The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, October 31, 2004
The following was released by the President of the Treasury Board, Reg Alcock, on Friday, October 29, 2004:
Statement by Reg Alcock, President of the Treasury Board, in response to the report issued by the Information and Privacy Commissioner for British Columbia:
"For immediate release
October 29, 2004
Ottawa - Reg Alcock, President of the Treasury Board issued the following statement today in response to the report issued by the Information and Privacy Commissioner for British Columbia on Privacy and the USA Patriot Act:
"The Government of Canada is currently reviewing the report released today by the Information and Privacy Commissioner for British Columbia on Privacy and the USA Patriot Act. We are committed to doing everything we can to protect the privacy of Canadians with respect to key federal personal and sensitive information holdings. The Government will continue to work closely with the federal Privacy Commissioner, provincial governments and the private sector to protect the security and privacy of Canadians and the interests of Canadian businesses.
We are also calling on Canadian businesses to continue to respect the privacy rights of Canadians with regards to information the private sector possesses on individual Canadians, as legislated under the Personal Information Protection and Electronic Documents Act.
The actions taken by the Government in response to potential privacy and contracting risks posed by the USA Patriot Act include: a review by Government departments of their outsourcing arrangements to determine if action is needed; continuing the review of federal privacy laws and policies; and cooperating with the OPC on the planned audit in 2004-2005 of the transfer of personal information between Canada and the United States".
Jennifer Stoddart, the Privacy Commissioner of Canada, ended last week with a statement following the publication of the BC Commissioner's report on cross-border privacy issues:
News Release: Privacy Commissioner calls for further examination of transfer of personal information about Canadians across borders - August 18, 2004: "Striking a balance between the protection of privacy and the promotion of national security is one of the single most important issues facing our society today," said Ms. Stoddart. "This is an issue to be addressed by all jurisdictions across Canada and our Office looks forward to working with the federal government and the BC Information and Privacy Commissioner to address recommendations in the report."
Labels: information breaches
Saturday, October 30, 2004
Government Technology is reporting a recent survey that has determined that, among those who are aware of RFID, 63% of those polled are concerned about the privacy issues related to the emerging technology. The surveyed consumers said that government, followed by "crooks and bad guys," banks, insurance companies and credit card companies are the most likely to abuse their privacy without their knowledge and consent.
Study Detailing RFID Privacy Concerns Released:
"....Consumers express being more concerned with privacy issues today than ever before. And with many forms becoming electronic, they are cautious about divulging personal information and are taking active steps to protect themselves such as checking to make sure websites are secure before submitting information and shredding paper and mail received unsolicited at home. Many believe their personal information is easily obtained by companies through magazine subscriptions and frequent-buyer programs implemented by grocery stores and airlines.
Although consumers recognize the "perks" of being rewarded for loyal shopping behavior, they are also concerned that their information is not protected and will be shared without their permission. "Almost everyone knows somebody lately who has had a bad experience with privacy invasion, credit card abuse or identity theft," said Linda Stegeman, president of Artafact. "In online focus groups, they recount stories of friends or families who have been affected by institutions or crooks and bad guys getting access to their personal information."
Only 35% of consumers concerned about protecting their personal information believe that RFID (Radio Frequency Identification) is a "good idea." However, they also recognize the business benefits of easily tracking merchandise and preventing theft. Many consumers think they will not reap any benefit from RFID technology and are concerned with the potential for misuse, given the "lack of safeguards."
It is staggeringly easy to accidentally send an e-mail to a large distribution list with the addresses in the "TO:" or the "CC:" field instead of the "BCC:" field. A number of such incidents have led to significant consequences for senders who accidentally breached the privacy of the recipients. Recently, a customer loyalty program did this in Canada, resulting in a complaint to the federal Privacy Commissioner. (See PIPED Act Case Summary #277: Mass mailout results in disclosure of contest entrants e-mail addresses.) A large drug company did the same in the United States, leading to a significant penalty from the FTC. (See ACLU Knocks Eli Lilly for Divulging E-Mail Addresses: Site's prescription reminder reveals names of recipients.)
In a recent incident, slightly tinged with irony, the Dutch Data Protection Authority did the same thing:
Data protection watchdog distributes email mailing list | The Register:
"The Dutch Data Protection Authority (Dutch DPA), which supervises the compliance with acts that regulate the use of personal data, was rather red-faced this week when it sent out a newsletter with all of the recipients in the Cc: field instead of the Bcc: field.
DPA's news letter goes out to 4000 subscribers. The DPA, which supervises the compliance with the Dutch Personal Data Protection Act and the Dutch Municipal Database Personal Records Act, was lucky that 'only' a thousand subscribers received the letter, but it managed to make the mistake twice. In a message it apologised for sending the first letter, again putting all recipients to the Cc list, so a second apology had to be sent."
These happen so often that I think Outlook and other mail programs should have a function that asks if you are sure you want to send a message with more than five/ten/whatever recipients in the "CC:" field....
Labels: information breaches
Friday, October 29, 2004
The Information and Privacy Commissioner of BC has released his report into the impact of the USA PATRIOT Act on the privacy of British Columbians. His report is available here and a summary is available here.
See below for media coverage:
U.S. Patriot Act can eyeball private Canadian records, says B.C. report
Canadian Press via Yahoo! News Fri, 29 Oct 2004 11:10 AM PDT
VICTORIA (CP) - The USA Patriot Act has the power to eyeball private information about Canadians despite attempts by governments in Canada to thwart probes by American authorities, says a report released Friday by British Columbia's privacy commissioner.
Patriot Act contravenes B.C. privacy laws: report
CBC British Columbia Fri, 29 Oct 2004 11:06 AM PDT
VICTORIA - B.C Privacy Commissioner David Loukidelis says the U.S. Patriot Act violates provincial privacy laws – and he wants the province to temporarily ban the transfer of personal information to the U.S.
Canada Study Sees Risk in U.S. Anti-Terrorism Law
Reuters via Yahoo! News Fri, 29 Oct 2004 11:31 AM PDT
A key U.S. anti-terrorism law threatens the privacy of Canadians and rigorous steps are needed to protect private medical and financial information, a government study said on Friday.
The Supreme Court of Canada has just released its decision in R. v. Tessling, 2004 SCC 67. The matter at issue was whether the use of infrared imaging from outside a home constituted unreasonable search and seizure under the Charter of Rights and Freedoms. I haven't had a chance to read it in detail, but here's the headnote:
Her Majesty The Queen
Attorney General of Ontario, Attorney General of Quebec and Canadian Civil Liberties Association
Neutral citation: 2004 SCC 67.
File No.: 29670.
2004: April 16; 2004: October 29.
Present: McLachlin C.J. and Iacobucci,* Major, Bastarache, Binnie, Arbour,* LeBel, Deschamps and Fish JJ.
ON APPEAL FROM THE COURT OF APPEAL FOR ONTARIO
Constitutional law -- Charter of Rights -- Search and seizure -- Police using thermal imaging device to take 'heat' picture of accused's home from aircraft without warrant -- Whether warrantless use of thermal imaging device violated right against unreasonable search and seizure -- Canadian Charter of Rights and Freedoms, s. 8.
The RCMP used an airplane equipped with a Forward Looking Infra-Red ("FLIR") camera to overfly properties owned by the accused. FLIR technology records images of thermal energy or heat radiating from a building. It cannot, at this stage of its development, determine the nature of the source of heat within the building or "see" through the external surfaces of a building. The RCMP were able to obtain a search warrant for the accused's home based on the results of the FLIR image coupled with information supplied by two informants. In the house, the RCMP found a large quantity of marijuana and several guns. The accused was charged with a variety of drug and weapons offences. At trial, he unsuccessfully argued that the FLIR overflight was a violation of his right to be free from unreasonable search and seizure guaranteed by s. 8 of the Canadian Charter of Rights and Freedoms, and was convicted. The Court of Appeal set aside the convictions. The court found that the use of FLIR technology constituted a search of the accused's home and, since it was done without a warrant, violated his s. 8 right. The court concluded that the evidence ought to have been excluded and the accused acquitted on all charges.
Held: The appeal should be allowed. The FLIR overflight did not violate the accused's constitutional right to be free from unreasonable search and seizure.
Few things are as important to our way of life as the amount of power allowed the police to invade the homes, privacy and even the bodily integrity of members of Canadian society without judicial authorization. Building upon the foundation laid by the common law, s. 8 of the Charter creates for "everyone" certain areas of personal autonomy where the state, including the police, cannot trespass. These areas we have now gathered up under the general heading of privacy. At the same time, social and economic life creates competing demands. The community wants privacy but it also insists on protection. Safety, security and the suppression of crime are legitimate countervailing concerns. Thus s. 8 of the Charter accepts the validity of reasonable searches and seizures.
Privacy is a protean concept, and the difficult issue is where the "reasonableness" line should be drawn. The distinction between informational and territorial privacy is of assistance in the current factual situation. Whereas the Court of Appeal treated the FLIR imaging as equivalent to a search of the home, and thus "worthy of the state's highest respect", it is more accurately characterized as an external surveillance of the home to obtain information that may or may not be capable of giving rise to an inference about what was actually going on inside, depending on what other information is available to the police. FLIR is not equivalent to entry. Because of the emphasis on the informational aspect, the reasonableness line must be determined by focussing on the nature and quality of the information FLIR can actually deliver and then evaluating its impact on an accused's reasonable privacy interest.
FLIR technology cannot, in its present state of development, permit any inferences about the precise activity giving rise to the heat. The accused had a privacy interest in the activities taking place in his home and it may be presumed that he had a subjective expectation of privacy in such activities to the extent they were the subject matter of the search. The fact that it was his home that was imaged using FLIR is an important factor, but it is not controlling and must be looked at in context and in particular, in this case, in relation to the nature and quality of the information made accessible to the police by FLIR technology. Everything shown in the FLIR photograph exists on the external surfaces of the building and, in that sense, FLIR records only information exposed to the public. Although the information about the distribution of the heat was not visible to the naked eye, the FLIR heat profile did not expose any intimate details of the accused's lifestyle or part of his core biographical data. It only showed that some of the activities in the house generate heat.
Thus, when one considers the "totality of the circumstances", the use of FLIR technology did not intrude on the reasonable sphere of privacy of the accused. Patterns of heat distribution on the external surfaces of a house are not a type of information in which, objectively speaking, the accused had a reasonable expectation of privacy. The heat distribution information offered no insight into his private life and its disclosure scarcely affected his "dignity, integrity and autonomy".
Technology must be evaluated according to its current capability, and its evolution in future dealt with step by step. Concerns should be addressed as they truly arise. FLIR technology at this stage of its development is both non-intrusive in its operations and mundane in the data it is capable of producing. The taking of a FLIR image therefore did not violate the respondent's reasonable expectation of privacy within the scope of s. 8 of the Charter.
GlobeTechnology is reporting on a study recently conducted on the privacy attitudes and privacy-protecting actions of US consumers. It is eye-opening, but most who work in this area know that consumers regularly talk about privacy fears, but rarely act with their privacy interests in mind.
