The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Tuesday, November 30, 2004
I was contacted by the Canadian Broadcasting Corporation yesterday to comment on a new inititiave to speed cross-border travel between the US and Canada for "low risk" travellers. New technologies allow pre-screened passengers to skip through customs and immigrations after confirming their identity with an iris scan:
Eye scans at airport for U.S.-bound travellers:
"...The iris scans are voluntary, and no one is compelled to go through a process that critics say is invasive.
But Halifax privacy lawyer David Fraser says increasingly, people are deciding it's worth it.
'Survey after survey says that people are concerned about their privacy, but they really don't put their money where their mouth is,' he says.
'It's easy to tell a pollster that, but when it comes to trading privacy for convenience, people often chose convenience.' ..."
Derren Bibby, at CRM Buyer, has written a very good article on implementing retail RFID in a privacy friendly way. In short, retailers must be transparent about what they are doing and must disable the chips at the door:
INDUSTRY INSIDER: Squaring the Circle with RFID and Privacy
With RFID, while the customer will benefit from a long list of store efficiency improvements, there will be some who will feel uncomfortable with the prospect of a retailer gaining the ability to peer into their shopping baskets to discover exactly what they are carrying.
Sunday, November 28, 2004
Commissioner's Findings - Privacy Commissioner of Canada
The following are new noteworthy settled in the course of the investigation and early resolution case summaries
- PIPEDA Case summary #295: Access request ignored, but no personal information existed
- PIPEDA Case summary #293: Collection agency corrects inaccurate information
- PIPEDA Case summary #292: Windows reveal too much information
- PIPEDA Case summary #291: Company takes steps to become compliant with the Act
- PIPEDA Case summary #290: Company eliminates excessive information from database
- PIPEDA Case summary #289: Trucking company prepares privacy policies and procedures and designates a privacy officer subsequent to settling complaint from former employee
- PIPEDA Case summary #288: Credit check to open a personal deposit account
- PIPEDA Case summary #287: Company amends employee list it sends to union
- PIPEDA Case summary #286: Concerns result in improved language of consent
- PIPEDA Case summary #285: Pharmacy simplifies its consent policy and procedures
- PIPEDA Case summary #284: Store implements changes following laptop lapse
The Columbia Tribune is reporting a doctor's allegations that, after he left his hospital practice, his former employer passed his patient list to an external company to market services to them:
Doctor hears from patients who say university broke law :
"...That's why he decided to leave to start a private practice. King thought he was leaving on good terms with no hard feelings. Then he started hearing from his patients.
King was shocked when he found out what had happened. His former boss, Kevin Dellsperger, chairman of internal medicine, had given a list of about 800 of King's former patients, along with their phone numbers, to a home-health-care provider from Cape Girardeau. A woman from the company had been calling the patients, King says, trying to sell home health-care services, including a $3,000-a-month drug that he says many of the patients didn't need.
'She was making cold calls, asking people about their hepatitis C,' he says. 'Most of the people on the list have hepatitis C. Not all of them do. I got a call from one lady frantic over the phone call. "I don't have hepatitis C," she told me. "What's this all about?" Whoever was making the calls had no way of knowing if these people were sick, if they have cirrhosis, if they're still using. She's just making phone calls to get people on treatment. That is scary.'
It's also, King believes, a clear violation of the recently enacted federal privacy law, the Health Insurance Portability and Accountability Act, or HIPA [sic HIPAA]. The law severely restricts hospitals' and doctors' ability to share private information about patients, including names and phone numbers, without consent from the patient. There are specific rules that guide the use of information for marketing, unless the other medical party already has some relationship to the patient.
What complicates the privacy concern in this case is the nature of hepatitis C patients. Most, King says, are middle-age folks who contracted the disease from youthful indiscretions in the 1960s and '70s. Some got it from blood exposure or bad needles, possibly from drug use, others got it from bad blood transfusions before 1990 when procedures were improved....
The Canadian Imperial Bank of Commerce (CIBC) has released a statement to its customers regarding the ongoing misdirected fax incident:
CIBC - An Open Letter To CIBC Customers From Ron Lalonde On Misdirected Faxes: "
To our CIBC Customers:
I want to personally apologize and share with you my deep concern regarding the breach of confidentiality of client information reported in the media.
I also want to assure you that CIBC takes the confidentiality of its customers' personal information very seriously.
You may be interested in the history of this situation. As soon as we learned that some CIBC faxes had been misdirected to a U.S. company in the spring of 2002, we immediately took steps to safeguard our customers' personal information. We notified our branches that information was being faxed to an incorrect number. We also contacted the owner of the company who had been receiving the faxes and elicited from him a commitment to shred all the faxes he had received and to notify us should he receive any additional ones.
We heard nothing further regarding this issue from the individual for more than two years and thus believed that the company was no longer receiving CIBC faxes in error.
However, in the spring of 2004, the company filed a lawsuit against CIBC stating that they had received CIBC faxes through 2002. Then, late last month, the company informed us for the first time that it had been receiving faxes up to 2004. This news was a disturbing and surprising revelation, as we believed, and the company's lawsuit led us to believe, that the problem had been resolved two years previously.
Once CIBC learned of this continuing issue, we moved to address it. Specifically, we have instructed our branches to cease transmission of all internal faxes containing client information. This information will be transmitted to central processing operations via secure internal courier systems and by direct telephone conversation. We will, however, continue to respect the wishes of those clients who ask to receive information from us by fax transmission.
Longer term, we are exploring other potential secure technological alternatives for the timely transmission of confidential information between branches and processing centres.
If you have any enquiries, or if you are aware of any similar situation in the future, please contact CIBC Customer Care at 1 800 465-2255.
Ron Lalonde, Senior Executive Vice President, Chief Adminstrative Officer, and Chief Privacy Officer."
The Bank previously released a shorter statement on the matter:
CIBC - Statement Regarding Misdirected Faxes:
"CIBC takes the issue of the confidentiality of personal customer information very seriously. We sincerely apologize to all of our customers for any concern that this issue may have caused them.
CIBC is doing everything possible to protect the confidentiality of personal customer information. Effective immediately, we are instructing our branches to cease transmission of all internal faxes containing client information. This information will be transmitted to central processing operations via secure internal courier systems and by direct telephone conversation. We will continue to respect the wishes of customers who ask to receive information from us by fax transmission.
Longer term, we are exploring other potential secure technological alternatives for the timely transmission of confidential information between branches and processing centres.
With respect to the specific case of client information mistakenly transmitted to a US business, we are grateful that Mr. Peer has attempted to protect the confidentiality of this information. To ensure that this information remains protected, we will be bringing a motion for a protective order in the US court as soon as the courts reopen following the American holiday. This application will seek to protect the information of the 29 customers that has been produced as evidence in this case."
For the background to this, please see Candian bank's internal faxes went to West Virginia for three years, Bank responds to incident by prohibiting faxing of customer information.
Labels: information breaches
A very basic medical privacy question is in this week's "The Ethicist" by Randy Cohen in the New York Times Magazine:
The New York Times > Magazine > The Ethicist::
"I am a medical student at a major hospital. A patient who said he was a high-school teacher, depressed and suicidal, turns out to be a convicted felon wanted for parole violations, among other nonviolent crimes. The law dictates that we treat him like other patients, but his rapid recovery was suspicious. He is ''well'' enough to be discharged. Would it be ethical if when he leaves the hospital, the police ''happen'' to be waiting? Anonymous, New York."
For Randy Cohen's sensible answer - which doesn't mention a single privacy law - click here (no subscription required).
Labels: information breaches
Saturday, November 27, 2004
The Edmonton Sun is reporting on how sensitive personal information related to senior Alberta bureaucrats found their way into a drug-bust crime scene. (See PIPEDA and Canadian Privacy Law: Incident: Massive leak of personal information in Edmonton, Alberta.) Apparently, dumpster-diving meth-heads are selling found personal information to ID thieves:
Documents dug out of dumpsters:
"...Personal data including credit reports for provincial bureaucrats recently recovered by cops appears to have fallen into the wrong hands due to 'dumpster diving,' say police. 'My feeling is yes, most of that stuff came from dumpster diving,' city police Det. Bob Gauthier said yesterday, after cops showed the hundreds of documents recovered.
'Dumpster divers' or 'binners,' as police call them, are people who in some cases are addicted to methamphetamine and hunt garbage bins for personal information. They then sometimes exchange the data for drugs. "
reviewjournal.com -- Opinion: LETTERS: UMC policies protected, comforted boy:
"To the editor:
I'd like to correct the record concerning your news reports and editorial about the young boy who witnessed the brutal slaying of his mother and became a victim of violence himself while trying to protect her.
As the only Level 1 trauma center in Southern Nevada, University Medical Center had the responsibility of responding to this boy's medical needs as well as his emotional well-being.
The articles and editorial (" `Privacy' law fails brave boy," Nov. 13) suggested that this boy was left alone to deal with his injuries and the emotional turmoil of his loss. I want to assure everyone that this was simply not the case.
It also was suggested that UMC ought to have allowed total strangers to come into the facility to sit with this patient. While grateful for these offers of assistance, I'd like to explain why this was not practical.
