The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Monday, January 31, 2005

Another university hacked; personal information breached 

Here goes another one ....

The UCSD Guardian Online: Hackers breach Extension computers:

"Campus administrators detected a low-level breach of computers within the UCSD Extension network, which has stored more than 4,800 files of students' personal information.

"This was a very unfortunate incident," UCSD Extension Marketing Director Monica Doyle said. "Universities are getting hacked into all the time now - that's why it's important we have really good security."

A university investigation into the breach, which administrators discovered on Nov. 6, revealed that hackers did not access any of the files on affected computers. The files contained full names, social security numbers and credit card information for students and alumni.

"This breach was used to store music and DVDs," Doyle said. "There is no evidence that any personal records were accessed."

Pursuant to state law, administrators notified individuals affected by the breach of the incident and advised them to place fraud alerts on their credit cards to avoid identity theft. The law requires companies and state agencies to notify individuals if their personal information is electronically compromised...."

Labels: ,

US health privacy law affects research recruitment 

A study being released in the Annals of Epidemilogy reports that HIPAA is having a dire impact upon research. Not surprisingly, one of the big problems is that hospitals and universities are being inconsistent in the application of the new law.

U.S. Newswire : Releases : "Privacy Rule Cuts Research Recruitment By More Than Half...":

"PITTSBURGH, Jan. 31 /U.S. Newswire/ -- The Health Insurance Portability and Accountability Act (HIPAA) designed to enhance patient confidentiality by restricting access to medical records is slowing the progress of critical biomedical research, according to an editorial published in the February issue of the journal Annals of Epidemiology. In perhaps the first quantitative study of recruitment trends following the rule's implementation in April 2003, Roberta B. Ness, M.D., M.P.H., reports a significant "chilling effect."

Dr. Ness, professor and chair of the department of epidemiology at the University of Pittsburgh's Graduate School of Public Health (GSPH), documented trends in recruitment of research subjects to the Prenatal Exposures and Preeclampsia Program Project (PEPP), an ongoing prospective study of women followed throughout pregnancy at the Magee-Womens Hospital of the University of Pittsburgh Medical Center, for which she is a co- investigator. The ultimate aim of the study is to determine the cause of preeclampsia, a devastating complication that affects up to seven percent of first pregnancies and can be fatal for mother and baby.

The first phase of the PEPP study took place prior to HIPAA implementation from 1997 to 2001, with an average of 12.4 women being recruited each week, writes Dr. Ness, who also is chair of the policy committee for the American College of Epidemiology. After HIPAA, due to restrictions on researchers' ability to identify potentially eligible subjects, recruitment fell to an average range of 2.5 to 5.7 women a week.

Inconsistencies among academic institutions concerning interpretation of HIPAA regulations remain a potent threat to a wide range of clinical and biomedical research studies, she said. The University of Pittsburgh's Institutional Review Board (IRB), for instance, at first disallowed waivers of the rule. Investigators may seek a waiver to allow them easier access to health information protected as private under HIPAA, but waiver criteria vary among universities. In Pittsburgh, a waiver was granted in 2003 and rescinded in 2004.

"Recruitment with a HIPAA waiver decreased by half, and recruitment without a HIPAA waiver fell by half again," said Dr. Ness.

Internal university efforts continue to resolve these kinds of conflicts for researchers, but modifications to the rule itself would go a long way toward standardizing the way institutions view it, Dr. Ness said, adding that the University of Pittsburgh is not alone in its more conservative interpretation of the HIPAA rule.

"The post-HIPAA era brought an unwillingness on the part of the University of California system to continue its 16-year-long rapid cancer case reporting relationship with the California State Cancer Registry," she said. "For well over a year, researchers were barred from access to large numbers of recently diagnosed cancer patients in a case that also briefly engaged the state's court system. Fortunately, the University of California reversed its stance."

Still, concern continues among many researchers, Dr. Ness said. The American College of Epidemiology, on whose board Dr. Ness serves, and the Association of American Medical Colleges have called on the U.S. Department of Health and Human Services (HHS) to address the issue.

"An HHS advisory committee has proposed HIPAA modifications that include harmonizing HIPAA with the common rule that determines other IRB activities, among others," she said. "We can only hope that the new Secretary for Health and Human Services will adopt these modifications."

Labels: ,

Canadian Marketing Association receives funding to study privacy 

The CMA has received $50,000. from the Office of the Privacy Commissioner as part of its contribution program:
DMNews.com | News | Article:

"The Privacy Commission of Canada awarded funding to the Canadian Marketing Association to undertake a study on privacy best practices for business, the association said last week.

The CMA will receive $50,000 (Canadian) to conduct the research.

The association will develop methods to help businesses better handle private consumer information and comply with Canada's Personal Information Protection and Electronic Documents Act, the CMA said.

The CMA will look at effective data management practices in the industry and develop guidelines for businesses. Later, the CMA will research the role of the chief privacy officer at businesses and also identify privacy issues and concerns for small businesses."

Labels:

OSFI on the case of the CIBC faxing debacle 

The federal banking regulator, the Office of the Superintendent of Financial Institutions is also investigating the CIBC faxing fiasco, according to the Globe and Mail:

The Globe and Mail: OSFI to review CIBC faxing debacle:

"Canada's top financial industry regulator is looking into a faxing debacle at Canadian Imperial Bank of Commerce in which confidential information for dozens of customers was accidentally sent to a scrap-yard operator in West Virginia.

The Office of the Superintendent of Financial Institutions, the federal government body charged with overseeing the banking sector, is reviewing the incident and has held discussions with CIBC officials to make sure the problem has been dealt with properly, according to a letter from federal Finance Minister Ralph Goodale.

'You may be interested to know that the Office of the Superintendent of Financial Institutions is . . . examining this issue and has been in contact with CIBC officials to assess whether the bank is taking appropriate action to resolve this matter,' Mr. Goodale stated in an e-mailed letter to one CIBC investor...."

Update: April 18, 2005 - PIPEDA and Canadian Privacy Law: Privacy Commisioner of Canada releases her report on the CIBC faxing incidents

Labels: ,

Sunday, January 30, 2005

Canada moves to counter privacy threat posed by U.S. Patriot Act 

According to the Canadian Press, the Federal Government is in the final stages of taking contractual steps to limit the access of American authorities to personal information of Canadians. It is worth noting that this appears to apply only to future contacts and that the government is content to include blocking clauses in agreements with contractors, rather than amending the Privacy Act, as has been done in British Columbia:

Yahoo! News - Canada moves to counter privacy threat posed by U.S. Patriot Act:

"OTTAWA (CP) - The government will revamp the wording of future federal contracts with the aim of countering U.S. powers, granted under anti-terrorism laws, to tap into personal information about Canadians.

The move is intended to prevent the U.S. Federal Bureau of Investigation from seeing sensitive Canadian data the government supplies to American firms doing business with federal departments in Ottawa.

The government has also asked all agencies and departments to conduct a 'comprehensive assessment of risks' to Canadian information they release to U.S. companies carrying out work under contract.

The U.S.A. Patriot Act, passed following the Sept. 11, 2001 terrorist attacks, gave the FBI broader access to records held by firms in the United States.

The FBI can apply to a U.S. court to have a company disclose records, including information about Canadians, to assist with investigations involving prevention of terrorism or espionage.

Privacy Commissioner Jennifer Stoddart says that if a federal institution hires a U.S. company to process personal information about Canadians, then American laws apply to the data if the work is being done south of the border.

The federal Treasury Board leads a working group that is now busy finalizing special clauses to be used in future business proposal requests and contracts.

The group is consulting with Stoddart's office on clauses 'that we believe to be fundamental' to include in future request proposals and contracts, says a federal notice recently circulated to departments...."

Labels: , , , , ,

Students crack RFID security 

The New York Times is reporting that a group of researchers have managed to crack the most prevalent impelementation of RFID as a security device. They can read your chip/card while standing next to you in the elevator, crack the keys and, less than an hour later, replicate your chip or card.

While the threat remains theoretical, this has significant repurcussions for owners of vehicles that use RFID immobilizers, pay-at-the-pump systems and facilities that use RFID access cards. See: The New York Times > Science > Students Find Hole in Car Security Systems. See also a discussion at Slashdot: Slashdot Mobil SpeedPass, Various Car RFID Car Keys Cracked

Update: The full articled on how it was done is available here:

RFIDAnalysis.org:

"The Texas Instruments DST tag is a cryptographically enabled RFID transponder used in several wide-scale systems including vehicle imobilizers and the ExxonMobil SpeedPass system. This page serves as an overview of our successful attacks on DST enabled systems. A preliminary version of the full academic paper describing our attacks in detail is also available below. "

Labels: , ,

Saturday, January 29, 2005

Presentation to Meeting Professionals International 

On January 13, 2005, I led a roundtable discussion on privacy laws for the Ottawa chapter of Meeting Professionals International. The focus was on how those in the event planning industry should approach privacy laws. The event itself had a very interesting format: there were more than a dozen tables going at the same time, each on a different topic. Attendees signed up for their preferred choice when they arrived. Infolink, one of the sponsors, prepared a precis of each roundtable, including mine, which is available here.

As one would expect, the meeting was amazingly well planned....

Labels: , ,

Busted by his loyalty card 

The discussion in Slashdot referred to in my previous post (PIPEDA and Canadian Privacy Law: Loyalty card almost leads to wrongful conviction for arson) led me to the following story:

A magistrate in the UK was investigated for theft of a watch that he "found" in a Tesco store. When he brought it in to be serviced, the jeweller looked up the serial number and found it was reported "lost or stolen". The magistrate said he bought it at a bric-a-brac store, but his loyalty card gave him away: it showed he had been at the Tesco store within two hours of the rightful owner, who lost it there.

Telegraph News Magistrate fined for keeping lost Rolex:

"...Inquiries with Tesco, through its Club Card loyalty scheme records, and receipts of purchases showed Rowlett had been in the shop within two hours of Mrs Scott...."

Labels: , ,

Loyalty card almost leads to wrongful conviction for arson 

The records of a man's purchases compiled by a supermarket loyalty program almost led to his wrongful conviction on arson charges in Washington state. A veteran firefighter was suspected of the crime and his Safeway Club Card revealed a purchase of the store-brand firestarter. He was arrested in October and what would have appeared to be a slam-dunk prosecution had to be abandoned when someone else came forward and took responsibility.

The personal information collected through loyalty programs and other means are a double-edged sword. On one hand, purchase records can provide an alibi that the suspect, for example, was in a different location. On the other hand, otherwise innocuous purchases that are recorded can be interpreted to incriminate someone, perhaps inappropriately. There is also a big risk that too much weight will be put on this evidence, when there is no confirmation of who actually used the card.

Slashdot | Safeway Club Card Leads to Bogus Arson Arrest:

"Posted by michael on Saturday January 29, @06:03AM

from the if-you're-innocent-you-have-nothing-to-fear dept.

Richard M. Smith writes "Tukwila, Washington firefighter, Philip Scott Lyons found out the hard way that supermarket loyalty cards come with a huge price. Lyons was arrested last August and charged with attempted arson. Police alleged at the time that Lyons tried to set fire to his own house while his wife and children were inside. According to KOMO-TV and the Seattle Times, a major piece of evidence used against Lyons in his arrest was the record of his supermarket purchases that he made with his Safeway Club Card. Police investigators had discovered that his Club Card was used to buy fire starters of the same type used in the arson attempt. For Lyons, the story did have a happy ending. All charges were dropped against him in January 2005 because another person stepped forward saying he or she set the fire and not Lyons...."

Labels: , ,

Friday, January 28, 2005

A living room is not a public place, says Supreme Court of Canada 

The Supreme Court of Canada released its decision in R. v. Clark yesterday. The Court reversed lower court decisions that held that a living room may be a "public place" for the purposes of the Criminal Code of Canada.

The question arose in a prosecution of a person who was observed masturbating in his living room through an open window. The lower court convicted him under section s. 173(1)(a) of the Criminal Code, concluding that the accused had made his living room a "public place." The Supreme Court of Canada disagreed, noting that Parliament is free to change to law to refer to a place in public view.

Here's the headnote:

Daryl Milland Clark Appellant

v.

Her Majesty The Queen Respondent

and

Attorney General of Ontario Intervener

Indexed as: R. v. Clark

Neutral citation: 2005 SCC 2.

File No.: 29976.
2004: November 2; 2005: January 27.

Present: McLachlin C.J. and Major, Bastarache, Binnie, LeBel, Deschamps, Fish, Abella and Charron JJ.

ON APPEAL FROM THE COURT OF APPEAL FOR BRITISH COLUMBIA

Criminal law -- Disorderly conduct -- Indecent Acts -- Criminal Code prohibits wilfully doing an indecent act in a public place -- Whether masturbating in illuminated room before an uncovered window while unknowingly being observed by neighbours is an indecent act in a public place -- Whether living room "a public place" within meaning of ss. 150 and 173(1)(a) of Criminal Code -- Meaning of word "access" in definition of "public place" in s. 150 of the Criminal Code.