Security, but only if it's convenient: "
U.S. consumers may express fear of identity theft, but they continue to offer too much personal information over the telephone and the Internet, a survey says.
Consumers continue to repeat the mistakes that resulted in nearly 10 million identity theft victims in the United States last year as reported by the U.S. Federal Trade Commission.
The 2004 Identity Management Survey, commissioned by Texas-based Electronic Data Systems Corp. and the International Association of Privacy Professionals, based in Maine, found that consumers are not taking enough security precautions to protect themselves despite repeated warnings of identity theft.
According to the survey, more than 70 per cent of consumers are too ready to share information such as their names, addresses, postal codes, phone numbers, account numbers or give the answer to a security question to an unsolicited call or e-mail...."
Thursday, October 28, 2004
According to a press-release on the BCGEU website, the Information and Privacy Commissioner of British Columbia will be releasing his long-awaited -- and delayed -- report on the impact of the USA PATRIOT Act on the privacy of British Columbians' personal information. The report will be released at 10:00 am (PST), to be followed by the reaction of the BCGEU. (See BCGEU: News conference to respond to privacy ......)
This just in....
The Concealed I: Anonymity, Identity and the Prospect of Privacy www.anonequity.org/concealedI
March 4-5, 2005
University of Ottawa, Faculty of Law, Ottawa, Canada
* Do we have a right to speak anonymously? * Why do people claim to value privacy but act otherwise? * What are the constitutional implications of the compelled disclosure of identity? * What is the effect of imposing anonymity on women who enter the legal system as a result of sexual assault or other crimes of gendered violence? * Do we have the right to resist excessive surveillance?
These are some of the questions being investigated by a multidisciplinary team of researchers on a project entitled On the Identity Trail (www.anonequity.org). The team, along with faculty members from the Law and Technology Program at the University of Ottawa (www.commonlaw.uottawa.ca/tech), invites you to a two-day conference dedicated to investigating these and other privacy issues in our increasingly networked society.
Panel discussion topics include: * THE NATURE AND VALUE OF PRIVACY AND ANONYMITY * PUBLIC PERCEPTIONS OF PRIVACY * POLICY ISSUES FOR PRIVACY COMMISSIONERS * DEBATE ON THE COMPELLED DISCLOSURE OF IDENTITY * INVASIVE SURVEILLANCE TECHNOLOGIES * COMPARATIVE CONSTITUTIONAL ISSUES * PUBLIC SAFETY IN FREE AND DEMOCRATIC SOCIETY * PRIVACY ACTIVISM
The conference will begin on Day I with an introductory session investigating the nature and value of privacy and anonymity in an era of ubiquitous identification technologies. This will be followed by an investigation from a social science perspective on public perceptions of privacy and data flows. These two panels lay the ground for a very special policy lunch, hosted by Canada's federal and provincial privacy commissioners. In an unprecedented collaboration, the various participating privacy commissioners will present a cross-Canada "policy-scan", setting out the most pressing issues encountered by their offices and offering a range of viewpoints in response. The remainder of the afternoon on Day I will include a debate on compelling the disclosure of identity and a session on invasive identification and surveillance technologies.
Day II of the conference will begin with law and policy issues and will end with an investigation of some broader social dimensions of anonymity and identity. The day starts with a session investigating some of the crucial comparative constitutional questions, and is followed by a session that focuses more specifically on issues of race and gender. These sessions will be followed by another policy lunch featuring representatives of the law enforcement and security community debating the need for identification from the perspective of "public safety" in a free and democratic society. The remainder of the afternoon of Day II will focus on the broader public, including a session on social activism and the appropriateness of certain public responses to oppressive surveillance. We end the conference with a walking tour of the surveillance cameras in the Ottawa area and an artistic performance.
Ken Anderson Assistant Commissioner (Privacy), Office of the Information Privacy Commissioner of Ontario
Jacquelyn Burkell Professor, Faculty of Information and Media Studies, University of Western Ontario
Colin Bennett Professor, Political Science, University of Victoria
Bill Brown New York Surveillance Camera Players
Paul De Hert Professor, Faculty of Law, Leiden University & Free University Brussels
Jane Doe Teacher, Lecturer and Arts and Culture Worker,
A. Michael Froomkin Professor, Faculty of Law,
Oscar Gandy Professor, Annenberg School for Communication, University of Pennsylvania
Daphne Gilbert Professor, Faculty of Law,
Declan McCullagh CNET
Canada Research Chair in Ethics, Law & Technology, University of Ottawa
David Lyon Professor, Department of Sociology, Queen's University
Mexico Attorney General,
Steve Mann Professor, Department of Electrical and Computer Engineering, University of Toronto
Helen Nissenbaum Professor of Culture & Communication, Computer Science and Sr. Fellow in Law, NYU
G.T. Marx Professor Emeritus, Department of Sociology, M.I.T.
Stephanie Perrin Research Coordinator, On the Identity Trail; Privacy Consultant and Advocate,
Jennifer Stoddart Privacy Commissioner of Canada
Marc Rotenberg Executive Director, Electronic Privacy Information Center; Adjunct Professor, Georgetown Law
Alan Westin Professor Emeritus, Columbia University; President, Privacy and American Business
The Health Information Act of Alberta has recently come under the microscope as a result of a review of the legislation by a committee of the Alberta legislature (see Alberta legislature committee recommends changes to the Health Information Act (HIA)). The President of the AMA has expressed concerns about the many categories of non-treatment-related disclosures of personal health information that can be made without the knowledge and consent of the patient. See the recent article in the Medical Post (19 October 2004):
MedicalPost.com: AMA concerned law does not protect confidentiality:
What the Health Information Act lacks is a fundamental commitment that, in non-direct-care situations, protecting patient privacy is more important than sharing information, Dr. Ballantine explained. The association believes that patient privacy should be regarded as more important than sharing information for non-direct-care purposes.
Patients expect that physicians and other providers will share their health information to provide direct care. Patients don't expect, though, that their information can be shared, without consent, for all of the non-direct-care purposes authorized by the act. That's where the problem lies, she stressed...."
The Privacy Commissioner released a new finding yesterday (the finding itself is dated September 3, 2004), the first finding to address the mandatory use of biometrics in the workplace. In this case, the employer used voice-print technology for security and managing the employer-employee relationship. The Assistant Commissioner determined that the use of this technology was reasonable, and struck the appropriate balance for security purposes.
Commissioner's Findings - PIPEDA Case Summary #281: Organization uses biometrics for authentication purposes - September 3, 2004 - Privacy Commissioner of Canada:
"Several employees complained that their employer was forcing them to consent to the collection of biometric information, namely, their voice print, for the purpose of accessing a number of the company's business applications. These applications are used for logging work-related information, as well as for absence reporting. "
Kerry Diotte, a columnist for the Edmonton Sun, has a piece about proposed amendments to the Alberta Health Information Act that were voted down by a legislature committee that was reviewing the Act. The proposal would have allowed hospitals to disclose health information without consent to police in certain circumstances:
Edmonton Sun Columnist: Kerry Diotte - Too much privacy?:
In a submission to the committee studying changes to the act, then-acting deputy chief Mike Bradshaw summed up the cops' concerns.
'The [Edmonton Police Service]'s primary concern is that the (current act) prevents health-care providers from contacting or disclosing to police services information where it is reasonably suspected that a person attending the hospital has been involved in some form of criminal activity,' wrote Bradshaw.
That point hits home with Lukaszuk who welcomes the more common-sense approach of the new legislation.
'In my opinion, shifting the balance from complete protection of health information to a slight relaxation of such protection -and enhancing police ability to apprehend criminals - was a reasonable undertaking,' said Lukaszuk.
'After all, any law-abiding Albertan would not object to a police officer wanting to know whether he is in hospital or whether he has a bullet wound. It's likely only the criminal element that would object.' "
An article in last week's Vancouver Sun reports on the opinions of a leading public health researcher that privacy zealots and their bureaucratic brethren are blocking valuable research:
Our privacy rules 'block health research: Important studies held back, scientist says
"Privacy and ethics rules in Canada are choking studies into everything from the hazards of cellphones to the ill-effects of living near busy, polluted roads, says a leading public health researcher...."
Labels: information breaches
The New York Times is running, in the Auto section, an article on event data recorders that record the last few seconds before an airbag deployment. These are the so-called black boxes that are increasingly becoming useful in litigation and insurance claims. Some claim that it amounts to "big brother onboard":
The New York Times > Automobiles > Does Your Car Have a Spy in the Engine?:
"AFTER Danny G. Hopkins's Cadillac CTS rear-ended Lindsay Kyle's Dodge Neon at a traffic light in Rochester a year ago, witnesses said Mr. Hopkins had been zooming down the road, and crash investigators who examined the condition and location of the wreckage estimated that Mr. Hopkins was traveling 65 to 70 miles an hour at the point of impact.
But in a trial that ended on Oct. 7, a witness emerged with more to say: that four seconds before the crash, it had been traveling 106 m.p.h."
Labels: information breaches
Tuesday, October 26, 2004
Here's a weird, interesting privacy story ...
The Ticker - Students object to assignment, cite privacy concerns:
"Last week Baruch senior Adorian Lazar brought to the attention of the USG student objections to a controversial research paper that required them to divulge personal information, including whether they'd ever had an abortion or lived with someone while unmarried. The paper was a requirement for a Sociology 1005 class. The professor's name has been withheld...."
Labels: information breaches
ITBusiness.ca, which is always at the forefront of covering privacy matters in Canada, is running an article with an overview of Ontario's new health privacy law, the Personal Health Information Protection Act (PHIPA):
"Ontario prescribes privacy law for health-care sector
10/26/2004 5:00:00 PM - The province introduces specific rules around patient data and some heavy fines for those who don't comply. Learn about the 'lockbox' principle and how UHN and others are getting prepared..."
Following the finding by the federal cabinet that the Personal Information Protection Act (Alberta) is "substantially similar" to PIPEDA, the Alberta Information and Privacy Commissioner, Frank Work, has released the following statement:
Commissioner welcomes substantially similar finding:
"Edmonton, October 26, 2004
Commissioner Frank Work today welcomed news that Industry Canada has found Alberta's Personal Information Protection Act (PIPA) substantially similar to the Federal Personal Information Protection and Electronic Documents Act.
The substantially similar finding means the provincial law rather than the federal law governs the collection, use and disclosure of personal information by private sector organizations in Alberta. Personal information in the custody or control of private sector organizations as it relates to commercial transactions or activities will be subject to the Act. Personal employee information is also covered by the PIPA.
"This is good news. It gives businesses in Alberta some certainty as to which law governs," says the Commissioner. "The finding enables my Office to make arrangements with the Privacy Commissioner of Canada to coordinate our efforts so that we do not have two Commissioners knocking on the same door, with respect to the same issue," adds the Commissioner.
The PIPA allows the Commissioner to review the decisions of private sector organizations to deny an individual access to their own personal information, or to refuse a request for correction to their own personal information. Individuals may also make a complaint to the Commissioner if they believe their personal information has been collected, used or disclosed without proper authority or without their consent.
