The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, December 31, 2004
Thanks to the series of articles in Canwest newspapers on privacy and surveillance that ran between Christmas and New Year's, I've been asked to be on a couple of radio shows at the beginning of next week. Tune in to Peter Anthony Holder's show on Monday night at 8:05pm (EST) on CJAD in Montreal (live radio feed here) or to the Bill Good show on Tuesday morning at 11:00am (PST) on CKNW in Vancouver (live radio feed here). I understand that there may be a call-in portion for both shows, so feel free to call with your privacy stories and questions. If they archive shows for posterity, I'll post a link.
The Globe and Mail is carrying a report that a boxer's medical information was released without his permission, perhaps having a significant impact upon his career. It is alleged that a clinic released neurological and MRI test results that showed cranial bleeding.
The Globe and Mail: Joe Mesi sues, alleging breach of privacy:
"Buffalo - Boxer Joe Mesi is suing a medical clinic and the New York State Athletic Commission, alleging they improperly distributed medical records that indicated he suffered multiple brain bleeds in his last fight...."
Thursday, December 30, 2004
Further to my earlier posting on the new US Government identity verification project (PIPEDA and Canadian Privacy Law: US Government developing standard for positive identification), the Washington Post is carrying an article that comments, among other things, on privacy objections to the new standard:
Single Government ID Moves Closer to Reality:
"....Some federal employees have concerns about the new cards.
Colleen M. Kelley, president of the National Treasury Employees Union, which represents more than 150,000 federal workers in 30 agencies, said the proposed standard would permit agencies to print employees' pay grade and rank on the new cards, which many workers would consider an invasion of privacy.
'For example, an agency might seize upon this technology as a means to track employees as they move throughout a building,' Kelley said in written comments to NIST last week. 'That is troubling, standing alone. It would be particularly objectionable if the agency tried to track visits to particular sites such as the union office, Employee Assistance Program offices and the inspector general's office.'
NIST has gathered comments on the draft standard from more than 500 entities and individuals but has not made them public.... "
I wonder how long it will take before this makes its way into IDs for civilians, such as passports and drivers' licences.
The New York Times circuits section is running an article entitled Tools to Make Your Hard Drive Forget Its Past. The title is a bit misleading, since it only lists the tools you need to reformat your drive to start from scratch with a fresh installation of your software.
If you really want to erase your hard drive to preserve the confidentiality of your information before you sell or ditch your PC, you need a toolkit that truly destroys the data that is written on the magnetic media. A number of products are available on the market that at least purport to meet rigorous standards, such as those set by the US Department of Defence (See Google Search: DoD 5220.22-M). The Canadian RCMP recommends, in their Hard Drive Secure Information Removal and Destruction Guidelines, that hard drives containing Secret or Top Secret data be disintegrated into itty bitty pieces (smaller than 1/4 of an inch).
Wednesday, December 29, 2004
The third article in the series of privacy articles by CanWest Global is now online from the Ottawa Citizen's site: Security-riddled schools more like 'correctional facilities': Instead of making students feel safer, an education professor argues extreme surveillance makes them feel like criminals, writes Sarah Schmidt.
Stuart Laidlaw has a very interesting article on customer surveillance at Canadian banks and the impact of the USA Patriot Act on their vigilance: TheStar.com - Banks up customer surveillance.
icWales has an article ("Privacy law is making hospitals lose patients") on the new practice of removing--in the name of privacy--patients' nameplates from above their beds and whiteboards from nursing stations. This has led to substandard care and literally losing patients, at least in Wales. The article cites a survey published in the British Medical Journal that examined the attitudes of patients to having their names made known in this way. (Ravindra Gudena, Stanley Luwemba, Amy Williams, and Lloyd R Jenkinson, Data protection gone too far: questionnaire survey of patients' and visitors' views about having their names displayed in hospital, BMJ, Dec 2004; 329: 1491.)
Based on a very simple questionnaire, most did not find the practice of posting patients' names was invasive of privacy and most felt that patient names should appear over their beds:
Responses of 243 patients and 215 visitors to questionnaires about patients in hospital having their names displayed. Values are numbers; percentages (95% confidence intervals)
| Question and response | Patients | Visitors | Totals |
| --- | --- | --- | --- |
| Have you seen the name board or not? | | | |
| Yes | 173; 71 (65 to 77) | 157; 73 (67 to 79) | 330; 72 (68 to 77) |
| No | 70; 29 (23 to 35) | 58; 27 (21 to 33) | 128; 28 (24 to 32) |
| Where should the name board be located? | | | |
| In the open | 182; 75 (70 to 80) | 160; 74 (69 to 80) | 342; 75 (70 to 79) |
| Hidden | 4; 2 (3 to 7) | 12; 6 (0 to 12) | 16; 3 (2 to 5) |
| No preference | 57; 23 (19 to 28) | 43; 20 (14 to 26) | 100; 22 (18 to 26) |
| Do you mind having your name displayed on the name board (or, does this infringe on patients' privacy?) | | | |
| Yes | 10; 4 (2 to 7) | 21; 10 (2 to 5) | 31; 7 (4 to 9) |
| No | 233; 96 (93 to 98) | 194; 90 (84 to 94) | 427; 93 (91 to 96) |
| Should patients' names be displayed above their beds? | | | |
| Yes | 236; 97 (95 to 99) | 201; 93 (90 to 97) | 437; 95 (94 to 97) |
| No | 7; 3 (5 to 8) | 14; 7 (3 to 10) | 21; 5 (3 to 7) |
This raises a number of questions about the wisdom of certain privacy laws and practices in the clinical environment. I wonder whether one can imply consent to having one's name posted over their bed if a good survey strongly suggests that the majority of patients don't object and, in fact, think that posting their names is a good idea. If you couple this with an opportunity to "opt out" on the admitting form, you should be able to satisfy most of the people most of the time.
The author of Sent.Org, aka [evL] blog, has an interesting and long posting that starts with a discussion of the privacy issues inherent in GPS capable cell phones, which leads into a broader discussion of privacy issues and routine law enforcement access to personal information. Rather than summarize it, I suggest taking a look at the blog posting itself:
:: [ evL ] Calling? :: sent.org :: [ evL ] blog :: sent :: [ evL ]:
"IF YOU PURCHASED A NEW CELLPHONE over the past 18 months or so, odds are that one of the features listed in small print on the side of the box was "E911 capable." Or, as in the case of my latest Motorola, "Location technology for piece [sic] of mind." Perhaps you asked the salesman to explain the feature, and he replied that it means that cops can home in on your phone in case of an emergency, a potentially important perk should you ever find your hand pinned beneath an immovable boulder in rural Utah, as Aron Ralston did recently. Assuming he could have gotten a signal, an E911-capable phone might have saved the young backpacker the pain of having to amputate his own arm.
What your salesman probably failed to tell you--and may not even realize--is that an E911-capable phone can give your wireless carrier continual updates on your location. The phone is embedded with a Global Positioning System chip, which can calculate your coordinates to within a few yards by receiving signals from satellites. GPS technology gave U.S. military commanders a vital edge during Gulf War II, and sailors and pilots depend on it as well. In the E911-capable phone, the GPS chip does not wait until it senses danger, springing to life when catastrophe strikes; it's switched on whenever your handset is powered up and is always ready to transmit your location data back to a wireless carrier's computers. Verizon or T-Mobile can figure out which manicurist you visit just as easily as they can pinpoint a stranded motorist on Highway 59.
So what's preventing them from doing so, at the behest of either direct marketers or, perhaps more chillingly, the police? Not the law, which is essentially mum on the subject of location-data privacy... "
Tuesday, December 28, 2004
Part two of the weeklong series of articles on privacy issues by Canwest reporter Richard Foot has been published in the Ottawa Citizen, Montreal Gazette, Vancouver Sun, etc. This part is on surveillance and the possibility of pervasive surveillance being coupled with facial recognition software.
They're watching you, and they know who you are (Ottawa Citizen):
"Biometric face recognition is about to change the way governments do business, and could remove our last shreds of anonymity, writes Richard Foot.
The Ottawa Citizen
December 28, 2004
In London, Ont., 16 video cameras mounted on traffic poles keep a 24-hour watch on downtown streets for the city's police. In New York City, more than 2,400 outdoor video cameras -- many operated by private companies -- gaze out over the streets of Manhattan alone.
'No matter what, walking through the world these days, you're going to end up on video camera,' says David Fraser, a Halifax privacy lawyer.
Public surveillance isn't a new phenomenon, but despite its creeping presence, Canadians have maintained a measure of anonymity when we venture outside our homes. Video cameras might be watching us in public places, but unless we're famous or infamous, they usually can't identify who we are.
A recent survey has confirmed what I've thought for some time: consumers will trade away their privacy at the drop of a hat. The study from Boston University surveyed a range of US consumers on their use and attitude to loyalty cards. Consumers will consistently trade their anonymity (and thus privacy) in exchange for discounts and other perceived benefits. This is even the case for those who are concerned about privacy (16% of those surveyed think about the personal information they are giving away each time they use their cards).
I'll try to find more information on the study, particularly the questions asked as part of the survey. I'm particularly curious if consumers selectively use their cards out of concern for the information that would be included in their profiles (for example, privacy-conscious consumers may not use their cards when they purchase items that may disclose too much personal information) and whether they really think about all the uses to which the information may be put.
The press release is reproduced in full below:
PRESS RELEASE: Grocery Store Loyalty Card Use is Strong Despite Privacy Concerns:
"New research from Boston University finds that 86% of adults carry a grocery store loyalty card and use it, even though cards give stores the right to track consumer purchases.
Boston, MA (PRWEB) December 28, 2004 -- Grocery store loyalty cards are more widespread than the Internet or the home computer: 86% of adults have at least one, most have more than one. Yet nearly half of the people who carry them didn’t know about the sophisticated web of tracking and marketing they were getting stuck in when they signed up. Is this a privacy bomb waiting to go off? No, according to results of a Fall 2004 study by a student research team at Boston University’s College of Communication. In an online survey of 515 adult supermarket shoppers the students found that even though privacy concerns are high, most cardholders agree that the benefits of using a loyalty card outweigh any infringement on personal privacy.
Grocery store loyalty cards are the credit card or keychain-sized cards with a barcode or magnetic stripe offered by most large supermarket chains. Chances are good you have at least one in your wallet or purse. When scanned at the cash register, the card unlocks special discounts offered to “loyal” members. In return for the savings, cardholders agree to allow the grocery store to track their purchases each time they shop. Grocery stores use this information to decide which products to carry, what prices to charge, and in some cases, to target consumers with specific coupons and promotions on behalf of grocery manufacturers.
Actual grocery store uses vary by store – some find the data analysis so time consuming they have chosen to abandon the cards altogether as PW Supermarkets, a small chain in Northern California, recently did. Still others have sophisticated systems for matching publicly available information about consumer households with the data collected at the cash register, a practice that infuriates privacy advocacy groups.
Does this tracking influence the consumer’s choice to use a discount card? A clear majority – 76% – of cardholders report that they use their grocery store loyalty card nearly every time they shop despite the fact that 52% also are concerned about how much of their personal information is collected by companies generally. Why do it, then? Sixty-nine percent of consumers report that the card benefits them in the form of lower prices and access to special promotions. And while seven in ten shoppers now know that grocery stores keep track of what they spend, only 16% think about this fact each time they use it.
“The fact that consumers – even those generally concerned about privacy – are willing to use these cards is testament to the fact that personal information is a commodity people are willing to trade with the right company for the right price,” explains Professor James McQuivey, who supervised the research project. No doubt this will only embolden supermarkets as they try to squeeze ever more dollars from a thin-margin retailing environment. What’s next? McQuivey offers, “Expect radio frequency identification embedded in the loyalty card of the future, an electronic tag that will identify you when you walk through the door, when you’re standing in front of the Pampers, and when you arrive at checkout. All with your permission, of course, and in exchange for a benefit grocery stores have yet to identify.”
About the survey
An online survey of 515 people 18 years of age and older was conducted during the last week of October 2004. As such it can only represent the two-thirds of households with Internet access. Sample was randomly drawn from a representative subgroup of participants in Survey Sampling International’s US online panel. The margin of error for a randomly drawn sample this size is +/-5%.
About the College of Communication at Boston University
The College of Communication at Boston University is home to the Communication Research Center where professors train undergraduate and graduate students in the science of consumer research and analysis. This project was designed by students under the supervision of Professor James McQuivey.
College of Communication
640 Commonwealth Ave
Boston, MA 02215
Monday, December 27, 2004
Canwest Global is doing a series of feature-length articles on privacy between Christmas and New Year. For the first one, I was "shadowed" by a reporter to look at the sorts of data that we leave in our wake as we go throughout our daily lives.
"Short of becoming a hermit, there's little Canadians can do to avoid the pervasive climate of surveillance that surrounds them, says Richard Foot. However, there is protection in knowing what information is sought, how it is collected, and why.
The Ottawa Citizen Monday, December 27, 2004
David Fraser walks out his front door on a midwinter morning bound for work. His movements and activities are under surveillance, tracked by networks of people and distant computers in his own city and around the planet.
