The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Sunday, April 30, 2006
The Associated Press (via beSpacific) is reporting that in 2005, the FBI used almost ten thousand "national security letters" to obtain information on more than 3,500 people. National security letters are a mechanism provided for in the USA Patriot Act by which US law enforcement and intelligence agencies can secretly compel information from third parties. See: FBI secretly sought data on 3,501 - U.S. Security - MSNBC.com.
Saturday, April 29, 2006
The British Columbia Government has introduced amendments to the Freedom of Information and Protection of Privacy Act, the province's public sector privacy and access law, to roll back some of the more recent amendments made in response to fears about the USA Patriot Act. (BILL 30 -- 2006: MISCELLANEOUS STATUTES AMENDMENT ACT (No. 2), 2006). The Information and Privacy Commissioner is generally in agreemenet with the cross-border amendments and has issued a statement published on his website:
Bill 30 (Miscellaneous Statues Amendment Act, 2006)––Amendments to the Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Personal Information Protection Act (“PIPA”)––OIPC File No. F05-26470
Further to my letter of April 27, 2006, I have now had an opportunity to consider the other amendments that the above Bill would make to FIPPA and to PIPA. I support these amendments.
In the case of amendments to FIPPA in relation to location of personal information outside of Canada or access to it from outside Canada, I support these amendments as reasonable. I note that they are narrowly tailored and would permit location of personal information outside Canada or access from outside Canada only where a public body official is temporarily travelling outside Canada or for “installing, implementing, maintaining, repairing, trouble shooting or upgrading an electronic system or equipment that includes an electronic system” or “for data recovery that is being undertaken following failure of an electronic system”.
The BC Government Employees Union, which started the USA Patriot Act and oursourcing fuss some time ago, is not at all happy. Here's their statement:
BCGEU: Liberal efforts to weaken privacy protection, .....:FOR IMMEDIATE RELEASE
APRIL 28, 2006
Liberal efforts to weaken privacy protection, limit freedom of information buried in omnibus legislation
The B.C. Government and Service Employees’ Union is adding its name to the list of groups opposed to sweeping changes in privacy protections and access to information contained in the Freedom of Information and Protection of Privacy Act (FIPPA) which the Campbell government tried to bury in an omnibus piece of legislation introduced Thursday in the Legislature.
“These are very troubling measures that are ill advised and just plain dangerous,” warns BCGEU president George Heyman. “It’s a real setback for open and transparent government.”
Heyman says the proposed amendments roll back provisions to protect personal privacy implemented in 2004 to address concerns around the USA Patriot Act, based on recommendations by B.C.’s privacy commissioner. That Act—which was just renewed by the Bush government—gives U.S. security agencies like the FBI sweeping powers to obtain information from companies and individuals in that country.
“Victoria is putting British Columbians’ highly sensitive personal information at risk by weakening current protections—thereby increasing the risk of loss and theft, or exposure to the intrusive powers of the USA Patriot Act.”
Changes to section 33 of FIPPA will severely compromise current privacy protections by giving the green light to public bodies to release British Columbians’ personal information outside B.C. and Canada to a shopping list of officials and interests—including employees of private U.S. companies like Maximus and EDS hired by the government—to administer our personal medical and financial records.
“Given the recent high profile failures of this government to protect sensitive personal information, this is a development that will alarm British Columbians,” says Heyman.
Meanwhile, other changes to sections 17 and 21 of FIPPA will enable Victoria to expand the heavy veil of secrecy around privatization projects and private-public partnerships by giving government sweeping powers to withhold information from the public. “These amendments establish that the interests of private companies will take precedent over British Columbians’ right to know,” Heyman says.
He also cautions that proposed Liberal amendments include provisions that will compound the lengthy delays already faced by British Columbians filing access to information requests with government and public bodies, by allowing the government to manipulate response deadlines.
Earlier this week, at a meeting in Calgary, I heard first-hand the Federal Information Commissioner's views on proposed amendments to the Access to Informaiton Act contained in the omnibus Federal Accountability Act. The FAA is promoted as increasing accountability on the part of government and public servants. The Commissioner, John Reid, is of the view that it is a dramatic step backwards. Though it adds a handful of government and crown agencies under the Access to Information Act's purview, it also adds to the exceptions to the general principle of access.
The Commissioner has taken the very unusual step of issuing a special report to parliament to share his views. Here is an extract from the report's introduction:
Office of the Information Commissioner: Reports - Response to the Report of the Access to Information Review Task Force
... Finally, and most important, the content of the Federal Accountability Act, and the government’s discussion paper on access reform, is a cause for grave concern. What the government now proposes – if accepted – will reduce the amount of information available to the public, weaken the oversight role of the Information Commissioner and increase government’s ability to cover-up wrongdoing, shield itself from embarrassment and control the flow of information to Canadians.
No previous government, since the Access to Information Act came into force in 1983, has put forward a more retrograde and dangerous set of proposals to change the Access to Information Act. Most recently, in 2002, the Liberal government of Jean Chrétien established a Task Force of government insiders to come up with recommendations for "reform" of the access law. The result was so pro-secrecy that it prompted this Information Commissioner to table a Special Report to Parliament, in September 2002, raising this alarm:"Once again we are, with this Task Force Report, confronted with the reality that bureaucrats like secrets – they always have; they will go to absurd lengths to keep secrets from the public and even from each other. Bureaucrats don’t yet grasp the profound advance our democracy made with the passage, in 1983, of the Access to Information Act. They continue to resent and resist the intentional shift of power, which Parliament mandated, away from officials to citizens. A bureaucrat’s dream of reform is to get back as much lost power over information as possible" (p. 10).
The current government’s proposals are every bit as much "a bureaucrat’s dream" as were those of the Chrétien government.
This Special Report, as did the 2002 Special Report, sounds this alarm: The government’s access to information reform plan will not strengthen the accountability of government through transparency – it will weaken it.
There is no more eloquent testimonial to the power of the forces of secrecy in government than the radical change they have wrought, in a few short weeks, to the Prime Minister’s election promises for access reform. In his role as Leader of the Opposition, Stephen Harper ridiculed the Martin government’s decision to release a discussion paper, rather than to introduce a bill to reform the Access to Information Act.
Prior to the election, Stephen Harper, also ridiculed the content of the Martin government’s discussion paper saying that: "it proposes to make the government more secretive than it already is, to propose a new 20 year gag order on draft internal audit reports and working papers, and to try to prevent the release of consultant reports for agencies for 20 years." (Conservative Party press release, June 2, 2005).
The new government has done exactly the things for which its predecessor had been ridiculed. The government has issued a discussion paper rather than a comprehensive reform bill and in the proposed Federal Accountability Act, it has thrown a blanket of secrecy over draft internal audit reports and working papers, for 15 years (no need to demonstrate any potential for injury from disclosure!). Also, the government proposes to keep secret forever all records relating to investigations of wrongdoing in government. The previous government pushed through a secrecy provision for such records (over the objections of the Information Commissioner, public service unions and whistleblowers), but limited its operation to a five-year period.
Here a digression on the government’s decision to refer the Commissioner’s proposals for access reform (the Open Government Act) for more study and debate before being introduced into Parliament. Now is the time for action, not talk! That is the message the Commissioner gave the Standing Committee on Access to Information, Privacy and Ethics on October 25, 2005 – and it remains his position.
The most recent of a long list of exhaustive, detailed, open and professional inquiries was the Gomery Commission of Inquiry. Justice Gomery’s second report – Restoring Accountability (February 1, 2006) – was informed by an extensive national consultation with respect, inter alia, to access to information reform, including, the receipt of comments to a website from the public at large, consultations with experts in five moderated roundtables throughout Canada, receipt of written submissions from experts, academics, interested parties and specific commissioned research.
Based on that widespread consultation with all relevant stakeholders, Justice Gomery made recommendations with respect to access to information reform – specifically, with respect to the reforms contained in the Open Government Act which this Commissioner prepared (at the request of the Standing Committee on Access to Information, Privacy and Ethics) and made public in September of 2005. The views and recommendations of Justice Gomery are set out in Appendix "A". They constitute an affirmation that access to information reform is required and an endorsement of the reforms proposed in the Open Government Act.
To end this digression, then, there are no gaps in the knowledge base on which proper policy choices can be made for access to information reform; there has been full opportunity for debate, critique and persuasion. There is no reason – apart from a loss of political will – to refrain from proceeding with the reforms contained in the Open Government Act as endorsed by Justice Gomery, the Conservative election platform and in the Seventh Report of the Standing Committee on Access to Information, Privacy and Ethics presented to the House of Commons on November 21, 2005.
Here's some media coverage of the Commissioner's report:
Labels: information breaches
According to a new study (2.5MB) undertaken by the Ponemon Institute for White & Case, American companies are more advanced in protecting personal information than companies in the European Union. This may come as a surprise in light of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. See the White & Case press release: White & Case LLP - News & Events - Despite Stricter Rules in Europe, US Companies More Advanced in Protecting Data.