First, UMC employs three certified child life specialists who are assigned to respond to the emotional needs of any pediatric patient who requires their services. In this particular situation, a child life specialist was immediately assigned to the patient upon admission to the hospital.
It should also be pointed out that this patient was recovering in a specialized pediatric intensive care unit, where the nursing care is one-on-one for each patient. Therefore, at no time was this child ever left alone or unattended. In fact, I can assure you that we were there to provide comfort and assistance and to hold his hand during a time of immeasurable grief and loss.
Much has been written about the Health Insurance Portability and Accountability Act being the rationale for not publicly disclosing the patient's name and condition. The reality is, even if there were no HIPAA regulations, there have always been patient privacy protocols any hospital would follow. I think we all can agree that hospitals must do all that they can to guard the privacy of their patients and to ensure that their medical information be kept confidential. Additionally, this boy was a witness to a murder, so an extra layer of caution needed to be maintained to protect him.
We take very seriously our slogan, "UMC: The Symbol of Excellence." We believe that in this case, we lived up to that slogan's significance. We saved a life. We cared for a poor child's emotional well-being with personal attention and care. We found a relative who could come sit by his bedside. In this case, as in all cases, our first priority was with the patient. I thought your readers would like to know.
LACY L. THOMAS
The writer is chief executive officer of University Medical Center in Las Vegas. "
Phew! It has been a busy week. I flew back from Vancouver on Monday and hit the ground running. I gave four presentation this week, all of which are available for download for anyone who is interested.
I think I only have one presentation next week, but it's in Toronto. I'm getting too scared to look at my calendar, these days ...
This is a follow-up to my previous blog entry (PIPEDA and Canadian Privacy Law: Article: CN's hidden camera sparks workers' ire). Canadian National Railway has responded to workers' concerns about hidden cameras by saying that they will stay and that the union will be told when they are activated. The article also quotes Brian Bowman of Pitblado in Winnipeg, the leading privacy lawyer in the prairies.
Winnipeg Sun: NEWS - CN cameras stay:
"CN Rail intends to use hidden cameras in its Transcona Wheel Yard despite union protests. Jim Feeny, a spokesman for the railway, said two cameras will remain in the ceiling and the Canadian Auto Workers will be told when they are activated. "
The Halifax Chronicle Herald is carrying an article in today's business section, based on privacy and security concerns dicussed at the McInnes Cooper/National Privacy Services Inc. seminar on privacy and business.
Who has your number?:
"By CLARE MELLOR / Business Reporter
David Fraser pulls a store receipt from his wallet that shows all 16 digits of his debit card number in black and white.
A big no-no due to identity theft concerns, many retailers in Nova Scotia still haven't stopped the practice, said Mr. Fraser, a Halifax lawyer.
'I know some of the largest retailers in Nova Scotia are not protecting customer information,' said Mr. Fraser, an expert in privacy law.
Under the federal Personal Information Protection and Electronic Documents Act, all businesses must take adequate steps to protect against accidental disclosure of customers' personal information. "
Heather Black, the Assistant Privacy Commissioner of Canada, was the keynote speaker at the half-day event, and she shared some very interesting statistics about complaints recently brought to the Office of the Privacy Commissioner:
"Since January, there have been 567 complaints lodged with the federal Office of the Privacy Commissioner in Ottawa about the use and disclosure of personal information, Heather Black, Canada's assistant privacy commissioner, said at the seminar.
Sixty-one complaints were made against retailers, 71 involved insurance companies, 168 complaints involved financial institutions and 102 involved telecommunications companies. Twenty-eight complaints were made against doctors and other health professionals."
Friday, November 26, 2004
Following national publicity about misdirected faxes (see PIPEDA and Canadian Privacy Law: Incident: Candian bank's internal faxes went to West Virginia for three years), the bank in question has ordered all of its employees to stop sending personal information via the supposedly "internal" fax sytem that has been implicated in the incident:
CIBC orders companywide halt to faxes with customer info until glitch fixed
TORONTO (CP) - Scrambling to deal with a potentially serious breach of client privacy, CIBC said late Friday it is ordering all employees to stop using the bank's internal fax system to send customer information between branches or offices.
The bank, which has known that a U.S. junkyard has received CIBC internal faxes as far back as 2001 and as recently as this year, said it has assembled a team of senior managers to deal with the problem.
CIBC spokesman Rob McLeod said the bank determined that faxes about 29 of its customers were obtained by the owner of a West Virginia junkyard, who is suing the bank for $3 million US and claiming the bank failed to heed his warning...."
Update: See, also, The Globe and Mail: CIBC bans faxes after scrapyard gets more.
"Legal experts say the commissioner is likely to focus on the consent provisions of the federal privacy law, known as the Personal Information and Protection of Privacy Act.
"It does not appear that the customers of the bank could have been reasonably interpreted to have consented to the transmission of these documents in the circumstances described," said Margaret Ann Wilkinson, a professor of law at the University of Western Ontario. "It is clear that these documents should not have been disclosed to this third party because the bank is prohibited from making such a disclosure."
Ms. Stoddart [Privacy Commissioner] said her investigation is also concerned with the length of time — more than three years — the information was faxed to Mr. Peer.
"We'll be looking into the procedures within that bank that resulted in what appears to be such a serious breach of privacy," said Ms. Stoddart, a lawyer and historian who was appointed on Dec. 1.
"It would appear to have gone on for a certain time. So how diligent was the bank in addressing this problem? What steps did they take? What went wrong?"
Ms. Stoddart said she expects her investigation to take about two months and that the goal of any investigation of a privacy breach is to reach a practical solution to prevent further breaches.
"However, when that is not enough or our advice is not heeded, we can go to Federal Court and ..... we can ask for damages," she said. "At any point, I would think, the CIBC could choose to settle any claims their unhappy customers might have, either within our process or without our process."
Some CIBC customers said they were consulting lawyers.
Legal experts said the Privacy Commissioner's findings will affect what legal actions customers pursue.
Ms. Stoddart said her investigation may also focus on the role of CIBC's chief privacy officer, Ron Lalonde, to whom Mr. Maclachlan, the ombudsman, reports.
Privacy experts said they expect the Privacy Commissioner to look at the relationship of Mr. Lalonde's office to other senior executives, including chief executive officer John Hunkin.
Yesterday, privacy experts criticized the bank for failing to notify customers affected as soon as the privacy breach occurred.
"What they should have done immediately is notify all of the branches," said Philippa Lawson, a lawyer and executive director of the Canadian Internet Public Policy Interest Centre at the University of Ottawa's law school."
I had a nice e-mail exchange with Mary Minow, author of the LibraryLaw Blog, about privacy and patron records. She has posted the good bits on her great blog and it is available here: LibraryLaw Blog: Does Canadian law protect library patron records?. I highly recommend adding her to your blogroll, especially if you are interested in privacy aspects of libraries.
Canadian Occupational Health and Safety Magazine has an interesting analysis of the recent Federal Court Decision in Eastmond v. Canadian Pacific Railway, where the issue was the reasonablness of video surveillance cameras at a railyard. The author discusses the implications of the decision from the labour-side point of view and makes some recommendations:
Across the table - Camera surveillance and the privacy rights of employees:
"What lessons can be gleaned from the decision of Justice Lemieux to better equip workplaces that have electronic surveillance? Employees and employers should be aware that this decision has established jurisdictional parameters for hearing recommendations from the Privacy Commissioner. Paragraph 13 of PIPEDA provides the Commissioner with the discretion to 'investigate a complaint or defer it if he considered it appropriate a complainant should exhaust a grievance [procedure].' This means that in the absence of collective agreement language that does not refer to the privacy rights of employees, employees may refer the recommendation of the Privacy Commissioner to the Courts.
However, in the case where a collective agreement does include privacy right language, PIPEDA has greater legislative authority and may still be referred to the Courts at the discretion of the Commissioner. Therefore, labour relations jurisprudence is still in need of a decision by the Commissioner or the Courts speaking to the issue of whether a labour arbitrator will have precedence to hear a privacy right complaint where such language is in the collective agreement.
The Court has directed respondents to PIPEDA applications to raise at the earliest opportunity the existence of an alternative dispute resolution mechanism available to the parties, such as a grievance procedure. The Court did not go so far as to say the Commissioner would be bound to defer to this other mechanism, but the inference is that alternatives should be contemplated before proceeding to the courts.
One lesson to be learned in the era of privacy rights legislation is that parties, union and non-union, should be negotiating local-level conciliation procedures. This should result in win-win resolutions instead of litigious and adversarial confrontations in the courts. "
Last night's CTV news national broadcast reported on an ongoing problem that the Canadian Imperial Bank of Commerce has been having with many, many misdirected faxes winding up at a West Virgina junk yard. This morning's Globe and Mail also contains a report on the problem, about which CIBC is apparently well aware but hasn't been able to resolve.
The Globe and Mail: Internal faxes went to West Virginia for three years:
"RIDGELEY, W.VA. - Canadian Imperial Bank of Commerce has been faxing confidential information about hundreds of its customers to a scrapyard operator in West Virginia for more than three years, and he can't get them to stop.