Mr. Fraser isn't a wanted man, nor is he a foreign spy. He's an ordinary Canadian inhabiting a world so wired by ubiquitous technology that almost everything he does is monitored and measured in breathtaking detail.
Mr. Fraser, a Halifax privacy lawyer, isn't concerned about the surveillance itself. What worries him is that most Canadians simply don't know their lives are so closely watched by the silent eyes of business and government. Like federal privacy commissioner Jennifer Stoddart, he calls public ignorance about the vast, daily exchange of personal information the greatest threat to privacy in Canada today.
'The critical thing is that people must be aware of it,' Mr. Fraser says. 'Yet most people simply don't understand how much private information they leave behind them each day, during their ordinary routines.'...
Tomorrow: Biometric wizardry poised to remove last shreds of anonymity. Wednesday: School security: When safety concerns override privacy rights. Thursday: Your health records in cyberspace. Friday: Lives and habits of Canadian consumers up for grabs."
I'll post links to the stories as they appear online.
Sunday, December 26, 2004
The US Senate and House have passed the Video Voyeurism Prevention Act of 2004, which has been sent to President Bush for his signature. The law is restricted by the US federal government's limited jurisdiction, so it applies in federal facilities and areas of special federal jurisdiction. It makes it a federal crime to capture an image of an individual's "private area" when the individual has an expectation of privacy. CNN, among others, is running an AP article on the law:
CNN.com - New bill targets some peeping Toms - Dec 9, 2004:
"... The bill, which President Bush is expected to sign, would make it a crime to videotape or photograph the naked or underwear-covered private parts of a person without consent when the person has a reasonable expectation of privacy.
Conviction could lead to a fine of not more than $100,000 or imprisonment for up to one year, or both.
'Upskirting' and 'downblousing'
The measure got voice vote approval in both chambers of Congress -- the House on September 21 and the Senate on Tuesday.
The legislation would apply only in federal jurisdictions, such as federal buildings, national parks or military bases, but it carves out exceptions for law enforcement, intelligence and prison work...."
We've had a bill pending, on and off, to amend the Canadian criminal code to do the same thing. Unfortunately, it has fallen off the order paper at least once (See PIPEDA and Canadian Privacy Law: Article: Canada 'voyeur' bill still on shelf), but was reintroduced as Bill C-2 and is presently before committee. The text of the bill is here and its current status can be found here.
The proposed Canadian law is similar to the US one referred to above, except it also makes it an offence to distribute a recording produced as a result of an offence under subsection (1).
Because the Canadian federal government's criminal law jurisdiction is unlimited, the law will apply coast-to-coast in Canada.
Saturday, December 25, 2004
The Marshfield News Herald (Marshfield, WI) has an article on privacy and hospital records that also briefly discusses some patient attitudes to new processes and procedures:
Marshfield News Herald - Hospitals work on protecting digital records:
"...While the federal government has cracked down on medical privacy, some patients say they were not actually concerned their privacy was being invaded, be it from hackers or from employees within the health care system.
'I have no privacy issues at all, because I could care less if other people saw my medical records,' said Lisa Schilling, 32, of Marshfield. 'What do I have in there that is so good to see?'
Schilling said the HIPAA regulations are actually an inconvenience and would like to help her husband with his medical information 'without them making me sign a piece of paper. It's almost getting too carried away.'
Under HIPAA privacy rules, an individual can schedule an appointment for a spouse but cannot have access to information such as laboratory tests without express written consent from his or her spouse...."
The Electronic Privacy Information Center has released their top ten privacy resolutions for 2005:
EPIC Top Ten Privacy Resolutions for 2005
Top Ten Consumer Privacy Resolutions
Protect Your Privacy in The New Year!
1. Engage in "privacy self defense." Don't share any personal information with businesses unless it is absolutely necessary (for delivery of an item, etc.). Don't give your phone number, address, or name to retail stores. If you do, they can sell that information or use it for telemarketing and junk mail. If they ask for your information, say "it's none of your business," or give "John Doe, 555-1212, 123 Main St." Don't return product warranty cards. Don't complete consumer surveys even if they appear to be anonymous. Profilers can build in barely-perceptible codes that link you to the survey, and this data goes straight to direct marketers.
2. Pay with cash where possible. Electronic transactions leave a detailed dossier of your activities that can be accessed by the government or sold to telemarketers. Paying with cash is one of the best ways to protect privacy and stay out of debt.
3. Install anti-spyware, anti-virus, and firewall software on your computer. If your computer is connected to the Internet, it is a target of malicious viruses and spyware. There are free spyware-scanning utilities available online, and anti-virus software is probably a necessary investment if you own a Windows-based PC. Firewalls keep unwanted people out of your computer and detect when malicious software on your own machine tries to communicate with others.
4. Use a temporary rather than a permanent change of address. If you move in 2005, be sure to forward your mail by using a temporary change of address order rather than a permanent one. The junk mailers have access to the permanent change of address database; they use it to update their lists. By using the temporary change of address, you'll avoid unwanted junk mail.
5. Opt out of prescreened offers of credit. By calling 1-888-567-8688, you can stop receiving those annoying letters for credit and insurance offers. This is an important step for protecting your privacy, because those offers can be intercepted by identity thieves.
6. Choose Supermarkets that Don't Use Loyalty Cards. Be loyal to supermarkets that offer discounts without requiring enrollment in a loyalty club. If you have to use a supermarket shopping card, be sure to exchange it with your friends or with strangers.
7. Opt out of financial, insurance, and brokerage information sharing. Be sure to call all of your banks, insurance companies, and brokerage companies and ask to opt out of having your financial information shared. This will cut down on the telemarketing and junk mail that you receive.
8. Request a free copy of your credit report by visiting http://www.annualcreditreport.com. All Americans are now entitled to a free credit report from each of the three nationwide credit reporting agencies, Experian, Equifax, and Trans Union. You can engage in a free form of credit monitoring by requesting one of your three reports every four months. By staggering your request, you can check for errors regularly and identify potential problems in your credit report before you lose out on a loan or home purchase. Currently, these reports are available to residents of most western states. By September 2005, all Americans will have free access to their credit report.
9. Enroll all of your phone numbers in the Federal Trade Commission's Do-Not-Call Registry. The Do-Not-Call Registry (http://www.donotcall.gov or 1-888-382-1222) offers a quick and effective shield against unwanted telemarketing. Be sure to enroll the numbers for your wireless phones, too.
10. File a complaint. If you believe a company has violated your privacy, contact the Federal Trade Commission, your state Attorney General, and the Better Business Bureau. Successful investigations improve privacy protections for all consumers.
For more information about privacy, visit the Electronic Privacy Information Center at http://www.epic.org/
Slashdot has a discussion of the resolutions at Slashdot | Privacy Resolutions for the New Year.
Friday, December 24, 2004
Larry Ponemon, of the Ponemon Institute, has written a column on the top five privacy issues of 2005: Top 5 privacy issues for 2005 - Computerworld
Thursday, December 23, 2004
Privacy battles in the workplace are increasingly being fought over the newswires. Below is the latest, based on an allegedly hidden video camera at a Canadian prison:
Hidden video surveillance of correctional officers at Leclerc Institution; Correctional Service Canada wrongly blames union for its own illegal acts:
"MONTREAL, Dec. 23 /CNW Telbec/ - Following several media reports December 23, the Union of Canadian Correctional Officers (UCCO-SACC-CSN) is compelled to comment on the discovery of a hidden surveillance camera at Leclerc Institution, a medium-security penitentiary in Laval.
A correctional officer at Leclerc Institution discovered a video camera hidden in a defective emergency light during the evening of September 21, 2004. As soon as the officer moved the light, the preventive security officers and the assistant warden at Leclerc quickly intercepted him. They then lied to him about the purpose of the camera and threatened him with reprisals if he did not keep this discovery secret. He refused and was suspended without pay for seven days for having "damaged government material". The suspension has been grieved.
Following a meeting with the Acting Commissioner of Correctional Service Canada, Mr. Don Head, UCCO-SACC-CSN was satisfied that this was an isolated incident and would not be repeated. Mr. Head stated to the union that only he can authorize the installation of hidden electronic surveillance, and that he did not do so in this case, or at any other penal institution in Canada.
However, UCCO-SACC-CSN is now compelled to publicly comment following defamatory statements by Leclerc Assistant Warden Pierre Gauthier in the Dec. 23 edition of the Journal de Montréal. Mr. Gauthier stated the camera was installed to catch correctional officers in the act of vandalism and intimidating management staff. He also stated the camera respected the Privacy Act and CSC policies.
"Both statements are untrue," said Mr. Pierre Dumont, Quebec Region President of UCCO-SACC-CSN. "This camera was installed illegally, and UCCO-SACC-CSN has filed a complaint over the incident with the federal Privacy Commissioner, Ms. Jennifer Stoddart."
This case is all the more disturbing because it was followed by an incident at William Head Institution, a minimum-security penitentiary near Victoria, BC. Two CSC managers from this institution will face criminal charges in a trial beginning next month in Vancouver over a case of illegal electronic surveillance.
Both the BC and Quebec incidents are illegal attempts to harass the union representing correctional officers in Canada, notes UCCO-SACC-CSN National President Sylvain Martel. He said it is typical behaviour in a situation in which the federal government is refusing to negotiate a renewal to their labour agreement that has been expired since June 2002.
"Certain CSC managers believe themselves to be above the law," said Mr. Martel. "But this union will ensure that even CSC managers cannot break Canadian laws."
The Union of Canadian Correctional Officers (UCCO-SACC-CSN) is the official bargaining agent for 5,700 correctional officers in 54 federal institutions across Canada.
For further information: Lyle Stewart, CSN communications advisor, (514) 796-2066"
In light of the inflammatory language in the release, I'd just like to mention that I am simply quoting verbatim from the union's press release and I will happily publish a rebuttal from Corrections Canada.
Interesting stuff ...
More coverage: CBC Montreal - Guards want warden charged over spy camera
Wednesday, December 22, 2004
The family of a US Marine who was killed in action has been trying to persuade Yahoo! to provide them with access to his mail inbox. The grieving father is quoted by the Associated Press (via Yahoo!, ironically):
'I want to be able to remember him in his words. I know he thought he was doing what he needed to do. I want to have that for the future,' said John Ellsworth, Justin's father. 'It's the last thing I have of my son.'
But without the account's password, the request has been repeatedly denied. In addition, Yahoo! policy calls for erasing all accounts that are inactive for 90 days. Yahoo! also maintains that all users agree at sign-up that rights to a member's ID or contents within an account terminate upon death.
'While we sympathize with any grieving family, Yahoo! accounts and any contents therein are nontransferable' even after death, said Karen Mahon, a Yahoo! spokeswoman.
Since the story appeared, offers of help have poured in from lawyers and hackers. (See: Yahoo! News - Father Seeking Marine's E-Mail Gets Help)
I have mixed feelings about this one. On one hand, your executors act as your personal representative and get to rummage through all your stuff. Should e-mail be excluded from that? Shouldn't Yahoo! have to respond to the executor if presented with a duly certified copy of the late soldier's will? On the other hand, it may bother many people to think that your family may be able to view all your personal e-mails after your death. Perhaps people ought to think about dealing with these matters in their wills and giving directions to their e-mail providers for what to do after they are gone. One more thing to worry about, I guess.
Canada suffers under a tangle of privacy laws, some of which overlap and others that leave gaping holes. In some cases, a number of privacy laws may apply. Misdirected faxes with sensitive information in Alberta over the summer engaged both the Alberta Health Information Act and the Personal Information Protection and Electronic Documents Act, resulting in the first joint investigation and report from the federal and Alberta privacy commissioners. The report is also notable as the Federal Commissioner's report "names names".
The Federal Commissioner's finding is here:
Report: Misdirected faxes containing health information end up in apartment managers' hands - December 21, 2004
In July 2004, it was reported in the Edmonton Journal that a couple who managed an apartment building had received facsimile transmissions in error from various sources. These transmissions contained personal medical information.
The Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta collaborated in investigating this incident. It was determined that the couple received 10 facsimile transmissions from seven different companies. Some of these transmissions came under the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA). Two companies were responsible for these transmissions:
The following is a summary of the investigation into the incidents.
Summary of Investigation — Dynacare
One facsimile was sent erroneously by Dynacare, which operates medical laboratories, on January 19, 2004. It contained such personal information as the name, age, height, smoking habits, and patient number of an individual who had undergone testing by the company. Also included was a diagnosis and specific medical test results for the individual.
Once the company had been alerted to the privacy breach, it investigated the incident but was unable to determine who was directly responsible for the transmission. It was able to narrow responsibility, however, down to one of five individuals. Our Office confirmed that the facsimile was sent via manual transmission, in other words, the person who sent the facsimile manually keyed in the number.
All five individuals had signed an oath of confidentiality at the time of hiring, and were aware of the confidential nature of the medical records and the need to ensure that they are not inappropriately disclosed. These oaths had not been reviewed since they were signed. The company has developed a new form and will ensure that employees review and sign it annually.
Dynacare also implemented an electronic auto fax function on its computers. Facsimile numbers are entered into the system and checked for accuracy. If an employee wishes to send a facsimile, he or she will use the automated system. Such a measure should minimize the risk of regularly used numbers being misdialed. For numbers that are used infrequently or on a one-time basis (they are not programmed into the system), Dynacare provided employees with a set of instructions that are intended to ensure that they confirm the accuracy of the fax numbers before transmission.