Labels: information breaches
With most personal information mostly in digital form, it is easily reproduced and highly portable. Not only can it be e-mailed and FTP'd, it is increasingly finding its way onto USB drives. These drives can easily be stolen (and wind up on the black market in Kabul) or can be used by malevolent employees to commit fraud. Lifehacker is linking to Remote Administration for Windows, which has posted a simple registry change that apparently disables USB drives in Windows (Remote Administration For Windows - Windows administration tricks and tips.: Disable USB Drives). I have no idea whether it disables iPODs, USB external hard-drives or other USB-connected mass storage, but it apparently does not interfere with other USB devices.
Usual disclaimers apply ...
Labels: information breaches
Levi's is apparently rolling out a test of using radio frequency ID tags (RIFDs) to track inventory in a select number of retail outlets. The RFIDs, which contain an individual serial number are on a dangling tag marked "Please discard this tag if it is not removed at the point of purchase." Not surprisingly, some see conspiracy afoot and are concerned about the privacy aspects of wider adoption of RFIDs on consumer goods. See: Advertising Age - Privacy Group Slams Levi's for Radio ID Tags.
Friday, April 28, 2006
In the hundreds of security and privacy breaches reported in the last few years, the companies involved that have fared the best are those that have been forthcoming with information and appear to be genuinely interested in the well being of the people involved. (I say "appear to be" because it doesn't really have to be sincere, but it has to benefit the individual. Once you can fake sincerity, you've got it made.) Those that have fared the worst are those that lied, misled customers, otherwise tried to cover it up or trivialize the breach.
Accidents happen and any company that has customer data on hand is at risk, to some degree or another. No security system is perfect. The biggest consequence of a breach is probably not an award of damages from the court but the loss of trust of customers and other stakeholders. The senior director at Lexis Nexis is quoted in a recent Network World article (Disclosure meant less pain in data theft) as confirming this:
But when the damage became clear, LexisNexis made an immediate decision to be forthcoming and transparent about the breach, he said. "We tried to do the best job we could," he said.
The company contacted all those who were affected by the attack using the framework of a California data security disclosure law passed in 2003 as a guide, Cronin said.
The law is catching up after the high-profile cases of last year, including ChoicePoint, a data broker that acknowledged divulging sensitive personal information to identity thieves posing as customers. So far in the U.S., 20 states have implemented notification laws, and a federal law is under consideration.
After the data breach, LexisNexis took several steps to implement stronger security, Cronin said. The company reviewed the security of all its Web applications and created new procedures for verifying customers with access to sensitive data, he said.
LexisNexis encouraged certain customers to sign up for anti-virus software. It revamped online security access, looking at password complexity and expiration times. The company also implemented measures to automatically detect anomalies in use of its products to identity potential security problems, Cronin said.
LexisNexis learned other lessons. Passwords are dead, Cronin said, and two-factor authentication is recommended. But front-door perimeter attacks are less likely than the persistent weak link: people.
Now ask yourself why ChoicePoint is synonymous with "privacy breach" and not Lexis Nexis.
The Office of the Information and Privacy Commissioner for BC has released a guide to PIPA and the Hiring Process. For those outside of British Columbia, it's an interesting read and embodies some good practices for dealing with personal information of employment applicants. But be careful: PIPEDA does not have the same consent exceptions that are described in this publication.
Thursday, April 27, 2006
Though this involves names and social security numbers of 39,000 students, faculty and staff, I was thinking that these university incidents may be becoming too frequent and mundane to report about...
KTVA - Local:
"Hacker gets into UAF database
The University of Alaska Fairbanks is taking steps to prevent another computer breach.
Steve Smith, U.A.'s chief information technology officer, says the university's Computer Incident Response Team, has conducted a security sweep. And he says a consultant has been hired to help strengthen the walls around the university's computer network.
The problem showed up on a server at the Kuskokwim campus in Bethel. The files have been taken off-line, as well as four similar ones recently found during a search of other university servers.
University officials say the hacker had access to the names, Social Security numbers and partial e-mail addresses of nearly 39-thousand current and former University of Alaska Fairbanks students, faculty and staff.
And they say the hacker had access to the information for nearly a year. "
Labels: information breaches
Tuesday, April 25, 2006
Unisys and the Ponemon Institute have undertaken what it describes as a global survey of privacy preferences, particularly focusing on credentialing and identity management. The results suggest, not too surprisingly, that consumers are prepared to trade privacy for convenience. Here's the press-release:
Unisys Majority of Consumers Worldwide Would Relinquish Some Privacy for Convenience, Says Unisys Global ID Management Study Majority of Consumers Worldwide Would Relinquish Some Privacy for Convenience, Says Unisys Global ID Management Study Research to support Unisys call for standardized identity authentication practices and new definition of security at 15th World Congress on IT
BLUE BELL, Pa., April 25, 2006 – While privacy remains a major concern of people around the world, new research from Unisys Corporation (NYSE: UIS) debunks some of the traditional myths concerning protection and use of identity credentials. The results show that a majority of consumers would share personal data if they knew the end user will securely protect their information and they can perceive a clear benefit in convenience gained.
In the first global survey of its kind, the Unisys research also found that most consumers (71 percent) worldwide are willing to have a multi-purpose identity credential that many organizations would accept to verify a person’s identity before providing access to secure records or locations. The most important functions cited for a multi-purpose credential are to prove identity for access to transportation channels (such as airplanes, trains and buses), enter public locations (stadiums, airports and others), cross borders (customs), and access Internet accounts.
“Of course people demand and deserve their privacy,” said Mark Cohn, vice president of homeland security solutions, Unisys Corporation,” but when there are visible benefits of sharing information, most people will give up some privacy for convenience. It’s clear there can be voluntary adoption with ID authentication between parties who trust each other.”
The research also pointed to preferable methods of technology for identity verification, revealing that more than two-thirds (67 percent) of consumers worldwide would support using biometrics such as voice recognition or fingerprints. When comparing biometrics to other security devices such as smart cards and tokens, 66 percent also favored biometrics as the ideal method to combat fraud and identity theft. This finding shows a slight increase from previous research that Unisys conducted in September 2005, which found 61 percent of consumers worldwide favored biometrics as the preferred method to fight fraud and identity theft.
Additional identity management findings from the current study include:
- Banking institutions are the most trusted by consumers to issue and manage a multi-purpose identity credential (cited by 46 percent of respondents), followed by a government agency established to issue identity cards (45 percent). In contrast, law enforcement (police) are the least trusted (40 percent) to issue identity credentials, followed by a private company established to issue identity cards (38 percent).
- More than 68 percent of individuals believe it is important that the credential can operate across international borders.
- North American and Asia-Pacific consumers are willing to share more personal data than Europeans and Latin Americans.
- People in North America, Europe and Asia-Pacific are more willing to share sensitive personal information with a government organization rather than a business. In contrast, respondents in Latin America are more willing to share personal data with a business rather than government.
The Ponemon Institute, a leading independent firm that specializes in privacy and security research, conducted the survey on behalf of Unisys.
“I’ve studied identity management and privacy issues for more than 20 years and this is the first time anyone has looked at consumer preferences so broadly from a global perspective,” Dr. Larry Ponemon, chairman of the Ponemon Institute and a noted security expert, said. “I’m surprised by these findings, which imply that consumer education on privacy perhaps has made a positive impact. While clearly a concern, privacy might not be as big of a roadblock to identity authentication as some pundits claim.”
The current research is part of a broader analysis of identity authentication that Unisys will spearhead at the upcoming 15th World Congress on Information Technology (WCIT 2006). Unisys also will present policy proposals to WCIT delegates on the need for standards around procedures and practices in global identity authentication. The Congress is expected to draw 2,000 business, government and academic leaders from 80 countries. WCIT’s goal is to explore pertinent issues in security and privacy, digital access and healthcare, and to make specific, actionable policy recommendations to the global IT community. A biennial global event, the 15th Congress will take place in Austin, Texas, May 1-5, 2006.
Unisys President and CEO Joseph W. McGrath will keynote at WCIT 2006, as well as participate in a dialogue of government and private sector leaders who will discuss how to redefine security to address rapidly changing security and privacy requirements of individuals, businesses and governments worldwide – including the need for international uniform standards for identity authentication.
About the research and the Ponemon Institute
The research consisted primarily of a Web-based survey of randomly chosen consumers in 14 countries: Australia, Argentina, Brazil, Denmark, Canada, France, Germany, Japan, Korea, Mexico, Taiwan, Thailand, the United Kingdom and United States. The Ponemon Institute sent invitations to 16,683 adult-aged individuals throughout the world, via e-mail or letter, from which it received 1,661 usable responses, resulting in an overall 9.96 percent response rate. Of these respondents, 464 are North Americans, 427 are Europeans, 450 reside in Asia-Pacific, and 320 are Latin Americans. The Ponemon Institute also conducted an additional 262 direct interviews (either in-person or via telephone) in four countries to validate the Web-based survey findings.
The Ponemon Institute is a “think tank” dedicated to advancing responsible information practices in businesses and government. To achieve this objective, Ponemon Institute conducts independent research on privacy and information security, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations. The Institute is headquartered in Michigan. For more information, visit www.ponemon.org or contact (800) 887-3118.