Wade Peer says he has been overwhelmed since 2001 by internal CIBC fund transfer request forms containing the social insurance numbers, home addresses, phone numbers and detailed bank account data of several hundred bank customers...."
See, also, the CTV coverage here.
Canadian railways have had problems with video surveillance upsetting employees, leading to complaints to the Privacy Commissioner (see: Eastmond v. Canadian Pacific Railway, 2004 FC 852). Canadian National Railway is now in the news after workers discovered cameras hidden in the ductwork:
Winnipeg Sun: NEWS - CN's hidden camera sparks workers' ire:
"Vandalism concerns, company explains
The discovery of a hidden camera at CN Rail's Transcona Wheel Yard shook employees and poisoned the workplace, the union says. But the railway says putting two cameras in the ceiling was a way to get to the bottom of unexplained equipment breakdowns. ..."
Thursday, November 25, 2004
Ontario's new privacy law is finally getting some press. ITBusiness.ca, one of the few Canadian publications that has very thorough privacy coverage, is carrying an article on the Personal Health Information Protection Act:
Ontario prescribes privacy law for health-care sector:
11/22/2004 2:20:34 PM - The province introduces rules around patient data and fines for those who don't comply.
"Ontario's law regulating the privacy of health information took effect Nov. 1, and may force organizations that fail to comply to pay up to tens of thousands of dollars in maximum penalties.
In what's being hailed as the province's first privacy law governing a specific industry, the Personal
Health Information Protection Act (PHIPA) will be overseen by the office of the Information and Privacy Commissioner, Ann Cavoukian, and apply to all individuals and organizations involved in the delivery of health-care...."
A reporter from the Halifax Daily News attended the McInnes Cooper privacy and business seminar in Halifax yesterday and has written an article that appears on the paper's website.
The article contains an account of my own experience when I went to a local store seeking warranty service for my cell phone. I didn't know the date of purchase, so the customer service person asked for my name. Because there are dozens of "David Frasers" in Halifax, he just flipped the monitor over to me and scrolled through all of them so I could pick out the right one. In the process, I saw all the Frasers in the province with cell phone service through one of our larger providers, along with their balances and how many days they were behind in their payments. Not a good practice, to say the least.
Businesses, customers lack privacy know-how: "By Stephane Massinon
David Fraser knows first hand how casually some Atlantic Canadian businesses treat customer privacy.
The Halifax privacy lawyer was recently at a large electronics store in metro when an employee asked for his name. Fraser obliged, only to be met with a look of confusion.
The employee, thinking it would make the matter easier, turned the computer screen around and asked, "So, which (David Fraser) are you?" Fraser not only saw all the names, but also all the [other] David Frasers's private information, including account balances...."
The article also includes a reference to our experience in "getting the word out" for the seminar itself. Many business contacted suggested that they don't collect "very personal information" so weren't affected. Sorry, but any business with personal information, sensitive or not, had better pay attention to the law.
Labels: information breaches
CBS5 from the San Francisco bay area is reporting on an e-mail survey done by TRUSTe that suggests that many consumers are being scared away from shopping online because of privacy fears and the risk of identity theft:
CBS5.com - ONLINE SHOPPERS CONCERNED ABOUT PRIVACY, STUDY SAYS:
"Holiday shoppers are less inclined to buy online this season for fear of identity theft and other privacy issues, according to a survey released today.
TRUSTe, a San Francisco-based nonprofit that provides seals of approval to Web sites that protect users' privacy, reported today that about six in 10 consumers, or 58 percent, might reduce their online shopping because of privacy concerns.
That's up from last year, when 49 percent of those surveyed said they might back off online shopping.... "
Thanks to Privacy Digest for the pointer.
Privacy International and the Electronic Privacy Information Center have recently released their seventh annual Privacy and Human Rights Survey, which details global threats to privacy and related civil rights. It particularly highlights the increasing surveillance of citizens and intrusive uses of technology in the battle against terrorism.
From the joint EPIC/PI press release:
Privacy International & EPIC Release Annual Global Privacy Study
GLOBAL HUMAN RIGHTS STUDY WARNS OF ENDEMIC PRIVACY THREATS
Major report sets out government surveillance strategies
17th November 2004
A major international privacy report published today has concluded that governments across the world have substantially increased surveillance in the past year. The report warns that threats to personal privacy have reached a level that is dangerous to fundamental human rights.
The 7th annual Privacy and Human Rights survey, published by Privacy International & the US based Electronic Privacy Information Center (EPIC) reviews the state of privacy in sixty countries and warns that invasions of privacy across the world has increased significantly in the past twelve months. The 800 page report is available free of charge at http://www.privacyinternational.org/survey/phr2004
The report paints a bleak picture of the erosion of the right to privacy, particularly since the September 11th attacks in the United States. It observed: that crime and public order laws passed in recent years have placed substantial limitations on numerous rights, including freedom of assembly, privacy, freedom of movement, the right of silence, and freedom of speech. Governments have continued to use terrorism as the pretext for an increase of surveillance, even when surveillance is unwarranted.
The report identifies a trend across the world toward mass surveillance of the general population, and cited a catalogue of illegal spying and surveillance activities by government agencies.
In response to calls for increased security many countries have pursued policy and legislative efforts that aim at implementing identification schemes, expanding the surveillance of communications for law enforcement and national security agencies, weakening data protection regimes, and intensifying data sharing and collection practices - all made possible by a growing cooperation between government entities and the private sector.
The report singles out a number of trends:
- New identification measures and new traveller pre-screening and profiling systems
- New anti-terrorism laws and governmental measures provide for increased search capabilities and sharing of information among law enforcement authorities
- Increased video surveillance
- DNA and health information databases
- Censorship measures
- Radio frequency identification technologies
- New electronic voting technologies
- Mismanagement of personal data and major data leaks
Privacy International's Director, Simon Davies, said the report highlighted a 'disturbing' trend toward greater state power. 'Governments are systematically removing the right to privacy. Surveillance of every type is being instituted throughout society without any thought about the need for safeguards.'
'The spectre of terrorism has at last become the device that any government can deploy to entrench the powers they always sought. The situation has become a dangerous farce,' he added.
'Governments are joining together their data systems. They are sharing information to a greater extent each year with the private sector. And they are cooperating unquestioningly with other governments to exchange vast reserves of personal information. This situation cannot continue without imperilling the right to privacy', said Mr Davies.
On a more upbeat note, the report did identify positive counter-trends:
'Invasions of privacy were met in various countries with forceful reactions from human rights groups. In Germany, outcry against a retail chain's use of RFID tags unbeknownst to its customers led to the halt to the company's projects. In Greece, the data protection authority struck down the use of biometric identity verification in airports because the collection of personal information through RFID tags exceeded its purpose. In Malaysia, the Bar Council criticized the security and privacy risks of Mykad, the multi-purpose smart card, which forced the government to work on a legislation to answer such concerns. In Poland, the Constitutional Tribunal held unconstitutional a law that allowed police officers to observe and record events in public places. Public interest groups had opposed the law alleging that it violated the right to privacy enshrined in the Polish Constitution. In Sweden, the privacy commissioner forbade a school's fingerprint recognition program. In Ukraine, a new law that restricts access to information was strongly opposed by several NGOs and international organizations because of its violation of the Constitution and global freedom of information standards. In reaction, amendments were introduced that improve the final version of the law.'
Wednesday, November 24, 2004
Today, National Privacy Services and McInnes Cooper co-hosted a half-day program on lessons learned from the first year of PIPEDA's full implementation in the private sector. I kicked off the program with an overview of PIPEDA and what it's all about. Then, Heather Black, the Assistant Privacy Commissioner of Canada, provided some very interesting insights on trends that her office is seeing (complaints are up 50%, a smaller portion of complaints are determined to be well-founded than last year). Heather gave her presentation "without a net", but mine is available here.
CANOE -- CNEWS - Tech News David Canton: Medical privacy now law:
"Ontario's new law on the privacy of health information will affect every person in the province. The Personal Health Information Protection Act (PHIPA), which became law Nov. 1, applies to individuals and organizations involved in the delivery of health-care services.
Some organizations that may not consider themselves in the health-care sector will be subject to PHIPA -- it reaches beyond the traditional hospital/doctor setting...."
Tuesday, November 23, 2004
The New York Daily News is reporting what appears to be a horrible breach of privacy related to some of the most vulnerable students in the charge of the New York school board:
New York Daily News - Home - Secret school files dumped:
"A decade's worth of tragic childhood tales - confidential records of students schooled at home because of horrible injuries or debilitating illnesses - were callously dumped last week on a Bronx street.
It was an absolutely startling thing to see: 300 pounds of very private papers, left just outside a Department of Education office like useless trash, sitting beside empty pizza boxes, old air conditioning filters and other recyclables.
Tucked inside hundreds of folders were sensitive, heartrending stories - children handicapped, children shot or beaten and children slowly dying of cancer...."
Labels: information breaches
Parry Aftab has started a blog in remembrance of Ron Plesser. He was a leading privacy lawyer and, unfortunately, I never had a chance to meet him before his untimely passing. Please visit, read the rembrances and post any of your own.