Dynacare is in the process of revising its policies and procedures to ensure full compliance with all applicable legislation, including Alberta's Health Information Act and the PIPEDA.
Although Dynacare had not notified the individual whose personal information was on the facsimile, it indicated that it would consider doing so.
The Assistant Privacy Commissioner concluded that Dynacare disclosed personal information without consent, contrary to the provisions of PIPEDA.
Summary of Investigation — Viewpoint
Viewpoint is a medical organization that provides diagnosis consultation services. The facsimile in question, sent on April 14, 2004, was a medical evaluation. It contained the patient's name, age, occupation, detailed medical history, and also included information about the patient's children. The evaluation was sent by a medical consultant to a Viewpoint physician, who reviewed and made comments on the report. It was then supposed to be sent back to the consultant via facsimile. Two of the numbers, however, were transposed, and the facsimile was sent to the incorrect place. Although the Viewpoint physician made notes to the report, he was not responsible for its transmission and Viewpoint has not been able to determine who in fact sent the facsimile to the wrong number.
When the recipients of the facsimile contacted Viewpoint regarding the transmission they were told to destroy the documentation. Viewpoint indicated to our Office that in future, should any facsimile transmissions containing personal information be sent to the wrong number, Viewpoint will dispatch a courier to retrieve any such records. The company has also taken steps to have all facsimile numbers verified before transmission and has implemented measures to have any incidents reported to management.
As for the patient in question, Viewpoint indicated that it would be more appropriate for the medical consultant to contact the patient regarding the disclosure as they have a doctor-patient relationship.
The Assistant Commissioner concluded that Viewpoint contravened PIPEDA when it disclosed personal information without consent.
Recommendations made to Dynacare and Viewpoint
The Assistant Commissioner made the following recommendations to both companies:
- That the organizations implement and follow the OPC's recommendations with respect to the transmission of facsimiles as set out in the fact sheet Faxing Personal Information.
- That the organizations implement measures to notify individuals whose personal information has been inadvertently disclosed via misdirected facsimiles.
- That the organizations review and update employee confidentiality/privacy agreements on a yearly basis.
The press release from the Alberta Information and Privacy Commissioner is available in PDF at http://www.oipc.ab.ca/ims/client/upload/NR_H2004_IR_001_2.pdf and his report is here: http://www.oipc.ab.ca/ims/client/upload/H2004-IR-001.pdf
From the Edmonton Journal:
Clinics, doctors criticized for fax foul-ups: Privacy commissioner puts onus on offices to ensure information sent to correct number:
"EDMONTON - A new report from Alberta's privacy commissioner is a sharp reminder to health workers that careless faxes can put patient privacy in jeopardy.
Each day, hundreds of fax machines in medical clinics send patient information from one place to another. It's the standard way information is shared among doctors, therapists, laboratories and consultants.
On Tuesday, the commissioner's office released a 16-page report that found two local doctors and three clinics violated the Health Information Act by not handling faxes correctly.
The investigation was launched after The Journal reported in July that a local woman received more than 20 faxes with confidential medical information that were supposed to go to LifeMark Health Institute, a private medical consulting company. Nese Premakumran's fax number was one digit different from LifeMark's...."
Tuesday, December 21, 2004
I don't get the Wall Street Journal (online or offline), though I'd like to read the article referred to in this post on privacyspot.com:
The (Privacy) Gap: Popular Retailers Using Secret Cameras to Capture Information About Customers | PrivacySpot.com - Privacy Law and Data Protection:
"The Wall Street Journal (subscription required) reports that many popular retailers are using secret cameras to record, and sophisticated software to analyze, information about what happens in their stores. The cameras, which are different than your vanilla anti-shoplifting camera, are often completely hidden. And the images they record aren't reviewed by a sleepy security guard; they are reviewed by sophisticated computers that can differentiate people on the basis of age, gender, and race. This information is then aggregated into reports about who is shopping, who is browsing, and how they are reacting to items in the store. Interestingly, the data is also matched with information about credit card transactions to determine how much people are spending.
Predictably, retailers swear that the technology is innocuous because no information about particular individuals is recorded; however, the computers can read facial expressions down to the level of "fast-eye movement, smiles and frowns." The data may not be utilized to collect information about individuals at this stage, but there are no guarantees. The bigger problem, of course, is that this technology further erodes the distinction between private and public life. Every time we step outside our front doors, we are consenting to be viewed by other people. But while I may not care that someone knows I visited The Gap (which uses the technology) yesterday, I might care a lot that my facial expressions were recorded and stored in a database somewhere. Despite the fact that I am out in public, I carry expectations regarding a modicum of residual privacy that I will continue to enjoy. This includes not being photographed, analyzed, recorded, and data-mined in every store I visit. Unfortunately, people's expectations regarding privacy have not kept pace with recent advances in surveillance technology. This has led to the creation of a "privacy gap" that retailers are eager to exploit. Tellingly, the article notes that many stores do not want customers to know they utilize the technology. You see, it might make people feel "uncomfortable." No kidding."
This is the first I've heard of this technology, but it raises some interesting questions.
CIPPIC News - CIPPIC:
"On December 14, 2004, CIPPIC sent a formal complaint about Abika.com to the Federal Trade Commission in the United States, alleging violations of US law. We also responded to the Privacy Commissioner of Canada by way of a letter encouraging her to reconsider her staff's determination that they could not investigate companies located wholly in the USA. After discussions with the Office of the Privacy Commissioner, we filed another complaint against Abika.com under PIPEDA on December 20, 2004."
For the background to this second complaint, see PIPEDA and Canadian Privacy Law: CIPPIC complaint raises a number of novel and interesting issues and PIPEDA and Canadian Privacy Law: Jurisdictional limitations on Canadian privacy law.
This is hot off the presses. With no statutory right to privacy in Ontario (unlike Alberta and British Columbia), an arbitrator has decided that the "reasonableness" test that has ordinarily applied to determine the admissibility of video surveillance evidence may not be warranted. It is worth asking if the admission of video surveillance is really any different from admitting the testimony of the private investigator who took the video. Should the fact that it is more persuasive make it more difficult to admit?
2004 CarswellOnt 5241
Hotel-Dieu Grace Hospital v. CAW-Canada, Local 2458
Ontario Arbitration Board
Heard: July 15, 2004
Heard: October 14, 2004
Judgment: November 2, 2004
1 The grievor was discharged on the basis of video surveillance evidence. This is an interim award regarding the admissibility of that video evidence.
IV. Union Position
8 The Union submitted that the Employer could only use this video evidence if:
1. It was reasonable for the Employer to request surveillance;
2. The surveillance was conducted in a reasonable manner; and,
3. There were no other alternatives open to the Employer to obtain this evidence.
9 The Union submitted that the arbitration cases indicated that video of an employee was an intrusion that should not be taken lightly, that an Employer needed to have reasonable grounds to decide to engage in surveillance of an employee and, if the Employer did not have reasonable grounds, the video evidence should be rejected. The Union reviewed several awards and adopted the arguments contained in them.
10 As for reasonable grounds, the Union said the cases made clear that mere suspicion was inadequate. The Union said there were no reasonable grounds to use surveillance in this case. To allow the Employer to use video evidence without first subjecting that evidence to the above reasonableness test would shift the balance of power in favour of the Employer. In summary, the Union said it made sound labour relations sense to use the test of reasonableness in assessing video surveillance evidence.
V. Employer Position
12 The Employer said there was no legal reason to require the Employer to have reasonable grounds to engage in surveillance and there was no proper basis to refuse to admit the video evidence from that surveillance.
13 The Employer referred to Section 48 (12) (f) of the Labour Relations Act, 1995 dealing with admissibility of evidence and said that an examination of that provision indicated that the video was admissible. The Employer submitted that the arbitration cases upon which it relied indicated that the cases cited by the Union have not been followed in recent years. The Employer reviewed both the Union's and its own cases in detail and urged me to follow the approach found in its cases.
15 In summary, the Employer said that, absent a collective agreement or statutory provision, an Employer can engage in surveillance of an employee and use the video from that surveillance in arbitration. There was no basis for subjecting the issue of admissibility of this video evidence to a special test.
Should there be an additional reasonableness test for surveillance video?
32 Notwithstanding that this evidence is relevant to a material issue, and would be admissible applying the statute, the Union said that there was a line of arbitration cases which took a different approach. The Union submitted that those cases held that video evidence should only be admitted in an arbitration if that evidence also passed the reasonableness test. Although there are conflicting decisions of Ontario arbitrators on this point, the Union is correct that in the decisions upon which it relied the arbitrators subjected the introduction of video surveillance to the reasonableness test. There are minor differences in those tests but the key points are:
1. The employer had to have acted reasonably in deciding to place the employee under surveillance; and,
2. The Employer had to have conducted the actual surveillance in a reasonable manner.
33 I note that the reasonableness test appears to have been used in Ontario only for video evidence. Before the days of video, and currently as well, this Employer could have hired a detective to conduct similar surreptitious surveillance away from the work place, make notes on what was observed and take still photographs, and then testify in an arbitration from his or her memory aided by the notes and still photographs. I am aware of no suggestion that such evidence has been subjected to the reasonableness test in an arbitration under the Labour Relations Act.
34 From the awards before me it is clear that this reasonableness test for the admissibility of video evidence was first used in British Columbia in Re Doman Forest Products Ltd. and I.W.A., Loc. 1-357 (1990), 13 L.A.C. (4th) 275 (Vickers), a case discussed in several of the awards relied upon by the parties. At that time British Columbia had a statute providing for a right of privacy and Arbitrator Vickers took the view that, among other things, surveillance conflicted with the employee's statutory right of privacy. In reconciling the employer's right to prove its case through relevant evidence with the employee's statutory privacy right to be free from surveillance, the arbitrator adopted the reasonableness test. If the surveillance was unreasonable under the privacy legislation, the resulting video evidence was not admitted.
35 A similar test was used in Manitoba, where there was also a statutory right to privacy, in Re New Flyer Industries Ltd. (supra). Arbitrator Chapman cited with approval an earlier decision of Arbitrator Peltz between the same parties (the Mogg case) and, at page 63 of his award, Arbitrator Chapman quoted from Arbitrator Peltz' earlier award where the existence of a statutory right to privacy is relied upon. Although Arbitrator Chapman does not specify the source of the statutory right, at page 146 of his award in Re Canadian Timken Ltd. (supra), Arbitrator Welling indicates that the right to privacy in Manitoba was found in the Privacy Act, R.S.M. 1987, c. P125.
36 A similar test was used in Ross v. Rosedale Transport Ltd. (supra), a dispute under federal jurisdiction, to balance an employee's privacy rights found in the federal Personal Information Protection and Electronic Documents Act with the employer's right to prove its case through relevant evidence.
37 In each of those jurisdictions there is a statutory right of privacy and I have no issue with the reasonableness test being applied to balance an employee's right of privacy with an employer's right to prove its case through relevant evidence.
38 But I do have difficulty with the use of a reasonableness test where there is no right of privacy. A reasonableness test has been used in Ontario - see, for example, two cases cited by the Union, Re Toronto Transit Commission (Saltman) (supra) and Re Labatt Ontario Breweries (supra) - where there is no statutory right to privacy. In subjecting videotape evidence to a reasonableness test Arbitrators Saltman and Brandt applied a different approach from that normally used in assessing the admissibility of evidence.
39 In examining the reasonableness test of Arbitrators Saltman and Brandt in the above cases, a test also applied by some other Ontario arbitrators, it is important to note that the use of the reasonableness test for the admission of videotape evidence has been criticized and firmly rejected in a number of later cases - see, for example, Re Kimberly-Clark Inc. (Bendel) (supra); Re Toronto Transit Commission (Solomatenko) (supra); and Re Canadian Timken Ltd. (Welling) (supra) cited by the Employer. (I note that while Arbitrator Bendel's award was released in 1996, prior to Arbitrator Saltman's 1997 award, it was not published in Labour Arbitration Cases until 1998 and was not mentioned in Arbitrator Saltman's award.)
40 The initial and primary basis for the use of the reasonableness test for the admissibility of video evidence has been a concern about privacy. The use of the reasonableness test as a means of balancing privacy expectations or concerns (there being no right to privacy) with the right to lead relevant evidence has been fully and ably reviewed in the three awards by Arbitrators Bendel, Solomatenko and Welling (supra) and I do not intend to repeat that analysis. Although the analysis in those three cases varies in some details, each rejects the reliance on privacy as a basis for using the reasonableness test for the admissibility of video evidence.
41 As there is no right of privacy in Ontario, this reasonableness test, originally designed to balance rights, has to be carefully examined. Since it is not needed to balance competing rights, and has been persuasively rejected by other arbitrators, why might I adopt it?
42 Some of the cases (including cases not relied upon by the Union but referred to in the various awards) suggest alternative rationales for using the reasonableness test and subjecting video evidence, particularly video evidence resulting from surveillance, to heightened scrutiny. But those alternative bases (reliance on values in the Canadian Charter of Rights and Freedoms, analogy with cases on searching employees, and safeguarding the integrity and credibility of the arbitration process) are also examined by Arbitrators Bendel, Solomatenko and Welling in Re Kimberly-Clark Inc. (supra); Re Toronto Transit Commission (supra); and Re Canadian Timken Ltd. (supra), respectively, and persuasively rejected.