Unisys is a worldwide technology services and solutions company. Our consultants apply Unisys expertise in consulting, systems integration, outsourcing, infrastructure, and server technology to help our clients achieve secure business operations. We build more secure organizations by creating visibility into clients’ business operations. Leveraging Unisys 3D Visible Enterprise, we make visible the impact of their decisions – ahead of investments, opportunities and risks. For more information, visit www.unisys.com.
From Computerworld, the headline says it all: Breach at Univ. of Texas - Austin exposes data on 197,000 people - Computerworld.
Labels: information breaches
Monday, April 24, 2006
The Depatrment of Homeland Security and the Department of Health and Human Services have signed a deal to allow unprecedented data sharing to address pandemics and other travel-related health concerns. This goes far beyond the "Safe Traveler" deal previously worked out and critics say that it violates the US/EU pact related to passenger info. To make matters worse, the agencies involved did not publish a privacy impact assessment, though one is required for projects such as this. See: http://www.govhealthit.com/article94159-04-24-06-Print
Posted on my Blackberry from Calgary, so my apologies for the formatting.
Sunday, April 23, 2006
It is puzzling that these sorts of incidents keep on happening. According to yesterday's Winnipeg Sun, the Ombudsman of Manitoba is investigating a potential breach of the province's Personal Health Information Act after old dental records were found in a landfill. See: winnipegsun.com - Winnipeg News - Forgotten dental records investigated.
Saturday, April 22, 2006
The Supreme Court of Canada doesn't often hear cases related to the Access to Information Act and the Privacy Act, but it did so in a decision released yesterday. In H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), 2006 SCC 13, the Supreme Court determined that a court, in a review under s. 44 of the Access to Information Act is permitted to consider issues related to the privacy of personal information.
The s.44 scheme is generally understood to relate to confidential business information. Under the Act, if an applicant requests access to information that may be confidential business information, the head of the government body is required to give notice to the third-party who may be affected, who can make a representation that the information should not be disclosed. If the government proposes to release the information despite the third party's objections, the third party can make an application to the Court to have that decision reviewed.
The Access to Information Act does not have any similar review provision if the information in question is "personal information". In this particular case, the third party attempted to argue that the information was also personal information and should not be released. The Supreme Court of Canada concluded that a court may, on a s. 44 review, consider the personal information exemption as well as the confidential business information exemption. In the decision, the Court had some interesting things to say about privacy. Here's the headnote for the case:
Citation: H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), 2006 SCC 13
Date: 20060421 Docket: 30417
File No.: 30417.
2005: November 7; 2006: April 21.
Present: McLachlin C.J. and Bastarache, Binnie, LeBel, Deschamps, Fish and Abella JJ.
on appeal from the federal court of appeal
Access to information — Exemptions — Personal information — Third party information — Review by Federal Court — Application by third party under s. 44 of Access to Information Act for review of government institution’s decision to disclose record — Whether third party can raise exemption for personal information on s. 44 review — Access to Information Act, R.S.C. 1985, c. A‑1, ss. 19, 20(1), 44.
A federal agency received a request under the Access to Information Act (“Access Act”) for access to certain records pertaining to the respondent company, a third party within the meaning of the Act. The agency determined that some of the records might contain confidential business or scientific information, as described in s. 20(1) of the Act, and requested, pursuant to ss. 27 and 28, that the company make representations as to why the information should not be disclosed. The company submitted its representations and after reviewing them, the agency concluded that the records should be disclosed, subject to certain redactions. The company commenced a review proceeding pursuant to s. 44 of the Access Act and, in addition to the confidential business information exemption, sought to raise the personal information exemption set out in s. 19 of the Act. The application judge concluded that the company could raise the s. 19 exemption on a s. 44 review and ordered the severance of certain records containing personal information. The Federal Court of Appeal upheld the decision.
Held (McLachlin C.J. and Bastarache and LeBel JJ. dissenting): The appeal should be dismissed.
Per Binnie, Deschamps, Fish and Abella JJ.: A third party may raise the exemption for personal information set out in s. 19 of the Access Act in a s. 44 review. The plain language of the statute, together with the legislative context and combined purposes of the Access Act and the Privacy Act, provides ample foundation for this conclusion. [22‑46]
It is apparent from the scheme and legislative histories of the Access Act and the Privacy Act that the combined purpose of the two statutes is to strike a careful balance between privacy rights and the right of access to information. However, within this balanced scheme, the Acts afford greater protection to personal information. By imposing stringent restrictions on the disclosure of personal information, Parliament clearly intended that no violation of privacy rights should occur. Where a third party becomes aware that a government institution intends to disclose a record containing personal information, nothing in the plain language of ss. 28, 44 and 51 of the Access Act prevents the third party from raising this concern by applying for review. These sections do not limit the court’s discretion to a consideration of the s. 20(1) exemption. Furthermore, s. 44 is the sole mechanism under either the Access Act or the Privacy Act by which a third party can draw the court’s attention to an intended disclosure of personal information in violation of s. 19 of the Access Act, and by which it can seek an effective remedy on behalf of others whose privacy is at stake. While the Privacy Commissioner and the Information Commissioner play a central role in the access to information and privacy scheme and have extensive responsibilities, their role is limited by an inability to issue injunctive relief or to prohibit a government institution from disclosing information. A reviewing court is in a position to prevent harm from being committed and the statutory scheme imposes no legal barrier to prevent the court from intervening. An interpretation of s. 44 that forces an individual to wait until the personal information is disclosed and the damage is done, or that imposes an onerous burden on the person seeking to avert the harm, fails to give proper content to the right to privacy and also fails to satisfy the clear legislative goals underlying the Access Act and the Privacy Act. A narrow interpretation of s. 44 would weaken the protection of personal information and dilute the right to privacy.  [31‑35]   Although a review under s. 44 of the Access Act is triggered by a third party’s right to notice where requested records may contain confidential business information, Parliament’s failure to provide a similar notice where personal information is involved does not indicate that the legislature intended that s. 19 should be unavailable on a s. 44 review. The right to notice accorded to third parties follows logically from the specific nature of the confidential business information exemption and does not limit the right of review provided for in s. 44. First, in the case of confidential business information, the assistance of the third party is necessary for the government institution to know how, or if, the third party treated the information as confidential. Second, the mandatory nature of s. 19 precludes the need for a notice provision. Under the Access Act, notice is a right intended to enable a party to contest the release of information and is therefore required only where the statute contemplates the possibility of making information public, as is the case with confidential business information under s. 20(1). In the specific circumstances in which the Access Act does authorize the disclosure of personal information, a notice provision is either superfluous or has in fact been provided for in the legislative scheme (s. 8(5) of the Privacy Act). Given the underlying presumption that personal information will not be disclosed as well as the paramount importance of individual privacy, it would be absurd not to allow third parties to use the mechanism provided for by the legislature to prevent a violation of the spirit and the letter of the Access Act and the Privacy Act. Allowing the company to raise the s. 19 exemption on a s. 44 review does not create a “second tier” of third parties, but allows the only third party who has access to s. 44 to use this remedy to prevent harm from occurring needlessly.  [50‑58]
Per McLachlin C.J. and Bastarache and LeBel JJ. (dissenting): A third party cannot raise the s. 19 exemption for personal information on a s. 44 review. In interpreting s. 44 of the Access Act, it is necessary to preserve the integrity of the mechanism Parliament has selected. In order to balance the competing rights of access and privacy, Parliament has selected a complaint and investigation process. Where the personal information of individuals is improperly disclosed, those individuals can bring a complaint to the Privacy Commissioner under s. 29 of the Privacy Act. There is no notice provision prior to the disclosure of a requested record that might contain exempted personal information, nor does the unlawful disclosure of exempted personal information give rise to a right of judicial review under the Access Act or the Privacy Act. By virtue of ss. 27, 28 and 29 of the Access Act, the legislative scheme provides notice prior to the actual disclosure only where the requested record may contain confidential business information. Since the right to bring a s. 44 review flows from the notice a third party receives because of the believed presence of confidential business information in the requested record, considered in its proper statutory context, s. 44 has nothing to do with the s. 19 exemption. The structure of the Access Act and of the Privacy Act suggests that Parliament intended that the protection of personal information be assured exclusively by the Office of the Privacy Commissioner. In order to give effect to the legislative intent, the complaint and investigation process contained in s. 29 must be respected. [94‑97]  
Unless the opportunity to raise exemptions at a s. 44 review proceeding is limited to the s. 20 exemption for confidential business information, third parties who have received notice pursuant to s. 28(1)(b) will be afforded an opportunity to raise the s. 19 exemption for personal information in circumstances where no comparable right exists for a third party claiming only that the record contains personal information belonging to it. The effect of the proposed extension of the s. 44 review would be to create two categories of third parties: those who have relevant confidential business information and those who do not. Such a result would be absurd insofar as it would allow greater protection of certain individuals’ personal information, depending on the possible application of s. 20. There is no basis for such a two‑tiered system in either the Access Act of the Privacy Act. Furthermore, that right of review may not even belong to the individual whose personal information actually appears in the requested record. In the present case, only the company has the right to apply for a review, notwithstanding that the personal information contained in the record actually belongs to its employees. While both the Access Act and the Privacy Act expressly allow an authorized agent to bring complaints to the Information Commissioner or to the Privacy Commissioner, respectively, s. 44 does not so provide. [98‑102] 
Although a third party cannot raise the s. 19 exemption on a s. 44 review, where a government institution acts without or beyond its jurisdiction, it remains open to a party directly affected by the decision to bring an application for judicial review pursuant to s. 18.1 of the Federal Courts Act. The decision of the government institution to disclose the requested record is reviewable for jurisdictional error, and the remedy of prohibition is available. The Federal Court judge hearing the judicial review application will only decline to exercise his jurisdiction if satisfied that the statutory scheme provides an adequate alternative remedy. Here, the statutory scheme does not provide the company with an adequate alternative remedy.   [117‑118]
In view of the critical differences between the two proceedings, there are valid reasons for refusing to collapse a s. 18.1 review within a s. 44 review. However, the Federal Court judge could proceed with both applications at the same time or consecutively, thereby addressing the concerns about unwarranted use of resources. [119‑121]
Update (20060423): Check out Michael Geist's comment on the importance of this case: Michael Geist - The Supreme Court on Privacy.
