just find it interesting.


    Study: Clear privacy practices boost trust and online sales for Internet companies 

    My own personal experience backs up the findings of a study recently released from the University of California, Irvine. The number of consumers who care about privacy is growing and they are a relatively silent bunch. Rather than raise a fuss, they just don't complete a transaction if they aren't comfortable with how the company proposes to use their information. Probably what makes them the most uncomfortable is simply not knowing what will happen with their personal information.

    PIPEDA requires that every business that collects, uses and discloses personal information in the course of commercial activities have a privacy policy that, among other things, gives a general account of how the business handles personal information. Principle 2 puts the onus on the business to inform the individual of the purposes of the collection. Not only is it the law in Canada, it is good business practice. If a growing number of your customers want to know, you better tell them. And don't try to produce screens and screens of small print, because they either won't understand all the legalese or they'll think you're being too clever and deceptive. Every business should have a privacy statement that they want customers to read and about which they can be proud. And, if you don't want to disclose a practice, you probably shouldn't be doing it.

    Take a look at the release from the University of California, Irvine (which came to my attention via Science Blog and the IAPP Daily Dashboard).

    Clear privacy practices boost trust and online sales for Internet companies, determines UCI study:

    "Informatics professor builds Web-based template to assist Internet buyers and sellers

    Irvine, Calif. , August 30, 2004

    Internet companies can boost sales and build trust with online shoppers by providing clear and readily available privacy disclosures, according to a recent UC Irvine study.

    "Surveys have demonstrated that online shoppers are concerned about their privacy, specifically about the confidentiality of the personal data they provide to Web retailers," explained Alfred Kobsa, author of the study and professor of informatics in UCI's Donald Bren School of Information and Computer Sciences. "To allay these concerns, many Web sites include a link to their online "privacy policies," which describe how the retailer treats the personal data of customers. Even comprehensive privacy notices that should reassure readers are, however, often written in a lengthy and legalistic manner, and in effect, hardly ever read by Internet shoppers."


    The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.