The Information and Privacy Commissioner is an independent Officer of the Legislature. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Health Information Act, and the Personal Information Protection Act."
The British Columbia Government Employees Union, which started the USA PATRIOT ACT and outsourcing firestorm in BC a while ago, has presented a fifty-thousand name petition against privatizing government jobs by outsourcing:
BCGEU: Right-to-Privacy Campaign presents 50,000-name petition opposing the privatization of government jobs:
"The BC Government and Service Employees' Union congratulated Right-to-Privacy-Campaign representatives who turned over petitions totaling 51,203 names to the Opposition caucus in Victoria today, opposing the contracting out of Medicare and Pharmacare jobs to private companies.
While support for stopping the privatization of Medicare and Pharmacare jobs is welcome, President Heyman cautioned that all personal information in government data banks is at risk.
"The Campbell Liberals are proceeding with plans to contract out help desk, disaster recovery and many other services to the private sector," Heyman said. "If these contracts proceed, virtually every piece of confidential information handled by the government could be accessed by private multi-national corporations.""
Monday, October 25, 2004
Law Technology News - Keeping Promises: Online Privacy Policies:
"Rethinking the boilerplate on your company's Web pages could help you avoid FTC sanctions..."
Though written from an entirely American perspective, it is of relevance to Canadians and other non-Americans thanks to the long arm of the law. Courts can and do assume jurisdiction over operators of websites originating from outside their borders, particularly if the sites are "aimed" at their jurisdiction. Canadian companies with an online presence have to seriously consider not only PIPEDA, but also the enforcement powers of the FTC.
The October 2004 edition of Canadian Lawyer magazine has a brief feature on Canadian blogging lawyers. It refers to Michael Fitzgibbon's fantastic blog, Thoughts from a management lawyer, Sharon E. Reashore's Elder Law in Nova Scotia and this blog, PIPEDA and Canadian Privacy Law. The article, which discusses the benefits of blogging for lawyers, is only available in the print edition.
Michael Geist continues his argument in favour of stronger Canadian privacy laws in this week's LawBytes column in the Toronto Star:
TheStar.com - Revise privacy law to expose offenders, block snoops:
"With Industry Minister David Emerson scheduled to lead a parliamentary review of Canada's privacy legislation in 2006, it is time to consider how Canada can break from the pack by establishing a privacy law framework that combines the societal benefits of a strong privacy commissioner with an enforcement approach that leaves no doubt that privacy compliance is not to be taken lightly."
Labels: information breaches
Public Safety and Emergency Preparedness Canada has just released (21 October 2004) its mandatory Annual Report on the Use of Electronic Surveillance, 2003. Thanks to Michael Power for the link.
Sunday, October 24, 2004
Marketplace, the Canadian Broadcasting Corporation's consumer affairs program, has just continued its series of privacy features by investigating two of the country's loyalty programs:
CBC Marketplace: Mining your business
"Our quest: to find out what companies do with your information - the personal stuff you provide on the sign-up sheet when you apply for a card ... and the information gleaned from your purchases when your card is swiped at the store."
Their investigation (with a small sample) confirmed the conclusions of Katherine Albrecht, of CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), that loyalty programs do not result in real savings ...
"For some background on loyalty card programs, we headed to Harvard University, in Boston, Massachusetts. We met with a student and privacy activist named Katharine [sic] Albrecht. She's doing her doctoral thesis on loyalty cards.
In all her research, Albrecht says she's "been unable to find a single consumer benefit from using these cards."
But wait ... We thought these loyalty card programs were about saving consumers a dime. To test Albrecht's thesis, we did a little research of our own. We went shopping."
Among the interesting elements of the report is a view into the information that is collected by loyalty programs. The show's "consumer cadets" opened loyalty program accounts and subsequently requested access to their personal information. The responses from the companies are posted on the show's website.
Those interested may also wish to check out some of the materials released by the Public Interest Advocacy Centre in Ottawa, following their complaint to the Privacy Commissioner about the information collected by various organizations, including a high-profile loyalty program.
Most followers of computer security and privacy news know about Bruce Schneier. (He is the author and editor of the Crypto-Gram newsletter and of Beyond Fear: Thinking Sensibly about Security in an Uncertain World.) In his recent blog entry about the security and privacy issues related to the reports that RFID will be added to American passports (see Wired News: American Passports to Get Chipped), he very clearly articulates the perceived privacy risks of adding this technology to passports. I would only add that the same risks are inherent in adding RFID to any identity document.
Schneier on Security: RFID Passports:
"October 04, 2004
... But the Bush administration is advocating radio frequency identification (RFID) chips for both U.S. and foreign passports, and that's a very bad thing.
These chips are like smart cards, but they can be read from a distance. A receiving device can "talk" to the chip remotely, without any need for physical contact, and get whatever information is on it. Passport officials envision being able to download the information on the chip simply by bringing it within a few centimeters of an electronic reader.
Unfortunately, RFID chips can be read by any reader, not just the ones at passport control. The upshot of this is that travelers carrying around RFID passports are broadcasting their identity.
Think about what that means for a minute. It means that passport holders are continuously broadcasting their name, nationality, age, address and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder's knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily--and surreptitiously--pick Americans or nationals of other participating countries out of a crowd.
The Bush administration is deliberately choosing a less secure technology without justification. If there were a good offsetting reason to choose that technology over a contact chip, then the choice might make sense.
Unfortunately, there is only one possible reason: The administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can't be done.
Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it."
Your ID is apparently worth about ten bucks. Today's New York Times has a feature on identity theft, its history, who the criminals are and what is being done to address the problem:
The New York Times > Business > Your Money > Identities Stolen in Seconds:
"....A spokesman for the Consumer Data Industry Association, the trade group representing credit reporting agencies, said consumers could put fraud alerts on their credit histories if they wanted to keep prying eyes at bay. Representatives of Visa and MasterCard, the two largest credit card associations in the country, say that they are guarding customer account numbers more carefully, for example, by deleting the numbers in mail and other documents delivered to customers' homes.
Sergio Pinon, the head of security and risk services at MasterCard, said that MasterCard was deploying computer systems that analyze the spending patterns of individual card users and pluck out anomalies in case a fraud is under way. Like Ms. Feddis, Mr. Pinon said that he was the victim of an identity thief, but that he stopped the fraud because his bank had quickly spotted an intrusion into his credit card account.
Both MasterCard and Visa also monitor Web sites that broker stolen credit card numbers and other personal information. 'One of the things we've discovered is that your identity is worth about $10' on the Internet, said Linda Locke, a MasterCard spokeswoman.
With identities so cheap, experts say that criminals who want to mask themselves inside the envelope of someone else's financial world will continue to have ample opportunities to express themselves.
'The only limitation to identity theft is the creativity of the thief, and that's scary because there's really no limit on creativity, is there?' Ms. Foley said. 'The tour guides on this crazy ride are the thieves, not us and not law enforcement, and as long as that continues it's going to be a problem.' ..."
Saturday, October 23, 2004
Hack at UC Berkeley Potentially Nets 1.4 Million SSNs:
"Hackers took advantage of a known vulnerability on an unpatched computer to potentially gain access to some 1.4 million names, Social Security numbers, telephone numbers, addresses and dates of birth at University of California at Berkeley, officials said Tuesday. ..."
Labels: information breaches
eWeek is reporting that the computer network at Purdue has been hacked into and sysadmins are urging all users to change their passwords. The breach is still being investigated and there is no word on whether personal information has been disclosed:
Someone Hacked Into Purdue's Computers:
The school has not been able to determine whether the intruder obtained personal information. Ksander advised users to watch for signs that others might have obtained their personal information.
Labels: information breaches
The federal cabinet, on October 12, 2004, issued two very important orders, exempting organizations in Alberta and British Columbia from the application of PIPEDA: the provincial private sector privacy laws have been declared to be substantially similar to the federal law. Therefore, PIPEDA does not apply to the collection, use and disclosure of personal information by provincially regulated organizations that occurs within Alberta and British Columbia. (Surprise! PIPEDA will apply if you disclose it across provincial borders.)
PC2004-1163 relates to the Personal Information Protection Act (Alberta) and PC2004-1164 relates to the Personal Information Protection Act (British Columbia). Both orders are long awaited. Neither has been "Gazetted", but they are effective on the date of registration, which was October 12, 2004.
(A big thanks to Michael R. Whitt, of Borden Ladner Gervais in Calgary, for sending me copies of the exemption orders ... and for his contribution to the privacy roundtable that Eloise Gratton and I moderated at the Canadian IT Law Association annual conference in Calgary this past week.)
Friday, October 22, 2004
Privacy risks for 'hundreds and hundreds' of B.C. contracts
Gordon Campbell Liberals outsourcing IT contracts to U.S. companies
Vancouver - The British Columbia government has admitted that "hundreds and hundreds" of provincial contracts will be vulnerable to privacy concerns despite the passage of new controls by the legislature.
The province is in the process of outsourcing B.C. information technology (IT) contracts to American companies. The U.S. firms are subject to the Patriot Act, a sweeping piece of legislation passed following the Sept. 11, 2001, terrorist attacks on New York and Washington.
American courts have already ruled that the Patriot Act takes precedence over any privacy protections enacted by foreign governments.
Critics, led by the B.C. Government and Service Employees' Union (BCGEU/NUPGE), are strongly opposed to outsourcing of IT contracts because of this vulnerability.
Meanwhile, Joyce Murray, B.C.'s government services minister, acknowledged this week that the strengthened legislation will only apply to contracts signed after Oct. 12, not to "hundreds and hundreds" of already-existing contracts.
No deadline for compliance
Contracts signed prior to Oct. 12 will be brought into compliance with the new legislation "as soon as possible," Murray told MLAs in the legislature. However, she did not indicate how long this might take.
Diane Wood, the BCGEU's secretary-treasurer, says the revelations by the minister make an even stronger case against outsourcing IT contracts. In effect, U.S. companies awarded IT contracts will have no alternative but to break the law, she says.
“If they comply with the Patriot Act, they break B.C.’s law. If they follow our legislation, they risk prosecution in the United States,” Wood notes.
She also objects to the province forcing the amendments through the legislature before the B.C. Privacy Commissioner files a report on the Patriot Act and its potential impact on B.C. outsourcing contracts.
“The only way to ensure that our personal and confidential information is fully protected, is to keep it in our own government where it belongs,” says Wood. NUPGE"
Bill 73, the British Columbia law to amend the Freedom of Information and Protection of Privacy Act (see BC Amends Public Sector Privacy Law) was blasted through the BC Legislature and received royal assent yesterday: BILL 73 -- 2004: FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY AMENDMENT ACT, 2004
In Silicon Valley North, Rick Segal argues that privacy is overrated for customers looking for personalized services:
Silicon Valley NORTH: The problem with privacy:
"Privacy is really not all it's cracked up to be. For the most part it gets in the way of doing lots of useful things with technology. With apologies to the Society for Staying Out of My Life, it's an interesting venture capitalist's exercise to go through some possibilities when you suspend for a moment the fears of Big Brother... "
Labels: information breaches
The tension between patient privacy and an insurer's interest in knowing what is being paid for has led to a significant conflict between certain North Carolina psychiatrists and an insurance company. The Psychiatric Times has a very thoughtful article on a battle raging between two psychiatrists and Blue Cross and Blue Shield of North Carolina.