The accused was observed masturbating near the uncovered window of his illuminated living room by neighbours from the privacy of their darkened bedroom, across contiguous back yards, from a distance of 90 to 150 feet. The police were summoned. They observed the accused from "just below the navel up" from the neighbour's bedroom and "from about maybe the neck or the shoulders up" from street level. The accused was charged under ss. 173(1)(a) and 173(1)(b) of the Criminal Code. Section 173(1) makes it an offence to wilfully do an indecent act (a) "in a public place in the presence of one or more persons", or (b) "in any place, with intent thereby to insult or offend any person". The trial judge convicted the accused under s. 173(1)(a) after finding he had converted his living room into "a public place" but acquitted him under s. 173(1)(b) after finding that it did not appear the accused knew he was being watched or intended to insult or offend any person. The Supreme Court of British Columbia and the Court of Appeal upheld the conviction. The Court of Appeal concluded that the accused had "intentionally conducted himself in an indecent way, seeking to draw attention of others".

Held: The appeal should be allowed. The accused's conviction is vacated and an acquittal entered.

The facts as found by the trial judge do not support the accused's conviction. The accused's act was not committed in "a public place" within the meaning of ss. 150 and 173(1)(a) of the Criminal Code. A "public place" is defined in s. 150 as "any place to which the public have access as of right or by invitation, express or implied". "Access" means "the right or opportunity to reach or use or visit" and not the ability of those who are neither entitled nor invited to enter a place to see or hear from the outside, through uncovered windows or open doors, what is transpiring within. Interpreting "public place" as contemplating physical as opposed to visual access renders the whole of s. 173(1) more coherent and is consistent with Parliament's legislative distinction in the Criminal Code between conduct that is criminal because it occurs in a public place and conduct that is criminal because it is exposed to public view or open to public view.

The Court of Appeal erred by departing from the trial judge's appreciation of the evidence in the absence of a finding that he had committed a palpable and overriding error. It also erred in finding that the conviction is supported by case law that expands the meaning of "a public place" to include the place where the witnesses to an indecent act are physically situated. Even if correctly decided, this case law does not support the conviction since the accused's act did not occur in a public place within the expanded meaning. Although the definition of "endroit public" in the French version of s. 150 contains no equivalent of the word "includes" found in the definition of "public place" in the English version, there is no need to choose between versions because both contemplate physical as opposed to visual access."

Labels: ,

Most identity theft occurs offline 

Reuters and others are reporting on statistics released by American regulators that suggest the vast majority of ID theft occurs offline, through dumpster diving and old fashioned wallet theft: More identity theft offline than online. For other sources, see Google Search: "identity theft" offline.

Labels: , , ,

UK retailer's use of RFID brings protests 

Consumer and privacy groups are upset at the use of RFID chips by UK retailer, Tesco: BBC NEWS | Business | Tesco 'spychips' anger consumers

Labels: ,

OPC announces recipients of special research funding 

Last year, the Office of the Privacy Commissioner invited proposals for privacy-related research grants. Yesterday, it announced the recipients of funding:

PRIVACY COMMISSIONER AWARDS $371,590 TO NON-PROFIT ORGANIZATIONS FOR RESEARCH INTO THE PRIVACY IMPACT OF EMERGING TECHNOLOGIES:

"Ottawa, January 27, 2005 -- The Privacy Commissioner of Canada, Jennifer Stoddart, is pleased to announce the awarding of $371,590, under the Office of the Privacy Commissioner of Canada's (OPC) Contributions Program, launched in June 2004, to support non-profit organizations, including universities, advocacy organizations and trade associations in conducting research into the privacy impact of emerging technologies.

'Canadians are becoming increasingly aware of privacy threats in an age of global and inter-organizational transmission of personal information. This is the first time the Office of the OPC has launched a program to enhance knowledge in addressing those concerns, by building strong links between the research community and privacy rights practitioners in Canada,' said Ms. Stoddart.

The Office was so impressed by the quality of the submissions that an additional $171,590, over and above the original $200,000 allotted, was allocated to the program to support the development of expertise in key areas of privacy and data protection, and to foster an understanding of the social value of privacy and the Personal Information Protection and Electronic Documents Act (PIPEDA) in addressing emerging issues...."

Labels: ,

Thursday, January 27, 2005

E-mailing sensitive personal information after collecting it securely 

Risks Digest is a great source of information about the everyday risks the we face. Often, it carries examples of privacy risks. The latest issue contains a submission about an insecure practice that ... though sensitve personal information is collected securely using web-browser encryption, the information then treated pretty causally.

The Risks Digest Volume 23: Issue 68:

"HTTPS .ne. secure

Fri, 21 Jan 2005 7:25:35 -0500

I recently filed a change of address for some Qwest stock I own. Qwest uses The Bank of New York (www.stockbny.com) to manage stock accounts, so I went to their web page, and filled out the form using name, address, SSN, and account number. Checked for the padlock indicating HTTPS, and convinced there was *some* degree of due diligence, submitted the form. The confirmation screen starred out all but the last four digits of the SSN (i.e., ***-**-9999), which seemed reasonable.

Last night I got back an e-mail that they couldn't process my change request (the reason is unimportant), and included in the text of the message my name, e-mail address, account number, and SSN. No stars this time to shield sensitive information. Seems like a pretty useful e-mail to intercept!

What kind of security policies allow including this sort of information? The security & privacy policies don't say anything about safeguarding customer information.

If anyone has a privacy/security contact at Bank of New York, I'd certainly be interested in talking to them!

(This is certainly not a new type of problem; see RISKS 21.83 for another example I wrote about 3 years ago.)"

Labels:

Bush Pushes Computerized Medical Records 

One of the next big initiatives of the Bush administration, according to the Guardian, will be electronic health records. Privacy, of course, will be one of the big issues to be dealt with:

Guardian Unlimited | World Latest | Bush Pushes Computerized Medical Records:

"...Brailer acknowledged great challenges to implementing a system available nationwide. All medical workers will need to have compatible technology, and converting records to such a system can be a costly hassle. Privacy and security must be ensured so that only those with patient consent have access to the records, he said.

Bush said he is sensitive to privacy concerns. ``I presume I'm like most Americans. I think my medical records to be private. I don't want people looking at them, I don't want people, you know, opening them up unless I say it's fine for you to do so,'' he said.

Brailer said the government needs to develop incentives to get doctors online. The government has already awarded grants to encourage the transition...."

It is very easy to say that access should only be provided if the patient consents. The reality of the healthcare system is that the information has the greatest value to the patient when the patient is unable to conset.

Labels: ,

Rumours about spy chips in cash 

The following link was sent by a regular correspondent ...

Bearing in mind that rumours are rumours, this one is rather interesting and perhaps chilling:

New rumours about spy chips in Euro notes | EDRI: "

There is a renewed rumour that the European Central Bank is going to add spy chips (RFIDs) to Euro banknotes. 'Czerwensky intern', a German newsletter providing bank and insurance background reports, says the ECB might have already signed contracts with Hitachi, and is ready to introduce the spy-notes this year. Allegedly, the contract requires such a high volume of RFIDs that Hitachi can't deliver all chips itself, but has to rely on subcontractors.

Earlier rumours (dating back to 2001) about plans to track and trace all Euro notes with the help of RFIDs were strongly denied by the ECB. On 4 June 2003 EDRI-gram reported about a press release from Hitachi announcing negotiations about the contract to Japanese investors. The RFIDs in euro banknotes could help against counterfeiting and make it possible to detect money hidden in suitcases at airports. But the technology would also enable a mugger to check if a victim has given all of his money. If RFIDs are embedded in banknotes, governments and law enforcement agencies can literally 'follow the money' in every transaction. The anonymity that cash affords in consumer transactions would be eliminated.

According to the biannual report from the ECB on the counterfeiting of the euro, released on 13 January 2005, the amount of counterfeited euro banknotes is still very low. It has risen 8% compared to 2003, "but the recent trend has been downwards."..."

Labels: , , ,

Opinion: It's no secret that privacy laws can be bad for our health 

Unfortunately, I am having a crazy day so I don't have a chance to comment on this opinion piece that appeared in the Globe and Mail:

The Globe and Mail: It's no secret that privacy laws can be bad for our health:

"The advent of electronic health records, combined with the creation of huge databases, and the increasing commercialization of medicine has sparked widespread concern about the privacy of medical information.

As a result, governments, health-care institutions, consumers groups and private corporations have fashioned laws and rules to protect the privacy of individuals. These initiatives are, for the most part, long overdue. They confirm and extend the long-standing legal principle of doctor-patient confidentiality."

Labels: ,

Wednesday, January 26, 2005

Interesting student perspectives on privacy 

After reading Despite High-Tech Snoops, We're In A Golden Age Of Privacy, the author of Household Chemical asked his students about privacy. The results were interesting:
Household Chemicals: A Private Life:

"...I am currently teaching a media studies class and asked my students their opinions on this topic. It became very apparent that their personal privacy is very dear to them. Confirming Geewax, almost all of them had private bedrooms while growing up, and a fair number had private bathrooms. Thus, when probed about their notion of what is personal, they seemed to suggest that personal means anything having to do with bodies and bodily functions, which is to say there is a private body and a public body and never the twain shall meet. On the other hand, data is abstract, disembodied as it were. In this mindset there is really nothing at stake in those traces of data we leave practically everywhere in our electronic lives - they do not impinge on our embodied identities. The data are not us, or at least until the credit card bill arrives.

At first glance, such an outlook may seem dangerously naive, especially in the age of identity theft. However, I wonder if the perceived necessity for physical privacy is symptomatic of a much more profound desire for a stable identity, taken from us precisely because we cannot help but to propagate ourselves in bits and pieces, as data-traces, in our electronic transactions?

At first glance, such an outlook may seem dangerously naive, especially in the age of identity theft. However, I wonder if the perceived necessity for physical privacy is symptomatic of a much more profound desire for a stable identity, taken from us precisely because we cannot help but to propagate ourselves in bits and pieces, as data-traces, in our electronic transactions?"

Labels: ,

Tuesday, January 25, 2005

Access requests and civil litigation discovery are two different things ... 

The Office of the Privacy Commissioner has recently (24 January 2005) released a finding based on a complaint brought by a former employee who sought access to his personal information. The complainant was already suing his former employer related to his employment.

The case raises a number of interesting issues: you can only charge a token amount ($1500 is not a token amount) to provide access to personal information and discovery rights under concurrent litigation do not oust the right of access under PIPEDA:

Commissioner's Findings - PIPEDA Case Summary #285: Company refuses former employee's request for access - December 21, 2004 - Privacy Commissioner of Canada:

"Finally, the Assistant Commissioner commented on the two issues raised by the respondent during the investigation. With respect to the view that the complaint was an attempt to circumvent the disclosure and production rules under the Rules of Civil Procedure, the Assistant Commissioner noted that the scope of discovery is different from the scope of an access to personal information request under the Act. Discovery requires each party to a proceeding to disclose before trial all of the facts and information that it is aware of and that are relevant to the issues in the lawsuit. The Act grants a right of access to all personal information about an individual held by an organization, subject to certain exceptions, whether relevant or not. The Assistant Commissioner maintained that documents received through discovery cannot be considered sufficient to meet the requirements of an access request under the Act.

Regarding the company's concerns about providing minutes from board meetings to the complainant, the Assistant Commissioner reminded the organization that the Act provides for exceptions to the right of access to one's personal information, which are outlined in section 9, noting in particular the provision regarding confidential commercial information.

She recommended that the company examine its records and provide the complainant with access to all of his personal information collected, used or disclosed during the time period requested, subject to any exceptions.

The Assistant Commissioner noted that she remained skeptical that no single member of the board of directors took notes during the meetings when the decision to terminate the complainant's employment and his ensuing lawsuit were discussed. She recommended that the company confirm with all staff members and directors that no notes, e-mails or other material collected and retained contained the complainant's personal information. The Assistant Commissioner asked that the company report back to her to confirm what actions it had taken in response to the complainant's allegations."

Labels: , ,

MedicalPost.com: OPED: A reminder of responsibilities on safeguarding health info 

Today's edition of the Medical Post contains an OP-ED piece by Ken Pole, reminding physicians of their obligations under new privacy laws:
MedicalPost.com: OPED: A reminder of responsibilities on safeguarding health info:

"...Then there's the fact that if health-care consumers have a grievance about improper use of personal information, it's up to them to initiate legal action. There's nothing in PIPEDA that provides for penalties or damages, and since it is Federal Court of Canada jurisdiction, up-front legal costs quickly become horrendous.

I'm not a fan of litigation but sometimes it's unavoidable, even necessary, to make an example. If a physician or institution breaks the law, the only current punishment is public embarrassment. Perhaps a substantial fine, including damages to the complainant, would wake everyone up.

So, if you still needed it, consider yourself rapped between the ears. And now that you're paying attention, check out the Privacy Commissioner's Web site for a general guide at http://privcom.gc.ca/ information/guide_e.asp as well as information developed specifically for the health sector."