UPDATE: The Washtington Post is carrying his obituary here: Privacy Law Expert Ronald L. Plesser Dies (washingtonpost.com)
Labels: information breaches
Saturday, November 20, 2004
Sorry for the light (read: non-existent) blogging over the last few days. I've finally gotten to an internet connection ....
Mathew Englander e-mailed me the other day to say that the Federal Court has rendered their decision in his fight against Telus. I haven't read the full reasons, which should be available here soon, but all reports suggest that Telus did not persuade the Federal Court of Appeal to uphold the finding of the Privacy Commissioner and the Federal Court, Trial Division. I haven't found any free coverage online, but here is an extract of an article from the Calgary Herald.
Little guy wins privacy fight against giant Telus.
Canwest News Service
Saturday, November 20, 2004
Byline: Sarah Staples
In a victory for the little guy, a federal appeals tribunal has ruled unanimously that Telus Communications Inc. must go to greater lengths to get its customers' approval before reselling their personal information to telemarketers and others.
``There is no evidence that Telus made any `effort,' let alone a `reasonable' one . . . to ensure that its first-time customers are advised of the secondary purposes (of their personal information) at the time of collection,'' wrote Justice Decary on behalf of his colleagues in the decision released this week.
The case is the result of a protracted battle by Mathew Englander, a lawyer and Vancouver resident, with the phone company since 2001.
Englander argued Telus breaks new federal privacy rules by not informing customers when they sign up for service that it repackages telephone directory listings into CD-ROMs and machine-readable lists and sells them to telemarketers, charities and political parties.
Minutes after the Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted on Jan. 1, 2001, Englander became the first Canadian to lodge a formal complaint to the federal privacy commissioner under the new law.
His arguments were rejected, first by the commissioner and later by a Federal Court judge in a ruling last June. But the Federal Court of Appeals reversed those earlier decisions this week, saying Telus didn't go far enough to make Englander understand his privacy rights.
Telus has been ordered to reimburse Englander the nearly $12,000 he paid in costs after losing the earlier Federal Court decision.
Experts following Englander v. Telus said the ruling sets positive early precedents, defining the legal obligations of business at a time when consumers' expectation of privacy is under siege.
PIPEDA theoretically gives Canadians the right to scrutinize innumerable bits of data collected about them by customer service reps, squirreled into computerized cash registers, and revealed to creditors, doctors and employers. It also warns companies to seek permission before using those details. But the law frames the issues broadly, leaving it to the courts to resolve what crucial notions, such as ``informed consent,'' will mean in practice.
``There are huge costs to industry in attempting to inform the public. Nevertheless, we've moved so far into an age of technology that people don't understand what they're agreeing to,'' said Stephanie Perrin, a consultant and former federal civil servant who was one of the authors of PIPEDA.
``This gives us a first interpretation of what a person can reasonably be expected to understand.''
Englander called the ruling ``an interpretation such that people can make their own decisions about how their information will be used.
``That's what privacy is about,'' he said in a telephone interview. ``It's not only keeping things secret, it's giving individuals the right to decide what stays confidential and what does not.''
Englander's win is a partial victory: the appeals court denied his attempt to stop Telus from charging customers $2 a month for unlisted service a fee that adds $5.96 million annually to the company's coffers, from roughly 250,000 unlisted telephone numbers in Alberta and B.C., according to affidavits.
The telco now has 60 days to offer suggestions for revamping its policies to bring them into compliance with the privacy law. Any changes negotiated with the federal appeals tribunal will be incorporated into their final written judgment, to be issued at an unspecified later date.
Drew McArthur, VP of corporate affairs and privacy officer for Telus, hinted his firm will argue any court-ordered changes should apply only to new customers, and only involve ``the scripting for new customers when they call in for service,'' as opposed to more elaborate and expensive retraining for employees.
The spokesman said phone companies across Canada may be affected, and added Telus is considering its options, including appealing all or some parts of the decision to the Supreme Court of Canada.
One potential hot potato for the highest court is a question of jurisdiction: the appeals tribunal apparently granted federal judges ``overlapping jurisdiction'' to rule on PIPEDA cases, whereas Telus argued any decision on fees should be made exclusively by its regulator, the CRTC.
Also, ironically, the tribunal denied Canada's privacy commissioner deference in cases that come before the courts in future, arguing that to do so would have given privacy advocates an unfair advantage over business interests.
``I think it's now further education of how the court views the balance of the privacy rights of individual versus the needs of businesses,'' said McArthur.
Tuesday, November 16, 2004
A practical review of Canada’s privacy law and what businesses must do to maintain customer trust and avoid the costs of complaints.
Special Keynote Speakers:
Atlantic Canadian businesses have been subject to the Personal Information Protection And Electronic Documents Act since January 1, 2004. Join other business leaders to hear about the impact of privacy laws on business and what you must do to maintain customer trust and avoid complaints. This seminar will focus on practical privacy compliance and how to differentiate yourself to increasingly privacy-aware customers.
Registration is limited to ensure that participants have an opportunity to ask questions of our privacy experts. Register early!
Where: Neptune Theatre, du Maurier Theatre, 1593 Argyle St, Halifax.
When: November 24, 2004 @ 9:00 – 12:00
Price: $100.00 + HST (10% discount for three or more from same organization)
Register: http://www.privlaw.com/pages/training_registration.htm or call National Privacy Services at 464-4497
Sponsored by McInnes Cooper & National Privacy Services Inc.
Labels: information breaches
The edition of Backbone Magazine that came with today's Globe & Mail has an article that suggests 2005 will be the year when PIPEDA gets its due. The Office of the Privacy Commissioner is finally coming out the mess created by the Radwanski regime and provinces are gearing up to enforce their own legislation:
Backbone Magazine - PIPEDA's free ride is coming to an end:
"It's been a year since the federal government extended the Personal Information Protection and Electronic Documents Act (PIPEDA) to include provincially regulated businesses. Since then, those companies have had it easy.
That's because, lawyers say, the office of the federal privacy commissioner has remained largely on the sidelines, putting its house in order since privacy czar George Radwanksi resigned last year under a cloud of questions regarding his spending and management style."
Monday, November 15, 2004
CIRA - News Release - NEW POLICY TO SET STANDARD FOR INTERNET DOMAIN NAME PRIVACY:
"For individuals who register a dot-ca domain name, only the domain name, the name of the Registrar, the registration date, the "last change" date, notice regarding changes in status of the domain name and server IP numbers/names will be available through WHOIS. Individual dot-ca domain owners will have the option of making additional information accessible to the general public.
The policy for organizations - private and public - with dot-ca designations will not change; the same data will continue to be available through WHOIS. Organizations will be able to request that some of their information be kept private.
CIRA will continue to ensure all registration data - including information not made public under the new policy - is available to law enforcement agencies. "
Thanks to Info Diva and Law Librarian Connie Crosby for the tip-off.
Labels: information breaches
The Patriot News of Pennsylvania is reporting on a lawsuit commenced by a woman whose medical file was used as a prop in an advertisement. She alleges that her name, social security number and the fact that she had received a mammogram were visible and she is now vulnerable to identity theft: Pinnacle sued over medical ad.
Dr. Anne Cavoukian, the well-respected Information and Privacy Commissioner of Ontario has written an article for CIO Government Review magazine on the new Personal Health Information Protection Act. It's well worth the read ....
PHIPA power: "
CIO Government Review (09 Nov 2004)
Placing appropriate controls on health data users, while conferring rights on data subjects - that, in a nutshell, is what the Personal Health Information Protection Act, 2004 (PHIPA) accomplishes.
The Ontario government-enacted law that came into force on November 1 applies to all individuals and organizations involved in health care services delivery. These include physicians and other healthcare practitioners - referred to in the Act as "health information custodians" - as well as any agent, who is authorized to collect, use and disclose personal health information on behalf of that custodian.... "
The Information and Privacy Commissioner of Alberta, Frank Work, will investigate the incident in which sensitive personal information of senior civil servants was found at a crime scene in Edmonton. (See: PIPEDA and Canadian Privacy Law: Incident: Massive leak of personal information in Edmonton, Alberta.)
The Calgary Sun: Province to probe credit leak:
"EDMONTON -- Alberta's privacy commissioner plans today to launch a top-to-bottom investigation into the leak of private staff credit files to a possible identity fraud ring. Frank Work said he'll try to find out if civil servants whose files were compromised will face grilling by U.S. security officials if they try to cross the border.
'Anything's possible,' Work said yesterday.
... The files were collected by Trans Union, a U.S.-based multinational credit-check firm.
In a letter to the Sun, senior government staffers voiced the fear that Trans Union might be compelled under the Patriot Act to report the stolen SIN numbers to the U.S. Department of Homeland Security, which could make it difficult for them to travel in the U.S.... "
Sunday, November 14, 2004
The headline of this comment at Computing.co.uk, Is privacy the enemy of progress? may be a little overblown, but the article itself does discuss the balancing of interests inherent in dealing with customer information. On one hand, people should have control over their personal information. On the other hand, businesses have an interest in understanding their customers, their wants and their needs. Those can work together where the individual hands over personal information in exchange for better service.