43 I can find no basis in the arbitration awards relied upon by the parties to persuade me to adopt a reasonableness test for the admissibility of this video evidence. In particular, I reject the primary ground advanced for this test - privacy - as a basis for using the reasonableness test. I also reject the other reasons which have been advanced - reliance on values in the Canadian Charter of Rights and Freedoms, analogy with cases on searching employees, and safeguarding the integrity and credibility of the arbitration process. Nothing in those awards persuades me that a special test is needed to determine the admissibility of video evidence.
44 The Union offered further policy reasons for adopting the reasonableness test. The Union submitted that to allow the Employer to use video evidence without subjecting that evidence to the reasonableness test would shift the balance in favour of the Employer. The Union also submitted that it made sound labour relations sense to use the test of reasonableness in assessing surveillance evidence. The Union did not provide specifics, but I understood that the submissions flowed from:
1. The idea that employees have an expectation of privacy, even if not a right; and,
2. The distaste which some people have regarding an employer conducting surreptitious surveillance.
45 The Union urged me to shift the balance, and to uphold sound labour relations values, by subjecting the video evidence to the reasonableness test.
46 I do not think that my subjective perception about a need to shift the balance of power between the parties, or the balance between the Employer and the grievor, is a sound basis for a decision to reject relevant evidence, or to subject this evidence to the additional reasonableness test.
47 Moreover, the fact that some people find this practice of surreptitious video surveillance offensive does not, in my view, carry any weight in determining the admissibility of the video evidence. Improvements in technology have enhanced the ability of a "sleuth" to record what an employee has done away from the work place but, as I noted earlier, it has long been possible to engage in surveillance and testify about what was observed. I do not see that the recent use of video has created a shift in the balance of power which should be corrected, even assuming that correcting a shift in the balance of power was a sound basis for determining admissibility. In my view, because the evidence is clearer, more detailed, and thus perhaps more persuasive, the possibility of video evidence has, at most, simply prompted employers to more frequently exercise a power which employers have long possessed.
48 While I have concluded that shifting the balance of power is not a proper basis for determining the admissibility of this video evidence, I would note that if the Union wishes to shift the balance of power it is able to do so in the bargaining process. The parties' collective agreement is their current agreement in terms of the allocation of power between the two of them. It is clearly possible for a collective agreement to address this issue and to indicate an approach to the admissibility of video evidence which an arbitrator would be required to apply. But there was no suggestion of anything in the parties' existing collective agreement which would assist in resolving the issue before me on the admissibility of this video evidence. ....
Below is a press-release issued by the CAW today:
Canada NewsWire - CAW to charge CN for threats to whistleblower:
"TORONTO, Dec. 21 /CNW/ - The Canadian Auto Workers union will file charges against Canadian National Railway for threatening to discipline a union representative who exposed CN's hidden surveillance cameras at its Winnipeg repair shops.
Les Lilley, the union chairperson representing 600 CAW members and a CN employee for more than 34 years, has been summoned to a disciplinary hearing to be held this afternoon. The allegations, which include 'insubordination,' could carry severe penalties ranging up to dismissal.
On November 24, workers in the Transcona Wheel Shop discovered a hidden surveillance camera in an air duct. Last Thursday, Queen's Bench Justice Wallace Darichuk granted the CAW's request for an injunction prohibiting CN from using all but four cameras in its Transcona Shops complex, and restricting the use of those four cameras to the protection of workers' safety. Les Lilley conducted the in-house investigation which brought the evidence of covert surveillance to light.
'The charges against Les are outrageous,' said CAW Local 100 Prairie Region vice-president Dennis Wray. 'CN is using intimidation and reprisal tactics to muzzle whistleblowers and divert attention from its own actions. This is the same disturbing pattern of corporate behaviour which helped trigger a month-long strike of 4,500 CAW members last winter.'
The CAW will charge CN under a section of the Canada Labour Code which bars employers from interfering with legitimate union activities. "Other charges may also be laid," said CAW national representative Abe Rosner in Montreal, "considering the proximity of the threats to the issuance of the court injunction."
Last week the union filed a grievance as well as a formal complaint to the federal Privacy Commissioner accusing CN of spying on Wheel Shop workers contrary to federal legislation and asking for punitive damages for loss of dignity and invasion of privacy. Those matters will be heard over the coming months."
No suggestion of looking for charges under PIPEDA's whistleblower provisions.
Update: See also Winnipeg Sun: NEWS - CN union to grieve hearing (2004.12.22)
Monday, December 20, 2004
A FOX station in the Pacific Northwest is carrying the following story:
FOX 12 OREGON Conflict with law enforcement:
"WENATCHEE, Wash. Last spring a Douglas County man shot himself in the hand while cleaning his gun.
He was treated at a hospital that did not report the incident to law enforcement because of privacy law.
Douglas County Sheriff Dan LaRoche heard about it weeks later and said it should have been investigated, although he believes it was an accident.
The incident is an example of how the privacy law (Health Insurance Portability and Accountability Act -- known as HIPAA) can hamper law enforcement.
A spokeswoman for the Washington State Hospital Association, Cassie Sauer, says the year-old law has strained the working relationship between health care workers and police in some areas of the state. (Wenatchee World)"
In Alberta, the Health Information Act allows healthcare providers to tell the cops, but only if the person has not told the hospital not to: "Doc, don't tell the cops about my seven gunshot wounds."
Saturday, December 18, 2004
OTTAWA -- Highly sensitive personal, military and national security information held by the Canadian government is accessible to U.S. authorities under the Patriot Act, according to a document obtained Friday.
A team of Canadian government lawyers studied the vulnerability of top-secret data after a controversy broke out in B.C. earlier this year over whether British Columbians' personal medical records were being put at risk due to the provincial government's plan to contract out services to a U.S.-owned firm.
The federal lawyers agreed with B.C. privacy commissioner David Loukidelis that the Patriot Act, enacted after the 2001 terrorist attacks in New York, gives the U.S. government enormous ability to probe into the databases of American companies that do business with Canadian governments.
"Their preliminary findings indicate that the Federal Bureau of Investigation could require an American corporation under the U.S. Patriot Act to disclose information under its control, including information held by its Canadian subsidiaries," wrote Mark Seely, an official with Public Works and Government Services Canada, in a July 22, 2004 e-mail to more than two dozen Public Works officials....
Friday, December 17, 2004
In another interesting turn of events, an Alberta public servant has requested that the Federal Privacy Commissioner investigate the breach of privacy connected to the discovery of hundreds of files of bureaucrats' personal information in Alberta. This is in addition to an investigation conducted by the Alberta Commissioner, the report for which was released this week (see PIPEDA and Canadian Privacy Law: Alberta Commissioner releases report on incident involving sensitive info of senior public servants).
Feds called in:
"A top Alberta bureaucrat burned in the recent leak of private credit data from the provincial government's staff-screening process has sicced Ottawa's privacy watchdog on the case. The bureaucrat, who has asked not to be named, said he's filed a request for an investigation by the federal Office of the Privacy Commissioner.
The commission office couldn't confirm the request yesterday. 'We get about 19,000 requests a year, [!]' said a spokesman.
Although provincial Information and Privacy Commissioner Frank Work released his own report on the Trans Union affair this week, the federal office may also have jurisdiction - since the screening process involved the Canadian Security Intelligence Service.
The screening process was launched by the Klein government last year to guard against fraud or security breaches by top bureaucrats. It included criminal background and credit checks, along with a CSIS 'vulnerability risk screening.' ...."
For background, see:
I haven't found a copy of the decision in this matter, so I only have the following news report to go on...
It appears that the union representing workers at the Canadian National Railway yard in Winnipeg has sought an injunction to prevent the railway from using hidden cameras in a machine shop (see CN Rail turns on hidden cameras to investigate vandalism). The court, according to the Winnipeg Sun, granted the injunction in part: the railway can only use the cameras in the interests of safety, not for any discipline proceedings. If the judge relied on PIPEDA, which is not clear from the report below, it would be the first case of its kind.
Winnipeg Sun: NEWS - Partial victory for union:
"CN limited to four cameras
By KATHLEEN MARTENS, BUSINESS REPORTER
A judge has given CN Rail workers in Winnipeg a partial victory in their fight to kill hidden cameras watching them work. Queen's Bench Justice Wallace Darichuk yesterday granted an interim injunction sought by Canadian Auto Workers Local 100 on behalf of 90 members at the Transcona Wheel Shop.
Injury or death
His order, effective immediately, limits the railway to using four ceiling cameras in the interests of safety only -- not for suspicions about productivity or sabotage.
Darichuk said he was swayed by the railway's argument that unexplained breakdowns of equipment could cause injury or death. Court heard wheel mechanisms repaired in the shop have broken down up to five times a day this month and that's why CN brought in the cameras and turned them on Dec. 7. ..."
Thursday, December 16, 2004
SecurityFocus HOME News: Long prison term for Lowe's wi-fi hacker:
"A 21-year-old Michigan man was sentenced to nine years in federal prison Wednesday in federal court in Charlotte, North Carolina for his role in a failed scheme to steal credit card numbers from the Lowe's chain of home improvement stores by taking advantage of an unsecured wi-fi network at a store in suburban Detroit.
Brian Salcedo faced a possible sentence of 12 to 15 years under federal sentencing guidelines, but at the government's urging federal judge Lacy Thornburgh gave the hacker credit for helping out his former victim following his guilty plea last June, according to the prosecutor on the case.
'He provided assistance to Lowe's,' says assistant U.S. attorney Matthew Martens. 'He met with the corporation to help them understand the vulnerabilities in their system and how they can improve and protect themselves from hackers in the future.'
Salcedo's partner in the caper, 21-year-old Adam Botbyl, has also pleaded guilty, and was sentenced Thursday to 26 months in prison followed by two years of court supervised release. In an interview last August, Botbyl told SecurityFocus he regretted participating in the scheme. 'It's going to take a lot to start to get my reputation back,' he said. 'This has messed up my entire life for at least 10 or 15 years.' ..."
This is the first week that I've thought it would be easier to blog about who isn't complaining to the Office of the Privacy Commissioner ...
A Vancouver man is taking his complaint about foreign outsourcing of student loans to the Privacy Commissioner, according to the Georgia Straight:
Straight.com: Student-Debt Activist Seeks Privacy Probe:
"A Vancouver man has asked the federal privacy commissioner to investigate the outsourcing of Canada student loans to a U.S.-owned company. Mark O'Meara, founder of the www.canadastudentdebt.ca/ Web site, claimed that as a result of a recent corporate takeover, Nebraska-based Nelnet has access to all federal student debtors' personal information and financial data.
On December 6, Nelnet announced that its wholly owned Canadian subsidiary had completed its purchase of a CIBC subsidiary, Edulinx Canada Corp., which administers the Canada Student Loans Program on behalf of the federal government. According to Human Resources and Skills Development Canada, more than 1.8 million students have borrowed approximately $15.6 billion through the Canada Student Loans Program since 1993.
In an e-mail to the Straight, O'Meara stated that the federal privacy commissioner should examine whether student-loan data is now subject to the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism). Under Section 215 of the act, the FBI is permitted to obtain secret court orders to obtain "any tangible things".
On October 29, provincial Information and Privacy Commissioner David Loukidelis released a report concluding that there is a "reasonable possibility" of unauthorized disclosure of personal information under the USA PATRIOT Act. He issued numerous recommendations to mitigate this risk.
O'Meara claimed that the federal privacy commissioner's office never responded to his e-mail asking for an investigation. Federal Privacy Commissioner Jennifer Stoddart also did not respond to the Straight's request for an interview by deadline.
Nelnet's Nebraska-based spokesperson, Ben Kiser, told the Straight that nothing will change for students and borrowers as a result of the change in ownership. "Edulinx will remain a Canadian firm with operations in Canada," he said. "That means all processing, call-centre, data-storage, records-storage, and other student-loan functions will continue to take place exclusively in Canada."
Last August, however, the American Civil Liberties Union filed a submission to Loukidelis claiming that the FBI could obtain personal records stored by a subsidiary of a U.S. corporation operating in another country. In one instance, a U.S. grand jury subpoenaed a foreign-bank employee while he was on U.S. soil. In a separate submission filed by the B.C. Government and Service Employees' Union, ACLU lawyer Jameel Jaffer claimed that the USA PATRIOT Act could enable the FBI to obtain entire databases of personal records without notifying anyone."
Wednesday, December 15, 2004
Yahoo! News - Privacy commissioner investigating new Rogers 'negative option' complaint:
"Communications consultant Michael Krauss complained in September about a fine-print section of the company's service agreement that requires cellphone customers to fill out an online form or contact a customer service representative to prevent Rogers from disseminating information to other Rogers companies for telemarketing. 'I have commenced an investigation under the Personal Information Protection and Electronic Documents Act (PIPEDA) that Rogers Wireless is allegedly using negative consent when obtaining customers' permission to collect, use and disclose their personal information,' senior privacy investigator Kasia Krzymien told Krauss in a letter dated last Friday...."