Personally, I'd recommend the Physician's Privacy Manual, which I wrote and that can be purchased from National Privacy Services at 1-877-PRIVLAW.

Labels: , ,

China introduces privacy law 

The China People's Daily is reporting that China is introducing a privacy law. I am reproducing the article in its entirety, since I had some trouble brining it up at all ...

People's Daily Online -- China to legislate for protection of personal information:

"The expert-suggested draft for the "Law for personal information protection of the People's Republic of China" has been brought out the other day.

As entrusted by the Information Office of the State Council the legislation was drafted by the subject group of some experts from the legal research institute of the Chinese Academy of Social Sciences.

Zhou Hanhua, chief of the subject-group and researcher of the Legal Research Institute of the CASS accepted the interview by the reporter the other day.

Leakage of information incurs big trouble: Just bought a house and gave birth to child business-dealers coming one after another.

"I have a feeling that my personal information is almost known to everybody without any privacy of my own as though I were a 'transparent figure'," said Mr. Xu with emotion recently, who's engaged in IT business. "I wanted to find a job a few months ago without sending out many personal resumes but numerous companies phoned me. I have just bought a new apartment and so far haven't got the key yet many building material dealers and household-moving companies phoned to ask me whether I like to buy sticks of furniture or any building materials. Last year when my wife just gave birth to a child I received a lot of advertisements about articles for babe's use to my home."

"In Chinese tradition personal rights are normally neglected and so the frequent happening of personal information being maliciously infringed." Zhou Hanhua, researcher of the Legal Institute of the CASS said, some schools to prevent from cheat in examination, or to strengthen internal administration installed close-circuit TV equipment for monitoring and so every action and behavior of students were under control. Some places collected more than 100 pieces of personal information when making various kinds of cards for social insurances or other e-cards. This harbors a great danger for abusive use of personal information.

To deal with the problems entailed from the emergence of an informationization society it is required by the Information Office of the State Council that the State Informationization Legislation be hastened. Starting to work on it from 2003, Zhou Hanhua said, the draft of the "Law for Personal Information Protection" as suggested by the expert group has now been completed and will soon be put on the agenda for legislation.

Cellular phone-number, home address, medical files and occupation information are all on the list for protection.

When mentioning the protection of personal information people will at once think of the protection of personal privacy said Zhou Hanhua. "What the 'Law for personal information protection' protects is not only the personal privacy of a citizen but rather a wider scope than the personal privacy, for instance: your cellular phone-number, home address, your medical files, and your occupation and something else. These may not fall into the category of personal privacy but are under the protection of the 'Law for Personal Information Protection'. And if you've delivered your resume to an employer's company it is liable for the company to keep the information for you. Should the other party make your personal information known to others it is considered to have violated the law no matter whether it is intentional or unintentional."

In addition, as to whether an image pick-up should be installed in a public place at will and how to define the behavior for a secret pick-up or recording, the law has laid down a stipulation about it.

For information protection attention better be paid in advance to regulate it from the very sources

The "Law for personal information protection" has to protect personal rights on the one hand Zhou Hanhua is of opinion, and on the other it must not obstruct the normal circulation of information. And for one thing it must offer full protection to the personal information and for another it has to take into consideration the necessary social governance and supervision.

The way for the victim to protect ones personal privacy in the past can more often than not be done by way of a lawsuit when the violation happens by demanding the violator to compensate, said Zhou Hanhua. Now the protection of personal information includes not only the protection after the event but also the interference beforehand, i.e. to regulate the behavior from the very head. For instance, some schools want to install video-pick-ups it should be done when being examined and approved.

Possible to incur criminal liability if violating personal information

According to the law at present, the violation of personal reputation can only be subjected to the liability in accordance with the civil law, Zhou Hanhua said. Once the "Law for personal information protection" is officially brought into force the violation of personal information may not only have to take up administrative and civil responsibilities or even criminal liabilities.

In alien countries the happening of violating personal information is liable to be sentenced to 2 to 3 years of imprisonment if it constitutes a crime, Zhou Hanhua said. How to take up the criminal responsibility in China must be referred to certain particular requirements in the criminal law. And the overseas practices may be taken over for our references.

By People's Daily Online"

Labels: ,

Monday, January 24, 2005

Electronic health records: safety, efficiency and privacy 

Business Week is carrying an article on the movement toward electronic health records in the United States, including a discussion of some of the privacy issues raised by them.

Between You, The Doctor, And The PC:

"...

HOW PRIVATE?

A move to electronic records could make a patient's medical files accessible anywhere in the world. Proponents point to reduced costs and increased patient safety. Meanwhile, privacy advocates raise questions about security. Of major concern is that there not be a central, national repository of patient information, but rather a network of records maintained by individual providers and health systems. 'I don't think a national database would fly in this country,' says Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit that focuses on such issues. She says such a system would be vulnerable to insider abuse and could become a target for hackers."

Thanks to PrivacySpot for the link: BusinessWeek Examines Issue of Online Medical Records | PrivacySpot.com - Privacy Law and Data Protection

Labels: ,

Some thoughts on the Better Business Bureau's rules for collecting customer information 

My previous blog posting, PIPEDA and Canadian Privacy Law: Privacy Imperatives for Customer Data: Interview with Jordana Beebe, refers to the Better Business Bureau's new rules for personal privacy.

The BBB's basic rules are:

  • If you do not need it, do not collect it.
  • If you need it once, do not save it longer.
  • If you got it, but you do not need to save it, dispose of it carefully.
  • If you have to keep it, think security.
  • Do not broadcast personal information.
  • Do not use Social Security numbers as account numbers.
  • Do not give out employee or customer information to anyone whose identity cannot be positively confirmed.
  • Locks and alarms are a real deterrent.

From a consumer point of view, they seem to be a step in the right direction. They differ significantly from the Canadian Standards Association Model Code for the Protection of Persoal Information, which is the benchmark in Canada (and is now mandatory under the Personal Information Protection and Electronic Documents Act). The BBB rules appear to be entirely focused on reducing the risk of identity theft, rather than respecting a customer's right to informational self determination. There is no mention of letting customers know how you propose to use the information, nor is there any element of choice for the consumer. Both of these are fundamental to the CSA Model Code. Though the code has its share of critics, but it is reasonably balanced and probably the best one out there.

Labels: , ,

Privacy Imperatives for Customer Data: Interview with Jordana Beebe 

Business Week magazine is running an interview with Jordana Beebe of the Privacy Rights Clearinghouse about the Better Business Bureau's Basic Rules for Businesses on Protecting Personal Information . Privacy Imperatives for Customer Data:

"Smart Answers columnist Karen E. Klein recently spoke with Jordana Beebe, communications director of San Diego-based Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization, about identity theft, a new set of business privacy guidelines released by the Better Business Bureau, and how both companies and consumers can protect themselves as more and more information goes digital. Edited excerpts of their conversation follow..."

Labels: ,

Sunday, January 23, 2005

Driver's licenses as national IDs? 

The Christian Science Monitor is carrying an article on the current debate swirling around over the move to set standards for issuing drivers licenses in the US, all in the name of security. Many are concerned this is the first step toward a de facto national ID card:

A driver's license as national ID? | csmonitor.com:

"...What several analysts question is why this standardizing IDs makes us more secure?

'How does identification really relate to security?' asks Daniel Solove, a law professor at George Washington University and author of 'The Digital Person: Technology and Privacy in the Information Age.' 'People just assume it [improves security] as if it was a fundamental truth.'

The new law focuses heavily on how a license is obtained, systematizing the list of documents needed to apply and how to verify them. In some states, like New York, it's a long list."

Labels:

The Commissioner is on the case of leaked lawyer's personal information 

From a report in the Edmonton Sun, it appears that the Federal Privacy Commissioner is -- personally -- investigating how an imprisoned criminal in the United States obtained very personal information about an Edmonton lawyer:

Privacy boss to probe how con got confidential info:

"The federal privacy commissioner is coming to Edmonton to probe RCMP records in an effort to determine how a city lawyer's personal information ended up in the U.S. jail cell of a convicted skinhead. But criminal defence lawyer Tom Engel has also come up with some of his own theories about how his personal information - and that of his partner, their wives and four legal assistants - got into the jail cell of skinhead Daniel Sims. "

I'd be very surpised if Jennifer Stoddart is putting on her trenchcoat and digging out her magnifying glass to investigate this personally, but that's what it sounds like.

(For some background on the story of Tom Engel's personal information disclosure, see: PIPEDA and Canadian Privacy Law: Authorities give US prisoner detailed personal information on Albertans)

Labels: ,

Saturday, January 22, 2005

Update on weird questions at airport checkin 

There has been a lot of buzz about Cory Doctorow's experience checking in for a transatlantic flight with American Airlines. (See PIPEDA and Canadian Privacy Law: Weird personal questions reported on checkin with airline.) The author of Secondary Screeining contacted the airline and actually received a prompt reply, which is posted in his site:

Secondary Screening: Cory Doctorow and Secondary 'Secondary Screening' Classes:

"After reviewing our documentation on Mr. Doctorow's experience in London, it is evident that both our contracted security screener and Mr. Doctorow contributed to what is not a representative example of our security screening process.

Mr. Doctorow exhibited specific behaviors and cues before and during our initial security screening that caused our screener to initiate a secondary screening process. We will not publicize those behaviors because to do so might hamper the effectiveness of the screening process in the future.

That said, our contracted screener veered from standard procedure when she asked for Mr. Doctorow to write the addresses of his destinations in the United States. She did clearly state that once the interview was completed, the address list would be destroyed in front of Mr. Doctorow or that he could have the list to keep. American Airlines absolutely does not register or record that type of personal data.

Although the agent concerned is very promising, this incident clearly showed a lack of experience in the questioning process. The agent will go through additional training and supervision. Through daily briefings, the remainder of the station will benefit from the experience gained from this incident.

American Airlines is entirely serious about the security procedures we undertake to help ensure the safety of our passengers and crews. We expect that our passengers apply the same serious consideration when they encounter our procedures. The vast majority of airline travelers appreciate the increased security and have adapted to a new reality in air travel. That is not, however, an excuse for security measures to be applied unevenly, and to reiterate, we do not keep personal information gathered during screening processes.

We appreciate that Mr. Doctorow called our attention to the mistakes that were made because it helps us rectify the situation going forward. He will also receive a personal response to the letter he sent to our Customer Relations department.

Tim Wagner
American Airlines Spokesman"

Labels: , , ,

Incident: Identity Theft Concerns Over UNC Lost Hard Drive 

I am no longer suprised when I hear about huge security breaches involving personal information at universities. Now, students and staff at the University of North Carolina are the victims of a lost computer hard drive containing very sensitive personal information:

PRESS RELEASE: Identity Theft Concerns Over UNC Lost Hard Drive:

"More than 15,500 students and staff at the University of Northern Colorado (UNC) may be in jeopardy of identity theft after a university computer hard drive containing confidential personal and financial information was announced to be missing by UNC President Kay Norton on Thursday, Jan.20. As reported by Mike Peters of the Greeley Tribune, the external hard drive contained names, addresses, Social Security numbers, bank account numbers, dates of birth and pay schedules for students and staff dating back to April 1997...."

Labels: ,

Incident: Harvard Hacked 

The Harvard Crimson is reporting on a security breach at Harvard University that allowed access to student numbers and student drug prescriptions:Drug Records, Confidential Data Vulnerable: Harvard ID numbers, PharmaCare loophole provide wide-ranging access to private data.

See also coverage in the Boston Globe:

Boston.com / News / Local / Mass. / Harvard fixing data security breaches:

"...Harvard shut down access to a software tool widely used by faculty to survey students, after student reporters from The Harvard Crimson demonstrated how it could be misused to obtain any student or employee's Harvard identification number. The eight-digit ID numbers, printed on identification cards, are widely used by students, staff, and faculty to conduct business on campus.

In a more disturbing security problem, the Crimson reported that by using student birth dates and ID numbers obtained from the polling site, its staff members were able to misuse a website run by an outside health care firm, Rhode Island-based PharmaCare, to get access to lists of prescription drugs bought by Harvard students. At the university's request, access to that website for Harvard community members has now been blocked by the company...."

Labels:

How do employees feel about workplace privacy? 

Michael Fitzgibbon at the Management Uppdates: Toronto Labour Relations and Employment Lawyer, has a summary and a review of the findings of the 2005 Workplace Privacy Survey that's definitely worth taking a look at:

Toronto Labour Relations and Employment Lawyer: Michael Fitzgibbon:

"How Do Employees Feel About Monitoring and Privacy?

There are a couple of articles on the 2005 Workplace Privacy survey commissioned by the Society for Human Resource Management and CareerJournal.com (see:Survey Suggests Employees Doubt Workplace-Monitoring Motives and You May Have Less Privacy At Work Than You Think)....."

Labels:

Friday, January 21, 2005

RBC Financial Group names Jeff Green as chief privacy officer 

This is the first time I've seen a Canadian company issue a press release to announce the appointment of a CPO. Good to do, in my view.