While the comment may be framed in in an extreme manner ("Companies should try to encourage customers to waive rights to privacy as often as they can"), the key is that customers should be encouraged to hand over their information. It should not be compulsory and when the customer sees the value, they'll hand it over. It's an entirely different matter if they are compelled to hand it over... (Of course, as research shows, customers talk a good line about protecting their privacy but don't often act in a consistent manner.)
Is privacy the enemy of progress? - Computing:
"...In many ways, privacy is the enemy of big business. It should be the goal of every large corporation or organisation to find out as much about their customers as they can, to help satisfy their customers' needs. That is the basis of any customer relationship management system, which attempts to learn and retain as much data about the consumer as possible.
Companies should try to encourage customers to waive rights to privacy as often as they can. That way, firms can get the information they need without breaching the Data Protection Act. If a consumer agrees to tell a company everything about themselves, then how can the commissioner take action against it?
A good example of this is the way that supermarkets have encouraged the use of customer loyalty cards. In return for discounts, customers are willing to waive their rights to privacy and allow the supermarkets to maintain an electronic record of what they buy and when they buy it...."
Ok. Pay attention. If you think the law leads to an absurd or inhuman result, take a look at what the law actually says and make sure you really have to do what you think you have to do.
Case in point: An editorial in yesterday's Las Vegas Review Journal refers to a potentially heart-breaking incident at a local hospital in which over-zealous and ill-informed application of HIPAA (the federal health privacy law) led to a lonely, seriously injured boy being left alone without family at his bedside after witnessing the murder of his mother and having being stabbed in the chest himself.
reviewjournal.com -- Opinion: EDITORIAL: 'Privacy' law fails brave boy:
"Legislation so frightens health care workers they deny existence of trauma victim
Las Vegas Valley residents got an unusually harsh lesson this week on the evils of overregulation by the federal government.
Shiloh Edsitty, a 12-year-old Schofield Middle School student, likely witnessed the slaying of his mother early Monday and had the resolve to escape her killer despite having a knife stuck in his chest. Despite an outpouring of support from friends and the community, the boy spent more than two days at University Medical Center without having a single familiar face bedside.
The reason? The Health Insurance Portability and Accountability Act, legislation weighed down by vague protections of patient privacy.
Because of this federal law, UMC representatives maintained they could not acknowledge whether the boy was a patient at the county's only public hospital. Little League teammates, a former foster parent and countless mothers who wanted to hold the boy's hand were turned away.
Nothing in HIPAA specifically mandates such an absurd policy. But because the law allows penalties of up to $250,000 and 10 years in prison for the most flagrant violations -- the boy's attacker might spend less time incarcerated -- health care workers exercise caution to the point of paranoia when asked to release patient information.
Shiloh Edsitty should not have had to wait until Thursday, when relatives arrived in Las Vegas, to enjoy the company of a loved one."
For more articles on Shiloh's sad tale, see Google News "Shiloh Edsitty".
UPDATE: For the other side of the story, see the response from the hospital's CEO: Follow-up: Las Vegas hospital responds to article on hospitalized orphan. From the original article in the Vegas paper, it really did sound like the hospital over-reacted. After reading the CEO's response, it appears that was probably not the case, particularly because the hospital found the child's relatives to sit with him while he was recuperating.
Police in Edmonton, Alberta are investigating a curious (and scary) leak of personal information when forms containing sensitive information related to the provinces top bureaucrats was discovered at the scene of a meth bust.
Sensitive files leaked:
"City police and provincial government officials are tracing a massive leak of personal information files collected on civil servants, linked to a possible identity-theft scam. The Solicitor General's department confirmed yesterday that city police located a stack of dossiers while executing a search warrant on a hotel room in the east end on Tuesday.
The files, collected through the new civil service security screening process launched by Premier Ralph Klein's government last year, include sensitive personal information: phone numbers, home addresses, birthdates and - in some cases - social insurance numbers. "
As a consequence, the province has apparently unilaterally "flaggd" the credit files of the civil servants affected, resulting in threats of lawsuits against the province.
Civil servants see red:See also: Officials' personal info found in police raid (CBC).
"Top civil servants may be considering a lawsuit against the provincial government over the loss of their private credit histories to a possible identity-theft ring. About 460 senior bureaucrats now face new restrictions on their use of credit, after a credit-check company late last week 'red-flagged' their credit files. That move came after the company's own records were found by police in a raid.
Yesterday a letter, faxed anonymously to the Sun and allegedly written by a group of about 40 executive managers in the government, said the staffers met in Edmonton to consider legal action against the province.
'We are seriously concerned... that the government has acted unilaterally to initiate a 'flag' on our personal credit files,' said the letter.... "
Responding to concerns that threaten south Asia's position in the outsourcing sector, Pakistan has just introduced the Foreign Data Security and Protection Act 2004. It aims to only protect foreign data, not indigenous data:
Pakistan Link Headlines:
"IT Minister unveils draft of Data Protection Act
ISLAMABAD: Federal Minister for Information Technology Awais Ahmed Khan Leghari has unveiled a draft version of the data protection act prepared by the Ministry of Information Technology.
'With increasing competition in the global Business Process Outsourcing (BPO) marketplace, the lack of legal cover given to the protection of data within the country is an impediment to growth in this sector', said Leghari at a meeting of the ministry's officials.
The draft act, titled the 'Foreign Data Security and Protection Act 2004' aims to provide for protection and safety to foreign data with regard to the processing of such data in Pakistan...."
See also: IT Ministry unveils draft of data protection act (Daily Times - Pakistan).
Labels: information breaches
Saturday, November 13, 2004
RFID technology has been receiving a great deal of media coverage lately, particularly its potential privacy impact. Slate is carrying a good article that reviews the technology, the latest fuss about the VeriChip and the utility of RFID to stalkers:
A Chip in Your Shoulder - Should I get an RFID implant? By Josh McHugh:
".... Any potential revolution in human tracking or mundane convenience comes with a fundamental insecurity. A scanner operating at the right wavelength can read an RFID chip. That means that any hobbyist can just buy an RFID reader and use it to keep tabs on the chip-implanted people that happen to walk by. Here's a list of RFID readers that can plug into various handheld computers—the 125 kHz readers, including this $425 model, would pick up a VeriChip. Models like this 2-inch-by-1-inch 125 kHz reader could be hidden quite easily. It wouldn't be hard for a tech-savvy stalker to rig his scanner to activate a camera whenever it detected an RFID chip. By logging the times that your implant was scanned, he could easily track your comings and goings
You could make your RFID chip unreadable by putting a blocking device like Mylar fabric or a metal plate between the chip and the reader. RFID chips could also be made to transmit their information in encrypted form, but VeriChip hasn't announced any plans to do so. Until it does, it might be best to keep RFID chips outside your epidermis. And a special message for all you kids out there: If your parents insist on microchip implantation, just make sure you've got some Mylar armbands lying around the house."
The Toronto Star is carrying a story in today's edition that raises real concerns for those who entrust shredding companies to safeguard and securely destroy documents. The article refers to allegations that have arisen in a bitter lawsuit that document destruction company's subcontractor left sensitive documents unsecured and blowing in the winds.
Canada's federal privacy law, the Personal Information Protection and Electronic Documents Act, places the obligation of security on the company that collects the information (in this case, the bank, insurance companies and the like); this is an obligation that carries over into secure destruction. While they may have relied on the contractors to do the job, there is a risk that liability may attach to the original custodians for the failures of the contractors. Legal liability may be secondary, however, to the damage that can occur to a company's reputation if its sensitive customer information is left vulnerable to indentity theft and other risks. From the article in the Star:
Confidentiality gets shredded: Businessman says documents were `just blowing around:
"Case highlights threat to privacy, writes Tyler Hamilton
A courtroom feud between two local paper-shredding companies has triggered allegations that confidential customer records from Canada's major banks were mishandled or lost on their road to destruction.
The allegations, which have not been proven in court, have focussed attention on the paper disposal practices of the country's largest corporations, and highlight the risk of placing sensitive financial documents in the hands of third-party contractors in an age when identity theft runs rampant...."
Friday, November 12, 2004
I just read an interesting story from the Associated Press, 'Sorry' Seen As Magic Word to Avoid Suits, that serves as a reminder of something that too few people do. If you screw something up, say sorry and get on with fixing it. So many of the complaints to the Office of the Privacy Commissioner, in my reading, are based on minor incidents that should never have gotten to a formal complaint. Many could have been resolved by handling the complaint differently.
In my experience, there are three kinds of "complainers". The first is the "complainer", who is bound and determined to complain, no matter what. The second kind, who I call "the martyr", adopts whatever bad thing they experienced as a cause and are bound and determined to make sure their suffering is well known and will not happen to anyone else. The third kind (who is missing a snappy nickname) just wants it fixed, if possible, and wants to hear sorry. The complainer usually can't be satisfied. The martyr can be satisfied, if you can show him/her what you've fixed so that it won't happen again. The third is easily confused with the complainer, but is closest to the martyr. Fixing the problem so it won't happen again and saying sorry will satisfy them. Case closed.
The sad thing is that, if you get very defensive with any of them, it will be a big production with all the associated lost time and expense.
The moral of the story is to (i) listen to the person, (ii) identify the problem, (iii) fix the problem, (iv) tell them it's fixed and (v) say sorry. If they are a complainer, then there is more work to be done. If they are among the latter two categories, you can go on with your day knowing that you've probably saved a lot of time and bother. But you've probably also saved the customer relationship, which is also important.