This is very much a live issue here in Canada. Patients may not be aware of how much information is being transmitted to their insurers and fear of disclosure can have a significant impact upon the therapeutic relationship. At the same time, health professionals may inadvertently provide too much information, resulting in unintended consequences to the patient.
Patient Privacy Battle Hinges on Competing Interests:
"by Michael Jonathan Grinfeld
Psychiatric Times January 2001 Vol. XVIII Issue 1
One of the reasons that details surrounding a clash over the privacy of patients' records in North Carolina are shrouded in secrecy is that there are still aspects of the dispute that, ironically, remain confidential. The year-and-a-half-old battle, which started after a breakdown in the relationship between two psychiatrists and a major health insurer in the region, yielded privacy issues so critical that the American Psychiatric Association and the North Carolina Psychiatric Association (NCPA) ultimately agreed to jump into the fray.
At issue is a conundrum that will ultimately confront every psychiatrist in the nation and will, if not resolved in a way that reconciles competing interests, strike at the heart of mental health care: Can psychiatrists preserve patient confidentiality while at the same time providing enough information to insurers so they can get paid?
Unresolved questions abound: How much information can insurers justifiably request to ensure that health benefits are paid properly? Are benefits payers asking for so much information that they risk undermining the therapeutic relationships between physicians and patients, or, even worse, are they so intrusive that people won't seek care when they need it? Will physicians sacrifice their obligation to preserve their patients' most intimate revelations in order to ensure an uninterrupted income stream? ..."
Thursday, October 21, 2004
Further to the report of the Alberta legislature's special committee reviewing the Health Information Act, the Alberta Information and Privacy Commissioner has responded via the following press release (further info at the same site):
Commissioner responds to the Final Report of the Select Special Health Information Act Review Committee:
Edmonton, October 21, 2004
Frank Work, Alberta's Information and Privacy Commissioner, issued his comments today on the release of the Final Report of the Select Special Health Information Act Review Committee.
There are a number of positive outcomes arising from the Committee's recommendations including:
- The authority to publish ethics committee research approvals on a website is a positive as it provides for increased openness, accountability and transparency for Albertans
- Recommending against certain disclosures without consent, specifically disclosure for common or integrated government programs. The Commissioner believes this is an extremely broad category of disclosure without consent.
The Commissioner also had a number of concerns with some of the Committee's recommendations, including the failure to address substantive issues such as:
- The issue of expanding the scope of the Act to include privately funded health professionals, organizations, and health clinics of post-secondary educational institutions was deferred to a committee of the Legislature to be established in early 2005. The Commissioner believes that this leaves a gap in legislation with no provincial access or privacy legislation for the privately funded health sector and needs to be addressed immediately.
- Also deferred to the future 2005 committee:
  - whether genetic information should be explicitly addressed,
  - whether health service provider information should remain under the Act,
  - examining the need for more clear and transparent rules for the electronic health record,
  - harmonizing the Act to the rules of the pan-Canadian health information privacy and confidentiality framework,
  - the Commissioner's request for the explicit right to conduct and compel information for purposes of conducting audits, and
  - the Commissioner's request for explicit power to enter into extra-provincial agreements and to consult and delegate extra-provincially.
The Commissioner is not opposed to the creation of a discretionary authority for custodians to disclose limited registration information to law enforcement agencies for the purposes of obtaining search warrants or subpoenas. However, he opposes the creation of mandatory disclosure and reporting of health information to law enforcement and is concerned about the lack of certainty for custodians.
Wired News is reporting that the next generation of US passports will be "chipped" using RFID technology:
Wired News: American Passports to Get Chipped:
"...The RFID passport works like a high-tech version of the children's game 'Marco Polo.' A reader speaks out the equivalent of 'Marco' on a designated frequency. The chip then channels that radio energy and echoes back with an answer.
But instead of simply saying 'Polo,' the 64 Kb chip will say the passport holder's name, address, date and place of birth, and send along a digital photograph.
While none of the information on the chip is encrypted, the chip does also broadcast a digital signature that verifies the chip itself was created by the government. Security experts said the U.S. government decided not to encrypt the data because of the risks involved in sharing the method of decryption with other countries.... "
And thus is born the aluminum-lined passport holder industry.
Wednesday, October 20, 2004
Another in a series of significant privacy incidents has hit California universities. This time, a research database containing very sensitive personal information was penetrated. See the discussion on Slashdot and the article, below, from Security Focus:
SecurityFocus HOME News: California reports massive data breach:
"The FBI is investigating the penetration of a university research system that housed sensitive personal data on a staggering 1.4 million Californians who participated in a state social program, officials said Tuesday.
The compromised system had the names, addresses, phone numbers, social security numbers and dates of birth of everyone who provided or received care under California's In-Home Supportive Services program since 2001, says Carlos Ramos, assistant secretary of the state's Health and Human Services Agency. The program pays a modest hourly wage to workers who provide in-home care for hundreds of thousands of low-income elderly, blind and disabled people.
Officials say they have not determined whether or not the intruder actually downloaded the database, which had been made available to researchers at the University of California, Berkeley under a confidentiality agreement. 'We don't know whether or not the information was accessed,' says Ramos. 'Since it is sensitive data we figured it would be best to get word out to people so they can take preventive measures just in case.' ..."
See also the California Department of Social Services information about this incident at: http://www.cdss.ca.gov/ihss/. The Department also has an FAQ related to the incident at http://www.cdss.ca.gov/ihss/IHSSSecuri_1720.htm.
Tuesday, October 19, 2004
Mathew Englander (http://www.mathew-englander.ca/) recently wrote to me about the latest developments in the CRIA lawsuit appeal. With his permission, I'm including his letter and I suggest taking a look at the appeal materials he refers to:
A while ago you blogged about the decision by Justice von Finckenstein of the Federal Court (2004 FC 488) not to compel several ISPs to release information related to the identities of their subscribers alleged to have infringed copyright by file-sharing (pipeda.blogspot.com/2004/04/privacy-aspects-of-matter-of-bmg.html).
You may wish to run an update as the decision is under appeal to the Federal Court of Appeal. I have been reading the factums at CIPPIC's web site (http://www.cippic.ca/en/projects-cases/file-sharing-lawsuits/document-archives.html). The central issue on appeal is whether a plaintiff in a John Doe lawsuit needs to establish a "prima facie case" or just a "bona fide case" before an innocent third party is compelled to release information about the identity of the defendant.
This may seem like a dry legal distinction, but it has serious implications for privacy. The "prima facie" standard (which Justice von Finckenstein adopted as the first criterion of five; see paras. 13-14 of his decision) is stricter. As I understand it, it means that the plaintiff must provide some acceptable evidence on each element of the cause of action. The "bona fide" standard appears to mean that the plaintiff need only show that it honestly believes the defendants are liable. Having a stricter standard is more respectful of an individual's privacy since it requires more evidence before the court may order the individual's personal information released.
The Canadian Recording Industry Association was coordinating the legal action for the plaintiffs. It is interesting to look at its news releases on the matter (http://www.cria.ca/news.htm). For example, on March 12, after the first day of the hearing before Justice von Finckenstein, it issued a news release saying it was "confident" its motion would be granted.
The plaintiffs' motion was dismissed because of deficient evidence. CRIA had hired a company called MediaSentry to investigate music piracy. MediaSentry downloaded files from 29 users of peer-to-peer software, and came up with an IP address for each user at the time of download. The IP address could be linked with an ISP through whois queries, so the plaintiffs wanted the ISPs to disclose the real name, address for service, and other information about the holder of the account to which the particular IP address was assigned at the particular time.
However, there was no evidence at all as to how MediaSentry came up with the IP address of each peer-to-peer user. In addition, the affidavits tendered by the plaintiffs were full of hearsay with no explanation for why they did not provide affidavits from those with direct knowledge. It seems to me that this was a big screwup by the lawyers who prepared the motion material.
There were five ISPs named as non-party respondents to the motion: Shaw, Rogers, Bell Canada, Telus, and Videotron. All five are respondents on the appeal and each filed its own memorandum of fact and law. It is particularly interesting to read the ISPs' arguments. Only one, Videotron, is basically supportive of the plaintiffs. Bell Canada's position is ostensibly neutral, but its arguments are strongly opposed to the plaintiffs' appeal. The other three expressly argue that the appeal should be dismissed.
In my view, the decision of Justice von Finckenstein is solid and it is surprising that CRIA is even appealing it. Since these are just intended as test cases in any event, it might be better off going back to square one, having MediaSentry or some other company entrap some more alleged copyright-infringers and this time developing a stronger evidentiary base to bring to court.
The October 18, 2004 edition of Fortune Magazine points to an increasing practice of retailers demanding ID when customers return products. This has led to a flurry of complaints to the Canadian Privacy Commissioner (see "New Privacy Law Sprouts Forest of Complaints"). But the Fortune article refers to a new service that tracks shopping patterns and the returns of individual customers. If you have a pattern of "excessive returns", your return will be declined.
FORTUNE - Magazine - Sorry, Your Return Is No Good Here:
"Walking through the mall a couple of weeks ago, Hayden Cobb, a 32-year-old systems engineer at Lockheed Martin, couldn't resist a few impulse buys. But after realizing that all his crisp new shirts didn't fit right, he headed back to the Express store near Atlanta, receipt in hand. The clerk asked for his driver's license, swiped it, and then handed him a small slip of paper that read 'Return Declined.' 'I was dumbfounded,' he says.
Cobb is just one of the many customers who are finding that returning merchandise isn't as easy as it used to be. Retailers including Express, the Limited, and the Sports Authority have begun tracking consumer return and exchange habits to help curb the $16 billion that stores lose in 'return fraud' each year. All the companies mentioned have enlisted California-based Return Exchange, a five-year-old for-profit company that stores customer ID and payment information and tracks shopping behavior, looking for patterns of fraudulent or excessive returns. The system also aims to prevent 'wardrobing,' in which people (women in particular) buy clothes, wear them to a party, and return them the next day. 'We're not accusing you of being a thief,' says King Rogers, a consultant who advises Express on security matters. 'We're suggesting that you're not a profitable customer.' While stores have long reserved the right to refuse returns, shopper tracking has privacy watchdogs like Jordana Beebe of the Privacy Rights Clearinghouse alarmed (she's particularly worried that data across stores may eventually be aggregated)... "
Labels: information breaches
The latest SANS privacy bits contains the following report:
"UK: Loophole in EU Data Protection Laws Puts UK Consumers at Risk (16 October 2004)
According to Peter O'Grady, assistant secretary of Lloyds TSB Group union, British consumers are at risk due to the outsourcing of call centers in India and other developing countries. Information given to call center operators in India by British consumers is not protected due to a legal loophole in the European Union (EU) data protection laws. His warning comes as Royal Sun Alliance, an insurance giant, announced it was sending 1,100 jobs to India.