RBC Financial Group names Jeff Green as chief privacy officer:

"TORONTO, Jan. 20 /CNW/ - RBC Financial Group today announced the appointment of Jeff Green as chief privacy officer. In this capacity, Mr. Green is responsible for overseeing the implementation of policies and practices for the management of privacy on an enterprise-wide basis...."

Labels:

Thursday, January 20, 2005

Commissioner finds Custodian disclosed health information for purposes of a court proceeding in accordance with the Act 

The Information and Privacy Commissioner of Alberta has just released a significant decision about the ability of physicians to release personal health information to the Canadian Medical Protective Association, the mutual defence organization that includes 95% of Canadian physicians. In the decision, the Commissioner concluded that a physician is able to disclose personal health information without consent (and even over the objections of the patient) to the CMPA, even if the disclosing physician is not a party to the lawsuit.

I expect this will be a bit controvertial ...

From the Commissioner's press release:

Commissioner finds Custodian disclosed health information for purposes of a court proceeding in accordance with the Act:

"January 20, 2005

Commissioner finds Custodian disclosed health information for purposes of a court proceeding in accordance with the Act

The Complainant said that Dr. Murji ('the Custodian') disclosed his health information to the Canadian Medical Protective Association ('CMPA') in contravention of the Health Information Act. The Complainant had brought a medical malpractice action against three physicians but not against the Custodian who was the complainant's treating physician. The CMPA, which is a defence organization or quasi-insurer for physicians, was representing the three defendant physicians. In an interview with legal counsel for the CMPA, the Custodian disclosed information about the Complainant's medical treatment. The Complainant had expressly objected to the interview.

The Commissioner found that section 3(a), which says the Act does not limit information otherwise available by law to a party to legal proceedings, allows the Act and the common law to co-exist and did not remove this disclosure from the scope of the Act. He found the Custodian disclosed the health information in accordance with section 35(1)(h) of the Act as the information was disclosed for the purpose of a court proceeding. Section 58(2) of the Act did not apply as the only issue was whether the Custodian could grant the interview, not the amount of information disclosed during the interview. The Commissioner also found that the Custodian had properly exercised her discretion to disclose."

Labels: , ,

Wednesday, January 19, 2005

Weird personal questions reported on checkin with airline 

Cory Doctorow, author of the popular website BoingBoing, has a post on his site about a weird experience he had checking in for a flight from the UK to the USA. The airline required him to provide a list of all the folks he'd be staying with in the US. Not content to comply, he refused, questioned their authority to ask this information and, finally, has written an open letter to the airline, which is available here. This is the first I've heard of such questioning.

Boing Boing: Why is American Airlines gathering written dossiers on fliers' friends?

"Last week on a trip from London to the US, American Airlines demanded that I write out a list of the names and addresses of all the friends I would be staying with in the USA. They claimed that this was due to a TSA regulation, but refused to state which regulation required them to gather this information, nor what they would do with it once they'd gathered it. I raised a stink, and was eventually told that I wouldn't have to give them the requested dossier because I was a Platinum AAdvantage Card holder (e.g., because I fly frequently with AA). I have written an open letter to AA asking for details on this -- see the link below for the whole text...."

Labels: ,

Computer World tries to answer "What's up with universities?" 

After a string of successful penetrations of university computer systems containing personal information, Computer World has an article that tries to answer my question, "what's up with universities":

Hack Exposes Lax Security in Academia - Computerworld:

"....In a survey of 501 colleges and universities conducted last fall by The Chronicle of Higher Education Inc. and Gartner Inc., 41% of the respondents said hackers had succeeded in penetrating their systems. Fifty-three percent reported denial-of-service attacks, and 14% reported unauthorized access to student data.

But there is a growing awareness of the potential cost and risk to reputation associated with lax security, and a better understanding of the broader threat that unsecured university networks can pose, said Rodney Petersen, a policy analyst at Educause, a Washington-based nonprofit association of 1,900 universities.... "

See also PIPEDA and Canadian Privacy Law: What is up with universities?.

Labels: ,

Privacy issues delay posting of doctors' profiles 

The government of Manitoba originally promised that it would make "report cards" of the province's physicians available online. The project is being delayed due to privacy concerns, reports the Winnipeg Sun:

Winnipeg Sun: NEWS - Privacy issues delay posting of doctors' profiles:

"Manitobans will have to wait until at least the spring to access 'report cards' on their doctors' pasts. The NDP promised more than 2 1/2 years ago to make physician profiles public on the Internet, including records of disciplinary action and malpractice judgments....

He said there are concerns the privacy of doctors will be violated if unfounded complaints are published for all to see...."

Labels:

Tuesday, January 18, 2005

Incident: More hacking of university computers containing personal information 

Here we go again!

Yahoo! News - Hacker Breaches Security Of 2 UCSD Computers:

"A hacker breached the security of two University of California San Diego computers that stored the names and Social Security (news - web sites) numbers of about 3,500 students and alumni of UCSD Extension.

The breach, which left the personal information exposed for as long as a couple of days, is the third such incident at UCSD in the past year, according to The San Diego Union-Tribune.

University officials said there is no evidence of identity theft. An investigation showed the hacker was using the servers to store music and movies, UCSD spokeswoman Dolores Davies told the newspaper.

The breach was discovered in mid-November and those who were affected were mailed notification letters the first week of January, the newspaper reported...."

Labels: , ,

Incident: More hacking of university computers containing personal information 

Here we go again!

Yahoo! News - Hacker Breaches Security Of 2 UCSD Computers:

"A hacker breached the security of two University of California San Diego computers that stored the names and Social Security (news - web sites) numbers of about 3,500 students and alumni of UCSD Extension.

The breach, which left the personal information exposed for as long as a couple of days, is the third such incident at UCSD in the past year, according to The San Diego Union-Tribune.

University officials said there is no evidence of identity theft. An investigation showed the hacker was using the servers to store music and movies, UCSD spokeswoman Dolores Davies told the newspaper.

The breach was discovered in mid-November and those who were affected were mailed notification letters the first week of January, the newspaper reported...."

Labels: , ,

UK patients can opt-out from electronic health records 

I'm aware of a number of government-sponsored electronic health records programs, from Nova Scotia to Alberta and further afield. The one being planned and implemented in the United Kingdom is the first that I know of that will allow individuals to choose to not be included:

Guardian Unlimited | The Guardian | Patients can stay off NHS database:

"NHS patients are to be asked whether they want intimate details of their personal medical history to be included in a new national electronic database that can be accessed by GPs, paramedics and hospital staff throughout England.

Those worried the information could be abused will be entitled to have it removed from the system or placed in an electronic 'sealed envelope', to be opened only in a dire emergency, John Hutton, the health minister, said yesterday.

However, patients restricting access to their records in this way ran the risk of clinical staff making mistakes in an emergency through lack of relevant information about previous medical conditions or allergic reactions. "

Labels: , ,

Monday, January 17, 2005

'Counselor' appears to have violated privacy laws 

The Fort Wayne (IN) News Sentinel contains a letter and a response related to what may be a really reprehensible practice. A woman wrote in that she was "set up" to particpate in marriage counseling, the purposes for which may have been to assemble information to be used against her in a divoce proceeding. She was asked to sign a release, which she likely did not read and which appears to have given permission for the counselor to provide the information to her husband's lawyer. Though I can't imagine that the "release" would stand up to close scrutiny, it reinforces the lesson that people should read what they're signing.

KRT Wire | 01/17/2005 | 'Counselor' appears to have violated privacy laws:

"(KRT) - Q: ...

This "counselor" had both my husband and me sign releases when we came to his office, which I thought was standard procedure, but my husband's lawyer now has all of our records and is nitpicking and choosing information from my files to crucify me. My attorney says that my husband's part of the file is "clean," and that he has never seen a case like this. Had I known that my husband's lawyer picked the counselor to sandbag me, I would have never gone, much less signed a release. What can I do? Or is my goose cooked for being naive?

A: Based on the facts as you describe them, we don't know if it's your goose - or that of your "counselor" - that is cooked. In addition to state laws and ethical considerations that require confidentiality of protected health information, health care providers - including psychologists - are subject to federal confidentiality laws.

As we have referred to tangentially in other columns, the federal medical information privacy law - called HIPAA - applies to all health care providers, including psychologists, who deal with protected health information. This means, in its most simplistic form, that covered entities and individuals are required to keep protected health information confidential - unless they receive a valid release. In addition, "business associates" of these health care providers, including professionals such as accountants, lawyers, etc., are likewise required to maintain the confidentiality of protected health information.

In order to secure a valid HIPAA release, the document must have been signed voluntarily and with "informed consent." Informed consent means that all of your questions should be answered before you sign the document. It's not enough to merely hand you a form and tell you to read it and sign it.

In addition, the release should set forth the purpose and contain withdrawal provisions.

Here, it would appear to us that your lawyer may have an argument that you signed the release under what appears to be fraudulent circumstances. Surely, you would not have consented to see this counselor had you known that he was a friend of your husband's lawyer and that your husband had been seeing a lawyer for a period of time before you were "directed" to this medical professional for purposes other than counseling - that is, to have a professional witness available to corroborate your husband's positions.

Without full disclosure, we don't believe you could have given voluntary consent. And, given your desire to save your marriage, we don't believe that the counselor has lived up to the appropriate standard of care of a "reasonable and prudent" psychologist, or that you or another reasonable patient would have done this had you known the true circumstances. In other words, you appear to have been coerced.

Under these circumstances, we believe you have a good argument that your lawyer needs to raise in order to protect your interests and those of your children."

Labels: ,

Saturday, January 15, 2005

Handling customer complaints under PIPEDA 

Anybody reading the Canadian media before Christmas couldn't help but notice the huge amount of coverage given to a stream of faxes sent by a number of branches of a particular bank that kept on finding their way to a junkyard in West Virginia. The story took off and other complainants came out of the woodwork. Other banks were also the subject of stories, all related to mishandling of sensitive personal information (PIPEDA and Canadian Privacy Law: Bank faxes saga continues; involves other banks, too). Further examples of misdirected personal information are appearing in the media (see TheStar.com - Customer privacy concerns continue at CIBC). The most obvious thing to learn from these incidents is that people need to be very careful when faxing customer information. Or mailing it. But what is not as obvious is that none of these stories should have ever made it as far as they did. Not only was customer information mishandled, but more importantly (from the bank's point of view), the customers were mishandled.

I've touched on this before (PIPEDA and Canadian Privacy Law: Two magic words, big effects ...), but it bears repeating. Where the banks (and most organizations that end up at the unpleasant end of a privacy complaint) went wrong is the way they acted when their misstep was brought to their attention: (i) they did little to assure their customers, (ii) they did not appreciate the gravity of the situation, and (iii) they did not escalate the issue to the proper level. From what I understand of the faxing fiasco, the faxes went from a wide range of branches to one unintended recipient. Calls to the branches may have elicited a response, but they were not reported to a higher authority who would get a sense of the big picture and realize that there was a problem and it was chronic. Each branch did not know that dozens of other branches were making the same mistake and nobody was tracking the issue. When it comes to privacy breaches, one person in senior management must be apprised of the situation. Only that person will know if it was an one-off incident or whether the screw-up is pervasive. Secondly, employees of organizations need to be resensitised to the importance of the personal information they handle. It may not be important to the company, but that is irrelevant. It is important to the customer, so it must be treated appropriately. I happened upon an example of this at Ottawa airport night before last. Sitting in the restaurant, the woman at the table next to me got up to go. She must have been an airline employee because she left behind a copy of a manifest for a flight from Halifax to Ottawa. Being a nosy sort, I picked it up. I recognized a few names on the list, including a particular superior court judge who would not have been impressed. It told me that the person in seat 23A was 73 years old and needed help to get on and off the plane (why the put her in a window seat at the back of the plane should be the subject of a different sort of complaint). It also listed who ordered kosher meals.

To some, this is sensitive personal information and should not have been left lying around. But I think that people who deal with sensitive personal information all the time become numb to the fact that it really is sensitive and needs to be properly protected. I am sure that all lawyers know of colleagues who can be pretty casual when talking about clients. I've certainly heard some doozies about testimony about intimate matters that was probably humiliating to the person to reveal, but really had no effect on the lawyers since they've seen it all. When the information is routine, you start treating it routinely. I have heard from dozens of managers and business owners who say that they don't have to worry about privacy law because the information they handle isn't "sensitive." Well, in many cases it is, but the company has forgotten that it is sensitive or may be sensitive to their clients. All businesses need to think about information through the eyes of their clients. Even more, they need to think about it through the eyes of their most sensitive, paranoid clients. Personal information is important and must be treated accordingly.

Finally, each customer concern must be treated seriously. Most people don't complain routinely. Some may be chronic complainers, but most are not. If a client takes the time to complain about how their information was handled, they only have done so because it matters to them. If you treat the complaint casually, it can easily get out of control. If they don't get satisfaction from the organization, with the respect and priority they think it deserves, they will take their complaint to the privacy commissioner or, worse yet, to the media. I've read all the published findings on the Commissioner's website. Initially, would sometimes think that some people complain about truly trivial things. I scratched my head at more than a few. Then I began to wonder more and more often how the organization ever let the complaint get to the Office of the Privacy Commissioner in the first place. When a complaint gets that far, particularly about something "trivial", it is most likely because the organization didn't fix the "trivial problem" and let it get out of control. If you fix it as soon as it happens, that's it. No complaint. No problem.