Following the incident in which sensitive personal information of senior public servants was found in the course of a drug bust (see Article: Dumpster-diving meth-heads collect info for ID thieves and Incident: Massive leak of personal information in Edmonton, Alberta), the Alberta Information and Privacy Commissioner has released his report. The breach originated with the private contractor, the investigation found, but the government didn't do enough to obtain privacy assurances:
Government 'dropped ball' on security breach:
"The Klein government is not living up to its own rules regarding the security of personal information it collects, charge Opposition Liberals. Edmonton Manning Grit MLA Dan Backs said a report prepared by the privacy commissioner's office into the discovery of personal documents pertaining to senior government officials in a city hotel room last month shows the government is 'failing miserably' in its duties.
'The government really dropped the ball on this one,' Backs said yesterday. 'The government ministers responsible (for the Solicitor General department and Personnel Administration Office) are failing miserably in their responsibility to protect the privacy of Albertans.' However, the report states the leak did not occur at the government level, but rather with TransUnion Credit Information Services Inc., a credit-reporting agency...."
Monday, December 13, 2004
Canada's privacy law is already hobbled by the constitutional division of power. For example, as a federal law, it cannot apply to the provincially regulated workplace. But, theoretically, it can apply outside of Canada's border. This has been the theoretical position of officials from the Office of the Privacy Commissioner. However, when dealing with an actual complaint, the Commissioner did not extend the federal privacy law to an organization entirely outside of Canada.
Michael Geist, in his weekly Toronto Star column, reports on an as-yet unpublished finding of the Commissioner that concludes that the law cannot regulate the use of Canadian personal information that is in the hands of an organization that has no presence in this country:
TheStar.com - CIBC breach spotlights hole in privacy law:
"...According to a recent unpublished letter from the privacy commissioner, the answer is unfortunately no. The Commissioner has adopted the position that Canada's privacy legislation stops at the border and that her office does not have the power to investigate companies that do not have a physical presence in Canada.
The letter was issued in response to a complaint launched by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Abika.com, a U.S. company that harvests databases and public reports. The company uses the information to produce reports that allegedly include, in some cases, psychosexual profiles. CIPPIC filed its complaint in June, claiming that Abika collects, uses, and discloses the personal information of Canadians without their consent in violation of Canada's national privacy law.
The privacy commissioner's office responded privately to Canadian Internet Policy and Public Interest Clinic two weeks ago. It noted that the company does not have a physical presence in Canada and therefore concluded that 'while the organization may well be collecting information on Canadians, our legislation does not extend to investigating organizations located only in the United States. We are, therefore, unable to investigate this matter under PIPEDA' (the Personal Information Protection and Electronic Documents Act, Canada's national privacy law that governs how businesses collect and use personal information)...."
I tend to agree with Michael ... the Privacy Commissioner could have asserted jurisdiction and then dealt with the challenges of enforcement. This would at least have left the complainant with the ability to take the finding to the Federal Court of Canada to see if a real remedy could be fashioned.
Under traditional principles of international law, there are six bases on which a country such as Canada can assume jurisdiction to proscribe the actions of individuals and companies. (In most cases, these principles have arisen in the criminal law context but there is no reason to believe the Canadian courts would not apply them.) Four of the bases for jurisdiction are relevant to this discussion:
- Territorial Principle – A state has the jurisdiction to regulate individuals and subjects within its territory, including internal waters and airspace. This is the primary and most universal base for jurisdiction.
- Nationality Principle – Civil law countries have traditionally asserted jurisdiction over their nationals, regardless of where they may be located.
- Passive Personality Principle – States have assumed jurisdiction over crimes committed abroad against their nationals.
- By Agreement – A country may, by agreement, grant another country jurisdiction over certain persons or subjects within its borders.
Traditionally, the territorial principle has been the most persuasive and widely applied. This is based on the fundamental principle of international sovereignty that a state has absolute jurisdiction over "all persons, citizens and aliens alike, and things within its territory."
The Supreme Court of Canada’s decision in Libman v. The Queen is the leading Canadian authority on the issue of how and when a Canadian court may assert jurisdiction. Libman dealt with a "telemarketing scam" where the calls originated from Canada but were made to residents of the United States. Justice LaForest, who delivered the judgment of the unanimous court, recited the relevant facts:
3 During the period covered by the informations, Mr. Libman operated a telephone sales solicitation room (or "boiler room") at 43 Menin Road in Toronto, where a number of individuals were employed as telephone sales personnel. Pursuant to Mr. Libman's directions the sales personnel telephoned United States residents and attempted to induce them to purchase shares in two companies, Hebilla Mining Corporation and Claravella Corporation, which purported to be engaged in gold mining in Costa Rica. In addition to the telephone representations, the United States residents also received promotional material which was mailed from Panama City, Panama and San José, Costa Rica by associates of Mr. Libman.
4 The telephone sales personnel, on the direction of Mr. Libman, made material misrepresentations with respect to their identity, where they were telephoning from, and the quality and value of the shares they were selling. As a result of these misrepresentations, a large number of United States residents were induced to purchase shares in the two mining companies. There was some evidence tendered at the preliminary inquiry from which it could be inferred that these shares were virtually worthless.
5 The United States residents who agreed to purchase shares were told by the telephone sales personnel to send their money to offices operated by Mr. Libman's associates in either San José, Costa Rica or Panama City, Panama. There was evidence tendered that Mr. Libman went to a location outside Canada, usually Costa Rica or Panama, to meet with his associates and receive his share of the proceeds of the sale of the shares. Mr. Libman then brought this money back to Toronto and distributed a portion of it to his sales personnel. There was also evidence tendered at the preliminary inquiry with respect to the wire transfer of monies from Panama City to Mr. Libman in Toronto.
The appellant, Mr. Libman, was charged in Canada with fraud under the Criminal Code. In his defence, the appellant argued that Canada did not have the jurisdiction to prosecute him for the offence as the deprivation of the victim is the essential element of the offence and, if it did occur at all, it did not occur in Canada.
Justice LaForest began with the essential principle of territorial jurisdiction:
11 The primary basis of criminal jurisdiction is territorial. The reasons for this are obvious. States ordinarily have little interest in prohibiting activities that occur abroad and they are, as well, hesitant to incur the displeasure of other states by indiscriminate attempts to control activities that take place wholly within the boundaries of those other countries; see R. v. Martin,  2 All E.R. 86, at p. 92. … As well, along with other types of protective measures, states increasingly exercise jurisdiction over criminal behaviour in other states that has harmful consequences within their own territory or jurisdiction; see The Lotus (1927), P.C.I.J., Ser. A., No. 10. It follows from this that the same criminal act may occasionally be subject to prosecution in more than one country, a matter to which I shall refer from time to time.
The analysis is relatively straightforward where all the elements and effects of an alleged offence are within the bounds of the prosecuting state: Territorial and subject matter jurisdiction unambiguously provide that state with sufficient grounds to assert jurisdiction. In fact, it would be difficult for another state to attempt to exert jurisdiction. Matters become much more complicated when transnational activities are in question:
After surveying the threads of English and Canadian jurisprudence, LaForest J. concluded that a Canadian court may assert jurisdiction in circumstances where there is a "real and substantial link" between the offence and Canada:
16 The cases reveal several possibilities, of which I mention a few. One is to assume that jurisdiction lies in the country where the act is planned or initiated. Other possibilities include the place where the impact of an offence is felt, where it is initiated, where it is completed, or again where the gravamen, or essential element of the offence took place. It is also possible to maintain that any country where a substantial or any part of the chain of events constituting an offence takes place may take jurisdiction.
17 Though counsel for Mr. Libman argued that exclusive jurisdiction belongs to the country where the gravamen of the offence took place or where it was completed, a review of the English authorities does not really support that position. What it shows is that the courts have taken different stances at different times and the general result, as several writers have stated, is one of doctrinal confusion, a confusion compounded by the fact that the discussion often focuses on the specific offence charged, a discussion made more complicated by the further fact that some offences are aimed at the act committed and others at the result of that act.
74 I might summarize my approach to the limits of territoriality in this way. As I see it, all that is necessary to make an offence subject to the jurisdiction of our courts is that a significant portion of the activities constituting that offence took place in Canada. As it is put by modern academics, it is sufficient that there be a “real and substantial link” between an offence and this country, a test well-known in public and private international law; see Williams and Castel, supra; Hall, supra. As Professor Hall notes (p. 277), this does not require legislation. It was the courts after all that defined the manner in which the doctrine of territoriality applied, and the test proposed simply amounts to a revival of the earlier way of formulating the principle. It is in fact the test that best reconciles all the cases. The only ones that do not fall within it are those like Harden and Rush which, in my view, should no longer be followed.
75 That this approach is attuned to modern times is evident from the fact that some variant of it has been recommended by numerous law reform bodies or adopted in legislation…
76 Just what may constitute a real and substantial link in a particular case, I need not explore. There were ample links here. The outer limits of the test may, however, well be coterminous with the requirements of international comity.
77 As I have already noted, in some of the early cases the English courts tended to express a narrow view of the territorial application of English law so as to ensure that they did not unduly infringe on the jurisdiction of other states. However, even as early as the late 19th century, following the invention and development of modern means of communication, they began to exercise criminal jurisdiction over transnational transactions as long as a significant part of the chain of action occurred in England. Since then means of communications have proliferated at an accelerating pace and the common interests of states have grown proportionately. Under these circumstances, the notion of comity, which means no more nor less than “kindly and considerate behaviour towards others”, has also evolved. How considerate is it of the interests of the United States in this case to permit criminals based in this country to prey on its citizens? How does it conform to its interests or to ours for us to permit such activities when law enforcement agencies in both countries have developed cooperative schemes to prevent and prosecute those engaged in such activities? To ask these questions is to answer them. No issue of comity is involved here. In this regard, I make mine the words of Lord Diplock in Treacy v. Director of Public Prosecutions cited earlier. I also agree with the sentiments expressed by Lord Salmon in Director of Public Prosecutions v. Doot, supra, that we should not be indifferent to the protection of the public in other countries. In a shrinking world, we are all our brother's keepers. In the criminal arena this is underlined by the international cooperative schemes that have been developed among national law enforcement bodies.
78 For these reasons, I have no difficulty in holding on the facts agreed upon for the purpose of this appeal, that the counts of fraud with which the appellant is charged may properly be prosecuted in Canada, and I see nothing in the requirements of international comity that would dictate that this country refrain from exercising its jurisdiction. Since these fraudulent activities took place in Canada, it follows for the reasons set forth in the Chapman case that the conspiracy count may also be proceeded with in Canada.
It goes without saying that evolving privacy and data protection laws are not identical to criminal law, either domestically or internationally. However, analogies are easily made and there is an evolving international cooperative scheme, beginning with the OECD Guidelines.
As the basis for Canada to claim jurisdiction requires a "real and substantial link" between the activity and Canada, one must consider whether the collection of personal information about Canadians by foreign companies, or the collection of information about non-Canadians by a Canadian company, would be considered to provide a "real and substantial link" to Canada. The facts in Libman are sufficiently analogous to provide authority for the proposition that a court on review would likely find a “real and substantial link” between such activities and Canadian jurisdiction, notwithstanding any argument that the connection is de minimis.
The Personal Information Protection and Electronic Documents Act sets out, at Section 4, the basis of its application:
4. (1) This Part applies to every organization in respect of personal information that
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
(2) This Part does not apply to
(a) any government institution to which the Privacy Act applies;
(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or
(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.
*(3) Every provision of this Part applies despite any provision, enacted after this subsection comes into force, of any other Act of Parliament, unless the other Act expressly declares that that provision operates despite the provision of this Part.
The application section is entirely silent with respect to its intended territorial application. The only references to specific jurisdictions are contained in the transitional provisions and the definition of "federal work, undertaking or business". The transition provisions begin with Section 30:
30. (1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.
(1.1) This Part does not apply to any organization in respect of personal health information that it collects, uses or discloses.
*(2) Subsection (1) ceases to have effect three years after the day on which this section comes into force.
*[Note: Section 30 in force January 1, 2001, see SI/2000-29.]
*(2.1) Subsection (1.1) ceases to have effect one year after the day on which this section comes into force.
*[Note: Section 30 in force January 1, 2001, see SI/2000-29.]
These provisions are temporary (and expired on January 1, 2004), as they assist with the gradual implementation of the legislation, providing individual provinces with the ability to put in place substantially similar legislation during the period in which the law only applies to the federally regulated private sector and cross-border sales of information. It may be notable that the cross-border reference says "outside the province" and not "to another province".
In the absence of clear guidance from the statute, one can interpret it to apply in all circumstances where there exists a "real and substantial link" to Canada, following the Supreme Court's guidance in Libman. In any event, there is nothing in the statute that would prevent Canada from assuming jurisdiction in the circumstances set out above.
In the past, officials with the Office of the Privacy Commissioner have advised that the Commissioner likely would assume jurisdiction where the collection of personal information is about Canadians or Canadian residents or where the collection originates in Canada. This appears to no longer be the case. Not only would the collection take place "in Canada", the Commissioner’s office used to be of the view that PIPEDA is part of an international scheme of privacy protection that could reach over borders.