End of Psychology 101 for today, class...
Labels: information breaches
I have discovered, as an interesting coincidence, that David Canton, the author of several articles in the London Free Press that I have read with great interest, is not only a fellow blogger/blawger, but is also someone I briefly met at the Canadian IT Law Association annual event in Calgary. Small world. In any event, I have been a reader of his blawg, eLegal Canton since he started it a short while ago and he often includes articles of interest on privacy law. If you find my blog to be of interest, you'll want to bookmark his as well.
Labels: information breaches
Fox News is carrying an article on car-based event data recorders, also known as black boxes. It's an interesting article, but it passes over how the devices work. From my understanding, at present, the devices are only activated when the airbag deploys and they only record the last seconds before the deployment.
FOXNews.com - Politics - Privacy Experts Shun Black Boxes:
"WASHINGTON - Some safety and privacy experts are reacting with apprehension, others with all out condemnation over a recent ruling by the National Transportation Safety Board (search) to require electronic data recorders or 'black boxes' in all new cars manufactured in the United States.
'I take offense that this personal property of individuals is now being designed by the federal government,' said Jim Harper, privacy attorney and editor of Privacilla.org."
Labels: information breaches
Thursday, November 11, 2004
Ther Personal Information Protection and Electronic Documents Act allows an organization to disclose personal information without consent in connection with the collection of a debt owed to that organization (see s. 7(3)(b) of the Act). This does not, however, provide blanket permission to disclose the debtor's circumstances and credit history in doing so. The Privacy Commissioner's office has just released finding #282, in which an individual complained about excessive disclosure during collections actions by a bank:
Commissioner's Findings - PIPEDA Case Summary #282: Excessive disclosures in the pursuit of a debt - October 21, 2004 - Privacy Commissioner of Canada: "An individual claimed that a bank disclosed a significant amount of his personal information to two of his employees without his consent. The complainant alleged that these disclosures were extremely damaging to his reputation and contributed to his decision to resign as the head of a company."
The complainant alleged, an produced compelling evidence, that the bank in question "had told [the complainant's employees] that the complainant’s account was severely delinquent, his credit card was suspended from further use, his payment history was sketchy, the bank was intending to enforce its claim against the complainant, and as part of that enforcement, was going to garnish his wages, which would be embarrassing for both the company and the complainant."
The Assistant Privacy Commissioner was not amused. She found:
In short, any organization collecting a debt may only disclose the minimum amount of personal information necessary. Any more, and you are likely offside.
I linked to a Globetechnology article a little while ago that referred to a survey on consumer attitudes and privacy (With privacy, customer actions lag behind their words). Now the survey in question, the EDS / IAPP Privacy & Identity Management Survey, has been made available on EDS' website:
"As the need for privacy, security and strong identification management is stressed in virtually every aspect of our lives, it becomes increasingly important for organizations to shoulder the responsibility of addressing their customers’ requirements in those areas. EDS, the International Association of Privacy Professionals and the Ponemon Institute© recently conducted a study that reveals consumers’ habits, perceptions and requirements concerning identity management and the privacy of their personal information. Their responses reveal an awareness, but also a need for organizations to evaluate and improve consumer education on identity theft, a need for understanding consumer wants and needs, and a need for innovative identity management solutions."
Wednesday, November 10, 2004
Findlaw's commentary section contains an interesting article by Professor Ramasastry of the University of Washington School of Law about the privacy protections for alleged file-swappers in John Doe suits by the RIAA and others:
Ramasastry: Privacy, Piracy and Due Process in Peer-to-Peer File Swapping Suits:
"....Here's how the RIAA typically proceeds. It files a 'John Doe' lawsuit based on an Internet Protocol (IP) address connected to P2P trading via Kazaa, Grokster, Limewire, or another, similar system. The suit is often filed in the jurisdiction where the relevant Internet Service Provider (ISP) is located.
Once the suit is filed, the RIAA subpoenas the ISP to force it to disclose the real name of the 'John Doe' associated with the IP address. That person, however, is not necessarily the file trader - it may instead be a relative, college roommate, or landlord. And neither that person - nor the file trader, if he or she is a different person - is given prior notice and a chance to fight the subpoena.... Fortunately, however, that may change."
The Virtual Chase is linking to (and summarising) a recent US report on the use and availability of Social Security Numbers:
GAO: SSNs Need More Privacy:
"(9 Nov) A GAO report released this week says too many public records, especially from state and local government agencies, reveal Social Security numbers. 'State agencies in 41 states and the District of Columbia reported visible SSNs in at least one type of record and a few states have them in as many as 10 or more different records.... In general, federal agency display of SSNs in public records is prohibited under the Privacy Act of 1974. While the act does not apply to the federal courts, they have taken action in recent years to prevent public access.... Overall, GAO found that the risk of exposure for SSNs in public records at the state and local levels is highly variable and difficult for any one individual to anticipate or prevent.' While the GAO did not examine the use of SSNs on cards issued for identity or health benefits purposes, it noted that '42 million Medicare cards, 8 million Department of Defense identification cards, as well as some insurance cards, and 7 million Veterans Affairs identification cards ... display the full nine-digit SSN.'"
Labels: information breaches
Tuesday, November 09, 2004
All organizations that are presented with an official looking document need to consult counsel because the document may be flawed or it may be based on unconstitutional legislation. Simply believing it is valid might not cut it.
Libraries should read the related posting in the LibraryLawBlog.
The online Christian Science Monitor from November 10, 2004 includes a good, feature-length article by Susan Llewelyn Leach on the privacy impact of making public databases available online. At one time, court and registry info was free for the browsing but it almost always involved a visit to the actual registries. Now, online access means the information is more easily grabbed, pumped into databases, combined with other data and mined for purposes unrelated to the reasons for which it was originally compiled. I highly recommend the article, available here: Privacy lost with the touch of a keystroke?.
Labels: information breaches
Just in the nick of time, the Ontario government passed the first batch of regulations (329/04) for the Personal Health Information Protection Act on October 21, 2004 and have just published them in the Official Ontario Gazette. Scroll down, down, down to page 1077, which is page 37 of the PDF file.
Confusion about the condition of PLO leader Yasser Arafat has been all over the media, with varying reports he is dead, dying, in a coma, on life support, off life support, dancing about, etc. One thing that has hardly been mentioned is that much of this confusion is because of France's data protection legislation. Under the French law, hosptials are not able to disclose information about patients without the consent of the individual concerned or their next of kin. In the case of Arafat, he is unable to consent so his wife, Suha Arafat, controls the flow of any information related to her husband, giving her an important and valuable bargaining chip in her dealings with the rest of the Palestinian leadership. See:
VOA News - Palestinian Officials Check Arafat's Condition:
"... It is still unclear what is wrong with Mr. Arafat. French privacy laws give his wife, Suha, the right to withhold medical information about his condition. But Mr. Shaath suggested his three-year detention in his West Bank office contributed to Mr. Arafat's illness...."
Labels: information breaches
The BBC is reporting on a security breach at a UK online bank that allowed access to others' accounts by simply entering a username:
BBC NEWS | Business | Cahoot hit by web security scare:
"A security loophole at internet bank Cahoot briefly allowed customers to access other people's accounts, a BBC investigation has revealed. "
Thanks to SANS Privacy Bits for the link.
Labels: information breaches
OnlyPunjab.com is carrying what appears to be an advertorial for PC Guardian that reports that computer thefts and break-ins in North America for 2003/04 resulted in the compromise of information for 2.5 million North Americans. (No word on how many Punjabi identities were compromised.) Regardless of the source, it is an interesting read:
North America's "October Surprise" - 2.5 Million Personal Electronic Records Stolen in 2004 Due to Computer Thefts:
"For instance, in the last 12 months PC Guardian has identified the following thefts:
- Officials for the Ohio Democratic Party announced the theft of three computers, including a server that contained the local party's financial information, names and personal phone numbers of hundreds of party members, candidates and volunteers.
- The Republican Party campaign headquarters in Washington state announced the theft of three laptops with confidential Bush-Cheney campaign information.
- Reynolds Cancer Support Center officials warned clients that a server containing personal health information was stolen from its Fort Smith, Ark., office.
- A Lake Forest, Calif., direct mail marketing company reported the theft of a server containing personal financial records of more than 100,000 credit union customers in the western United States.
- First Option Financial reported the theft of thousands of personal financial records when computers were stolen from its office in Houston, Texas.
- Wells Fargo & Company lost more than 200,000 customer financial records when two laptops were stolen, one in California, the other in Texas.
- Airlines Reporting Corporation (ARC), in Arlington, Virginia, reported the theft of computers containing financial data on thousands of customers from United Air Lines, Northwest Airlines, Delta Airlines and American Airlines.
- Kern County Mental Health Office lost 110,000 personal Medicare records when a laptop was stolen from its Bakersfield, Calif. office."
Monday, November 08, 2004
The New Zealand Herald is carrying a story about a man who was canned from his job because he refused to use his employer's electronic punch card system that required his fingerprint to clock in and out of work:
New Zealand News - - Fingerprint-protest worker fired:
"David Barnes has forfeited his job at an Auckland printing works rather than become a 'marked commodity' by surrendering his fingerprints to his employer.