Labels: information breaches
Peter Timmins at Open and Shut, a blog about privacy and access law in Australia, has a comment about a recent case there in which a hospital claimed public interest privilege when it tried to prevent an investigation board from obtaining the records of a woman who had received a late-term abortion in the hospital. The argument was not successful and the Court ordered that the records be provided. See: Open and Shut: Landmark privacy decision in abortion case.
Thursday, April 20, 2006
In case you were wondering whether printing credit card numbers on receipts is a risky venture, think about Monarch Beauty Supply in Edmonton, Alberta. The company, like many others, prints this information on receipts. And this company threw them out in a dumpster behind the store.
Edmonton Police received from an anonymous informant copies of that confidential information and began an investigation. The Information and Privacy Commissioner of Alberta also received a complaint from a customer of Monarch Beauty Supply that her credit card had been fraudulently used to buy a laptop. The investigation found that other personal information originating with the company had found its way into the hands of criminals.
The Commissioner found that the company did not adequately safeguard personal information, in violation of PIPA. The Commissioner also noted that there was inadequate training of staff because store managers were not trained in privacy.
Under most of Canada's privacy laws, individuals who have been harmed by a company's violation of the law can seek damages from the company that violated the law. Victims of identity theft can seek compensation for all the damage done because of a company's screw up.
See the Commissioner's report:
Investigation Report P2006-IR-003
Information and Privacy Commissioner's investigation finds Monarch Beauty Supply improperly disposed of over 2600 customer receipts by placing them in a dumpster. The Alberta business failed to protect personal information from identity thieves.
Click to view more information Investigation Report P2006-IR-003
See coverage from the Edmonton Sun: Crook used dumped credit data.
Tuesday, April 18, 2006
The Bank Lawyer's Blog just linked to my recent post The Canadian Privacy Law Blog: Incident: Bank employee uses access to account information to harass customers. Kevin has some additional insights based on his own experience with advising banks on pre-employment screening. Check it out: Bank Lawyer's Blog: The Worm Within.
Labels: information breaches
Convicted sex offenders aren't a sympathetic bunch, but I expect we'll hear something about the risks of putting their personal information online after a young Nova Scotia allegedly used the State of Maine's sex offender registry to track down and murder two residents of that state who were listed in the registry. The database includes names, conviction information and address. See: CBC News: Suspected killer accessed online sex offender registry.
Update: David Holtzman at Global POV has an interesting comment on this post and the issue in general. See: GlobalPOV: Listless in Maine (20060419).
The Toronto Star's editorial advocates keeping registries private: TheStar.com - Editorial: Keep registries secret (20060419).
Update - 20060421: Tamara Thompson at PI Buzz notes that the Maine sex offender registry has been taken offline. She also discusses that the law enforcement agencies who maintain the site don't have any authority to do so since the Maine law setting up the site simply says that they shall make this information available to the public on the internet. See: PI Buzz - Maine yanks sex offender registry
Labels: information breaches
Sunday, April 16, 2006
Another laptop theft, another privacy incident.
From the Chilliwack Progress in British Columbia:
Data privacy breach affects FHA
By Jeff Nagel
Apr 16 2006
Fraser Health Authority (FHA) employees have been warned that some of them who used an ultra-confidential counselling service may have had their privacy breached as a result of a theft of a computer.
The computer with a disk inside it went missing in March from the Vancouver office of the Employee and Family Assistance Program (EFAP) run by the Vancouver Coastal Health Authority.
The disk contained the names, birth dates, contact information and referral reasons for thousands of Lower Mainland health workers who sought help for intensely personal problems.
The service offers help with relationship counselling, drug or alcohol addictions, sexuality questions, abuse, loss and grief, and stress or emotional traumas - among other issues.
"People who use the EFAP program are often going through a crisis of some kind," said Hospital Employees' Union spokesman Mike Old. "The theft of that information is of great concern to the union and its members....
The Cadillac News, in Cadillac, Michigan is reporting on a former employee of Fifth Third Bank who allegedly used access to account information to harass customers, most of whom are women:
Internal theft of personal bank data rare
By Matt Whetstone, Cadillac News
CADILLAC - There's a first time for everything - even a bank employee using his job to compromise the personal information of customers.
Fifth Third Bank has the designation of being the first after an employee at an Indiana banking center accessed account information and harassed customers, who were primarily women.
“Fifth Third puts our employees through extensive training on the use of client information,” said Peggy Janei, spokeswoman for the company. “We have strict policies and procedures about that.”
The man, 39-year-old Marco Antonio Munoz, is no longer working for the institution but his alleged trail of identity theft could span the Midwest and hundreds, if not thousands, of bank customers.
“We don't know what we have here yet,” said Det. Sgt. Jeff Herweyer, who handled the case on behalf of the Michigan State Police Cadillac Post.
What police do have is 73 pages of names that Munoz accessed over the last four years, with the most activity in the last two.
Munoz passed the bank's screening process. Had he had a criminal background in the past, he would not have been hired, Janei said.
“We continue on a daily basis to enforce with our employees' appropriate use of customer information, we never sell client names,” she said.
Fifth Third of Northern Michigan President and CEO John Pelizzari said it is a very unusual occurrence. He has been in the business for 30 years and said this is the first such case he has seen.
Special Agent Terry Booth of the Federal Bureau of Investigation office in Detroit said the agency has handled cases of bank employees taking money out of accounts but this case seems to be unique.
“Quite frankly, I've never heard of that,” Booth said. “It's news to me they would use it for that type of activity.”
Robert Marcus, branch manager for Citizens Bank in Cadillac, said he is quite surprised of the nature of the incident.
Like Fifth Third, Citizens has security measures in place to ensure customers' personal information is kept safe. Anyone who develops a trend of looking up a lot of client information without a need will set off a red flag.
The measures, Marcus said, are necessary to protect people at a time when identity theft and fraud are on the rise. The institution also has policies where personal information must be kept in a safe place, off desks or out of plain sight, to avoid any potential for someone gathering information through that method, he said.
Even potential new customers are carefully reviewed to ensure they are who they say they are, he added.
Friday, April 14, 2006
Thanks to Gerry Riskin of the Edge Group and author of Amazing Firms, Amazing Practices for passing this along.
Recently, high winds went whipping through downtown Indianapolis, blowing windows out of buildings and generally making a mess of things. Part of the mess was documents from two law firms, which were scattered throughout the downtown area. Most of the papers, which included at least one will, have been recovered. Other businesses lost documents, some of which contained pretty sensitive personal information.
Whether it's personal or privileged, you just don't want them blowing around town.
See: When wind hit, privacy flew out the window | IndyStar.com. My favorite quote from the article: "Privacy experts say that's bad."
Labels: information breaches
It is always interesting to see how the courts are dealing with privacy laws.
I just came across a somewhat interesting case from British Columbia, in which the Court was asked to determine whether the Personal Information Protection Act could be used to refuse to identify a witness based on the "privacy" of that witness. The answer, not surprisingly, is no:
Shilton v. Fassnacht, 2006 BCSC 431 (CanLII)
 The plaintiffs object to disclosure on a number of bases. First, they submit that the opening words of Rule 27(22) give the court a discretion to order non-disclosure. They submit that non-disclosure should be ordered here for reasons of privacy and privilege.
 On the privacy issue, the plaintiffs referred to the Personal Information Protection Act, S.B.C. 2003, c. 63. That Act governs the collection, use and disclosure of personal information by organizations. In the Act “organization” is defined as including a person. However, s. 3(4) provides:3(4) This Act does not limit the information available by law to a party in a proceeding.
 Given other definitions in the Act, it is clear that the present lawsuit comes within the meaning of “a proceeding.” Moreover, s. 1 of the Act specifies that “personal information” does not include “contact information.”
 In my view, there is nothing in the Personal Information Protection Act that would limit the defendant’s right under Rule 27(22) to obtain the names and contact information of relevant witnesses.
Even more interesting is the way the Court considered the Personal Information Protection and Electronic Documents Act. The Judge concluded that PIPEDA does not apply in British Columbia because of the effect of s. 30(1) of that Act:
 It is even clearer that the federal Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 has no application here by virtue of s. 30(1), which provides:30(1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.