Related Article: Royal Sun May Set Up Call Centre In Bangalore
[Editor's Note (Murray): They are at it again. This is economic protectionism masquerading as a concern for privacy. (Triulzi): Unfortunately as the drive towards outsourcing continues these issues are going to become more and more relevant. India's government has been working to address data privacy issues although as of today it does not yet possess any legislation in the field. The real question should be: isn't the data ending up in too many different hands? A large insurer surely has data which should be closely guarded (e.g. medical claims) - what are they doing to guarantee the security of this data? ]"
Labels: information breaches
Just in case you thought that the Radwanski story had been told, a new chapter was tabled in the Parliament today, according to the Canadian Press:
Yahoo! News - Former privacy czar hired daughter of insider in return for access: report:
"OTTAWA (CP) - Hiring rules were so lax in the federal privacy commissioner's office that the daughter of a prime ministerial secretary was given questions and answers in an advance of a pre-ordained job interview, says a new report.
George Radwanski may be long gone but new details are emerging about his troubled tenure. A one-year follow-up report on the scandal, tabled Tuesday in Parliament, revealed that Danielle Bondar was hired to repay what Radwanski considered 'an important political favour.'... "
A Vancouver lawyer has compiled a scary bunch of statistics on losses of computers (and, by inference, data) from the Canadian federal government. See the article in the Globe & Mail:
Computer thefts hint at huge losses of data:
"Hundreds of computers were stolen from federal government offices last year, filched from such security-sensitive agencies as the RCMP, the Canadian Space Agency, Canada Customs and Revenue Agency, the Department of National Defence and the Privy Council, the operational arm of the cabinet."
Labels: information breaches
Monday, October 18, 2004
A special select committee of the Alberta legislature has made fifty-nine recommendations for amendments to the Health Information Act (Alberta). The report is available from the website of the committee at http://www.hiareview.assembly.ab.ca/.
The text of the press release appears below:
Committee recommends changes to the Health Information Act (HIA):
"LEGISLATIVE ASSEMBLY OF ALBERTA
SELECT SPECIAL HEALTH INFORMATION ACT REVIEW COMMITTEE
October 18, 2004
Committee recommends changes to the Health Information Act (HIA)
Edmonton... Striking a balance between protections of privacy versus a need to know was one of the more challenging tasks before the Select Special Health Information Act Review Committee as they reviewed current legislation over the summer.
"Our focus was to review the Health Information Act to determine whether an appropriate balance has been achieved between protection of the individual's privacy and access to health information where appropriate to provide health services and to manage the health system," said committee chair Broyce Jacobs. "I think we achieved that."
With 72 written submissions and 15 oral presentations to consider during the review, months of consideration and deliberation have resulted in 59 recommendations being made by the committee.
The committee's first recommendation is that a future committee be struck in 2005 to address issues that require additional research and further consultation with stakeholders.
"There are a number of issues that require more time," explained Jacobs. "As well, there is intent to consider harmonization with a pan-Canadian health information privacy and confidentiality framework, which is not yet finalized and therefore could not be addressed by this committee."
The focus of this committee's recommendations deal with: the purpose of the Act, definitions, the scope of the Act, health service provider information, individual right to access health records, collection of health information, elements of consent, discretionary disclosure without consent, disclosure to police services, triplicate prescription program, genetic information, informed knowledgeable implied consent, disclosure for research purposes, duties and obligations to custodians, the Commissioner, substitute decision makers, offences and penalties and health information regulations.
A copy of the Select Special Health Information Act Review Committee's final report is available online at http://www.hiareview.assembly.ab.ca/ ."
Michael Geist's regular Toronto Star column this week is a strong argument in favour of changes to the reporting procedures at the Office of the Privacy Commissioner. At present, the Commissioner only releases very brief summaries of her findings that are cleansed of all information that could identify a party. The parties themselves are provided with a much more thorough analysis (see the examples posted by the Public Interest Advocacy Centre). As someone who reads them all to help advise clients, I can say that they are often so summarised that it is difficult to use them as a basis for advice. Michael argues that this only serves to protect those who break the law and that proposed changes to the practices at the Privacy Commissioner's Office further undermine the utility of issuing findings:
TheStar.com - Privacy law perversely protects those who break it:
"...For Canadian privacy law to garner the respect it needs to achieve widespread compliance, the commissioner's office should consider several changes to its reporting approach. First, it should work toward a more timely release of findings, recognizing the import attached to them by the privacy community. Moreover, it should update findings that are challenged in federal court and refrain from removing findings from its site without public notice (as it did in one instance over the summer).
Second, the commissioner's office should stop adding an additional layer to the reporting system with its summaries of each finding and instead release the full text of Commissioner's report for each case (with only the complainant's identifying information omitted). The current approach adds unnecessary costs, leads to reporting delays, and fosters uncertainty within the privacy community on the degree to which the summary can be relied upon in future complaints.
Third, it should at long last exercise its power by identifying the targets of well-founded complaints. The Act empowers the Commissioner to "make public any information relating to the personal information management practices of an organization if the commissioner considers that it is in the public interest to do so." Critics of a "naming names" approach have pointed to this provision as a reason for keeping the parties anonymous, arguing that it cannot always be in the public interest to release identifying information.
In fact, changes at the commissioner's office suggest that the law provides plenty of support for a more transparent disclosure policy. Recent reports indicate that the commissioner's office is scaling back its disclosure of findings. Roughly half of all complaints are now settled through mediation and the commissioner apparently does not plan to release the details of those resolved cases. Moreover, where a finding involves a fact scenario that has previously been discussed in a reported case, a new finding will similarly not be issued.
As a result of these changes, the commissioner's office seemingly now plans to release only novel findings that cannot be settled.... "
Sunday, October 17, 2004
An Australian government inquiry has vindicated a number of whistleblowing employees of a Melbourne nursing home. Among the incidents reported is one related to the privacy of the residents: "In a gross breach of privacy, residents' personal records were used as scrap paper for grocery lists and chores to be done around the home."
The media coverage arising from the FDA's approval of the VeriChip implantable RFID chip continues. The BBC, in its 'Magazine', has an article that thoroughly surveys the issues, from a technical overview to the theories of the tinfoil hat brigade:
BBC NEWS | UK | Magazine | Security under the skin:
"A US company has been given the green light to implant microchips in humans. It's intended to provide medical information ... but will it turn into a surveillance system?
How would you like to have the equivalent of a barcode built into your arm?
It would be convenient. A quick scan could save the need to show passports or ID cards. It would be handier than carrying cash or producing medical records.
And a particularly clever barcode would let people find you if you were lost or abducted.... "
Saturday, October 16, 2004
Slashdot | Data Miners Moving to Offshore Data Havens:
"Posted by michael on Saturday October 16, @06:03PM
from the data-arbitrage dept.
schwit1 writes 'Washington Post has an article about former TIA personnel moving their data mining operations offshore (Bahamas) to escape U.S. privacy rules, and to make a buck. I'm waiting for somebody to publish the private data (financial, medical, legal) of federal officials and their families on an open internet web server out of the Bahamas. Is this what it will take for the US to enact stringent privacy rules?' "
The discussion is interesting, as is the article it is based upon, but the participants have varying levels of understanding of privacy law.
Google has launched its desktop search product, which appears to be quite popular. After all, who wouldn't want to be able to search all the junk on their computer as easily as they can search the internet? As long as the product doesn't send any information back to Google (a la spyware), what are the privacy issues? Well, there are a few, particularly if you share your computer or your computer is not adequately secured on a network. Danny Sullivan, of Search Engine Watch, has a good article on things to think about when using a desktop search tool.
A Closer Look At Privacy & Desktop Search:
"The anticipated popularity of Google's new desktop search tool means that soon it will be commonplace for everyone to search their computers as easily, comprehensively and quickly as they search the web. After all, several of Google's competitors already are working on desktop search offerings of their own. So even if you don't use Google's tool, chances are, you'll use someone else's.
In short, a new era of search is being ushered in. With it comes some new issues about search privacy. We've already seen how people are sometimes shocked to discover that personal information about themselves is out on the web and made easily accessible through search. Our Search Engines & Legal Issues page recounts many such examples.
The same issues apply in general to desktop search. Search tools, like the new one from Google, will make it much easier to find and locate information on a particular computer. That shouldn't be a privacy issue, as long as ordinary security procedures are followed. Unfortunately, they often aren't."
KVBC of Las Vegas is reporting on an incident in which confidential counselling records were apparently removed from a counselling centre and left in a dumpster for anyone to find:
Confidential Medical Records Found In Dumpster Behind Building:
"Suspected burglary at the Community Counseling Center leaves boxes of confidential files exposed. News 3 Investigator Darcy Spears tells us about the unlikely place the files were found. Counseling center staff were shocked when we showed them dozens upon dozens of private files in a wide open dumpster behind their building. They recovered everything, then called police to find out who would want to hurt those in the business of helping.
On the inside, the signs of respecting privacy and confidentiality are everywhere. But just outside the Community Counseling Center near Sahara and Maryland Parkway, we discovered a serious violation of that privacy. 'Social Security number, telephone number, address, psychological testing results.'"
Thursday, October 14, 2004
Yahoo News is carrying a story on the use of wireless technology in the retail environment, Yahoo! News - 7-Eleven Adopting Wireless Technology. The focus is on 7-11 and slurpee inventory management, but there is a very interesting quote in the middle of the article:
"'Retailers are trying to get back to where they were in 1905,' said Cathy Hotka, a retail consultant in Arlington, Va. 'Back then they knew you, knew your credit, knew what you wanted to buy and how to stock it.' "
It is an interesting observation and I have little doubt that it is true. But today, I am not sure that this 1905 paradigm is what the shopper is looking for. Back then the relationship went both ways. Your local general store knew about your business, but the consumer knew the owner of the general store and most of its activities were out in the open. He wouldn't dare do anything nefarious with the customer's information because the customer would simply walk. It's a matter of trust. I think some retailers can get back to "where they were in 1905", but they have to do it with transparency and earned trust.
Wednesday, October 13, 2004
The United States Food and Drug Administration has approved a new technology that involves implanting a tiny chip into the forearm that contains a unique serial number that is linked to a database containing an individual's medical records. The device is not yet listed on the FDA's website's Medical Devices Approval list, but there are reams of coverage linked from Google News.
See, for example, the following article from ZDNet:
FDA approves injecting ID chips in patients | Tech News on ZDNet:
"The U.S. Food and Drug Administration has approved the practice of injecting humans with tracking devices for medical purposes, according to a Florida company that makes the devices.
Applied Digital, maker of the implantable VeriChip for humans, announced Wednesday the FDA's approval of its technology for use in hospitals following a yearlong review by the agency.
The computer chips, which are about the size of a grain of rice, are designed to be injected into the fatty tissue of the arm. Using a special scanner, doctors and other hospital staff can fetch information from the chips, such as the patient's identity, their blood type and the details of their condition, in order to speed treatment.