'Where does it all end?' he said yesterday of his dismissal as a maintenance engineer for PMP Print in Wiri.
'Ultimately we'll be no more than producers and consumers in an extremely regulated Big Brother society that I don't wish to be part of.'
Mr Barnes, 52, was sacked last month for alleged serious misconduct for refusing to allow his fingerprints to be scanned into a machine for identification when clocking on and off... "
David Canton's most recent column in Canoe's CNews is dedicated to avoiding e-mail mistakes that can easily and inadvertently cause you privacy headaches:
CANOE -- CNEWS - Tech News David Canton: E-mail poses privacy problems:
"E-mail has revolutionized our workplaces, made workers more efficient and freed us from our desks. But this same communication technology also poses particular privacy risks that need to be carefully considered to minimize accidental disclosure of personal information.
A recent decision by the privacy commissioner of Canada is an example of that risk.
Letters sent by traditional mail can be addressed incorrectly, but e-mail takes the risk of privacy infringement to a whole new level. It's easy enough to do, as anyone who has accidentally clicked on the 'reply to all' button can attest.... "
Labels: information breaches
Sunday, November 07, 2004
I blogged on the topic of blacklisting those who return merchandise to retailers a little while ago (Retailers demanding ID, tracking returns), based on a brief article from Fortune Magazine (which is not available online anymore). Now, MSNBC has a more extensive article on this database, and others that are increasingly being used to profile consumers and employees, often without any regard to nuances that may affect the accuracy of the information:
MSNBC - Some shoppers find fewer happy returns:
"...As more personal information is collected into databases, computers have been handed increasing power to make decisions about our everyday lives. The technological systems aim to solve costly and important business problems, but the proliferation of these 'electronic blacklists' has alarmed consumer and privacy advocacy groups who say many databases have incomplete, incorrect or misleading information...."
Labels: information breaches
The Canadian Internet Policy and Public Interest Clinc (CIPPIC) has complained to the Privacy Commissioner of Canada against an American company that harvests databases and public records to produce reports that include, in some cases, supposed psychosexual profiles. Accusearch (d/b/a/ Abika.com), which a takes a dim view of "privacy fanatics", is said to aggressively mine databases to produce their background checks, physchological profiles and the like.
CIPPIC, in its complaint filed in June, is alleging that Abika is collecting, using and disclosing the personal information of Canadians without consent, in violation of PIPEDA. The complaint also alleges that Abika violates the accuracy principle of PIPEDA by producing inaccurate reports.
This complaint is likely important in that the Commissioner will be forced to consider whether the activities of a US company, operating in the US, may violate PIPEDA. Of course, the next question is whether the Commissioner or the complainant can do anything about it.
For more info, see the Canadian Press report: Yahoo! News - U.S. firm's sale of personal data about Canadians sparks complaint.
The following is from the CIPPIC website, including a link to their complaint.
Update: On the first version of this posting, I mistakenly attributed the complaint to the Public Interest Advocacy Centre.
Abika.com (June 9, 2004)
After researching this online private investigation service, CIPPIC filed a complaint with the federal Privacy Commissioner alleging that the company's entire service is based on fundamental and widespread violations of privacy legislation. Abika.com collects often highly sensitive personal information from various sources, and sells it to anyone willing to pay the associated fee.
Below are links to coverage of the Privacy Commissioner's Annual Report to Parliament.
Labels: information breaches
Saturday, November 06, 2004
The United States Department of Housing and Urban Development is promoting the use of shared local databases to assist in providing adequate services to local homeless populations. While collecting information on needs such as this can have a compelling rationale, Wired News (Activists Slam Homeless Tracking) is reporting that activists are lobbying against the effort because of fears for the safety of battered women fleeing abusive spouses. The databases contain name, address (if any), social security numbers and information on disabilities. The fear is that databases, regardless of the security, are vulnerable to abuse and could assist in tracking down fleeing spouses.
The media is full of reports of accidental disclosures, either through hacking, social engineering and simple misuse by "authorized" users. Any program that compiles information about vulnerable populations must balance the need for the information against the risk to individuals should the data be disclosed. Mandatory registration such as this can also have the effect of deterring these vulnerable populations from seeking the assistance they desperately need.
See the full article at: Wired News: Activists Slam Homeless Tracking.
Labels: information breaches
Over the protests of public sector unions and privacy advocates, the government of British Columbia has formally announced that it is outsourcing the processing of medicare claims to a US-based company, Maximus. The prospect of this happening led to complaints by the BC Government and Service Employees Union to file a complaint to the province's Information and Privacy Commissioner, prompting the Commissioner's investigation into the impact of outsourcing and the USA Patiot Act on the privacy of British Columbians (see BC Privacy Watchdog Seeks US Government, FBI Input in Patriot Act). For more info on the recent outsourcing announcement, see:
CNEWS - Politics: B.C. announces medical privatization plan:
"...Maximus, Inc., a U.S.-based firm, has been given a 10-year contract worth $324 million, the government announced Thursday. The company also has a five-year renewal option...."
In August of this year, Richard Gibson of the Seattle area pleaded guilty to violating the US health privacy law, HIPAA, and became the first person convicted under that law for violating the privacy of a patient. See US Privacy Law Leads to Conviction for ID Theft and Fraud.) Gibson was just sentenced to sixteen months in prision and was ordered to pay restitution to his victims:
Seattle Post-Intelligencer: Man sentenced for stealing cancer patient's identity:
"The technician, Richard W. Gibson, 42, was sentenced to 16 months in prison Friday, the first person in the nation sentenced under a new law designed to protect patients' privacy, federal prosecutors said. He also will be required to pay at least $15,000 in restitution, including reimbursing Drew for the time and money he spent trying to clear his name."
Labels: information breaches
Friday, November 05, 2004
The Electronic Frontier Foundation (EFF) has released a document entitled Best Practices for Online Service Providers. In response to Online Service Providers being continually subjected to subpoenas and warrants for log files, EFF argues that unless there is a legislated or reguatory need to archive data, OSPs should not keep any user info they don't need.
Best Practices for Online Service Providers: "...The best way to protect against the risk of log artifacts on disk is to never create any user logs in the first place. This is the ideal and safest solution even though it is often impractical. By reconfiguring the logging preferences in server applications, one can easily change the log level to record nothing about network events. But for most OSPs, these logs are necessary for network troubleshooting and security precautions. This is also virtually impossible for large, for-profit providers that need to maintain billing and subscriber contact information. Thus, the best tactic for an OSP is to come up with a safe and sane network policy in which logs are retained for the shortest possible time..."
Under Canadian privacy laws (at least until retention requirements are imposed under lawful access guidelines), ISPs/OPSs should only be collecting for reasonable purposes and keeping it for only as long as is reasonably necessary for the purposes for which it was collected. I know of at least one ISP that keeps their log files indefinitely because they enjoy their friendly relationship with law enforcement. They still require a warrant, but the cops know that it is all kept. Some organizations want to minimise the muss and fuss of being dragged into court being asked to provide user info. If they simply don't have the info that is being sought, they say so and avoid the issue. (This issue has also come to the fore in public libraries, where privacy aware librarians have changed practices to delete the history of borrowers after books are returned undamaged.)
Thanks to the ever-informative, always useful BeSpacific for the link.
Jennifer Stoddart has issued her first report to Parliament since becoming the Privacy Commissioner of Canada. The report addresses the rebuilding process the office is going through, as well as its experience in dealing with both the Privacy Act and the Personal Information Protection and Electronic Documents Act. The official press release summarizing the report is here: A Year of Progress and Rebuilding - Meeting the Growing Privacy Challenges Ahead. The Annual Report to Parliament is available in HTML and PDF formats.
Labels: information breaches
The one-year old HIPAA privacy rule has received varying reviews, particularly recently on the occasion of its first anniversary. Johns Hopkin's Magazine has a great article that provides a thorough review of the impementation of HIPAA at Johns Hopkins, in the format of a magazine feature. Lots of anecdotes and a great overview. A must read.
Johns Hopkins Magazine - HIPAA, Heal Thyself:
"A sweeping set of patient privacy regulations went into effect last year, complicating life considerably for Medicine's researchers, fundraisers, and archivists. Now many are wondering: Are the intended benefits outweighed by the unintended costs?"
Labels: information breaches
Thursday, November 04, 2004
The Globe and Mail is running an article on the Ontario health privacy law, the Personal Health Information Protection Act (PHIPA). One caveat though ... it seems to suggest that the law binds employers. The law only applies to "Health Information Custodians", which generally includes healthcare professionals, hospitals and the like. Employers and insurance companies are only affected by the rules that state that non-health information custodians can only use personal health information for the purposes for which it was disclosed to them by health information custodians:
New Ontario rules protect personal health data:
"The rules will affect daily conduct of business for organizations such as insurance companies, hospitals, doctors and medical service providers, Mr. Zinn says.
However, in practical terms, employers can face questions about the way they collect and distribute employee health information for insurance plans or even who sees notes from doctors to confirm sick leave taken by employees.