 The present lawsuit relates to matters wholly within the province of British Columbia and the federal act has no application.
With the greatest respect to the judge and to the party that made the argument, this is just plain wrong. It is true that PIPEDA does not apply to the provincially-regulated private sector in BC, but it has nothing to do with s. 30(1) in 2006. If you look at all of s. 30, you'll see that s. 30(1) is no longer in effect.
30. (1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.
(1.1) This Part does not apply to any organization in respect of personal health information that it collects, uses or discloses.
*(2) Subsection (1) ceases to have effect three years after the day on which this section comes into force.
* [Note: Section 30 in force January 1, 2001, see SI/2000-29.]
*(2.1) Subsection (1.1) ceases to have effect one year after the day on which this section comes into force.
* [Note: Section 30 in force January 1, 2001, see SI/2000-29.]
The Act came into force on January 1, 2001, so s. 30(1) ceased to have any effect on January 1, 2004.
The real reason why PIPEDA does not apply to the provincially regulated private sector in British Columbia is because of the effect of s. 26(2):
(2) The Governor in Council may, by order,
(b) if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province.
The Governor in Council did make such an order (Organizations in the Province of British Columbia Exemption Order ) on October 12, 2004. For this reason, if PIPA (BC) does apply, PIPEDA will not.
Thursday, April 13, 2006
I was interviewed yesterday by a reporter from the Regina Leader Post about privacy and open courtrooms. The issue has come to the fore in the province of Saskatchewan as a result of the trial of a former football player who is charged with aggravated sexual assault. He is alleged to have had unprotected sex with a number of women without revealing that he is HIV positive.
Smith case takes another step :
While proceedings in Canada's court system are usually open to the public and media, exceptions -- while rare -- are certainly not unheard of, said David T.S. Fraser, a Nova Scotia lawyer who specializes in Canadian privacy law.
'The rights in our charter are not absolute,' he said. 'They're all subject to reasonable limitations that are compatible with the democratic and generally open society, and that's the sort of question the judge has to ask and answer.'
Fraser said there is a very strong precedent to close courts in particular circumstances. In addition to cases involving confidential medical information, public access to trials is most often restricted in cases that involve victims of sexual assault, children and national security issues.
Wednesday, April 12, 2006
The Information Commissioner in the UK has issued a guidance document outlining how transfers of customer databases upon the insolvency of a business or the sale of a business. In short, databases can be transferred without consent as long as the customers are given notice after it is transferred and as long as the information is only used for the original purposes for which it was collected. Read the Guidance Document here. (Link via Silicon.com and Pogo Was Right.)
The CBC, via Yahoo! News, is reporting that a computer containing personal health information on Saskatchewan residents has been stolen from the Toronto office of a contractor. The information apparently was "heavily encrypted" and didn't contain any names or other identifying information, other than "health registration numbers". The article is unclear whether this is a medicare number or some other number.
The contractor apparently had access to this information as part of a project involving the analysis of long-term patient care in Saskatchewan. The Privacy Commissioner for the province has been consulted, but there's no mention of the reaction.
The government of Alberta has just introduced amendments to the Health Information Act. Bill 31, the Health Information Amendment Act 2006 makes some mundane changes to the law, but some are more substantial.
For example, new sections allow certain disclosures of personal health information to deal with suspected fraud by patients and healthcare providers.
Disclosure to prevent or limit fraud or abuse of health services
37.1(1) A custodian may disclose individually identifying health information referred to in subsection (2) without the consent of the individual who is the subject of the information to a police service or the Minister of Justice and Attorney General where the custodian reasonably believes(a) that the information relates to the possible commission of an offence under a statute or regulation of Alberta or Canada, and
(b) that the disclosure will detect or prevent fraud or limit abuse in the use of health services.
Disclosure to prevent or limit fraud or abuse of health services by health services providers
37.2(1) A custodian may disclose individually identifying health information referred to in subsection (2) without the consent of the health services provider who is the subject of the information to a police service or the Minister of Justice and Attorney General where the custodian reasonably believes(a) that the information relates to the possible commission of an offence under a statute or regulation of Alberta or Canada by the health services provider, and
(b) that the disclosure will detect or prevent fraud or limit abuse in the provision of health services.
Also, a new subsection 170(5.1) appears to be meant to counter the USA Patriot Act:
(5.1) No person shall knowingly disclose health information to which this Act applies pursuant to a subpoena, warrant or order issued or made by a court, person or body having no jurisdiction in Alberta to compel the production of information or pursuant to a rule of court that is not binding in Alberta.
(7) A person who contravenes subsection (5.1) is guilty of an offence and liable(a) in the case of an individual, to a fine of not less than $2000 and not more than $10 000, and
(b) in the case of any other person, to a fine of not less than $200 000 and not more than $500 000.
According to the NYT, the US IRS has gotten approval from a Federal Court to get taxpayer information from PayPal. The information sought is about American taxpayers who have bank accounts, credit cards or debit cards issued in more than 30 countries that are reputed to be tax havens. This is part of a wider effort to stem tax evasion. PayPal is just another means that those with money stashed offshore can spend it in the US. See: I.R.S. Asks PayPal for Taxpayer Data - New York Times.
Labels: information breaches
I wrote on Tuesday about a Vancouver law firm's files found blowing around an alley. My anonymous Vancouver correspondent has found the video about the story on the CTV website: CTV Video - CTV Vancouver: privacy-lawfirm-clip. Alternate link.
Labels: information breaches
Tuesday, April 11, 2006
The other day, I blogged about the CRA sending a Toronto taxpayer's information to the wrong address (in the aptly entitled post: CRA sends Toronto taxpayer's information to the wrong address). The CRA has made a statement along the lines of "stuff happens ... We're really busy in April and it could happen to anyone."
Amazingly comforting. I feel better already.
Labels: information breaches
I am advised by a correspondent from Vancouver that the local CTV affiliate reported yesterday that hundreds of confidential documents, including individuals' medical and financial data, were blowing around an alley in downtown Vancouver yesterday afternoon. CTV says the documents appear to have come from a law firm that handles personal injury matters, which I'd rather not name until I can track down further information on the incident. The firm that was named did not put anyone on camera, but gave a statement to CTV that they don't know how this could have happened and are reviewing their procedures.
Labels: information breaches
Over at the Bank Lawyer's Blog, the author is writing about discussions at a recent conference on privacy held at the Wharton School at the University of Pennsylvania. Definitely worth a read: Bank Lawyer's Blog: Privacy: Do Consumers Really Care?.
Labels: information breaches
About 99% of this is marketing speak, but parts of this press release from ChoicePoint look interesting:
ChoicePoint Announces New PATRIOT Act Compliance and OFAC Compliance Software:
New Bridger Insight XG™ to Streamline Customer Screening
ALPHARETTA, GA (PRWEB) April 4, 2006 -- ChoicePoint today announced the official launch of Bridger Insight XG, a new Office of Foreign Asset Control (OFAC) and USA PATRIOT Act (PATRIOT Act) compliance solution. The new solution is now available to more than 4,000 existing Bridger Insight clients and other businesses across the banking and finance, insurance, securities, mortgage, automotive, gaming and public sectors.
Bridger Insight XG will reduce manual workload and streamline PATRIOT Act compliance and OFAC compliance workflow across an organization using new technologies designed to greatly simplify customer screening (including OFAC checks and ID verification) and due diligence processes. The new product is designed to help businesses more efficiently identify suspected terrorists and prevent crimes such as money laundering and ID theft.
Through new automated compliance workflow and case management tools, this new OFAC and PATRIOT Act compliance software can help users realize significant cost savings and greatly reduce false positive hits. Turn-key enterprise-wide deployment is another feature of the new software, which is equipped with the latest security and expanded audit capabilities.
Bringing extensive experience as a pioneer of OFAC compliance and PATRIOT Act compliance software, Bridger Insight XG helps clients make informed decisions, while saving time and reducing workload costs.
Bridger Insight solutions are used every day by the majority of the top 25 U.S. banks and thousands other businesses across the financial, insurance, securities, mortgage, automotive, gaming and public sectors to perform real-time and scheduled batch customer screening, utilizing more than 24 up-to-date watch lists, with access to extensive business and individual identity information, Factiva® Media and in-depth politically exposed persons databases.
More information about Bridger Insight XG can be obtained at www.BridgerInsight.com/XG.
Anyone know what a "in-depth politically exposed persons database" is? If so, leave a comment. Sounds interesting...
Monday, April 10, 2006
From Computerworld (via beSpacific: Sensitive Personal Data Posted on Florida County Public Records Site):
Florida county posts residents' sensitive data on public Web site - Computerworld:
APRIL 10, 2006 (COMPUTERWORLD) - The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents in Florida's Broward County are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on the county's Web site.
Labels: information breaches
A Toronto woman is up in arms after the Canada Revenue Agency accidentally mailed her tax information to the wrong person.
TorontoSun.com - Toronto And GTA - Breach of privacy:
"When Renata Mehta called Canada Revenue Agency last Monday asking for a copy of the T4E she filed with her tax return, she didn't expect the government to act so quickly.
And she certainly didn't expect the confidential form to be mailed to another woman.