The Privacy Commissioner has an arguable basis to make this second assertion and assume jurisdiction. As mentioned above, Canada implemented PIPEDA following the OECD Guidelines and in light of threatened restrictions on cross-border data flows caused by the EU Directive. Recital 20 of the EU Directive reads:
(20) Whereas the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice;
The EU Directive is implemented, for example, in the United Kingdom's Data Protection Act 1998, under which the statute would apply if, say, a call centre contacting Canadians were located in the United Kingdom:
Application of Act.
5. - (1) Except as otherwise provided by or under section 54, this Act applies to a data controller in respect of any data only if-
(a) the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or
(b) the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.
(2) A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in the United Kingdom.
(3) For the purposes of subsections (1) and (2), each of the following is to be treated as established in the United Kingdom-
(a) an individual who is ordinarily resident in the United Kingdom,
(b) a body incorporated under the law of, or of any part of, the United Kingdom,
(c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and
(d) any person who does not fall within paragraph (a), (b) or (c) but maintains in the United Kingdom-
(i) an office, branch or agency through which he carries on any activity, or
(ii) a regular practice;
and the reference to establishment in any other EEA State has a corresponding meaning.
While Canada is obviously not bound by the EU Directive, it appears to be the spirit of PIPEDA that the Canadian law fit within this general scheme of international data protection.
This may be academic, as this no longer appears to be the position of the Office of the Privacy Commissioner.
Saturday, December 11, 2004
Bruce Schneier, one of the leading thinkers on security, has recently had some interesting things to say about privacy. In my experience, most IT-types usually think about privacy as being primarily a security issue: you keep information private by keeping the baddies out. But privacy is more than that. It's about giving people control over their own personal information....
Schneier on Security: The Digital Person:
"Last week, I stayed at the St. Regis hotel in Washington, DC. It was my first visit, and the management gave me a questionnaire, asking me things like my birthday, my spouse's name and birthday, my anniversary, and my favorite fruits, drinks, and sweets. The purpose was clear; the hotel wanted to be able to offer me a more personalized service the next time I visited. And it was a purpose I agreed with; I wanted more personalized service. But I was very uneasy about filling out the form.
It wasn't that the information was particularly private. I make no secret of my birthday, or anniversary, or food preferences. Much of that information is even floating around the Web somewhere. Secrecy wasn't the issue.
The issue was control. In the United States, information about a person is owned by the person who collects it, not by the person it is about. There are specific exceptions in the law, but they're few and far between. There are no broad data protection laws, as you find in the European Union. There are no Privacy Commissioners, as you find in Canada. Privacy law in the United States is largely about secrecy: if the information is not secret, there's little you can do to control its dissemination...."
If you aren't a regular reader of Schneier on Security, I highly recommend adding it to your blogroll.
"BURNABY, BC, Dec. 10 /CNW/ - SuperPages(TM) announced today that it has relaunched the People Finder portion of its SuperPages.ca Web site, following upgrades to the security features of the online residential listings service.
SuperPages(TM) placed its extensive People Finder service back online at 11.00am this morning. SuperPages.ca removed the residential listing service Wednesday afternoon because an updating tool that allowed users to change their address and email information was not fully secure. The Business Finder service, which lists 1.3 million businesses nationally, was not affected by the security issue or loss of service.
In order to ensure that users' residential information remains secure, SuperPages.ca has now removed the updating tool from the People Finder service.
'Our customers' privacy and security is of utmost importance to us at SuperPages.ca,' said Todd Millar, the president of SuperPages(TM). 'We took the People Finder service offline after we became aware that the potential to change residential listing information still existed.'
SuperPages.ca's People Finder function provides users with access to 11.7 million residential listings in Canada and 1.5 million residential listings in British Columbia. With several million searches each month on the People Finder Service, SuperPages.ca is Western Canada's premier online directory.
'I can assure all of our SuperPages.ca users that our residential listing information remains both accurate and secure,' said Millar."
Thursday, December 09, 2004
Here's a head-scratcher. A prisoner in a US jail, facing deportation to Canada, was given highly sensitive information about a number of Albertans so he could apparently prepare to fight the extradition order. The prisoner may be accused of a savage beating, but at least he knows that he probably shouldn't have the info:
"Skinhead Daniel Sims has in his U.S. jail cell the SIN numbers of staff of the Edmonton law firm that sued him after he beat former broadcaster Keith Rutherford so badly he lost an eye. The SIN numbers - including that of high-profile Edmonton lawyer Tom Engel - are included in a 1,000-page immigration file Sims obtained this week from American authorities as he battles deportation back to Canada.
Sims said the documents include financial information such as total income, taxes paid and Canada Pension Plan contributions made by Engel and his wife in 2001 - two years after Rutherford's lawsuit was concluded.
'I got this from the U.S. Attorney's office but because the file is so big they didn't notice,' said Sims, 33, from his Kern County jail cell in Bakersfield, California.
'As far as me and Tom Engel, there's no way I should have this. I don't really want it.' ...."
The Information and Privacy Commissioner of Alberta says he'll investigate if he receives a complaint.
Perhaps spurred by the coverage of the CIBC faxing incidents, more people are contacting the media to report having received misdirected bank faxes. And it is not just CIBC that is affected as CTV.ca reports: CTV.ca | More people report receiving bank faxes. Also, check out the video of their television reports on the right-hand column of the page.
Everyone would be well advised to read the Alberta Information and Privacy Commissioner's fact sheet on faxing sensitive medical information: "Guidelines on Facsimile Transmission".
Wednesday, December 08, 2004
Both the Toronto Star and CTV are carrying stories predicting that long-awaited "do not call" legislation is on the way, sooner rather than later.
CTV.ca | Canadian do-not-call legislation coming: report:
"By the end of next week, Canadian lawmakers could be considering a bill aimed at ending the scourge of unwanted phone calls from telemarketers.
According to a report in The Toronto Star, legislation to create a national do-not-call registry similar to one already launched in the United States is expected to be tabled before the end of next week.
The bill is expected to bar telemarketers from calling anyone on the list, unless they have established a pre-existing relationship. That means someone who's requested information about a specific service can be contacted.
Previous legislation that would have allowed Canadians to register with such a list died with the last federal election call.
Under current Canadian Radio-television and Telecommunications Commission regulations, telemarketing agencies must maintain their own registry of people not wishing to be called. Numbers appearing on those lists can't be faxed or phoned for three years....."
And from the Toronto Star:
TheStar.com - National 'do-not-call' registry likely:
"The Liberal government is widely expected to introduce legislation next week that would create a national do-not-call registry, giving Canadian households the option of shielding themselves from unwanted telemarketing calls.
A similar registry was introduced with great fanfare last year in the United States and has already attracted more than 66 million households. Government and industry sources said a bill is likely to be tabled before the House of Commons breaks next week for the holidays, but could be delayed until it sits again in late January.
'I am convinced now that they have every intent of doing it, and doing it very soon,' said John Gustavson, president of the Canadian Marketing Association, which has supported a national registry since 2001. 'We think it's the right way to go, and we think it will be valuable information for marketers and valuable relief for consumers.'...."
As a complete aside, I find it interesting that Canadian marketing organizations, unlike their US counterparts, favour DNC laws and privacy laws.
Even if the organization is 100% benevolent and trustworthy, you still need to be concerned about the employees. Case in point: three (former -- hopefully!) employees of the Red Cross have been indicted for stealing the identities of 40 blood donors, using information collected during corporate blood drives:
Three indicted in identity theft scheme victimizing blood donors:
"A Red Cross employee and two other people were accused Friday of stealing the identities of about 40 blood donors and using the information to obtain about $268,000 in cash and merchandise.... "
The last month has been rich pickings for observers of privacy in Canada. The country's leading media outlets have had an abundance of coverage of privacy issues. Today, it is the Globe and Mail with an article on biometrics in the workplace, focusing on the use of fingerprint devices to authenticate and log users onto their systems. Or, in this case, their cash registers:
The Globe and Mail: Print scans: retail tool or invasion of privacy?:
"When Carly Johannesson takes her post at the IDA drugstore's cash register in Medicine Hat, Alta., she places her finger on a small pad that reads the fingerprint and electronically gives her access to the system.
With that simple tap, she finds herself on the front lines of one of the more contentious retailing issues: whether employers' use of fingerprint scans is another smart business tool or a move by Big Brother to gather data that some believe should remain private.
'It has tremendous potential, especially in terms of speeding up processes and internal security,' says Gary Joachim, co-owner of the Medicine Hat pharmacy, which implemented the system a few months ago. 'As employers, we're tied to a lot of confidential information from our employees, like social insurance numbers. This is just one more thing that's added to the kettle of confidential information.'
Computer users are tapping into fingerprint identification more frequently to log on to their terminals, but now the technology is arriving in the retail sector, opening up new opportunities and issues for those in the field....."
Labels: information breaches
The newswires are carrying a report that CIBC's fax problems weren't only with a junkyard in West Virginia.
Report:2nd Man Received Confidential CIBC Data -CP :
"Wednesday December 8, 3:34 AM EST
NEW YORK (Dow Jones)--A second businessman says the Canadian Imperial Bank of Commerce (CM.T) has been faxing him confidential customer information for several years -the second such privacy breach revealed in less than two weeks, the Montreal Gazette reported on Wednesday, according to the Canadian Press.
Local businessman Stephen Oakes told the Gazette the CIBC has been sending private information about its customers to his toll-free number for four years, CP reported.
Oakes estimates he has received 24 CIBC faxes since 2000, containing names, home addresses, social insurance numbers and bank plan account numbers, CP reported. ..."
For the background to this story, see "PIPEDA and Canadian Privacy Law: Misdirected fax saga continues" and the news reports it links to.
Full points to the Toronto Star for its very strong coverage of privacy issues.
A column in today's edition discusses the privacy problems associated with companies that continue to print the full debit and credit card numbers on receipts and, more importantly, the huge lack of resources hampering the responsiveness of the Office of the Privacy Commissioner. The OPC, under PIPEDA, has up to a year to issue a finding and it appears to be taking about that long. Michael Geist's complaint, blogged about in "Privacy Commissioner issues first spam decision under the Personal Information Protection and Electronic Documents Act (PIPEDA)", was filed in February of this year and took about ten months to result in a finding. See the Star's column:
TheStar.com - It's up to the public to enforce privacy law:
"When Denise Ranger ordered Chinese food recently, she was shocked to see her credit card number and expiry date printed in large type on the receipt - along with her address and telephone number.
'Any person could take my telephone number, go to the Internet, find my full name and shop to their heart's content, or even take my identity,' she says.
When she called the office of the Privacy Commissioner of Canada, she found something equally shocking: It would take up to a year to investigate her complaint.
The privacy commissioner's office is short-staffed. It has only one person handling calls from the public.
Renee Couturier, a privacy commission spokeswoman, didn't realize the call centre was down to one full-time staff member until I asked her to double-check.
'We had five inquiry officers at our peak,' she says. 'When we have critical periods, we have to pull people from other areas to assist.' ...."
As soon as it came to my attention, I added Michael Fitzgibbon's fantastic blog Management Updates: Thoughts from a Management Lawyer to my blogroll. He consistently has very high quality analysis and insights on important issues that affect all employers. (He's also a charter member of the Canadian legal blogging community.)
Needless to say, I wholeheartedly agree with his post that privacy is consistently one of the hot topics of 2004. I just hope it will continue to be so in 2005! Check it out: Privacy - The 'Hot' Topic of 2004?
Labels: information breaches
DRM personal privacy threat:
"p2pnet.net News:- Jennifer Stoddart, Canada's privacy commissioner, says she's about to, "become involved in the process to amend Canada's copyright laws".
Her statement came in response to a CIPPIC (Canadian Internet Policy and Public Interest Clinic) request to address privacy implications of proposed copyright legislation.
In it, Stoddart said she would, 'oppose legislation or legislative amendments that conferred unjustified privacy-invasive surveillance powers upon digital copyright holders,' going on: 'However, we have not as yet been consulted by either Heritage Canada or Industry Canada officials regarding the proposed legislation referred to in your letter. I have instructed my staff to initiate a dialogue with these departments to ensure that privacy risks are identified and addressed.' ..."
Winnipeg Sun: NEWS - CN spying: union:
"Operating four hidden cameras
By KATHLEEN MARTENS, BUSINESS REPORTER
CN Rail has now turned on four hidden cameras in its Transcona Wheel Yard, the Canadian Auto Workers union says. The news is a blow to the union, which had been fighting to get the company to disconnect the covert surveillance discovered two weeks ago.
A maintenance-area worker found one camera in the ceiling and the union contacted the media about the find. The railway confirmed publicly there were two cameras that had not yet been activated trained on an area where repair work was under investigation.
Union spokesman Dennis Wray said he received a letter from CN yesterday saying four cameras were now running.
'The members are upset,' said Wray, who is CAW Local 100 vice-president for the Prairie region."