I've dealt with customer concerns on behalf of clients. In almost every case, they are resolved favourably if you take the concern seriously, give it due priority, treat the customer with respect, and ultimately fix their problem.

To give an example, I was involved with a concern/complaint about a consent form that had been prepared for a client. This particular client was in a large industry but was the only location in their city that was visibly tackling the privacy issue. The customer called with some questions and was immediately referred to the privacy officer. Initially, the customer sounded a little indignant. He had read the form and had a problem with one of its provisions. We were satisfied with the correctness of the document, but the customer didn't seem to be amenable to our explanation. Since we were right, we could have told him that and walked away. But that wouldn't have ended the matter, since he knew enough about PIPEDA to make it likely that he'd buy a stamp and complain to the Commissioner. So we figured that if he was asking questions, there were probably a dozen or so customers who had the same question but didn't contact the client. Rather than fight it, we redrafted the form to make it more clear. We even asked the customer for his opinion of the new form and he approved. In the end, rather than have a potential complaint on our hands, the customer actually sang the client's praises around town leading to more business. Not only was a complaint avoided, but we managed to improve the customer's relationship with the client.

Privacy is not just a legal compliance issue. As an increasing portion of customers are concerned with the protection of their personal information and whether they can trust the companies they deal with, privacy is a critical customer relations issue. If you don't appreciate that fact and begin to look at your business through your customers' eyes, you are at much greater risk of having a complaint go to the Privacy Commissioner. That involves expense, a risk of bad publicity and a lost customer.

One further thought: I'm often asked by my clients about who should assume the role of privacy officer for their company. If they are a large company, they often think it should be their in-house counsel. At first blush, this seems sensible since a lawyer has the tools to understand and apply the law. I always say that it depends upon the individual lawyer. Many lawyers reflexively get defensive and switch into denial mode. (Or at least begin denying until they have a chance to investigate.) Because this is a customer service issue as well as a legal issue, the privacy officer needs to be customer-friendly. Not all lawyers have this trait. Automatic denials and switching to "damage control" tend to escalate matters, while empathy, understanding and focusing on a solution for the customer will calm the situation. A lawyer with privacy expertise should always be consulted, because this is a legal, risk-management issue. Few employees have the knowledge of PIPEDA to fully understand the company's obligations and the risk it faces in a particular situation.

Labels: , , ,

FBI Keeping Records on Pre-9/11 Travelers 

In the aftermath of the terrorist attacks on September 11, 2001, US federal investigators obtained massive amounts of information on individuals who were airline passengers in the months leading up to the attack. The FBI is keeping those records, according to the Associated Press, with no intention of giving them up. Privacy activists are up in arms over it:

FBI Keeping Records on Pre-9/11 Travelers: "

WASHINGTON (AP) - If you're among the millions of Americans who took airline flights in the months before the Sept. 11, 2001, terrorist attacks, the FBI probably knows about it - and possibly where you stayed, whom you traveled with, what credit card you used and even whether you ordered a kosher meal.

The bureau is keeping 257.5 million records on people who flew on commercial airlines from June through September 2001 in its permanent investigative database, according to information obtained by a privacy group and made available to The Associated Press.

Privacy advocates say they're troubled by the possibility that the FBI could be analyzing personal information about people without their knowledge or permission.

'The FBI collected a vast amount of information about millions of people with no indication that they had done anything unlawful,' said Marcia Hofmann, attorney with the Electronic Privacy Information Center, which learned about the data through a Freedom of Information Act request. 'The fact that they're hanging on to the information is inexcusable,' Hofmann said on Friday...."

Labels: , ,

US law will require secure disposal of employee info 

From USA Today (via beSpacific: beSpacific: Employers Soon to be Required to Shred Employee Documents):

USATODAY.com - Identity theft, new law about to send shredding on a tear:

"You've heard about shredding. You understand that it's probably a good idea to shred any receipts that have your credit card numbers or other personal information on them to stop identity theft.

You may have seen shredders at the office or noticed bulging trash bags of thin paper strips in the dumpster when you're walking the dog past a local business at night.

But now there's a law with a provision going into effect this summer that says if you employ even one person - a nanny, a yard man - and you have their personal information because you're doing the right thing and paying Social Security taxes, you have to 'destroy' the information before you throw it away.

You have to shred it or burn it or pulverize it.

Or you could get sued. Or fined. Or become part of a class-action lawsuit by enraged nannies whose personal information has somehow gotten out.

Bet you didn't know that.

The shredder industry does, and it expects sales to go on a tear.... "

The article is referring to the Fair and Accurate Credit Transactions Act (Bill Summary & Status).

Labels: ,

Friday, January 14, 2005

More on the George Mason University hacking incident 

The Washington Post has an excellent article on the recent hacking incident at George Mason University and what's unique about the university context. It goes a long way in answering my question, "What is up with universities?" (See: PIPEDA and Canadian Privacy Law: What is up with universities?.)

George Mason Officials Investigate Hacking Incident (washingtonpost.com)

On Tuesday, the university handed over the hacked computer -- a Windows 2000 server -- to the Fairfax County Police Department. The police and the FBI were running forensic tests, looking for electronic clues to the hacker's identity. GMU is only the latest campus to be hit by a hacker. In the past two years, similar attacks occurred at the University of Georgia, the University of Texas at Austin, the University of Missouri at Kansas City, the University of California at San Diego, and the University of California at Berkeley.

University campuses present a particularly inviting security target, experts say, because their systems house large amounts of personal data. But protecting the information is more complex than for a typical business because universities are built to foster collaboration and free exchange of information.

"This meant few policies, few restrictions" on how computer networks were to be accessed and used, said Rodney J. Petersen, security task force coordinator for Educause, which works on information technology issues for about 2,000 higher-education institutions. "But our greatest strength is now a weakness."

Labels: , ,

Wired foreshadows the privacy fights for 2005 

Thanks to PrivacySpot for pointing me to the intersting article in Wired on the upcoming privacy fights of 2005:

Privacy Battles of 2005 | PrivacySpot.com - Privacy Law and Data Protection:

"Wired is running a nice article about the upcoming privacy fights of 2005. President Bush has plans to expand federal powers under the Patriot Act. Whether that involves passing Patriot II or pushing provisions through piecemeal remains to be seen. What is evident, though, is that privacy advocates have cause for concern. Unfortunately, the SAFE Act, which seeks to counteract some of Patriot's more onerous provisions, is languishing in the House and Senate floors. Also on the horizon as battles over national ID cards, DNA databases, states' rights in passing privacy legislation, and the ubiquitous RFID tags. It promises to be an interesting year, as privacy battles escalate because of two factors: increased demands for privacy restrictions due to terrorism, and the rapid elimination of formerly insurmountable technological barriers."

Labels: , ,

Wednesday, January 12, 2005

Ridge Seeks Fingerprints on Passports 

CNN and the Associated Press are reporting that outgoing Homeland Security Secretary is calling for the fingerprinting of all US passport holders. He says that they can "offer assurances" that the use of the fingerprints would be limited. To what? He doesn't say.

Yahoo! News - Ridge Seeks Fingerprints on Passports:

"WASHINGTON - The United States should put the fingerprints of its citizens on passports to enhance global security, outgoing Homeland Security Secretary Tom Ridge said Wednesday in a recommendation risking a privacy fight at home.

Ridge said passports could ideally include biometric finger scans - for all 10 fingers - to help customs officials quickly and accurately identify U.S. travelers. He offered no details on how the plan might deal with privacy concerns or guard against international identity theft.

'If we're going to ask the rest of the world to put fingerprints on their passports, we ought to put our fingerprints on our passports,' Ridge said in a speech at the Center for Strategic and International Studies before heading overseas to talk about security ties with the European Union (news - web sites).

'Now, culturally, historically, there are a lot of reasons that some countries are averse or very reluctant to give people finger scans,' Ridge said. He said that by offering assurances that use would be limited and benefits would be significant, 'we could get the world to move more quickly toward a common international standard.' ..."

Also on CNN: Ridge presses for fingerprints on passports - Jan 12, 2005

Labels: ,

Incident(s): Hacker breaches T-Mobile systems, reads US Secret Service email 

The Register (via Privacy Digest) is reporting on a staggering breach of security at a US wireless service provider. A hacker apparently had unencumbered access for at least a year to T-Mobile's systems, incuding US Secret Service e-mails, text messages, celebrity phonecam snaps and other sensitive personal information.

Hacker breaches T-Mobile systems, reads US Secret Service email The Register:

"A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor US Secret Service email, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.

Twenty-one year-old Nicolas Jacobsen was quietly charged with the intrusions last October, after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms. The informant also produced evidence that Jacobsen was behind an offer to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board, according to court records.

Jacobsen could access information on any of the Bellevue, Washington-based company's 16.3 million customers, including many customers' Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with web access to their T-Mobile email accounts. He did not have access to credit card numbers.

...

T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

Company spokesman Peter Dobrow said Tuesday that nobody at T-Mobile was available to comment on the matter...."

Read the full article ... it's scary reading.

Update: The Associated Press is now carrying this story: Hacker Breaks Into T-Mobile Network:

"WASHINGTON - A hacker broke into a wireless carrier's network over at least seven months and read e-mails and personal computer files of hundreds of customers, including the Secret Service agent investigating the hacker, the government said Wednesday... "

Labels: , , ,

New standard European clauses for data transfers approved 

The European Commission has approved a new set of standard contractual clauses which businesses can use to ensure adequate safeguards when personal data is transferred from the EU to non-EU countries.

Frequenly asked questions are available here, the new clauses are here, and the model privacy contracts page is here.

Thanks to PrivacySpot.com for the pointer.

Labels:

Tuesday, January 11, 2005

Fallout from the Englander decision 

ITBusiness.ca, which is consistently one of the best sources of privacy news in Canada, is reporting on a discussion of the fallout of the Englander decision. (For more info on the case, check out PIPEDA and Canadian Privacy Law: FCA hands privacy victory to the "little guy".)

Michael Geist expressed fears that the Englander decision, in which the Federal Court of Appeal reversed a finding of the federal Privacy Commissioner, may have exposed the Commissioner as toothless. She has no order-making powers and individuals have to pursue a remedy in the courts. Michael's comments are also informed by his recent experience as a success complainant in a ground-breaking spam decision, in which the Assistant Commissioner concluded that his work e-mail address is "personal information", notwithstanding the definition of personal information in the Act. Many of the comments he has received suggest that many think the finding is of little value unless it is taken to the Federal Court for enforcement. (Others, I might add, want it to go to the Court to be reversed.)

Telus case calls role of Privacy Commissioner into question:

"1/11/2005 5:00:00 PM - After an appeals court supports Matthew Englander's right to keep his name out of the phone book, experts are left wondering what power the federal office really has. Also: where PIPEDA fits in

A recent federal court decision to overturn one of the Privacy Commissioner of Canada's first findings under the country's privacy act has raised questions about how well the Commissioner can enforce the law."

From a consumer's point of view, one of the harshest lessons to be learned from Mathew Englander's experience is that going to the Court is not to be taken lightly. He disagreed with the Commissioner's finding, so he took it to the Federal Court. The Court upheld the Commissioner's finding and hit Mathew with $18,000 in costs. He was ultimately vindicated by the Court of Appeal, but the message sent by the Court is loud and clear: only advocacy groups or well-funded consumers should take the risk of going to court. The Commissioner's office can go to court on behalf of a complainant, but they are under huge budgetary constraints and I don't think they'll go to have their own finding reversed.

Labels: ,

Customers always willing to trade privacy for services 

Privacyspot is linking to a survey that confirms what most privacy-aware folks know. Consumers will trade privacy for services and convenience:

Internet Marketing Survey Finds Consumers Willing to Share Information . . . Sometimes PrivacySpot.com - Privacy Law and Data Protection:

"A survey of 1,799 Internet users in the United States shows that '89% would let a trusted marketer share their personal interests with a third party without permission in order to increase the quality of services and products produced. However, only 20% would let a marketer share information in order to track their buying behavior and project future purchasing decisions.'

In other words, as long as there is an immediate, direct benefit to the consumers, they are willing to allow their information to be shared.... "

Labels:

Companies Simplify Data Privacy Notices Based On European Recommendations 

In November, the Article 29 Working Party on privacy of the European Union recommended a new format for privacy notices that is more concise and focused. (See Opinion on More Harmonised Information Provisions)

According to Computerworld, the new harmonised format is making its way into the privacy policies of major US companies:

Companies Simplify Data Privacy Notices - Computerworld:

"P&G, Microsoft are in forefront of move to make Web site disclosures more user-friendly

News Story by Jaikumar Vijayan

JANUARY 10, 2005 (COMPUTERWORLD) - A European Union initiative to develop standards for shorter and more readable data-privacy notices on Web sites is shining a spotlight on a similar need in the U.S., and large companies such as Microsoft Corp. and The Procter & Gamble Co. are already adopting the condensed format.