In what Mehta calls 'an enormous breach of privacy,' the Mississauga woman's documents, along with 2004 income tax return information of a 53-year-old Burlington woman, was sent to Margaret McLellan's apartment in East York.
Like the other two women, McLellan had called Revenue Canada last Monday to request personal documents.
Yesterday going through the stack of papers that were all packed into an envelope Tuesday, it took McLellan a minute to realize it was someone else's private information.
'I was going through the pages and said, 'Wait a minute, this isn't my name.'' ...
Labels: information breaches
Sunday, April 09, 2006
Google and Earthlink have teamed together to offer a wifi network throughout the San Francisco area. Google can't do anything without causing worry about privacy among some. The concern with this initiative is that now Google will not only know where you've been online, but where you've been in real life. Interestingly, most commentary is not about whether Google knows, but the fact that they'll retain a handy drove of location information that may be of interest in law enforcement and PIs. See: Boing Boing: Privacy worries over Google/Earthlink WiFi plans in SF. See also a fair amount of coverage in the traditional online media.
Saturday, April 08, 2006
According to the United Press International, a San Francisco man has been arrested for fraud and forgery with an iPod. OMG!
Before breathless hysteria leads some legislator to ban iPods as ID theft tools, pause a moment. Count to ten. Here are other "ID theft tools" that can hold personal information that legislators may want to think about as well:
Check out the original story: United Press International - NewsTrack - IPod stored data for identity theft.
The Electronic Frontier Foundation is leading a class action lawsuit against AT&T in connection with the alleged illegal wiretapping of telecommunications in the US. The latest news is that AT&T allowed the National Security Agency to install data-mining equipment at the telco's international and long distance switches in San Francisco, Seattle, San Jose, Los Angeles and San Diego. From Wired's coverage:
Wired News: Whistle-Blower Outs NSA Spy Room
AT&T provided National Security Agency eavesdroppers with full access to its customers' phone calls, and shunted its customers' internet traffic to data-mining equipment installed in a secret room in its San Francisco switching center, according to a former AT&T worker cooperating in the Electronic Frontier Foundation's lawsuit against the company.
Mark Klein, a retired AT&T communications technician, submitted an affidavit in support of the EFF's lawsuit this week. That class action lawsuit, filed in federal court in San Francisco last January, alleges that AT&T violated federal and state laws by surreptitiously allowing the government to monitor phone and internet communications of AT&T customers without warrants.
On Wednesday, the EFF asked the court to issue an injunction prohibiting AT&T from continuing the alleged wiretapping, and filed a number of documents under seal, including three AT&T documents that purportedly explain how the wiretapping system works.
According to a statement released by Klein's attorney, an NSA agent showed up at the San Francisco switching center in 2002 to interview a management-level technician for a special job. In January 2003, Klein observed a new room being built adjacent to the room housing AT&T's #4ESS switching equipment, which is responsible for routing long distance and international calls.
"While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet (AT&T's internet service) circuits by splitting off a portion of the light signal," Klein wrote.
The split circuits included traffic from peering links connecting to other internet backbone providers, meaning that AT&T was also diverting traffic routed from its network to or from other domestic and international providers, according to Klein's statement.
In a letter to the EFF, AT&T objected to the filing of the documents in any manner, saying that they contain sensitive trade secrets and could be "could be used to 'hack' into the AT&T network, compromising its integrity."
Thanks to Secondary Screening: Ex-AT&T Employee on NSA Wiretap Room for the link.
UPDATE (20060430): It appears that US Government is about to use the "state secrets" privilege to have this lawsuit by EFF thrown out. See: 27B Stroke 6: Feds Drop Bomb on EFF Lawsuit.
Labels: information breaches
Friday, April 07, 2006
Canadian police have today arrested two former employees of a prominent outsourcing company who allegedly used personal information on holders of Canada Savings Bonds to defraud the Bank of Canada of around $100,000. The company is the data processor for the Bank and the employees are said to have used data obtained on the job. The leads that led to the arrest came from the company itself.
Labels: information breaches
Thursday, April 06, 2006
Jay Cline writes in Computerworld about the four ways that American companies can export personal information from Europe in compliance with the EU Data Protection Directive:
Labels: information breaches
The Government of Canada, through the Treasury Board Secretariat, has released its long-awaited Report on Assessment of Privacy Concerns Related to USA PATRIOT Act, including a multipart federal strategy: Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows
I haven't had a chance to review it yet, but here's the executive summary. Hopefully, I'll have something more substantive to say shortly:
Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows - Part 2 of 10
The Government of Canada takes the issue of privacy very seriously, including concerns about possible privacy risks posed by foreign legislation, such as the USA PATRIOT Act.*
These laws point to the need for current privacy best practices to become more uniform throughout the federal government and for additional measures to build upon and complement the existing safeguards.
For over a quarter century, Canada has been a world leader in privacy. It has introduced ground‑breaking legislation and policies designed to respect the personal information of its citizens.
Recent trends and events, however, have raised new concerns about whether the personal information of Canadians is adequately protected by governments and companies when it travels outside of Canada’s borders.
Transborder data flows and contracting
The emergence of new information technologies, such as the Internet, allows information to be transferred quickly and easily across borders. This includes personal information and other sensitive information. The transfer of such information across borders is known as “transborder data flows.”
Transborder data flows are becoming more common as companies and governments take advantage of outsourcing, a practice in which a supplier is hired under contract to manage certain activities, often because the institution does not have adequate internal resources to improve efficiency and levels of service. Federal government institutions are among the organizations that contract out or outsource some programs and services.
Information under foreign laws
It is not uncommon for an organization in Canada to outsource the management of personal information about Canadians to a company in the U.S. or elsewhere. Information stored or accessible outside of Canada can be subjected not only to Canadian laws but also to laws in the other country.
One such law is the USA PATRIOT Act. The Act permits U.S. law enforcement officials to seek a court order allowing them to access the personal records of any person for the purpose of an anti‑terrorism investigation, without that person’s knowledge.
In theory, it means U.S. officials could access information about Canadians if that information is physically within the U.S. or accessible electronically.
British Columbia court case sparks national debate
In 2004, a court case in British Columbia (B.C.) sparked a national debate on the potential impact of the USA PATRIOT Act on the privacy of Canadians.
The British Columbia Government and Service Employees’ Union sought an order to stop the provincial government from hiring the Canadian affiliate of a U.S. company to administer the province’s medical records, claiming that the contract would make the records vulnerable under the USA PATRIOT Act.
The union lost the court case and is appealing. The province, meanwhile, proceeded with the contract using the U.S.-based firm but added new privacy measures.
In addition to the court case, the Information and Privacy Commissioner for B.C. conducted a review. The Commissioner for B.C. concluded that the issue was larger than the USA PATRIOT Act, that transborder data flows could make Canadians’ information accessible under other foreign laws, and that the matter should be addressed by both the public and private sectors.
The Privacy Commissioner of Canada agreed with the results of the B.C. review, and together with the B.C. Commissioner, called for actions to be taken by the federal government to enhance protection of Canadians’ personal information that can flow across borders.
The federal government’s strategy
The Government of Canada responded to the USA PATRIOT Act concerns and other transborder data issues with a federal strategy. It is confident that the right to privacy related to key federal personal and sensitive information can be both respected and achieved.
The strategy was created with the following factors in mind.
Shared responsibility: The federal government is not alone. Other governments, the private sector, and Canadians themselves all have a role to play in the protection of privacy.
Balanced approach: Privacy needs to be weighed against other important considerations. Among these are the following: the need to ensure that contracting protects privacy and results in improved service to Canadians; international trade agreements that allow for fair and equitable treatment of foreign companies and play a major role in the health of Canada’s economy; and the need to protect the public safety and national security.
Build on existing measures: The latest measures are an extension of privacy safeguards put into place long before the USA PATRIOT Act was enacted. They complement previous statutes such as the Privacy Act, enacted in 1983 to impose obligations on federal government institutions to respect the privacy rights of Canadians. The Personal Information Protection and Electronic Documents Act (PIPEDA), which took full effect in January 2004, protects personal information held by the private sector. In addition, the Government of Canada was the first national government in the world to introduce a mandatory Privacy Impact Assessment Policy. The Policy requires government departments to build in privacy protection when changing or creating programs and services that collect personal information.
Informational privacy can also find constitutional protection under section 8 of the Canadian Charter of Rights and Freedoms.
The federal strategy consists of the following steps.
- Awareness: The government made all of its 160 institutions that are subject to the federal Privacy Act aware of the privacy issues raised by the USA PATRIOT Act.
- Risk identification and mitigation: Institutions reviewed their contracting and outsourcing arrangements to identify any risks under the USA PATRIOT Act, assess the seriousness of those risks, take corrective actions as needed, and report to the Treasury Board of Canada Secretariat (the Secretariat).
Here are the results reported to the Secretariat:
Most of the federal institutions, 83 per cent, had their contracting classified as “no risk” (77 institutions) or “low risk” (57 institutions) under the USA PATRIOT Act or other foreign legislation. Of the remaining institutions, many with mandates that include international activities, contracting risks were rated as “low to medium” (19 institutions) and “medium to high” (7 institutions). It should be noted that, if an institution identified only one contract as high risk, the institution was classified in the high risk category. That said, in all cases where risks were identified, institutions have taken, or are planning, remedial actions to mitigate risks.