Tuesday, December 07, 2004
The Ontario government has released an apology and an account for what happened in the most recent breach of privacy that involved 27,000 government benefits recipients:
Update On Disclosure Of Personal Information :
Government Apologizes And Takes Immediate Steps To Correct Computer Error
TORONTO, Dec. 6 /CNW/ - On behalf of the Ontario government, Gerry Phillips, Chair of Management Board of Cabinet, today repeated his apology to recipients of cheques from the Ontario Child Care Supplement for Working Families Program whose privacy was breached last week. The breach, which affects approximately 27,000 people, resulted from an error that caused the stub portion of the cheques to include the name, address and an identifier that includes the SIN number of another client.
Phillips has stressed that the Ontario government will take every action possible to help prevent the recurrence of such incidents in the future.
This disclosure of personal information about another recipient was caused by a cheque-printing error that occurred during the implementation of a computer software upgrade. These cheques were dated November 30, 2004, and were part of a run of approximately 27,000. The approximately 86,000 people who receive payments by direct bank deposit were not affected.
While there were many people affected, the personal information of any single recipient is only included on one other cheque stub.
Once ministry staff learned of the nature and scope of the problem on the evening of December 2, government cheque production and distribution were stopped.
On December 3, the government informed the Information and Privacy Commissioner and all MPPs of the breach. Government officials worked with the Information and Privacy Commissioner and others to determine the most appropriate way to assist the affected individuals.
On the weekend, letters of apology were prepared for all Ontario Child Care Supplement clients affected by this breach. At 7 a.m. today, the letters were given to Canada Post for delivery.
Based on advice from the Information and Privacy Commissioner, the government has asked people affected by this to destroy any personal information they received which does not belong to them. As a precautionary measure, the government has recommended that cheque recipients monitor and verify all bank accounts, credit card and other financial transaction statements for any suspicious activity.
Government officials have identified the problem, fixed and tested its computer cheque systems, and been assured that these systems will operate properly.
Officials have also taken steps to ensure that no problems have arisen in other computer cheque systems. These systems are operating correctly, cheque processing has resumed, and no backlog is expected.
The government has implemented additional quality assurance measures and will continue to update appropriate technical and procedural measures to ensure the highest standards for safeguarding personal information.
The government welcomes and will cooperate fully with the Information and Privacy Commissioner during any investigation into this matter.
In addition to seeking the Commissioner's advice, the government is conducting an internal audit into this breach to determine precisely what happened and why.
The government sincerely regrets the breach of privacy."
I just received a pointer to a story in the Vancouver Sun about an interesting glitch that appears to allow anyone to alter any directory listing on the SuperPages online phone directory. The site is available from myTelus.com. Not a good thing. I expect that Telus has had enough of dealing with the Privacy Commissioner as of late.
I just went to www.mytelus.com and it looked like I could change the info of my west coast relatives. Not that I would ...
The story is available on the Vancouver Sun website, but they expire their content quickly.
SuperPages glitch lets anyone alter your listing
"Fancy an address in Shaughnessy? Or do you dream about moving your boss to Timbuktu?
A security glitch in SuperPages' online listings allows anyone to change the telephone number, address and other personal information of any listing and the edited version will show up in the SuperPages and myTelus.com listings for subscribers across Canada.
A similar loophole in www.SuperPages.com allows users to do the same for U.S. listings, although unlike SuperPages.ca, the U.S. site doesn't permit telephone-number changes.
Jonas Abersbach, who runs his own tech-support company, SupportLINK Systems, discovered the glitch when he went online to change his company's SuperPages listing.
SuperPages is the Telus directory that handles both the online and print white pages and classified directory.
Making the change requires some deception. Abersbach found that, by using a free e-mail account and a password of his own invention, he could not only change his own information, he could change others' as well.
"If you do it properly you can use the same computer to update many listings," said Abersbach, who started his company at the age of 17 and ran it part time while he completed a computer-science degree at the University of B.C. "Thousands of records could be corrupted. What's maybe more of a problem, for example, is the address of the police chief could be changed or added, or his name could be slandered, or he could be given a middle name -- and the same for government figures, political figures or famous people.
"Their privacy is infringed upon. Everybody's privacy is infringed upon."
Abersbach said he took his concerns to SuperPages because he was worried any savvy hacker could create a program to wreak havoc with the online database. He said someone with knowledge could write a program in a couple of days that could override the SuperPages condition allowing only two updates per e-mail address.
"You could write a program to register an e-mail address online and use a different e-mail address after every two updates," he said.
Abersbach said after two weeks it appeared SuperPages had updated one of its servers to prevent the unauthorized editing, but anyone clicking on the site could be directed to a server that still had the glitch.
I tested SuperPage's security, first giving our business editor an address on Dante's Ave. in Hades and then moving him to: 1234 Vancouver Sun St., Pouce Coupe, B.C., H0H0H0, with the phone number 604-123-4567...."
Labels: information breaches
Slashdot has a discussion about privacy, profiling and Abika.com, an American company that was recently the subject of a complaint to the Office of the Privacy Commissioner (see: CIPPIC complaint raises a number of novel and interesting issues). The discussion was kicked off by a profile of the founder of the company in the Times of India: Now, invasion of Pravasi privacy. Interesting reading, all of it.
Labels: information breaches
The Medical Post has a good article on how the BC Children's Hospital has been providing patients and their parents liberal access to medical records without disruption, while also fostering trust and better communication: MedicalPost.com: B.C. hospital giving patients unprecedented chart access.
Labels: information breaches
Michael Geist, of the University of Ottawa and member of the federal SPAM Task Force, has instigated the first finding of the Office of the Privacy Commissioner related to spam. Not only is it the first decision of its kind, it also concludes that business e-mail addresses are not included in the so-called "business card exception" to the definition of "personal information" and that the harvesting of e-mail addresses from an organization's website does not allow the use of the consent exception that applies to "publicly available information".
The "business card exception" relies on the definition of "personal information" under s. 2 of PIPEDA:
"personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
The Assistant Privacy Commissioner, in the written finding to Professor Geist, concludes that because business e-mail addresses are not listed in the definition, they are not excluded from the definition.
The "publicly available information" exception is contained in s. 7 of PIPEDA:
Collection without knowledge or consent
7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if
(d) the information is publicly available and is specified by the regulations.
Use without knowledge or consent
(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if
(c.1) it is publicly available and is specified by the regulations;
The key provision in this case is contained in the regulation that stipulates that one can only use "publicly available information" for the purposes for which it was made available to the public in the first place:
(b) personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the directory, listing or notice;
In this case, the Assistant Commissioner concluded that Professor Geist's e-mail address was posted on the University of Ottawa website to further the interests of the University. This purpose did not include receiving solicitations to buy sports tickets.
I will be interested to see if Professor Geist will take this matter to the Federal Court to provide us a more definitive conclusion on these important points.
See, also, a very good article on this incident at the Toronto Star: Football club broke email privacy rules.
Monday, December 06, 2004
After the recent incident that saw personal information of 27,000 Ontarians disclosed (see: Another privacy breach to round out the week, et seq), the government of Ontario has switched to damage control mode. Interestingly, the Chairman of Ontario's Management Board says there is no threat of identity theft or fraud from the incident:
Government insists no threat of identity theft after release of personal data:
"TORONTO -- There's no serious threat of identity theft after the government mistakenly sent out 27,000 provincial cheques with the wrong names and social insurance numbers attached, Management Board Chairman Gerry Phillips insisted Monday.
''We know exactly who got the name of the next person,'' Phillips told the legislature. ''I think that frankly eliminates any possibility of theft or fraud in this case.''...."
Sunday, December 05, 2004
The “Personal Identity Verification for Federal Employees and Contractors” briefing was developed in response to the Homeland Security Presidential Directive (HSPD-12). The directive sets a policy for a common identification standard for Federal employees and contractors. It also establishes the high level requirements to be satisfied in the Personal Identity Verification standard.
The following information is intended to convey current thinking regarding the NIST response to the HSPD. The concept and design decisions contained herein are tentative and subject to change in the course of consultations with affected Federal government departments and agencies.
A general threat facing government agencies is the unauthorized access to physical facilities or logical assets under the protection umbrella of the PIV system and in which a PIV card is employed in access control processes. Specific examples of threats to government resources include the following:
- Cardholder makes improper use of a valid card
- Counterfeit cards are used to intercept or gain access to stored information
- Stolen or borrowed cards are used to gain unauthorized access
- PIN information is captured / intercepted through passive surveillance
- Lower sensitivity rated cards are used to gain access to more sensitive and critical assets.
HSPD-12 mandates a government-wide standard for secure and reliable forms of identification. The policy further defines the following criteria for a secure and reliable form of identification. The identification standard (PIV FIPS 201) will be:
- Based on sound criteria to verify an individual employee’s identity
- Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
- Rapidly verifiable electronically
- Issued by providers whose reliability has been established by an official accreditation process
- Applicable to all government organizations and contractors
- Used to grant access to Federally controlled facilities and information systems
- Flexible enough for agencies to select the appropriate security level for each application by providing graduated criteria from least secure to most secure
- Not applicable to identification associated with national security systems
- Implemented in a manner that protects citizens’ privacy
The program working paper is available at http://csrc.nist.gov/piv-project/Papers/Narration-PIV-Briefing10-1.doc and a slideshow from the project briefing is available at http://csrc.nist.gov/piv-project/Papers/PIV-BriefingSept16-2004.pdf.
Thanks to Privacy Digest for the pointer.
Saturday, December 04, 2004
After it was revealed that 27,000 benefits cheques were distributed along with social insurance numbers and addresses of other benefits recipients, the opposition Conservative Party is calling for the resignation of Ontario's finance minister, Greg Sorbara. I don't expect it will happen, but this is further evidence of how a glitch that was likely caused by a lower-level employee can have huge repercussions for an organization:
The Globe and Mail: Tories call for finance minister to step down pending privacy investigation:
"Toronto - The province's finance minister should step aside over an embarrassing security lapse, Conservative Leader John Tory said Saturday.
Mr. Tory called on the premier to ask Greg Sorbara to step down while the privacy commissioner investigates how the social insurance numbers of 27,000 people were accidentally released last week...."
Labels: information breaches
The Globe and Mail, in today's edition, has more information on the most recent breach of privacy to hit the presses:
The Globe and Mail: Province apologizes in privacy snafu:
"The Ontario government appears to have made a major privacy gaffe, mailing out thousands of cheques this week that included wrong names and social insurance numbers.
Government officials said yesterday that as many as 27,000 cheques were sent out with incorrect confidential information.
Ontario Management Board chairman Gerry Phillips blames human error and a new computer system for the security lapse.
'I take this matter extremely seriously and apologize on behalf of the government for this unacceptable release of personal information,' Mr. Phillips said. 'I want to assure the public that government officials have identified the cause of the problem and have taken steps to ensure this does not happen again.'
The cheques were issued with the correct names of the recipients, but the cheque stub contained the name of someone else as well as a social insurance number and home address.
The cheques were part of the Ontario government's child-care supplement for working families.
The issuing bank for the cheques was the Canadian Imperial Bank of Commerce, which was implicated in a separate privacy breach last week that involved the transmission of confidential bank customer data to a business in West Virginia.
'CIBC is not in any way involved in this error made by the Ontario Ministry of Finance,' bank spokeswoman Susan McDougall said in a statement. Ministry officials were also quick to stress that the CIBC played no part in the error."
Labels: information breaches
Friday, December 03, 2004
CTV News is reporting another Canadian privacy breach apparently caused by a computer glitch. Apparently, twenty-seven thousand welfare cheques were distributed this week with the social insurance numbers of others written on them. Once again, apologies are the order of the day:
CTV.ca | Personal info released on Ont. benefit cheques:
"The Ontario government is apologizing for an embarrassing security lapse that accidentally disclosed the social insurance numbers of 27,000 people in the province.
The error occurred when the latest run of Ontario child-care supplement cheques went out with stubs attached that included the wrong name, address and SIN, said Management Board Chairman Gerry Phillips.
'I want to begin by apologizing to those 27,000 people,'' Philips said late Friday. 'This is unacceptable.''...."
Labels: information breaches
There has been no shortage of criticism of the Personal Information Protection and Electronic Documents Act (PIPEDA). Some say it is simply weird for incorporating an external standard (in this case the Canadian Standards Association Model Code for the Protection of Personal Information). Some say it is hard to follow because it is full of principles rather than rules. Others think it is unmanageable. Others say it is toothless.
One thing that most agree on is that there is an important provision that was simply forgotten: there is nothing in the law that would allow the disclosure of a customer list either as a prelude to or in the course of a business acquisition. Theoretically, you can't disclose a customer list as part of due diligence, nor can you provide details of key employees (if the company in question is a federal work, undertaking or business) unless you have the consent of the individuals concerned.
One exception to the consent rule is that you can disclose personal information without consent if the disclosure is:
"7(3)(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;"
Some clever insolvency practitioners have taken advantage of paragraph 7(3)(c) in PIPEDA and the huge discretion given to judges under the Companies' Creditors Arrangement Act (CCAA) to deal with this problem when the anticipated acquisition is related to the court-supervised sale of a business under the CCAA. A recent order of the Quebec Superior Court in Re Strategy First Inc. includes a reference to PIPEDA and gives the court's blessing to due diligence disclosure and post-closing disclosure of personal information:
" ORDERS that, pursuant to subparagraph 7(3)(c) of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5, the Petitioner is permitted in the course of these proceedings to disclose personal information of identifiable individuals in its possession or control to stakeholders or prospective investors, financiers, buyers or strategic partners and to their advisers (individually, a 'Third Party'), to the extent desirable or required to negotiate and complete the Restructuring or the preparation and implementation of the Plan or a transaction in furtherance thereof, provided that the Persons to whom such personal information is disclosed enter into confidentiality agreements with the Petitioner binding them to maintain and protect the privacy of such information and to limit the use of such information to the extent necessary to complete the transaction or Restructuring then under negotiation. Upon the completion of the use of personal information for the limited purpose set out herein, the personal information shall be returned to the Petitioner or destroyed. In the event that a Third Party acquires personal information as part of the Restructuring or the preparation and implementation of the Plan or a transaction in furtherance thereof, such Third Party shall be entitled to continue to use the personal information in a manner which is in all material respects identical to the prior use of such personal information by the Petitioner;"
One additional aspect of interest is that the Order requires acquirors to use the personal information in the manner in which it was used by the original custodian.
Ok, one more interesting thing: The order was made by the Quebec court. Presumably, it was dealing with a Quebec company that is not a federal work, undertaking or business. But ... PIPEDA doesn't apply in Quebec to such companies, but I guess it doesn't hurt to throw it in.
The Industry Canada Task Force on Spam has released a consensus document that includes nine "best practices" for ISPs and network players for the reduction of spam. From the IC press-release:
Task Force on Spam Achieves Consensus for Best Practices to Reduce Spam:
"OTTAWA, December 3, 2004 - The Honourable David L. Emerson, Minister of Industry, today congratulated members of the Government of Canada's Task Force on Spam for agreeing to a series of best practices that should help reduce spam before it reaches the end-user.
The Task Force met with key stakeholders today to review the progress of An Anti-Spam Action Plan for Canada. Announced last May, the action plan is a joint government and private sector effort to reduce and control spam. Increased public awareness, international collaboration, industry best practices and regulatory measures are all being addressed.
"The Task Force is six months into its mandate and the fact that such a disparate group of private sector players, ranging from small Internet service providers to large corporations, has agreed to a common standard is worthy of praise," said Minister Emerson. "It shows our mutual commitment to reducing spam."
Among the best practices the industry leaders have agreed to follow are that Internet service providers (ISPs) and other network operators should block e-mail file attachments with specific extensions known to carry infections, or filter e-mail file attachments based on content properties.
Industry-wide practices of this kind are a world first, representing a product of consensus among Canada's largest and smallest ISPs, network operators, large enterprise users, software developers, anti-spam advocates and Industry Canada.
The Task Force also unveiled an Internet-based communications campaign, including a common logo and Web site, to raise public awareness on steps that users can take to limit and control the volume of spam they receive.
"Public education and awareness are critical tools in our fight against spam," said Suzanne Morin, Co-chair of the Public Education and Awareness Working Group. "We point out a number of straightforward measures that consumers can take to help protect themselves and fight spam."
Unsolicited commercial e-mail, generally known as spam, has become a major problem globally, accounting for approximately two thirds of e-mails circulating on the Internet. The majority of spam originates outside Canada and therefore outside of Canadian jurisdiction. Spam results in increased network management costs and is often used to spread viruses. This is a serious issue that affects consumer and business confidence in e-mail and the Internet.
Launched on May 11, 2004, the Task Force on Spam oversees the implementation of a six-point action plan. The plan calls for specific initiatives by government and the private sector, including: the use of existing laws and regulatory measures; the review of regulatory or legislative gaps; the improvement of current industry practices; the use of technology to validate legitimate commercial communications; the enhancement of consumer education and awareness; and the promotion of an international framework to fight spam.
The Task Force on Spam will submit a final report to Minister Emerson in spring 2005.
For more information, including the nine recommended best practices, please visit http://www.e-com.ic.gc.ca."
The Task Force Home Page is at http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/en/h_gv00248e.html
Labels: information breaches
After the anger and finger-pointing about the recent CIBC faxing incident(s), columnists are moving to a practical approach on the issue: why are you faxing confidential information and is there a better way to communicate? Jim Middlemiss of the Financial Post has a good column on these questions:
You're faxing my what, where?:
"There are better ways to send sensitive information
December 2, 2004
Businesses can avoid potential public relations and legal nightmares by developing privacy policies, authentication processes and using cutting-edge technology. The Canadian Imperial Bank of Commerce learned this the hard way last week when U.S. scrapyard operator Wade Peer went public with his story about how one of Canada's largest banks was flooding his fax machine with highly confidential information about its clients for the past three years."
I usually advise clients to be very careful faxing. The preferred way to do it is to e-mail a PDF of the documents (and turn off e-mail address auto-complete features). If you routinely send confidential information via fax, you should only use pre-programmed speed-dial numbers. And make sure you verify each one right after they are programmed. And you need to do what you can to avoid hitting the wrong button: the medical records department button must not be adjacent to the button for the local newspaper. Don't laugh. It has actually happened. Do you think that they will heed your cover-page warning to immediately destroy the fax? Perhaps not.
Labels: information breaches
Thursday, December 02, 2004
The Information and Privacy Commissioner has his work cut out for him, at least for the short term. More purloined personal information has been found through an investigation that began with the discovery of sensitive data in the course of a drug bust. It appears the information was collected by dumpster diving drug addicts, who sell the info to ID thieves to fuel their addictions. From the Edmonton Sun:
Edmonton Sun: Privacy watchdog probes firms:
"The province's privacy commissioner yesterday launched an investigation into three Edmonton-area businesses whose customers' personal information ended up in a hotel room. The privacy office is already investigating how civil servants' personal data - including credit reports - got to the hotel and was then found by cops working on a credit card probe. Drug paraphernalia and a shotgun were also found.
'This has got to stop,' Privacy Commissioner Frank Work said. 'The paper that the (police) showed me was mind-blowing. There's bags of it. I thought, 'Holy smokes.' '
Linens 'n' Things, Nor-Don Collection Network Inc. and Digital Communications Group Ltd. are under investigation.
But the holiday season is prime-time for dumpster divers and identity thieves, Work warned.
'There's going to be a zillion purchases and then a zillion returns. All that paper generated will make for a field day for thieves when they go rifling through dumpsters,' he said."
Also, from today's Globe and Mail:
The Globe and Mail: Alberta probes leak of credit records:
"CALGARY -- Alberta's Privacy Commissioner launched an investigation yesterday after the credit information of thousands of consumers landed in the hands of suspects in an identity-theft scheme.
Edmonton police recovered bank records, cellphone contracts, credit information held by a collection agency and credit-card receipts in connection with a search warrant executed Nov. 9 in a city hotel room in a credit-card investigation.
A man and a woman face criminal charges, including two counts each of possession of credit-card data, and it appears the documents were seized before the personal information of hundreds, even thousands of individuals, was used illicitly...."
PIPEDA made a brief appearance in an Ontario court in an interlocutory decision of Case Management Master Thomas Hawkins rendered at the end of September 2004. In Goldberg v. St. John, the defendant sought the plaintiff's client records to test a lost income claim. The plaintiff had been an employee of CIBC World Markets and he resisted the discovery request on the basis that the information should be subject to privilege and that its disclosure was barred by PIPEDA. He lost on the PIPEDA claim:
Goldberg v. St. John:
"In order to challenge and test the plaintiff's evidence as to lost income, the defendants seek the following information: production of client records on all the plaintiff's customers for the period from 1997 to the present including client names and addresses. The defendants wish to track all the plaintiff's commission revenue and to understand why the plaintiff's commission revenue increased or decreased. Some 150 clients are involved. The theory of the defence is that some or all of the income which the plaintiff has lost and will lose in the future was and will be the result of factors unrelated to the accident.
The plaintiff and CIBC World Markets Inc. resist this request on the ground that the information which the defendants seek is information which they are required to keep confidential. This confidentiality obligation is found in several places. First there is the Investment Dealers Association National Instrument 33-102. Secondly, there are the confidentiality of client information provisions found standard 'B' in the Conduct and Practices Handbook for Securities Industry Professionals prepared by The Canadian Securities Institute.
The plaintiff and CIBC World Markets Inc. also rely upon the privacy provisions of the Personal Information Protection and Electronic Documents Act, S. C. 2000 ch. 5. I do not base my decision on this statute. I am not persuaded that this federal statute applies to a provincially regulated business and its employees such as CIBC World Markets Inc. and the plaintiff. CIBC World Markets Inc. is a stockbroker, not a bank."
Once again, it has been held that PIPEDA does not shield a party to litigation from disclosing relevant records. But this also reminds one that the info may be shielded by other legal and procedural rules.
Wednesday, December 01, 2004
Labour groups are once again attacking the government of British Columbia for outsourcing public services that involve personal information. This second campaign comes after its high-profile attempt to derail the outsourcing of the province's medicare administration (See BCGEU's privacy campaign). While that campaign did not dissuade the Campbell government from its plans (BC announces medical privatization plan), it did lead to a significant inquiry by the province's Information and Privacy Commissioner. Now under attack is the province's plan to outsource bill collection:
B.C. opens private bank and credit data to U.S. scrutiny: "B.C. opens private bank and credit data to U.S. scrutiny
New privatization deal means U.S. authorities will have access to bank account and credit card numbers, property records, income and driver's licence information on B.C. residents
Vancouver - The B.C. Government and Services Employees' Union (BCGEU/NUPGE) plans to launch a new campaign this week warning residents that the Liberal government of B.C. Premier Gordon Campbell is making highly personal data vulnerable to American scrutiny through outsourcing and privatization.
The latest information to be placed in the hands of private American companies involves a wide range of information on most B.C. residents, including bank account and credit card numbers, property records, income and driver's licence information.
The province announced a $572-million ($483-million US) deal Friday with Electronic Data Systems (EDS) of Plano, Texas, to take over much of its bill collection activity. The 10-year deal comes with barely six months remaining in the Liberals' current mandate.
The province argues that privacy provisions contained in the contract will safeguard personal information but the union says the government is misleading citizens because it is already known that the contract will not withstand the overriding and intrusive powers available to American authorities under the U.S. Patriot Act.
The Patriot Act was passed by Congress and signed into law by President George Bush following the Sept. 11, 2001 terrorist attacks on New York and Washington.
The deal is even worse than a recent 10-year, $324-million contract signed with U.S.-based Maximus Inc. to privatize the processing of the medical claims of B.C. residents.
Privacy commissioner ignored
Once again, the province has ignored concerns raised by its own information and privacy commissioner, putting private sector ideological interests ahead of those of its own people, the BCGEU says.
Essentially, the latest contract means that intensely personal information on most British Columbians will be exposed to potential scrutiny by the FBI and other U.S. government agencies, the union warns.
"It’s another example of the Liberals bullying ahead without heeding the warnings of privacy commissioner David Loukidelis issues raised by the privatizing of records management," says BCGEU president George Heyman.
Loukidelis said the U.S. Patriot Act creates a real risk that personal information, once placed in the hands of private companies with U.S. links, will be open to scrutiny by the FBI and other American agencies. He recommended a series of measures to protect the privacy of British Columbians.
Heyman says Premier Campbell has failed to take the necessary range of measures recommended by the commissioner.
Patriot Act applies
"The fact is that the Patriot Act applies. EDS is an American company, and all the records in its possession are exposed," Heyman says.
"The Campbell government is clearly misleading the public and betraying the promise they made to British Columbians that real protections would be in place before any contracts were signed."
A long list of personal data at risk, Heyman warns.
"It includes everything from credit card and bank account numbers, personal property and asset details, individual and family income, and drivers license, vehicle and insurance information. It’s pretty serious stuff that British Columbians wouldn’t want to share with the Bush government," he says.
Meanwhile, the BCGEU leader said full details on his union's latest campaign to warn residents will be announced this week. The union is also continuing efforts to mount a legal challenge to the government.
The union says privacy guarantees written into the contract by EDS and the province will be overridden by the all-intrusive federal powers of the U.S. Privacy Act."
The Globe and Mail has been full of further reports related to the CIBC misdirected faxes saga. Today, a Toronto Star columnist, and CIBC customer, replies to the bank's efforts:
TheStar.com - Trust misdirected at CIBC:
"CIBC, wake up. You can do a better job on privacy.
As one of your many customers, I appreciate getting a personal apology from your chief executive officer, John Hunkin - at least, in an open letter on the CIBC website.
This followed an earlier letter from chief privacy officer Ron Lalonde, who talked about what was done to safeguard customers' information after the Canadian Imperial Bank of Commerce learned that some faxes had been misdirected to a U.S. company in the spring of 2002.
'We notified our branches that information was being faxed to an incorrect number,' Lalonde said. 'We also contacted the owner of the company who had been receiving the faxes and elicited from him a commitment to shred all the faxes he had received and to notify us should he receive any additional ones.'
What about all the CIBC customers whose privacy had been breached? Didn't they deserve to know a U.S. business was privy to confidential details on their banking transactions?
And what about the Privacy Commissioner of Canada's office? Didn't it deserve to know about a potential violation of the act it administers, the Personal Information Privacy [sic] and Electronic Documents Act?
Apparently, you decided there was no need to notify customers or the privacy commissioner...."
For more coverage see:
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.