On its corporate Web site, P&G has created a 'privacy notice highlights' page that uses a modular format identical to the one approved by an EU panel in late November. The modular approach lets companies provide Web site visitors with capsule descriptions of their privacy policies as the initial step in the disclosure process.

Sandy Hughes, P&G's global privacy executive, said last week that the Cincinnati-based maker of consumer goods set up the new page after a survey of users who visited the Web site showed that 95% of them found shorter data privacy notices helpful.... "

Labels:

Monday, January 10, 2005

What is up with universities? 

Today, I fiind myself asking the question, "what is up with universities?" I'm not just asking this because I am posting from the computer lab at Dalhousie Law School after teaching my class, but because they are leaking personal information like sieves.

Earlier today, I posted about a hacker-caused privacy breach at a university in Kansas. (Click here -- PIPEDA and Canadian Privacy Law: Incident: Kansas Univeristy computer containing personal information hacked -- or scroll down a page or two.) Now CNET is reprting that George Mason University has seen hackers take personal information on more than thirty thousand students. Thirty thousand.

Hackers steal ID info from Virginia university | CNET News.com:

"George Mason University confirmed on Monday that the personal information of more than 30,000 students, faculty and staff had been nabbed by online intruders.

The attackers broke into a server that held details used on campus identity cards, the university said. Joy Hughes, the school's vice president for information technology, said in an internal e-mail sent over the weekend and seen by CNET News.com that 'the server contained the names, photos, Social Security numbers and (campus ID) numbers of all members of the Mason community who have identification cards.'... "

Labels: ,

Recording of Bill Good show (CKNW) 

On January 4, 2005, I was a guest on the Bill Good show on CKNW Vancouver. It was an open-line show with a quite a few interesting callers with privacy questions. If you missed it live and want to hear it, they were kind enough to send me an MP3 of the show.

Labels:

Tune in ... 

I've been invited to be on the Roy Green Show in Hamilton, Ontario (just briefly, I gather) sometime today between 10:30 and 11:00 (eastern time). If you want to listen via Windows Media, go to http://www.900chml.com/ and click on "listen live".

Labels:

Consumer advocacy group releases report on PIPEDA 

I don't know how I missed this one, but in November, the Public Interest Advocacy Centre released a fifty-five page report by John Lawford entitled Consumer Privacy Under PIPEDA: How Are We Doing?. It's very critical of PIPEDA and its enforcement, and an interesting read as it also reviews (in some detail) a number of the findings that PIAC has been involved in.

Labels: ,

WA state hospital association calls for uniform and more relaxed interpretation of HIPAA 

The Washington State Hospital Association's Board of Trustees is asking the state's hospitals to adopt a more uniform and relaxed interpretation of HIPAA to ease information sharing with family members:

Patient privacy rules may relax: "The Washington State Hospital Association Board of Trustees passed a resolution last month asking hospitals to adopt a uniform policy allowing family members and friends to find loved ones while still maintaining federal patient privacy laws.

The association issued the recommendation after an advocacy group demanded a better system. Members were frustrated by officials at local hospitals who wouldn't disclose information about their hospitalized loved ones.

'HIPAA is a little unclear,' said Cassie Sauer, spokeswoman for Washington State Hospital Association. 'It was being implemented with great variation across the state. Family members who couldn't get information were freaked out and really mad.'

HIPAA - the Health Insurance Portability and Accountability Act - was passed by Congress to protect patient privacy by preventing hospitals from releasing confidential patient information. It was intended to protect patients from having their records sold to pharmaceutical companies, for example, that might specialize in treating their particular illnesses...."

Labels: ,

Incident: Kansas Univeristy computer containing personal information hacked 

I'm not sure if university computers are more vulnerable, or if universities are just more forthright about reportiing these incidents. In any event, there seem to be a lot of reports like this one:

LJWorld.com : KU center reports computer hacking:

"For the third time in two years, the FBI is investigating a computer hacking crime on a Kansas University computer containing personal information.

KU began sending out letters this week to those who might have been affected by the security breach, which involved a server at KU's Life Span Institute at Parsons.

'It was kind of shocking to us,' said Susan Roberts, a Lawrence resident whose husband, Harold, received a notification letter Thursday. 'These kinds of things are scary.'

The letter Roberts received said information on the server included the name, address, phone number, date of birth, health status and special needs of those who have accessed services in Parsons...."

Labels: , , ,

You need a social security number for what? 

Folks in Galveston County, Texas, are about to challenge a local ordinance that requires residents to supply their social security number to have their garbage picked up.

The Galveston County Daily News: Residents to question city ordinance:

"LA MARQUE - Residents of Omega Bay will voice their concerns today about a La Marque ordinance that requires people to supply their Social Security numbers when applying for utility services, specifically garbage pickup."

Labels:

Sunday, January 09, 2005

Followup: Google Exposes Web Surveillance Cams 

Earlier, I posted about being able to find things on the web that the owners probably thought were hidden. (See: PIPEDA and Canadian Privacy Law: Beware what you put online ... there be google hackers.) Slashdot.org has an interesting discussion on the topic, providing the critical techie perspective.

Slashdot | Google Exposes Web Surveillance Cams:

"Posted by CmdrTaco on Sunday January 09, @10:00AM
from the pick-a-password-people dept.

An anonymous reader writes 'Blogs and message forums buzzed this week with the discovery that a pair of simple Google searches permits access to well over 1,000 unprotected surveillance cameras around the world - apparently without their owners' knowledge.' Apparently many of the cams are even aimable. Oops! "

Labels: , , ,

Privacy and Public Records 

Probably, the next big privacy issue to hit Canada will be the availability of public records in electronic form. "Public records" are, by their very nature, open to public view but electronic avaiability means that they are infinitely more available, mineable (if that's a word) and may be connected with other public and private data in an unprecedented way. This is entirely a new issue, particularly in the United States, where companies like ChoicePoint, Abika and Lexis Nexis collect disparate bits of data, assemble them, link them and make them available to marketers, insurers, lenders and government.

In Canada, we've seen some controversy with Abika, following a complaint made against the company to the Canadian Privacy Commissioner. (Which was not pursued by the Commissioner because the company has no presence in Canada. See PIPEDA and Canadian Privacy Law: CIPPIC complaint raises a number of novel and interesting issues, Jurisdictional limitations on Canadian privacy law, CIPPIC v Abika.com: Part deux.)

Under PIPEDA, public records are treated in a peculiar way. You can collect, use and disclose publicly available information without consent as designated in the regulations:

7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if ...
(d) the information is publicly available and is specified by the regulations.

As with so many aspects of PIPEDA, it is never straightforward. The regulations not only designate what is "publicly available", but tell you how you can use it without consent:

Regulations Specifying Publicly Available Information:

"1. The following information and classes of information are specified for the purposes of paragraphs 7(1)(d), (2)(c.1) and (3)(h.1) of the Personal Information Protection and Electronic Documents Act:

(c) personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry;

(d) personal information that appears in a record or document of a judicial or quasi-judicial body, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document; and ..."

So public records can only be used in a manner that is consistent with the puropse for which it is made available in the first place. This means that you have to ask yourself: Why does the registry of deeds exist? Why are court records open? Why are tax assessments available? I'm relatively confident that they are not public records so they can be mined by marketers. Other than that, it's a matter of interpretation.

PIPEDA only applies to commercial activities, however, so there is no restriction on the ability of journalists or your busy-body neighbours to peruse databases. And criminals, who can glean social security numbers from public filings in the US, are not too concerned with the law. So it falls to the governments in question to consider whether it is prudent to put this information online.

On a related note, a quick Google News search turned up a number of interesting articles, starting with this editorial that argues that accident records should continue to be available to keep the government on its toes:

The Sanford Herald: What others say:

"By law and by tradition, government records in North Carolina are open to the public. It is a healthy policy that allows citizens to find out what their government is up to - and to make it accountable to the people it serves.

So it's especially troubling when electronic advances that make it easier for governments to create and maintain records also keep those records out of the public's hands. A prime example is a new software program the state Department of Transportation began using last year that lets law enforcement officers file accident reports directly from their patrol cars instead of filing a paper copy...."

Newsday.com - State/Region News:

"COLUMBIA, S.C. -- Officials in two South Carolina counties have asked a company to stop posting some county government land records online after concerns about the availability of residents' Social Security numbers.

Officials in York and Berkeley counties asked to have some documents removed from the Web site registered to Dallas-based Affiliated Computer Services, Inc...."

Way sought to make court file data honest:

"TALLAHASSEE - A panel helping the Florida Supreme Court figure out how to balance the public's right to access with the right to privacy wants to stop inflammatory documents from getting into court files.

The panel's recommendations are intended to help the state's 67 clerks of court cope with the advent of Internet access to court files and its effect on 'practical obscurity,' the privacy afforded litigants and defendants when court documents pile up in file rooms and warehouses.

Now, paper that once gathered dust can be read, copied, transmitted and analyzed instantly when it enters the court record.

In 2003, the state Supreme Court placed a moratorium on electronic filing of court records until a panel recommends how to protect the public from 'data-miners' - data collection agencies that gather information about individuals. That moratorium came after the Florida Legislature ordered all court records to be put online by 2006...."

Labels: , , ,

Saturday, January 08, 2005

Better develop a "culture of privacy" 

David Canton, of eLegal Canton fame, is a regular contributor to the London Free Press. In today's business section, David recommends that all businesses need to adopt a "culture of privacy" to prevent the sorts of privacy fiascos that we have seen in the last few months:

London Free Press: Business Section - Privacy culture necessary:

"Just when you thought your bank and government have your privacy interests protected -- think again. Recent privacy gaffs show privacy breaches can happen despite the best intentions of business or government.

Protection of privacy rights is not an automatic concern for many. However, people are becoming more aware of the repercussions of not having privacy top of mind....

And perhaps most importantly, create a culture of privacy within your organization. All organizations will have a chief privacy officer, but that person alone cannot do the job. All employees should understand the importance of keeping certain information confidential."

I couldn't agree more. So many of the high-profile screwups and a huge portion of the negative findings of the Office of the Privacy Commissioner stem from employees not having privacy at the top of their minds. In my experience, the lack of privacy culture leads directly to non-compliance or to not dealing with the incident properly when it comes to the company's attention.

The best example of this is an incident that happened in Ontario in 2003. If memory serves (the media reports about it are no longer online), a woman was suspecting that her spouse was having an affair. So she calls his cellphone company [the phone was not in her name] and says, essentially, "Hi, this is Mrs. Smith. I'm doing the bills and I don't know what all these charges are. Can you fax me the calling details for the last few months so I can figure these out?" The customer service person, thinking that s/he was providing the best customer service possible, says "sure thing!" and faxes them right over. So the list of numbers leads to the mistress, causing all sorts of problems for both the mistress and the ex-husband. The ex-husband gets upset and goes to the media with the story of how his phone company violated his privacy.

So, what went wrong? The customer service representative didn't think about privacy. S/he may have known about the company's policy of not disclosing this sort of information to anyone who is not listed on the account, but s/he was not thinking about privacy in a meaningful way. She sould have told the inquiring spouse that "at XYZ cellular, we respect our customers' privacy. You're not listed on the account, so I can't send you that information. Please have Mr. Smith give is a call to add you to the account, so you can get this information now and in the future, of ask Mr. Smith to request the information directly." But she didn't. As a result, her company's name was dragged through the mud.

Customer privacy needs to be the first thing your employees think about.

Labels:

Friday, January 07, 2005

Fallout from naming/not naming Canadian victims 

In the last few days, the Toronto Star decided to release an unofficial list of missing and dead Canadians in South Asia after Canadian authorities suggested that their hands were tied by the Privacy Act. The Privacy Commissioner and others corrected them, pointing out the public interest exception in s. 8 of the Act. All of this has led to two interesting letters to the editor in the Toronto Star:

TheStar.com - Release official list to world: Circulate listing via e-mail to every hotel, resort and set of bungalows — especially in Thailand:

"Search for the dead

Jan. 6.

After days of citing the Privacy Act as a barrier to disclosing names of the missing and dead Canadians in southern Asia, the federal government has conceded it made a discretionary decision not to release the information. And yet, in practical terms, releasing the names may very well help in ascertaining the fate of Canadians missing in Asia.

Prime Minister Paul Martin and a series of Foreign Affairs officials invoked Canada's Privacy Act as a reason for not releasing the names of the Canadians missing and feared dead in the Boxing Day tsunami. However, Jennifer Stoddart, Canada's privacy watchdog, is concerned that federal officials are "misquoting" the Privacy Act to justify withholding the names of the estimated 150 Canadians missing and feared dead in the tsunami. "The Privacy Act does allow exceptional release of names where there's a public interest that outweighs an invasion of privacy," she says.