- Guidance on privacy in contracting: For many years, federal institutions have had privacy and security safeguards in place to protect personal and other sensitive information that is handled or accessible under contract. Risk management strategies are also in place to cope with emerging privacy issues and, where necessary, institutions have outlined further measures to mitigate risk.
Existing Best Practices include the following: Prior to initiating a contract, inspections of private sector facilities may be carried out by government security experts to ensure that adequate protection is available for information handled or stored off government premises by a contractor; the requirement that core information stays at home—in other words, part or all of the work must be completed within the department or within Canada; the return of records or approved destruction of all records at the end of a contract; the inclusion of contractual clauses to address confidentiality; and the signing of non-disclosure agreements.
Guidance document: The government has recently issued a policy guidance document for federal institutions that provides a privacy checklist and upfront advice on considering privacy prior to initiating contracts. It also includes specific considerations for maximizing privacy protection that can be used to develop clauses to include in requests for proposals (RFP) and contracts.
- Follow up: The government will be taking additional steps to further mitigate risk.
Highlights of ongoing measures and those planned for within the next year:
- Follow-up assessment of federal contracting activities, ongoing contract advice, and implementation of risk management strategies for contracting where information may potentially be at risk under the USA PATRIOT Act or other foreign laws.
- Ensuring that key government policies are in step with privacy issues and reflect the new global reality.
- The exploration of technology and data architecture solutions to protect information flows, including the use of encryption technology and electronic audit trails.
- Continued monitoring of new technologies, trends, and events to address their possible effects on privacy.
- The development of additional guidelines to cover government-to-government information sharing (within Canada and abroad), auditing of contracts, and technical solutions to protect privacy.
- Increased awareness and training related to transborder data flows and existing federal safeguards.
Highlights of planned measures between one to two years:
- A scheduled 2006 review of the PIPEDA and determination if the federal Privacy Act should also be reviewed.
- The development of a privacy management framework to establish high standards of privacy protection throughout the federal government.
- Addressing privacy and transborder data flows for the recently announced Security and Prosperity Partnership (SPP) between Canada, Mexico, and the U.S.
The federal government will also continue to share best practices in protecting transborder data flows with provincial and territorial governments as well as the private sector and foreign governments.
Democratic Congressman Patrick Kennedy is about to introduce a new bill to protect the privacy of medical information from "glaring holes" in existing laws. See: Rep. Kennedy to introduce health records privacy bill
According to the Georgia Straight, the Campbell government of British Columbia may be poised to loosen the amendments that the government made to the Freedom of Information and Protection of Privacy Act over USA Patriot Act concerns. Complaints from public servants that the new law is inflexible are apparently responsible. See: Straight.com Vancouver | Victoria Secrets | Will privacy law be eased?.
Tuesday, April 04, 2006
Thanks to beSpacific for the pointer to the following, which probably isn't a great surprise:
Data Brokers Supplying Gov't Don't Consistently Protect Privacy of Citizen Info"In fiscal year 2005, the Departments of Justice, Homeland Security, and State and the Social Security Administration reported that they used personal information obtained from resellers for a variety of purposes, including performing criminal investigations, locating witnesses and fugitives, researching assets held by individuals of interest, and detecting prescription drug fraud. The agencies spent approximately $30 million on contractual arrangements with resellers that enabled the acquisition and use of such information...The major information resellers that do business with the federal agencies GAO reviewed have practices in place to protect privacy, but these measures are not fully consistent with the Fair Information Practices."...resellers generally limit the extent to which individuals can gain access to personal information held about themselves, as well as the extent to which inaccurate information contained in their databases can be corrected or deleted. Agency practices for handling personal information acquired from information resellers did not always fully reflect the Fair Information Practices. That is, some of these principles were mirrored in agency practices, but for others, agency practices were uneven. For example, although agencies issued public notices on information collections, these did not always notify the public that information resellers were among the sources to be used."
Labels: information breaches
Reuters (via Yahoo!) is running a story about the apparent revival of the town of East Orange, New Jersey. The revial is said to be attributable to the pervasive use of surveillance cameras, gunshot detectors and a virtual citizens' patrol that allows residents to use police cameras to view their own neighbourhoods. According to the article, the technology was provided virtually free by its manufacturer, which hopes to use East Orange as an example of what their technology can do. See: Big Brother cleans up crime - Yahoo! News.
Monday, April 03, 2006
A coalition of privacy and civil liberties groups is calling for stronger privacy protection as the US moves closer to electronic medical records:
Pogo Was Right - We have met the enemy, and he is us!:
Congress is moving to create a national electronic health record system, and groups, including EPIC, ACLU, American Conservative Union, and Patient Privacy Rights, are urging lawmakers to build privacy safeguards into this system. National research has shown that Americans will avoid treatment, omit critical medical data and delay care if they are compelled to share sensitive medical data without strong privacy protections. A press conference (pdf) about the issue will be held at 10:30 am on Wednesday April 5 at Cannon House Office Building in Washington, D.C.
Source - EPIC
Labels: information breaches
Saturday, April 01, 2006
Astratel, an Australian internet service provider, has apparently been having problems with the "security locks" of its website. According to Austrialian IT, anybody can enter a customer's phone number and obtain access to that customer's account data, including calling logs. A customer went to the media after repeated attempts to contact the ISP were unacknowledged. See: Australian IT - Privacy breach at ISP (Andrew Colley, MARCH 31, 2006).
Labels: information breaches
Faculty and students are being notified that personal information may have been compromised after a student has been arrested for allegedly hacking into Shorter College in Georgia's systems. See: WIStv.com Columbia, SC: Shorter College students, faculty told be cautious after hacking.
Labels: information breaches
Bob Aaron, in the Toronto Star, writes about a recent decision from the Assistant Information and Privacy Commissioner of Ontario that may force the province's police forces to disclose lists of all houses that have been used for marijuana "Grow Ops" or chemical labs (TheStar.com - Ruling may force police to list grow houses). In response to a request for this information from the media under Ontario's freedom of information law, the London police force refused on the basis that such a disclosure would interfere with law enforcement and would be an invasion of privacy. The Assistant Commissioner dismissed both those claims and concluded that the public interest was an over-riding concern. The decision, dated February 17, 2006 is here.
According to Techweb, the US Congress House Energy and Commerce Committee have unanimously approved HR 4127, the Data Accountability and Trust Act. This sends the bill to the full house for a vote (see: TechWeb News Privacy Groups Herald House Data Breach Bill)
Below is the full text of the bill, but I have a few observations first. (Remember, I am not a US lawyer, so I will happy accept corrections on my interpretation of the text):
Despite the above, both the Center for Democracy and Technology and the Privacy Rights Clearinghouse have urged that this bill be passed.
Without further ado, here's HR 4127:
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Data Accountability and Trust Act (DATA)'.
SEC. 2. REQUIREMENTS FOR INFORMATION SECURITY.
(a) General Security Policies and Procedures-
(1) REGULATIONS- Not later than 1 year after the date of enactment of this Act, the Commission shall promulgate regulations to require each person engaged in interstate commerce that owns or possesses data in electronic form containing personal information to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information that are consistent with--
(A) the size of, and the nature, scope, and complexity of the activities engaged in by, such person;
(B) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and
(C) the cost of implementing such safeguards.
(2) REQUIREMENTS- Such regulations shall require the policies and procedures to include the following:
(A) A security policy with respect to the collection, use, sale, other dissemination, and maintenance of such personal information.
(B) The identification of an officer or other individual as the point of contact with responsibility for the management of information security.
(C) A process for identifying and assessing any reasonably foreseeable vulnerabilities in the system maintained by such person that contains such electronic data.
(D) A process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process required by subparagraph (C), which may include encryption of such data, implementing any changes to security practices and the architecture, installation, or implementation of network or operating software.
(b) Special Requirements for Information Brokers-
(1) SUBMISSION OF POLICIES TO THE FTC- The regulations promulgated under subsection (a) shall require information brokers to submit their security policies to the Commission on an annual basis.
(2) POST-BREACH AUDIT- Following a breach of security of an information broker, the Commission shall conduct an audit of the information security practices of such information broker. The Commission may conduct additional audits, on an annual basis, for a maximum of 5 years following the breach of security or until the Commission determines that the security practices of the information broker are in compliance with the requirements of this section and are adequate to prevent further breaches of security.
(3) INDIVIDUAL ACCESS TO PERSONAL INFORMATION-
(A) ACCESS TO INFORMATION- Each information broker shall--
(i) provide to each individual whose personal information it maintains, at the individual's request at least one time per year and at no cost to the individual, a means for such individual to review any personal information of the individual maintained by the information broker and any other information about the individual maintained by the information broker; and
(ii) place a conspicuous notice on its Internet website (if the information broker maintains such a website) instructing individuals how to request access to the information required to be provided under clause (i).
(B) DISPUTED INFORMATION- Whenever an individual whose information the information broker maintains files a written request disputing the accuracy of any such information, unless there is reasonable grounds to believe such request is frivolous or irrelevant, the information broker shall clearly note in the database maintained by such information broker, and in any subsequent transmission of such information by such information broker, that such information is disputed by the individual to whom the information relates. Such note shall include either the individual's statement disputing the accuracy of such information or a clear and concise summary thereof.
SEC. 3. NOTIFICATION OF INFORMATION SECURITY BREACH.
(a) Nationwide Notification- Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data--
(1) notify each individual of the United States whose personal information was acquired by an unauthorized person as a result of such a breach of security;
(2) notify the Commission;
(3) place a conspicuous notice on the Internet website of the person (if such person maintains such a website), which shall include a telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the security breach or the information the person maintained about that individual; and
(4) in the case of a breach of financial account information of a merchant, notify the financial institution that issued the account.
(b) Timeliness of Notification- All notifications required under subsection (a) shall be made as promptly as possible and without unreasonable delay following the discovery of a breach of security of the system and any measures necessary to determine the scope of the breach, prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system.
(c) Method and Content of Notification-
(1) DIRECT NOTIFICATION-
(A) METHOD OF NOTIFICATION- A person required to provide notification to individuals under subsection (a)(1) shall be in compliance with such requirement if the person provides conspicuous and clearly identified notification by one of the following methods (provided the selected method can reasonably be expected to reach the intended individual):
(i) Written notification.
(ii) Email notification, if the individual has consented to receive such notification and the notification is provided in a manner that is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global Commerce Act (15 U.S.C. 7001).
(B) CONTENT OF NOTIFICATION- Regardless of the method by which notification is provided to an individual under subparagraph (A), such notification shall include--
(i) a description of the personal information that was acquired by an unauthorized person;
(ii) a telephone number that the individual may use, at no cost to such individual, to contact the person to inquire about the security breach or the information the person maintained about that individual;
(iii) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and
(iv) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.
(2) SUBSTITUTE NOTIFICATION-
(A) CIRCUMSTANCES GIVING RISE TO SUBSTITUTE NOTIFICATION- A person required to provide notification to individuals under subsection (a)(1) may provide substitute notification in lieu of the direct notification required by paragraph (1) if such direct notification is not feasible due to--
(i) excessive cost to the person required to provide such notification relative to the resources of such person, as determined in accordance with the regulations issued by the Commission under paragraph (3)(A); or
(ii) lack of sufficient contact information for the individual required to be notified.
(B) CONTENT OF SUBSTITUTE NOTIFICATION- Such substitute notification shall include notification in print and broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside. Such notification shall include a telephone number where an individual can, at no cost to such individual, learn whether or not that individual's personal information is included in the security breach.
(3) FEDERAL TRADE COMMISSION REGULATIONS AND GUIDANCE-
(A) REGULATIONS- Not later than 270 days after the date of enactment of this Act, the Commission shall, by regulation, establish criteria for determining the circumstances under which substitute notification may be provided under paragraph (2), including criteria for determining if notification under paragraph (1) is not feasible due to excessive cost to the person required to provide such notification relative to the resources of such person.
(B) GUIDANCE- In addition, the Commission shall provide and publish general guidance with respect to compliance with this section. Such guidance shall include--
(i) a description of written or email notification that complies with the requirements of paragraph (1); and
(ii) guidance on the content of substitute notification under paragraph (2)(B), including the extent of notification to print and broadcast media that complies with the requirements of such paragraph.
(d) Other Obligations Following Breach- A person required to provide notification under subsection (a) shall provide or arrange for the provision of, to each individual to whom notification is provided under subsection (c)(1) and at no cost to such individual, consumer credit reports from at least one of the major credit reporting agencies beginning not later than 2 months following a breach of security and continuing on a quarterly basis for a period of 2 years thereafter. The Commission shall, by regulation, provide alternative requirements under this subsection for persons who qualify to provide substitute notification under subsection (c)(2).
(e) Website Notice of Federal Trade Commission- The Commission shall place, in a clear and conspicuous location on its Internet website, a notice of any breach of security that is reported to the Commission under subsection (a)(2).
SEC. 4. ENFORCEMENT BY THE FEDERAL TRADE COMMISSION.
(a) Unfair or Deceptive Acts or Practices- A violation of section 2 or 3 shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
(b) Powers of Commission- The Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates such regulations shall be subject to the penalties and entitled to the privileges and immunities provided in that Act. Nothing in this Act shall be construed to limit the authority of the Commission under any other provision of law.
SEC. 5. DEFINITIONS.
In this Act the following definitions apply:
(1) BREACH OF SECURITY- The term `breach of security' means the unauthorized acquisition of data in electronic form containing personal information that establishes a reasonable basis to conclude that there is a significant risk of identity theft to the individual to whom the personal information relates. The encryption of such data, combined with appropriate safeguards of the keys necessary to enable decryption of such data, shall establish a presumption that no such reasonable basis exists. Any such presumption may be rebutted by facts demonstrating that the method of encryption has been or is likely to be compromised.
(2) COMMISSION- The term `Commission' means the Federal Trade Commission.
(3) DATA IN ELECTRONIC FORM- The term `data in electronic form' means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.
(4) ENCRYPTION- The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.
(5) IDENTITY THEFT- The term `identity theft' means the unauthorized assumption of another person's identity for the purpose of engaging in commercial transactions under the name of such other person.
(6) INFORMATION BROKER- The term `information broker' means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not customers of such entity for the sale or transmission of such information or the provision of access to such information to any third party, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity.
(7) PERSONAL INFORMATION-
(A) DEFINITION- The term `personal information' means an individual's first and last name in combination with any 1 or more of the following data elements for that individual:
(i) Social Security number.
(ii) Driver's license number or other State identification number.
(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account.
(B) MODIFIED DEFINITION BY RULEMAKING- The Commission may, by rule, modify the definition of `personal information' under subparagraph (A) to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.
(8) PERSON- The term `person' has the same meaning given such term in section 551(2) of title 5, United States Code.
SEC. 6. EFFECT ON OTHER LAWS.
(a) Preemption of State Information Security Laws- This Act supersedes any provision of a statute, regulation, or rule of a State or political subdivision of a State that expressly--
(1) requires information security practices and treatment of personal information similar to any of those required under section 2; and
(2) requires notification to individuals of a breach of security resulting in unauthorized acquisition of their personal information.
(b) Additional Preemption-
(1) IN GENERAL- No person other than the Attorney General of a State may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act.
(2) PROTECTION OF CONSUMER PROTECTION LAWS- This subsection shall not be construed to limit the enforcement of any State consumer protection law by an Attorney General of a State.
(c) Protection of Certain State Laws- This Act shall not be construed to preempt the applicability of--
(1) State trespass, contract, or tort law; or
(2) other State laws to the extent that those laws relate to acts of fraud.
SEC. 7. EFFECTIVE DATE AND SUNSET.
(a) Effective Date- This Act shall take effect 1 year after the date of enactment of this Act.
(b) Sunset- This Act shall cease to be in effect on the date that is 10 years from the date of enactment of this Act.
SEC. 8. AUTHORIZATION OF APPROPRIATIONS.
There is authorized to be appropriated to the Commission $1,000,000 for each of fiscal years 2006 through 2010 to carry out this Act.
The Information and Privacy Commissioner of BC has released his report into the sale of backuptapes containing private records of British Columbians (for background, see: The Canadian Privacy Law Blog: Incident: British Columbia government actioned off surplus backup tapes with sensitive health information).
From the IPC of BC:
PRIVACY COMMISSIONER RELEASES REPORT ON SALE OF TAPES OF PERSONAL INFORMATION
FOR IMMEDIATE RELEASE
March 31, 2006
Victoria—Government mechanisms for the secure destruction of media containing personal information are inadequate and were in any event not followed, Information and Privacy Commissioner David Loukidelis found in an investigation report released today.
The investigation was conducted following reports in early March by The Vancouver Sun that 41 computer backup tapes had been sold by the provincial government. The tapes contained highly sensitive personal information on thousands of people, including information about medical conditions, mental illness, substance abuse, social insurance numbers, dates of birth and financial information. The Commissioner found that the tapes were mistakenly sent for sale during a reorganization of the Ministry of Employment and Income Assistance when a Vancouver regional office was closing down in 2005.
BC’s privacy law requires public bodies, and private sector organizations, to take all reasonable steps to protect personal information from unauthorized disclosure. “In this case,” the Commissioner stated, “whatever written policies or procedures were in place, reasonable security measures were clearly not taken. The many human errors and system gaps that our investigation detected and that the government’s own report confirms, fell far short of objectively reasonable security arrangements, bearing in mind the very sensitive and extensive personal information at stake, the relatively simple steps that could have been taken to ensure the safe and proper disposal of the personal information and the predictability of risk of disorder at the time of an office move.”
The Commissioner recommended the creation of central provincial government policy and responsibility for secure destruction of personal information. He also recommended that the provincial government adopt a strategy for encryption of sensitive personal information. “Citizens of this province have no choice in the matter when government collects or compiles our personal information,” the Commissioner stated. “Personal information security is a serious matter and the provincial government needs to commit resources and energy to restoring and then retaining public trust in the government’s handling of our personal information.” The entire report can be found at http://www.oipc.bc.ca/investigations/reports/InvestigationReportF06-01.pdf.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.