Medical data is not stored on the devices, also known as radio frequency identification chips. Rather, it's stored in a database that links the chips' unique serial numbers with patient data. In its review, the FDA carefully studied the privacy issues around the technology, specifically the risk that medical records could be improperly disclosed, according to Applied Digital... "
Tuesday, October 12, 2004
National Privacy Services has launched a monthly privacy newsletter to keep clients and others updated on privacy issues. It is designed to be a practical resource for businesses. You can subscribe by clicking the link on NPSi's website (http://www.privlaw.com).
The first edition of Privacy News contains the following article that I wrote:
Privacy Note: Privacy Risks of Electronic Communication
The same communication technologies that have revolutionized our workplaces, made workers more efficient and have freed us from our desks also pose particular privacy risks that need to be carefully considered to minimize the risk of accidental disclosure of personal information.
Virtually every privacy code and statute requires that custodians protect personal information against accidental disclosure. This obligation exists at every stage: from collection through storage to ultimate disposal. Virtually every means of communication comes with the risk that the information transmitted may be intercepted or misaddressed.
This risk is significantly heightened, however, with more recent and modern means of telecommunications. Letters can always be misaddressed, but the risk is relatively low if envelopes are individually hand-addressed, one at a time. Faxes and electronic mail take that risk to a whole new level. If a conventional phone number is misdialed, this fact immediately comes to the attention of the calling party. The call can be quickly and politely ended before any information is disclosed. A misdialed fax, on the other hand, will often be completely undetected to the sending party, particularly if another fax machine is reached at the other end of the line, producing a transmission report that simply states the fax was successfully sent. Electronic mail has very similar issues, as anybody who has accidentally clicked on "reply to all" can easily attest. In addition, auto complete features of some email systems may mean that a message may be sent to the first person matching a particular name in your address book, even if they were not the intended recipient. For example, an email meant for Sue Smith may be sent to Ann Smith if the sender is not paying sufficient attention. In addition, electronic mail messages are less secure than postcards because they routinely pass through the computer systems of complete strangers on their way to the final destination. An email message between neighbours using different internet service providers may actually leave the country before finally being routed to the proper inbox.
Health care organizations have always needed to be concerned about this in light of their ethical and professional obligations of confidentiality. New privacy laws, however, bring this issue to the fore once again. Most private sector health care providers now have a legal obligation to protect that information against disclosure and a person whose information is disclosed may be able to seek damages for the leak. In addition, some privacy laws require the custodian of that information to let the individual know that their information was accidentally disclosed. A recent example from the American media involved a hospital that accidentally sent patient records by fax to the newsroom of the local newspaper. Under Canadian laws, that media outlet is unrestricted in what it can do with that information once it has it in its custody. The hospital will consider itself lucky if a report describing its mistake only ends up on the front page of the paper.
A recent finding from the Office of the Federal Privacy Commissioner admonished an employer for allowing medical information about employees to be received at a central fax machine in their HR department. Incoming and outgoing faxes must be additionally secured, particularly when they send or receive sensitive personal information.
So what is an organization to do to secure the transmission of personal information against accidental disclosure? The following checklist provides some guidance:
- Consent to communicate by email should be obtained from the individuals in question, because email communications might be received by unintended parties. Workplace email systems may be routinely monitored by the employer and some people may give others access to their email box, for example to a secretary or a colleague if the individual is on vacation. Home email addresses may be used by a number of members of the same household, posing the risk that a sensitive message may be received by a number of members of that household.
- Email communications should be encrypted wherever possible.
- The "auto complete" feature of email systems should be disabled, requiring the full name of an individual recipient before a message is sent.
- Regularly called fax numbers should be programmed into the auto dial feature of fax machines. In the health care setting, separate fax machines should be used: one for patient information and a second for other communications. Only vetted health care providers should be entered on the speed-dial feature of the patient information fax machine.
- Clear consent from patients or customers should be obtained before email or fax is used to communicate sensitive personal information.
- Facsimile cover pages should suggest that any unintended recipients contact the sender as soon as possible so that any harm done from the accidental disclosure can be mitigated as much as possible.
For more information on how to secure your organization, and your communications, against accidental disclosures of personal information, please contact National Privacy Services at 1-877-PRIVLAW.
MSNBC has an interesting article on corporate identity theft ... where a fraudster steals the identity of an existing company and establishes credit facilities in the company's name: MSNBC - Fake companies, real money.
DMNews (Direct Marketing News) has an interesting article, commenting on the Albertson's pharmacy litigation begun by the Privacy Rights Clearinghouse (see Lawsuit: Privacy advocacy group sues drug store chain over alleged privacy concerns). The article, written by Alan Chapell, has some good insights on the importance of privacy in customer relations:
Albertson’s Case Shows Hazards of Privacy Waters:
"Scenario 1: Completely innocent. Let’s assume for the sake of argument that every allegation Privacy Rights Clearinghouse made is false, and that Albertson’s will be vindicated. Unfortunately, by the time the truth comes out, Albertson’s will have spent a boatload of money in legal fees.
Moreover, guilty or not, its brand image will have taken a large hit. Allegations are usually printed on the front page, while retractions are often buried in the classifieds next to the tag sale ads. And in an environment where all pharmacies are created more or less equal, any negative press is likely to send some of its customers across the street.
Scenario 2: Enron part deux. Now let’s take the worst-case scenario. Let’s say it’s proven that Albertson’s took confidential customer prescription information, placed it into a database and then sold that data to pharmaceutical companies.
Then let’s say that the drug companies use that data to send mailings and place telephone calls to consumers reminding them to renew their prescriptions. And let’s say that these practices are found in court to be in violation of the law. The fallout of fines, legal bills, bad press and customer loss could be nothing short of devastating to the company.
Scenario 3: Middle of the road. Now let’s assume that the facts are somewhere in the middle. Maybe Albertson’s did send prescription reminders, and perhaps those reminders were financed by drug companies. Is that the same thing as selling consumer prescription data to the drug companies?
My point is that there’s a very subtle distinction between selling customer data to a third party and having that third party finance marketing campaigns to your customer lists. I’m not sure how Albertson’s alleged prescription plan differs from a traditional list rental situation. And even if Albertson’s is on the right side of the law, it will be in the unenviable position of defending its legal position at the expense of customer good will.
Consumers are not necessarily interested in subtle legal arguments if they feel that they’ve been misled or otherwise mistreated..."
Monday, October 11, 2004
The New York Times is reporting that, among the many reforms following the 9-11 Commission Report, Congress is on the verge of establishing national rules for drivers' licenses in the US. The Department of Homeland Security will set out what documentation is required to obtain a license and will require that all state databases be connected. In addition, states will be required to issue ID on the same basis to non-drivers to be provided as identification for boarding planes and trains.
Privacy and civil liberties activists are concerned this is another step toward the establishment of a national identification system: The New York Times > Washington > Congress Close to Establishing Rules for Driver's Licenses
Articles about consumer privacy are appearing in the traditional Canadian media, spurred it seems by recent debate over the potential impact of the USA Patriot Act on Canadian privacy. The Toronto Star has an article in today's edition that discusses two consumer privacy issues: (a) what companies do Canadians and Americans trust with their personal information and (b) what impact could the USA Patriot Act have on our privacy.
The article is a good survey of consumer privacy concerns and also brings to light some instances of reams of Canadian data being processed by American companies.
TheStar.com - Who's trustworthy? Canadians, Americans disagree:
"Prospect of U.S. Patriot Act-snooping bothers Canadians
...That means some Canadian consumer information — everything from bank and insurance records to medical data — could be under surveillance by U.S. authorities without our knowledge.
"I think it's a real issue," says Ponemon. "If a company that's in the U.S. has your e-mail and you happen to be a Canadian citizen, by default the e-mail may be viewed and selected for deeper analysis and investigation by U.S. law enforcement."
Think it's a stretch?
Consider that Rogers Cable has a close partnership with U.S. Internet giant Yahoo Inc., which now manages all e-mail for Rogers' high-speed Internet customers. Consider that Bell Canada has a similar relationship with Microsoft's MSN portal.
...Outsourcing is the culprit. Both the CIBC and Royal Bank of Canada have their credit card operations managed by Total Systems Services Inc., which is based out of Georgia and is under the jurisdiction of the Patriot Act.
Consider that Royal Bank was ranked third in Ponemon's survey [of most trusted companies].
If the issue of outsourcing brews into an even larger privacy concern for Canadians, it's conceivable that Royal could fall off the list while those banks that don't outsource to the United States rise to the top.
The implications of data outsourcing aren't something to ignore. All companies need to consider them if they wish to remain trustworthy in the eyes of Canadian consumers."
Sunday, October 10, 2004
Privacy issues are everywhere and most industries are having to readjust their practices to accommodate legislative requirements. Collegiate athletics are not immune, according to an article in the Lexington [Kentucky] Herald-Leader. The article discusses the balance between athletes' privacy and the insatiable desire of fans to know about their favourite teams and players. Privacy laws also affect the ability of all members of the coaching and training team to know about the physical state of their athletes:
Lexington Herald-Leader | 10/10/2004 | privacy vs. publicity:
"When forward Sheray Thomas underwent surgery last week, Kentucky intended to say nothing about the procedure. Anyone mildly interested in big-time athletics knows that such silence is anything but golden. Like air rushing into a vacuum, wild-eyed rumor fills the void.
Then someone leaked the surgery story, which led [University of Kansas] and the media to wrestle with an ongoing problem in athletics: how to satisfy an athlete's request for privacy while meeting a fan base's insatiable hunger for information while complying with the federal government's stricter rules on the release of medical records."
In a finding released by the Office of the Privacy Commissioner, the Assistant Commissioner concluded that an ISP was not compliant with PIPEDA by installing video cameras in the workplace for the purposes of security and monitoring productivity of unsupervised employees:
Commissioner's Findings - PIPED Act Case Summary #279: Surveillance of employees at work - July 26, 2004:
"A former employee of an internet service provider believed that the company was acting contrary to the Personal Information Protection and Electronic Documents Act (the Act ) when it installed web cameras to monitor the performance of employees."
In short, the Assistant Commissioner concluded that the cameras were too intrusive and the issues could be addressed by other means, even if those means were substantially more expensive (hiring supervisory staff to be at the site in the evenings and on weekends):
The Assistant Commissioner commented that the underlying purpose for the cameras really appeared to be one of deterrence – deterrence of theft, harassment, malingering, criticism, or other behaviour an employer may not like. She noted that privacy-intrusive measures can always fulfil such objectives at minimal financial cost. The Act, however, demands that the cost to human dignity form part of the equation. Continuous, indiscriminate surveillance of employees, she noted, was based on a lack of trust and treats all individuals with suspicion when the underlying problems may rest with a few individuals or with a management plan that may not be entirely sound. The effect, she commented, of such omnipresent observation was stifling. While it may prevent undesirable behaviour, it also forces the employee to call into question every potential action, every potential comment no matter how benign. The goal of ensuring adherence to the company's vision comes at too high a price to our individual autonomy and freedom.
Saturday, October 09, 2004
Expect a new round of concern about US Government access to Canadians' personal information after the announcement that Lockheed Martin has been awarded a contract to assist Statistics Canada with the 2006 census.
Yahoo! News - Subsidiary of US weapons manufacturer will help conduct Canada's 2006 census:
"Critics fear some census information could leak out and make its way into the hands of the U.S. government.
They point to the U.S. Patriot Act, which was enacted following the terrorist attacks of 2001. It allows the FBI and other U.S. authorities access to information held by private American companies. There are concerns that power might extend to companies in Canada and other countries with headquarters in the United States.
'It's our understanding that it makes Canadian information vulnerable,' said Masse, who is the NDP's industry critic.
Statistics Canada says security concerns about the census are not valid.
'No private sector contractor will have access to completed census questionnaires,' said Arora.
That information, Arora added, will only be available to Statistics Canada employees who have signed confidentiality agreements. "
"Spamking" Sanford Wallace is in the FTC's crosshairs again ... this time for allegedly infecting unsuspecting computer users with spyware only to sell a spyware removal program:
USATODAY.com - FTC files case against spyware companies:
"The commission accused the companies of infecting computers with unsolicited software, showering computer screens with pop-up ads and then trying to get consumers to pay $30 to fix it. It is seeking an injunction to get the companies, owned by the same person, to stop, and to offer restitution to consumers..."
The FTC will hold a press conference on Tuesday, October 14, to announce law enforcement actions against spyware.
You can get by with bad information management practices for a little while and stay under the radar, but if you dispose of information inappropriately, there is a very high likelihood that it will become public knowledge in a high-profile way. A Dutch prosecutor is reported to have disposed of his personal PC that contained loads of his own personal information and detailed information about crimes he was prosecuting. Check out The Register's article on this incident:
Prosecutor leaves crime files on dumped PC | The Register:
"Dutch public prosecutor Joost Tonino was condemned yesterday for putting his old PC out with the trash. It contained sensitive information about criminal investigations in Amsterdam, and also his email address, credit card number, social security number and personal tax files. Tonino dumped the computer, which he hadn't used for two years, because he thought it contained a virus. The operating system wouldn't start.
A taxi driver found the PC on the street just outside Tonino's home, got it working again and informed a crime reporter, who yesterday revealed on television what was on the hard disk. Based on information left on the PC, the reporter also managed to gain access to Tonino's email account..."
Among the many morals of this story is that employers need to be careful about what work-related information their employees have on their home computers, how it is secured and how it is disposed of. A company that is vigilant about its own workstations and disposal of surplus hardware may not be aware of the Achilles heel caused by keen employees who bring work home but don't have a clue about security and privacy. This incident happened because he put the PC on the curb with the trash, but a huge amount of harm could have happened if he simply had an insecure high-speed connection that allowed hackers onto his system without him being aware of it. The article says that criminals would have paid a fortune for the information, so he should really count himself lucky.
The President of the Treasury Board has re-introduced legislation in parliament to protect public sector whistleblowers. Among the laws amended by Bill C-7 are the Privacy Act, the Access to Information Act and the Personal Information Protection and Electronic Documents Act. See the extract from the press release:
"The new proposed legislation puts forward amendments to the Privacy Act, the Access to Information Act and the Personal Information Protection and Electronic Documents Act to strengthen the protection of the identity of parties in a disclosure made within organizations. Previously, only the proposed Integrity Commissioner would have been able to provide this level of confidentiality."
The BCGEU (who started all the fuss about privacy and outsourcing in BC in the first place) has issued a release saying that the amendments to the Freedom of Information and Protection of Privacy Act (BC) do not go far enough to protect the privacy of British Columbians:
"The B.C. Government and Service Employees' Union (BCGEU) is rejecting the government's claim that amendments to B.C. privacy laws will be sufficient protection for British Columbians if their medical and financial records and other personal information are handed over to U.S.-linked companies.
'The Campbell Liberals can try to build a fortress around our personal data but once it outsources information technology (IT) services to American-linked companies, the FBI can use the USA Patriot Act to knock down any legal, constitutional or electronic walls to get British Columbians' personal information,' said Diane Wood, BCGEU Secretary-Treasurer..."
See, also, my blog entry on the amendments: BC amends public sector privacy law to block access to information if services are outsourced.
UPDATE: The Canadian Union of Public Employees, a federal public sector union, has also come out against the proposed amendments:
B.C. Liberals using FOI amendments to mask privatization agenda, says CUPE Bill 73 pre-empts Privacy Commissioner's report on effects of USA Patriot Act:
"BURNABY, BC, Oct. 8 /CNW/ - Amendments to the Freedom of Information and Protection of Privacy (FOIPP) Act are mere window dressing for the provincial government's privatization agenda and do nothing to alleviate British Columbians' concerns about the all-powerful USA Patriot Act, says CUPE BC president Barry O'Neill.
Bill 73, tabled in the legislature yesterday by Management Services Minister Joyce Murray, includes restrictions on public bodies and service providers storing, accessing or disclosing personal information outside Canada.
But amendments to Canadian law cannot protect the privacy of Canadians when U.S. companies are in possession of Canadians' personal information, says O'Neill...."
Friday, October 08, 2004
Parry Aftab's regular column in Information Week is about HIPAA and marketing ... definitely worth reading:
"HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law that sets standards for health-information privacy and security and for the electronic exchange of health information. Physicians and pharmacies, as well as other health-care providers and facilities, all must follow the law to protect prescription information and medical treatments as private patient health information.
But HIPAA is one of the most confusing of all privacy laws and, when marketing issues are involved, one of the most controversial and complicated. HIPAA rules have been amended several times over the course of its development and each amendment has created new controversies. Hundreds of pages of commentary resulted in thousands of pages of comments and concerns from advocacy groups, as well as security, health care, and privacy professionals. These concerns were addressed in some respects when the final HIPAA Privacy Rule became effective in April 2003.... "
The Fort Saskatchewan Record reports that municipalities are seeking the CRTC's OK to have access to the full "911" database, including unlisted numbers, for coordinating emergency community notifications. The application is hitting privacy hurdles:
"A municipal application to gain access to the 911 database for an emergency response reason is gaining national backing despite potential privacy issues, says a city official.
The city and Strathcona County submitted an application this summer to the nation's regulators of telecommunications, hoping to gain access to a system that constantly keeps track of active telephone numbers.
The application is under review by the Canadian Radio-Television and Telecommunications Commission, who have to consider a number of issues before approving the request.
"It's a privacy issue," says Worman, noting the Privacy Commissioner of Alberta has signed on.
Access to the database would allow cities to have every regional phone number, including unlisted ones, stored in their community notification systems, which is an emergency response mechanism that warns residents when disaster situations are at hand..."
Protection of personal information
30 A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.
Storage and access must be in Canada
30.1 A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:
(a) if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;
(b) if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act.
Obligation to report foreign demand for disclosure
30.2 (1) In this section:
"foreign demand for disclosure" means a subpoena, warrant, order, demand or request that is
(a) from a foreign court, an agency of a foreign state or another authority outside Canada, and
(b) for the unauthorized disclosure of personal information to which this Act applies;
"unauthorized disclosure of personal information" means disclosure of, production of or the provision of access to personal information to which this Act applies, if that disclosure, production or access is not authorized by this Act.
(2) If a public body, an employee of a public body or an employee or associate of a service provider
(a) receives a foreign demand for disclosure,
(b) receives a request to disclose, produce or provide access to personal information to which this Act applies, if the public body, employee or other person receiving the request
(i) knows that the request is for the purpose of responding to a foreign demand for disclosure, or
(ii) has reason to suspect that it is for such a purpose, or
(c) has reason to suspect that unauthorized disclosure of personal information has occurred in response to a foreign demand for disclosure,
the head of the public body, the employee or other person must immediately notify the minister responsible for this Act.
(3) The notice under subsection (2) must include, as known or suspected,
(a) the nature of the foreign demand for disclosure,
(b) who made the foreign demand for disclosure,
(c) when the foreign demand for disclosure was received, and
(d) what information was sought by or disclosed in response to the foreign demand for disclosure.
The Canadian Press has an article on these amendments, as well:
"VICTORIA (CP) -- The B.C. government introduced amendments to its privacy legislation Thursday designed to allay fears U.S. authorities could get their hands on provincial residents' private records.
Management Services Minister Joyce Murray introduced changes to the Freedom of Information and Protection of Privacy Act that, among other things, restricts storage and access of information outside Canada and threatens heavy fines on those who improperly disclose it.
'Our government takes the issue of privacy protection very seriously and has always been a national leader in privacy protection,' Murray said in a news release.
'British Columbians can be assured that no sensitive personal information will be sent to the U.S. on either a temporary or permanent basis.'"
"On Wednesday, a Florida appeals court ruled that surprise visits paid to the conservative radio host's doctors, during which Limbaugh's medical records were snatched by prosecutors, did not violate Limbaugh's right to privacy.
The records were seized last November as part of an investigation into Limbaugh's alleged illegal painkiller use.
Prosecutors were trying to ascertain whether Limbaugh had been 'doctor shopping,' i.e., raking in duplicate prescriptions from a roster of unsuspecting medical types. They went after his records after learning that he had obtained about 2,000 painkillers, prescribed by four different doctors in a six-month time period. "
The US House of Representatives passed HR2929, the SPYACT, that, if passed by the Senate and not vetoed, will regulate the collection of personal information by "spyware", among other things. The status of HR2929 is available from the Library of Congress and Wired News has an article on the Bill:
"It aims to prevent spyware purveyors from hijacking a homepage or tracking users' keystrokes. It also requires that spyware programs be easily identifiable and removable and allows for the collection of personal information only after express consent from users. The bill exponentially increases fines against abusers as well.
The bill also includes exemptions for spyware-like programs used for network security or to prevent fraud, and clarifies that 'notice and consent' forms need only occur once in order to avoid endless pop-ups...."
I expect that this bill will not be the final word on the subject, as there are a number of spyware-related bills before either the House or the Senate:
Thursday, October 07, 2004
The state of Virginia, stinging from the fact that nine of nineteen September 11 hijackers used the state's licenses as ID, is considering embedding RFID technology in their new driver's licenses. See the Wired article, which discusses the privacy issues raised by the scheme:
"Some federal and state government officials want to make state driver's licenses harder to counterfeit or steal, by adding computer chips that emit a radio signal bearing a license holder's unique, personal information.
In Virginia, where several of the 9/11 hijackers obtained driver's licenses, state legislators Wednesday will hear testimony about how radio frequency identification, or RFID, tags may prevent identity fraud and help thwart terrorists using falsified documents to move about the country.
Privacy advocates will argue that the radio tags will also make it easy for the government to spy on its citizens and exacerbate identity theft, one of the problems the technology is meant to relieve...."
Information Technology is improving the way Canadians get medical care:
"...'I actually think that Ontario is one of the furthest behind provinces in terms of the electronic health record,' says Closson. 'But the priorities are in place and things are starting to move. Ontario was one of the last provinces to develop its own privacy legislation and I think that has held us back.'
That legislation, the Health Information Protection Act, comes into effect on Nov. 1, 2004. It doesn't address specific technologies, but it does lay out the principles to which every technology must adhere. For example, it requires consent (implied or direct) from the patient for every person who sees the information. And it says that every patient has a right to access his or her own health information.
The office of the information and privacy commissioner of Ontario will be able to investigate complaints related to health information. Ken Anderson, assistant commissioner for privacy, says the office isn't opposed to new technologies, including the electronic health record. He points out that paper charts aren't always kept away from sight, and it's hard to know who has looked at them. So in many ways, digitizing records in secure networks will make them more private...."
If you find it interesting, print it out since Canada.Com expires its content very quickly.
The HIPAABlog recently linked to a great resource for HIPAA information:
HIPAA Blog: "A Fabulous Resource: Sorry for the light blogging of late, but I've had paying clients to take care of. But I do have a great tip for you: the American Health Information Management Association's website is a fabulous resource for all things HIPAA: forms, articles, policies and procedures, etc. Click on 'body of knowledge' in the upper right corner of the main page, and you can browse hundreds of articles and forms useful for just about any HIPAA circumstance. Check out their security 'toolbox' articles under the 'professional tools' link on the left."
Wednesday, October 06, 2004
I was invited to give a presentation today on the effect of privacy laws on the call centre industry to ContactNB, the industry association for New Brunswick. The presentation is available here: Contact NB: Privacy and The Customer Care Sector
Tuesday, October 05, 2004
David Canton of the London Free Press highlights the Canadian advantage for the outsourcing of services. He suggests, and I agree, that Canada's privacy laws are a competitive advantage:
"...Canada has a culture that respects confidentiality and privacy and abides by contractual requirements.
Canada's privacy legislation is among the best in the world. Some countries where offshore work is sent have no privacy legislation whatsoever. Indeed, Canadian privacy legislation is more wide-ranging than that in the U.S., where privacy legislation only affects specific industry sectors.
Canadian companies can use these advantages to market their services to U.S. firms wanting to outsource. This will be most effective for sensitive tasks where the outsourcer's intellectual property will be exposed or where the Canadian company will be privy to personal information about the outsourcer's customers.
That could arise, for example, in a task requiring the Canadian company to have copies of the outsourcer's software source code, or in a call centre situation where the Canadian company is in contact with customers of the U.S. firm.
Canadian companies should adopt privacy policies that comply with federal privacy legislation (PIPEDA) or relevant provincial legislation. Their standard contracts should make it clear they will respect the privacy of personal information of outsourcer's customers -- for example, that they will not use it for any purposes other than as instructed by the outsourcer and will not disclose it to third parties. "
Within Canada, the Atlantic region has all this and more.
An anti-voyeur vigilante took the law -- and a peeping tom -- into her own hands this week in Calgary when she caught a man videotaping up her skirt at a local mall. The privacy law angle is at the end of the article:
"CALGARY -- A 26-year-old shopper was shocked to find a man secretly filming under her skirt but managed to grab him by the lapels and yell for help. Dorianne Bamber said she was shopping at the North Hill Centre on Tuesday and had stopped to look at Halloween costumes when a man came up and stood behind her.
There are no laws governing the misuse of hidden cameras, although a federal bill that would create a new crime of voyeurism to combat electronic-age peeping Toms has passed first reading in Parliament.
Stephen Jenuth of the Alberta Civil Liberties and Privacy Association, said the penalty for mischief ranges from a fine to six months in jail, although such a severe sentence is unlikely.
Bamber said she's speaking out because she wants other women to be aware this can happen to them."
Continuing the trend (are two articles a trend?) of articles reflecting on HIPAA's first year, the Times Reporter of Ohio has a column/comment on HIPAA and its effects.
HIPAA headache: Law protects confidentiality, but limits access
By RYAN KARP, T-R Staff Writer
It’s been more than a year since the Health Insurance Portability and Accountability Act has gone into effect and area medical service providers have felt the effects of it in different ways.
Possibly as a result of hundreds, maybe thousands, of hours of behind the scenes work in preparing for HIPAA, patients seem to appreciate the new privacy laws, said Carey Gardner, community relations director at Union Hospital in Dover.
For Smith Ambulance, which services Tuscarawas County, all the extra paperwork HIPAA has created is a real pain. But Bob Smith, owner and president of the ambulance service, said most people seem to be in favor of stricter confidentiality.
One of the biggest challenges the hospital faced was a new feature HIPAA offered: giving patients the choice to opt out of the hospital directory.
If a patient chooses to opt out of the directory, employees are not permitted to release any information about that patient, not even to family members.
“Their right to privacy trumps everybody,” said Gardner.
However, he said about 95 percent of patients do opt to be in the directory.
The law says they must give each patient a form detailing their HIPAA rights, although Sholtz wondered if many people outside the medical community actually know what HIPAA is.
“They don’t have a clue,” said Sholtz. “I bet nobody reads it,” Sholtz said, adding he tries to break the law down in simpler terms to people.
HIPAA is so far reaching that Thorn said maybe it created some safeguards that aren’t necessary.
For example, parents of a college student who is under a doctor’s care at an out-of-area school are not necessarily entitled to freely discuss the student’s injuries or illness with the doctor without the consent of the student despite the fact that they’re paying the bills...."
National Privacy Services Inc. is on the brink of launching its Privacy Newsletter. The Newsletter will contain timely and practical articles about privacy and compliance challenges. The first edition will include an article on privacy protection when using electronic communications, including e-mail and faxes. Also, the Newsletter will have summaries of privacy stories and announcements related to NPSi's privacy training, including training for the Personal Health Information Protection Act (Ontario). To subscribe, go to the Newsletter Sign Up Form
The US GAO has produced a report on the first year of the HIPAA privacy rule. Over at HIPAA Blog, Jeffrey Drummond has posted his own snapshot for this first anniversary:
"Of course, Privacy 'went live' way back in April 2003. How have things gone for providers, plans and clearinghouses? For the most part, according to the GAO (Government Accountability Office, not, as I always thought, General Accounting Office), fairly smoothly. There is some confusion and challenges abound (accounting for disclosures and business associate issues are highlighted), and the general public is ill-informed of the requirements and benefits, and governmental organizations face some specific problems. Anecdotal evidence shows some over-implementation of the rules resulting in family members being excluded from access to information on loved ones, and research organizations have their own troubles as well. But overall, the implementation of HIPAA has gone fairly well.
Personally, I think this is because the medical community has always been quite good at keeping private what is supposed to stay private. HIPAA was, in large part, drafted to fix a problem that existed primarily in the minds of the paranoid and over-reactionary. Were evil drug companies and marketing firms using personal medical information for nefarious (or at least profit-driven) purposes? Sure, it happened occasionally. But the vast, vast majority (well over the Ivory Soap threshold of 99.44%) of individuals and entities that had access to personal medical information maintained the privacy and confidentiality of that information at least as well as HIPAA now mandates. It's easy to fix a problem if it doesn't really exist in the first place."
Sunday, October 03, 2004
I blogged a little while ago about a lawsuit that has been brought against a drug store chain in California for allegedly violating California and US health privacy laws by engaging in prohibited marketing activities on behalf of drug companies (see Lawsuit: Privacy advocacy group sues drug store chain over alleged privacy concerns). In the last two days, Parry Aftab has written her reflections on the suit and the issues it raises. Check out The Albertson's healthcare privacy issues: how much do you really care? and HIPAA: Healthcare privacy and marketing.
"While many consumer and privacy advocacy groups have been vocal, the consumer pick-up has been minimal. How do you feel about your pharmacist or physician being paid to have others send your marketing messages or drug promotions? Does it make any difference if they can do it under your pharmacist's or physician's name? Are you worried that your pharmacy might be sending your alternative drug therapy recommendations without informing your physician? Or does the convenience of learning about alternative therapies or being reminded to renew your prescriptions outweigh your concerns?"
Saturday, October 02, 2004
Delaware Online has an article referring to a recent conference on RFID technology and includes a brief discussion of the privacy issues raised by the use of the chips:
"The potential for tracking more than just products has prompted the formation of groups such as Consumers Against Supermarket Privacy Invasion and Numbering.
RFID devices can be read from 20 to 30 feet away and the antennas, first made from copper, can now be printed with conductive ink, making it difficult for consumers to know if products they buy contain RFID transmitters, the group argues. The group has proposed legislation that would require the complete disclosure of products containing RFID devices.
While some have concerns about the tags being used to track more than just products, Ed Coyle, head of the Department of Defense's Logistics Automatic Information Technology office, said at the conference that the key to security, or privacy concerns, is limiting the amount of information on the tags, which also makes the system speedier."
I am not sure I agree with this last sentiment. The privacy impact of the technology has very little to do with the amount of information embedded in the chip. What matters is the database that the unique identifier is connected with. After all, your social insurance number is only nine digits long but has the potential to be a universal tracking code. The VIN on your car is longer, but is connected with your driver's license, which is connected to you.
The following scenario demonstrates the potential of these simple codes: If you buy a pair of shoes with RFID embedded in them at your local mega store, ostensibly for inventory tracking purposes, it will have a unique serial number. At the point of purchase, that unique number can be attached to your Visa card number or your debit card in the back office database. The database can connect that to your address, etc. If the RFID in the shoes is linked to your personal unique identifier, anybody who scans the code from the shoes can connect it with you. And it can be scanned from twenty feet away. If your local mega store puts scanners at the entrances, it will know, for example, if you visited the store again wearing those shoes. It can follow you around the store and know more about your behaviour in the store than you'd probably like. This micro tracking has the potential to be taken to the macro level if scanners, linked to databases, become pervasive.
More information on the privacy impact of RFID is available from Consumers Against Supermarket Privacy Invasion and Numbering at http://www.spychips.com/ (bonus points if you can figure out what side of the issue they espouse).
Friday, October 01, 2004
Other than privacy (which is overwhelmingly the majority of my practice), I'm also an IT/technology lawyer. Before PIPEDA and the emergence of privacy as a legal discipline, IT took up all of my practice. In light of this, I was kindly invited by the Project Management Institute to give a presentation of the legal perspective of IT project management, which I did today.
I have seen far too many technology projects go completely sideways because there was no legal input in advance or because the contract was drafted by a software engineer and "legal" is called in after the development is complete to review the poorly drafted (or completely inappropriate) agreement the day before they plan to sign it. Aargh. An ounce of prevention is worth a pound of cure.
The presentation is available here, for anyone who may be interested: IT Project Management: The Legal Perspective.
More USA Patriot Act shenanigans for Canadians, this time in the form of a warning inserted in the bills of Canadian Visa customers, reports the Toronto Star:
"A small sheet of paper slipped in with the bills of millions of Canadian Visa cardholders has sparked an investigation by Canada's Privacy Commissioner and calls for the federal government to stand up for the privacy rights of its citizens.
Canadian Imperial Bank of Commerce Visa customers were sent an amendment to their cardholder agreement this month warning their financial information could be disclosed in accordance with U.S. laws.
NDP MP Brian Masse criticized the Canadian government yesterday for not challenging controversial American legislation, such as the U.S. Patriot Act, which was passed in the wake of 9/11. Canada's complacency, he said, could now lead to privacy violations... "
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.