With all due respect to anyone upset, if publishing an unofficial list, in the Star, "derived from many sources," has now confirmed that 50 on that list are in fact safe — all the better! It's now the rest — and others — that we should all be focused upon. If publishing the official listing helps to find only one — even better. Rather than waving an index finger at the Star for its efforts, get the official listing out — it is not an infringement on privacy rights. Circulate that listing via e-mail to every hotel, resort and set of bungalows — particularly in Thailand. And get them to start double-checking their guest registries. These are developing countries and we must not assume that everything functions like it does in the developed world, particularly during a crisis.

Prime Minister Martin, please give us the official listing so that those of us who can, are able to search even from afar. No one will think badly of you.

Keith Dériger, Ottawa

Canadians in Thailand

Jan. 5.

I am certain that Star editors have the best of intentions in publishing a list of known dead and/or missing people from this recent tragedy. But it is an unfair sleight of hand to circumnavigate privacy laws. The privacy laws exist for just that reason, to preserve privacy — pure and simple — no questions to be asked.

The Star notes the list was complied by reference to information provided to the government "from reports by worried friends and relatives." Is it not just possible this information was provided to the government by some people who did not expect to see it on page A3 of Canada's largest newspaper? In short, some of these friends and relatives may have wished for privacy or had a reasonable expectation of privacy. Did the Star canvass the friends and relatives to see who wanted to see their enquiries end up on page A3 ? Would all missing wish to have their names published? How generous of the Star to speak for all these people.

In many cases newspapers publish information that may indicate secret corporate, government or individual malfeasance — possibly stopping an unjust practice. This is not the case here. This is not a public service. Why do readers have to know this information?

David S. Faul, Ajax"

Labels:

Letterman: Top Ten Signs Your Boss is Spying On You 

From last night's Late Show with David Letterman:

CBS | Late Show Top Ten Archive: January 06, 2005:

"Top Ten Signs Your Boss Is Spying On You

10. Wherever you go you're followed by a potted plant in loafers.
9. The bracelet he gave you for Christmas beeps if you leave your cubicle.
8. Office coffee has hint of hazelnut and sodium pentothal.
7. Your name:'Sam.' Next to your parking spot: 'Reserved for the guy following Sam'
6. Find yourself getting tasered more than with previous bosses.
5. Your new secretary looks a lot like that chick from 'Alias'
4. Instead of photos of wife and kids on his desk, he has a photo of you sleeping.
3. When you're alone in the men's room, a voice tells you to quit blocking the lens.
2. Boss critical of typos in your personal e-mails.
1. The fax machine just coughed."

Labels:

Thursday, January 06, 2005

E-mail in litigation: Delete, delete, damn e-mail! 

The front page of today's Globe and Mail Report on Business is full of coverage of a high-profile lawsuit between CIBC and Genuity. The most compelling evidence in the case is a bunch of e-mails that the senders and recipients thought were private:

Globetechnology: E-mail used as weapon in court case

The Canadian Imperial Bank of Commerce has turned employee e-mails into a potent legal weapon in an acrimonious court battle with a team of top executives who left the bank last year to form a competing investment firm.

In a lawsuit filed in the Ontario Superior Court, CIBC alleged that six former senior executives, including its one-time vice-chairman David Kassie, improperly recruited bank employees and took confidential bank data to their new company, Genuity Capital Markets....

The revealing e-mails are a stark reminder to employees in the digital age that messages they zap into the Internet ether can come back to haunt them....

CIBC was able to tap into messages sent by BlackBerrys that the former executives apparently believed were protected by a private system of e-mail communications known as PINning, which involves personal identification numbers or PINs.

The bank's ability to read and publish the BlackBerry e-mails is expected to send chills through the legions of investment bankers and lawyers who conduct all kinds of communications through the ubiquitous portable e-mail devices.

“You mean they broke into the PIN messages, how did they do that?” gasped one Bay Street lawyer and frequent BlackBerry PIN user who declined to be identified.

The CIBC isn't saying how it accessed the BlackBerry messages, but states in its lawsuit that the executives “seemed to have believed [they] did not create any record of their e-mails on the [Bank's] central computer systems.” ...

If you don't want to see it again, don't put it in writing, don't e-mail it, and don't text it.

Labels: ,

Voyeur CCTV attendants suspended for using awesome powers for evil 

This sort of stuff is what makes many people nervous about widespread surveillance cameras in public places. The Register is reporting that two employees entrusted with keeping the streets safe though CCTV have been suspended for using the technology to peep into a woman's apartment:

Council suspends CCTV Peeping Toms | The Register:

"Police are investigating a a trio of municipal 'Peeping Toms' from Sefton, Merseyside who reportedly trained a street safety CCTV camera on a woman's flat in Liverpool's Bootle district, UK tabloid the Sun reports.

The three have been suspended 'pending a full internal investigation into alleged breaches of the council's policies and procedures,' as a Sefton council spokesman put it. Police confirmed that they are 'currently investigating allegations under the Sexual Offences Act 2003 and we are talking to a number of people', although no-one has been arrested.

The triumvirate of alleged snoops work in the Sefton council street safety camera centre, which controls 70 CCTV cameras across Merseyside."

Labels: , , ,

Commissioner speaks up on interpretation of the Privacy Act and naming tsunami victims 

Jennifer Stoddart has spoken up, correcting politicians and public servants about the Privacy Act and its effect on the ability of the government to name tsunami victims. While the Act does generally prevent the disclosure of personal information, it does contain a public interest exception that the PM or the Minister of Foreign Affairs can invoke at any time. (See my very reference to the pubilc interest exception in PIPEDA and Canadian Privacy Law: Editorial urges that naming Canadian tsunami victims is in the public interest.)

Victoria Times Colonist - Naming the missing not a privacy issue:

"Watchdog: Commissioner says law does not prevent government from listing Canadians feared dead

OTTAWA -- Canada's privacy watchdog says she is concerned that federal government officials are 'misquoting' the Privacy Act to justify withholding the names of the estimated 150 Canadians missing and feared dead in the South Asian tsunami.

And Jennifer Stoddart said that she plans to discreetly warn government officials to stop misrepresenting the act to Canadians.

'When we read that the Privacy Act is being misquoted we usually follow up informally,' Stoddart said in an exclusive interview Wednesday.

'I continue to be concerned when I hear in the media public officials declaiming what the Privacy Act does not allow them to do,' Stoddart added.

'The Privacy Act does allow exceptional release of names where there's a public interest that outweighs an invasion of privacy.'

Stoddart's comments come after Prime Minister Paul Martin and a series of Foreign Affairs officials invoked Canada's Privacy Act as a blanket reason for not releasing the names of the 146 Canadians missing and feared dead in the Boxing Day tsunami that ravaged the Indian Ocean...."

Labels: ,

Scanning license plates to find stolen cars 

I've seen SUVs with roof mounted cameras and stickers from the Insurance Bureau of Canada strolling down the lanes of Halifax and Vancouver, apparently checking license plates of parked cars against a database of stolen vehicles. Now police in Ohio are using a similar system that checks every car that enters the Ohio Turnpike. Techdirt has a pointer and a comment or two on this type of surveillance:

Techdirt:Don't Try Driving On The Ohio Turnpike In A Stolen Car:

"from the or,-um,-change-the-plates-first dept.

Beck writes 'The Ohio State Highway Patrol reports that they tested a license plate scanning system on the Ohio Turnpike last summer. The system scanned the plates of cars entering the Turnpike, and alerted the Patrol when it detected a car that was reported stolen, or was owned by a wanted fugitive. Troopers were then able to locate the car and pull it over. They say that the system identified 24 stolen cars during the test. The Highway Patrol says that the scanners only looked at lists of stolen cars and fugitives and did not access BMV records, nor did they retain a record of scanned plates.' "

Labels: ,

PM decides it is not in the "public interest" to name Canadian tsunami victims 

Further to my earlier posting "PIPEDA and Canadian Privacy Law: Editorial urges that naming Canadian tsunami victims is in the public interest", the Toronto Star is reporting that the Prime Minister made the call not to publicy name those Canadians affected by the Asian tsunami. The article also refers to the ability of government to release names "in the public interest":

TheStar.com - PM made decision not to release information:

"Privacy Act allows for disclosure `in public interest' Martin's office cites `respect for families'

TONDA MACCHARLES
OTTAWA BUREAU

OTTAWA—After days of citing the Privacy Act as a barrier to disclosing names of the missing and dead Canadians in southern Asia, the federal government conceded yesterday it made a discretionary decision not to release the information.

Pressure grew yesterday on the government to release names, especially after the Toronto Star reported it had found several individuals previously presumed missing.

The federal Privacy Act in fact allows a minister to override the privacy law to reveal such information — and it frequently does — in cases that it deems "in the public interest."

There is no definition of what that is or is not.

Here's what section 8.2 (m) of the law actually says:

"Personal information under the control of a government institution may be disclosed ... for any purpose where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure."

In the end, it is now clear, the decision to keep the names secret was Prime Minister Paul Martin's, and not Foreign Affairs Minister Pierre Pettigrew's.

Martin's communications director, Scott Reid, said yesterday the Prime Minister's decision to withhold the names was "triggered by common sense and basic respect for the families involved."

"There is no compelling public interest that would result in the publication of the names of the 146 officially missing Canadians. Quite the contrary, the Prime Minister's strongly held view is that the public interest dictates that we should work closely with the families involved, offering support and assistance in any way possible while respecting their right to privacy."

"In truth, this was not a difficult decision. If families wish to speak publicly about their lost or missing loved ones, that is their decision. But the government will not presume or take that decision for them."

...

Renée Couturier, a spokesperson for federal Privacy Commissioner Jennifer Stoddart, says the federal government occasionally invokes the "public interest" exemption to privacy.

...

In fact last year, Ottawa invoked the "public interest" 67 times, according to Stoddart's annual report.

But this week, the prevailing view within the foreign affairs department was the information should not be released so as not to cause "further anguish and suffering" to the families, said spokesperson Reynald Doiron.

But Doiron indicated families were not asked if they would consent to a release of their relative's name.

Consultations were held with the Prime Minister's Office, the Privy Council Office, the federal privacy commissioner's office, and the justice department.

It was the Prime Minister who made the final call, said Reid.

In this case, one observer of privacy laws, John Lawford of the Public Interest Advocacy Centre, said yesterday the government should not be knocked for a decision made while the "chaos" of the disaster is still fresh.

He said it would be a greater concern if the government uses that as a long-term justification for withholding names...."

Labels: ,

Wednesday, January 05, 2005

Red light cameras may cause accidents 

Red light cameras, which are appearing on an increasing number of street corners, may actually cause accidents, according to a report from the New York Times: The New York Times > Technology > Circuits > With Cameras on the Corner, Your Ticket Is in the Mail.

Nervous drivers, it appears, may slam on the brakes when they should have cruised through the yellow light. (Privacy nerds, on the other hand, are so easily distracted by cameras that they may not pay close enough attention to traffic.)

Labels:

David Fraser on Holder Tonight on CJAD 

On Monday night, I was a guest on the Peter Anthony Holder show on CJAD in Montreal. The topic of discussion was (surprise!) privacy and we received some interesting calls from listeners, most of them concerned about their social insurance numbers and whether they have to disclose them to banks and others. You can listen to an MP3 of the show here [16,623 KB].

Yesterday, I was on the Bill Good show on CKNW in Vancouver. When I have an MP3 to share, I'll put it online as well.

Labels:

Editorial urges that naming Canadian tsunami victims is in the public interest 

Futher to my earlier posting (PIPEDA and Canadian Privacy Law: Canadian consular officials struggle with whether to name tsunami victims), the Toronto Star has an editorial urging that the Canadian government identify those who are missing or dead in the tsunami disaster:

TheStar.com - Privacy law handcuffs government:

It is now grimly probable that the tsunami disaster in Asia 10 days ago has claimed the lives of some 150 Canadian tourists in Thailand. Today the Star is publishing the best information available to Ottawa about the missing Canadians. Handcuffed by privacy laws, the federal government is unable to release the list of names it has compiled from reports by worried friends and relatives.

We believe it is a matter of overwhelming public interest that the information should flow freely so relatives or friends in Canada can tell the authorities if they know someone on the missing list is, in fact, safe. - Giles Gherson Editor-in-Chief"

Section 8 of the Privacy Act allows the government to disclose personal information where it is in the public interest:

8(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed

...

(m) for any purpose where, in the opinion of the head of the institution,

(i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or

(ii) disclosure would clearly benefit the individual to whom the information relates.

Labels: ,

Beware what you put online ... there be google hackers 

It seems to be common sense that you shouldn't expect anying you put online to stay private. Security through obscurity does not really exist in the face of the almighty google. Metafilter has a post (with comments) about how a simple google search can find networked surveillance cameras, many of which I am sure are only meant for "internal use". (See Join Google, see the world | Metafilter.) This is but one amusing example of "google hacking".

Google hacking is a technique that can be used to find "private" information that has been indexed by Google, probably without the user's knowledge. (See Google Hacking Database.) Some google hacks can even lead to lists of credit card numbers (Google queries provide stolen credit cards | CNET News.com) and passwords.