Employees can file complaints with the office of the Information and Privacy Commissioner of Ontario for investigation. Individuals within organizations can be personally liable for fines of up to $50,000 for breaches of the regulations. Organizations could be fined up to $250,000. "
Wednesday, November 03, 2004
As announced on this page last week, the private sector privacy laws of Alberta and British Columbia have been declared by the Federal Cabinet to be substantially similar to PIPEDA. The official announcement was made by Industry Canada today:
Organizations in Alberta and British Columbia Receive Exemption from Federal Personal Information Protection Legislation:
OTTAWA, November 3, 2004 — The Government of Canada today announced that organizations in Alberta and British Columbia that are subject to either province's private sector privacy laws are exempt from the Personal Information Protection and Electronic Documents Act (PIPEDA). This exemption applies to the collection, use and disclosure of personal information within either province.
PIPEDA will continue to apply to the collection, use and disclosure of personal information related to the operations of a federal work, undertaking or business (e.g. banks, airlines, telecommunications companies) in both provinces, as well as to the cross-border collection, use and release of personal information.
Both Alberta and British Columbia have privacy legislation that is considered substantially similar to PIPEDA. This helps ensure the existence of an effective national standard for privacy protection, which also meets accepted international norms. Clear, consistent rules for the protection of personal information increase consumer and business confidence in online commerce.
PIPEDA came into full effect January 1, 2004. It applies to all personal information collected, used or disclosed by private sector organizations in the course of commercial activity. Its privacy provisions are based on the Canadian Standards Association's Model Code for the Protection of Personal Information (CAN/CSA-Q830-96). The Act's key provisions state:
- organizations are required to seek the consent of individuals prior to collecting, using or disclosing their personal information;
- organizations must protect personal information with security safeguards appropriate to the sensitivity of the information; and
- individuals may access personal information about themselves held by an organization and have it corrected, if necessary.
For more information on PIPEDA, please visit http://www.strategis.ic.gc.ca/privacy.
For more information on compliance, organizations should refer to the Office of the Privacy Commissioner's online guide at http://privcom.gc.ca/information/guide_e.asp.
For more information, please contact:
Last week, I gave a presentation to a group of directors of public libraries in Nova Scotia. Library staff are regularly called upon to consider privacy issues, particularly in connection with public use internet stations. Police regularly ask for information related to who was using a particular terminal at a particular time, often in connection with threats made or other allegedely illegal conduct. In addition, some libraries are contemplating offering reading suggestions based on reader preferences, a form of "data mining".
PIPEDA applies in Nova Scotia and public libraries are not, by and large, engaged in commercial activities. While they were interested in PIPEDA, most of the discussion related to privacy best practices they can adopt to meet the growing expectation of their users. The presentation is available here: Privacy and Public Libraries
Tuesday, November 02, 2004
Once again, a very vivid reminder that service providers often have your corporate reputation in their hands. Siliconvalley.com is reporting on an indicident in which computers were stolen from a "solution provider", containing sensitive personal information of the customers of the bank that outsourced the services:
Stolen computers have Wells Fargo customer data:
"NEW YORK (AP) - Thousands of Wells Fargo & Co. mortgage and student-loan customers may be at risk for identity theft after four computers were stolen last month from a vendor that prints loan statements.
The computers were taken from the Atlanta office of Regulus Integrated Solutions LLC contained customer names, addresses, and social security and account numbers."
Any company considering outsourcing services that will involve the transfer of personal information must carry out full due diligence to make sure they know what they are getting into. There can be a lot of finger-pointing in the courts, but as far as consumers are concerned, it will be their bank, their phone company, their credit card company, not some nameless service provider, who dropped the ball.
Under the Canadian federal privacy law, PIPEDA, every organization that collects, uses and discloses personal information is responsible for securing personal information against accidental leaks. This responsibility follows the data and the original collector must ensure that any service providers have adequate safeguards.
There has been no shortage of the privacy controversy sparked by the release of the VeriChip, an RFID chip designed to be implanted in humans to enable immediate access to your personal health information. Engadget, one of the web's premiere gadget blogs, reports on obstacles being faced by the company that is brining them to market, including the fact that they only have a limited license to the technology until 2013 and that very few hospitals have readers for the devices: See End-of-worlders fear not: VeriChips face serious obstacles - Engadget - www.engadget.com.
Focus on Privacy
David T.S. Fraser – firstname.lastname@example.org
Most privacy law practitioners expected that the year 2004 would bring a torrent of findings from the Office of the Privacy Commissioner once the Personal Information Protection of Electronics Documents Act, S.C. 2000, c.5 (“PIPEDA”) became fully applicable to the collection, use and disclosure of personal information in the private sector. While the Commissioner’s Office struggles through its backlog, the civil courts have been a rather productive area for consideration of PIPEDA.
One of the more recent cases emerging from the courts relating to PIPEDA is that of Clustercraft Jewellery Manufacturing Co. Ltd. v. Wygee Holdings Ltd.,  O.J. No. 2877 (QL). The case relates to the alleged non-delivery of a quantity of diamonds to Clustercraft. The respondent, Wygee Holdings Ltd., sought information related to employees of Clustercraft who may have been able to shed light on the allegedly missing diamonds. Clustercraft’s witness resisted the questions on the basis that it was not able to disclose the information due to the constraints of PIPEDA.
A Master of the
In the brief reasons for the order, Justice Ducharme concluded that the information not only crossed the relevance threshold but could not be shielded from disclosure by PIPEDA due to the application of s. 7(3)(c) of that Act.
The general rule, in circumstances where PIPEDA applies, is that personal information can only be collected, used and disclosed with the knowledge and consent of the individual, subject to enumerated exceptions. One of those exceptions is applicable to the litigation context. Section 7(3)(c) of PIPEDA provides:
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is …
(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;
Though the applicable Rules of Civil Procedure are generally seen as sufficient to engage the operation of this subsection, Justice Ducharme concluded, at paragraph 9:
At a minimum, the order of Master Albert is an order made by a court with jurisdiction to compel the production of information. Thus, this submission of the Appellant also fails.
The Clustercraft case confirms that where “personal information” that is otherwise protected by PIPEDA is relevant and producible in the course of litigation, PIPEDA will not act as a shield to prevent its disclosure.
An additional aspect of this case that does not appear to have been discussed by the parties or the Court is whether PIPEDA would be applicable to the information in the first place. The information being sought by the Respondents related to Clustercraft’s present and past employees. Though there has not been extensive judicial comment on this point to date, the language of PIPEDA suggests that employee information of businesses such as Clustercraft is beyond the Act’s purview.
The application section of PIPEDA, section 4, provides:
4. (1) This Part applies to every organization in respect of personal information that
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
The law applies to commercial activities (except in those provinces where local legislation is declared to be “substantially similar”) or information about employees of the federally regulated private sector. Unless Clustercraft is a “federal work, undertaking or business”, PIPEDA would not preclude the collection, use or disclosure of its employees’ personal information, for litigation or any other purpose.
 Reprinted by permission of LexisNexis Canada Inc., from The Canadian Privacy Law Review, October 2004, edited by Michael Geist, Copyright 2004.
Monday, November 01, 2004
The recent report by the BC Privacy Commissioner on privacy and outsourcing to US-controlled companies has led to questions in Australia:
Australian IT - US law raises privacy worries :
"THE South Australian Government has promised to review the access of US outsourcer Electronic Data Systems to information on citizens in the wake of a Canadian government report finding a 'reasonable possibility' of unathorised disclosure by US outsourcers to US government agencies.
A spokesman for Administrative Services Minister Michael Wright, who oversees the EDS whole-of-government outsourcing contract, said the the Government was 'taking the issue seriously'.... "
As alluded to above, much Australian government data processing is done by EDS. A related story, from Yahoo News, includes a statement from EDS that there has been no disclosure of Austrialian personal information to US authorities under the USA PATRIOT Act:
EDS denies breaching Privacy Act
"... The company's managing director Chris Mitchell says EDS is a corporate citizen and it complies with the Privacy Act of Australia.
"The US Government would have to talk to the Australian Government about superseding the laws of the land, that's all I can say," he said.
Mr Mitchell says the data for the Federal Government's accounts are dealt with in Australia and some other clients' data is processed offshore, but only with their agreement...."
The British Columbia Government and Service Employees' union's privacy campaign is using interesting advertising and leaflets, such as the attached. For info on the full campaign, visit their general anti-outsourcing page and the Right To Privacy Campaign site.
Over the weekend, I updated and added more content to my page of privacy resources, David T.S. Fraser's Privacy Law Resources. On the table of Canadian privacy legislation, I have added an annotation indicating the laws that have been declared by the federal Governor in Council to be substantially similar to PIPEDA.
I have also added a number of links to the national privacy regimes of the US, the UK, France and Germany:
- Public Sector
- Health Information
- Financial Information
- Gramm Leach Bliley Act (GLB) (PL 106-102) [Text] [PDF]
- Subtitle A: Disclosure of Nonpublic Personal Information - 15 U.S.C. § 6801-6809 (Financial Privacy)
- Subtitle B: Fraudulent Access to Financial Information - 15 U.S.C. § 6821-6827 (Pretexting)
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.