On a related note, a high-profile couple from Utah has recently learned the hard way that if you put nude photos of yourself in an online photo service, you're asking for trouble:

deseretnews.com | 'Raid' can be embarrassing - or worse:

" A prominent, married Utah couple recently photographed each other in the nude. They thought that storing the private shots at one of the new free, online photo storage-and-sharing sites would clear up space on their home computer, and that it would be secure.

They were wrong, which they learned when copies of their photos were sent to the news media.

'This has been an absolutely horrendous, mortifying experience,' the husband says. 'We never wanted anybody to see them.'

While the media chose not to publish the photos or identify the couple, judging that would unfairly intrude on their privacy, the pair became unwitting examples of just how dangerous it can be to store anything sensitive online, or on any computer that connects to the Internet, without serious firewalls.

The couple insists they never told anyone the photos existed or ever shared them. Computer experts say that is possible, and that enemies or thieves can remotely raid computers of the unwary to find and exploit files and passwords. But they add that most people are careless enough that the most high-tech types of raids are not really needed."

The moral of the story is don't put it online if you don't plan to share it with the world. Period.

Labels: , , ,

Tuesday, January 04, 2005

Wired jargon watch: "Privocrats"? 

From Wired's Jargon Watch:

"Privocrats

The label created by conservative columnist Heather Mac Donald for far left and loony libertarians who, she says, put civil rights and personal privacy ahead of national security."

Labels:

New privacy rights for Californians 

January 1, 2004 brought a wide range of new privacy rights for Californians, a development that Wired News believes may have effects across the country:

Wired News: Golden State of Privacy:

"Californians entered the new year with the assurance their cell phone numbers cannot be automatically added to the 411 database, the ability to sue spammers and the comfort of knowing rental car companies cannot track their travels, thanks to a spate of privacy-enhancing laws that went into effect Jan. 1.

Those outside California's borders may benefit as well.

California laws often have effects beyond the state's borders, since companies often find it easier to adapt all of their operations to comply with the Golden State's standards...."

Labels:

Biometrics for Canadian passport office doesn't pass muster 

The Canadian passport office commissioned a report to investigate the feasiblity of biometric facial recognition to spot nasty folks in the password application process. Apparently, the technology is not mature enough to implement:

Facial-scan technology unproven, says internal report on biometrics:

"Facial-scan technology unproven, says internal report on biometrics

Jim Bronskill
Canadian Press

Tuesday, January 04, 2005

OTTAWA (CP) - An internal federal report raises questions about the effectiveness of electronic photo-matching technology, a technique the Passport Office plans to use in an effort to prevent terrorists from obtaining travel documents.

The office recently tested a computer program that compares an image of a face with thousands of other mugshot-style photos and zeroes in on possible matches.

The government report, obtained by The Canadian Press under the Access to Information Act, says while a digital system has the potential to sift through large batches of pictures and return likely matches, "its suitability for this purpose remains uncertain...."

Labels:

British Columbians polled about identity theft 

The BCGEU, which crusaded against the outsourcing of medicare processing, leading to the USA Patriot Act inquiry, has commissioned a poll of British Columbians about privacy attituds. Almost 90% of those polled are deeply concerned about identity theft, among other things:

BCGEU: British Columbians deeply worried about identity .....:

"British Columbians deeply worried about identity theft, according to year end poll

Almost 90 per cent fear personal information will be misused and bills run up, crimes committed in their names

Close to nine out of ten British Columbians are worried they could be victims of identity theft because their personal information falls into the wrong hands.

That's one of the major findings of a year end survey to gauge British Columbian's views about information privacy carried out by the B.C. Government and Service Employees' Union.

BCGEU president George Heyman says the poll shows widespread public unease about the identity theft phenomena.

'Obviously people are well aware of the problem, and they're concerned about safeguarding the privacy of their personal information,' Heyman says. 'Given the poll results, that deeply held anxiety obviously cuts across traditional political lines.

'Logically, you'd expect our provincial government would be moving to shore up protections to reduce the threat of identity theft and safeguard information privacy,' Heyman says. 'However, the Campbell government is moving in the opposite direction.'..."

Thanks to SANS PrivacyBits - Vol: 3, Issue: 1 for the pointer.

Labels: , ,

Canadian consular officials struggle with whether to name tsunami victims 

In the aftermath of the horrendous calamity that struck south Asia on December 26, 2004, Canadian officials are struggling with the question of whether it is in the public interest to release the names of missing and dead Canadians. According to the Toronto Star (Release of names an issue), the decision will be made today. Many countries have decided to keep names confidential out of respect for the families.

To date, the Foreign Affairs Minister has declined to name any Canadians who may be affected by the tsunami, citing the Privacy Act (The Globe and Mail: Four Canadians dead, 87 missing or unaccounted for).

Labels:

Monday, January 03, 2005

Incident: Confidential customer information found behind pharmacy in Detroit 

There is no end to these stories. A Detroit news outlet is reporting on the discovery of personal customer information in a dumpster behind an area pharmacy:

ClickOnDetroit.com - News - Rite Aid Customers' Info Found Behind Store:

"Police Concerned About Identity Theft

POSTED: 2:39 pm EST January 3, 2005

An investigation is under way to find out how folders containing store receipts with confidential customer information ended up behind a local Rite Aid Monday.

Local 4 reported the customer receipts contained credit card numbers, expiration dates, home telephone numbers and addresses, plus customers' signatures.

Clinton Township police discovered the receipts in the dumpster behind the store at 16 Mile and Groesbeck...."

Any organization, but particularly one that deals with health information, needs to adopt a policy that no paper leaves the premises unless it is shredded or in a locked box, headed to the shredders.

See also WXYZ coverage:

WXYZ: Local News:

"...'It may have happened before, and I guess the question would be how many other businesses are doing this?' Mills said. 'If they are, I would highly recommend that they please shred everything. When you get somebody's information like this, you could actually ruin their credit and ruin their life for a long time.'..."

Labels: , ,

National student database raises privacy concerns in the US 

Privacy and student activists in the United States are concerned about the implications of a proposed database that will track all post-secondary students in the United States. The Harvard Crimson has a good overview of the proposed system and the concerns being expressed.

The Harvard Crimson Online :: Feds May Launch Student Database: Records will track academics, tuition payments and financial aid benefits:

"Federal officials are considering a proposal to launch a massive database that would track college students' academic progress, tuition payments and financial aid benefits in an effort to gather improved data on higher education.

Proponents of the move say the expanded database could help officials craft more sensible public policies. Opponents fear that the plan could facilitate large-scale infringements on students' privacy.

The proposal--currently being vetted by Department of Education officials--would expand an existing database to allow researchers to track individual students who drop out of college or transfer between institutions. It would include information ranging from social security numbers to participation in varsity sports."

Before Canadian readers think "how long until this comes to Canada?", they may be surprised to learn that this is already here:

InfoSource: Statistics Canada 7 / 11:

"Postsecondary Student Database

Description: The information in this bank is obtained from the administrative files of Canadian universities and other postsecondary institutions (community colleges, CEGEPs). It includes demographic data, and information relating to the individual's activities as a student, such as qualification sought, discipline of specialization, and previous educational activity. There are no names in this data bank. Consequently, for retrieval purposes, it is necessary to use the number assigned to the individual by the institution and the year(s) the individual has studied at that institution. Class of Individuals: This bank contains annual information on full-time and part-time students in Canadian postsecondary institutions. Purpose: The purpose of this bank is to produce statistical information on student by province, institution, program and sex. Retention and Disposal Standards: The files are to be retained for 55 years. RDA Number: To be established. Related to PR#: STC ECT 170 TBS Registration: 001855 Bank Number: STC PPU 090"

One big difference is that the Canadian database is not available for routine law enforcement and national security browsing thanks to the secrecy provisions of the Statistics Act.

Labels: ,

Penn State stops using Social Security number for student ID 

Penn State University has announced that it will stop using social security numbers as student idenfiers in order to reduce the risk of identity theft for their students: Penn State stops using Social Security number for student ID.

Labels: ,

Editorial on surveillance at schools 

Following the series of articles on privacy and surveillance in Canadian society, the Ottawa Citizen is carrying an editorial on the wisdom of widespread surveillance at public schools. Not surprisingly, the editorial is not in favour of generalized surveillance unless there is a real need for it: The dangers of surveillance.

Labels: ,

Sunday, January 02, 2005

Happy birthday to PIPEDA and Canadian privacy law 

One year ago today -- after a long time of only reading others' blogs -- I launched "PIPEDA and Canadian Privacy Law", the blog you are presently reading. My first hope was that it would be a useful resource for lawyers and others who have an interest in privacy law, both in Canada and abroad. My second hope was that I would have the time and inclination to keep it going. According to Blogger, this will be posting number 431, which means I've managed to post, on average, more than once each of the 366 days it's been up and running. It has managed to keep my interest, and I hope it has done the same for its readers.

The last year has been a very busy one on the privacy front in Canada. On January 1, 2004, the federal privacy law came into full effect after being phased in over the period of 2001 - 2004. That has led to a huge change in how consumer privacy is dealt with in Canada. Also on January 1, 2004, British Columbia and Alberta privacy laws came into effect, though there was a significant overlap in jurisdiction before those laws were declared to be "substantially similar" to PIPEDA by the federal cabinet. More recently, Ontario has passed the Personal Health Information Protection Act, which began to regulate health information custodians in that province on November 1, 2004.

We've also seen consumer privacy hit the media in an unprecedented way, thanks to high-profile incidents involving the personal information of Canadians. Perhaps the highest profile was the CIBC faxing fiasco (PIPEDA and Canadian Privacy Law: Incident: Candian bank's internal faxes went to West Virginia for three years), followed by the discovery of reams of pesonal information of Alberta civil servants during a drug raid (PIPEDA and Canadian Privacy Law: Incident: Massive leak of personal information in Edmonton, Alberta).

The year 2004 was also notable for the new attention being paid to cross-border transfers of personal information, thanks to the investigation by the British Columbia Information and Privacy Commissioner into the effect of the USA PATRIOT Act on the privacy of British Columbians (PIPEDA and Canadian Privacy Law: Article: U.S. Patriot Act worries Privacy Commissioner), which begat a similar study by the Alberta Commissioner (PIPEDA and Canadian Privacy Law: Alberta Commissioner to conduct his own "PATRIOT ACT" outsourcing inquiry).

The courts have also had to deal with PIPEDA in various ways.

We also saw the Privacy Commissioner decline to investigate an alleged breach of PIPEDA because the company in question did not have a presence in Canada (see PIPEDA and Canadian Privacy Law: Jurisdictional limitations on Canadian privacy law). I hope this one is taken to the Federal Court, because so much is at stake in the closely integrated economies of North America.

This would have been an even bigger year on the privacy front if it weren't for the backlog at the Office of the Privacy Commissioner of Canada. Hundreds of complaints brought by consumers this year are still in the investigation process, most of which take many months to work their way through the office. In my own experience, most complaints are dealt with via written correspondence along with a huge lag in response times. (Even those that are urgent languish in someone's inbox for months.)

So that was the year 2004. I expect this new year will be even more fruitful as the law is applied in new settings and complaints wind their way through the system. And I plan to keep on blogging about it. Please feel free to comment on this post if you think I've missed something...

Labels: , , , , , ,

Article: Going after the 'spies' around us 

The New Hampshire Sunday News and Union Leader is carrying an article in its Sunday edition discussing the everyday tracking of consumers and legislative initiatives in New Hampshire to do something about it. The article features an interesting perspective from an NH legislator:
The Union Leader and New Hampshire Sunday News - 02-Jan-05 - Going after the 'spies' around us:

"One proposed bill would make it illegal to sell goods 'with any tracking device in or incorporated into them unless the seller prior to the sale informs the consumer orally or in writing of the existence of the device,' according to Smith.

Rep. Howard 'Crow' Dickinson is the prime sponsor of that measure, as well as the one dealing with receipts. He's worried that people are too willing to give up their privacy in exchange for convenience or saving money.

"We have a tendency to be a nation of sheep," the Center Conway Republican declared. "And it's really sad."

"The American public, it is incredible how they will tolerate this invasion of privacy that goes on."

Dickinson said he makes a point of using a false name and address when he applies for so-called 'loyalty' cards at retailers. And he also purposely signs the customer copy of a credit card receipt and keeps the merchant copy, which he said sometimes includes the entire account number, to ensure that his card number is kept secure. "

Labels: ,

Saturday, January 01, 2005

David Canton looks back to 2004 and forward to 2005 

David Canton, a technology lawyer from London, Ontario, and fellow blogger (eLegal Canton) is a regular writer for the London Free Press. His end of year column discusses the first year of PIPEDA's full application and the likelihood of a private sector privacy law for Ontario. See London Free Press: Business Section - Tech law may shift in 2005.

Labels:

Happy New Year! 

All the best for a happy, healthy and prosperous 2005!

Labels:

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs