The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Wednesday, May 31, 2006
Some updated news in the wake of the ginormous data breach at the US Department of Veterans Affairs (for some background, see: The Canadian Privacy Law Blog: Incident: Personal information about 26.5M US veterans on laptop stolen):
Labels: information breaches
Yesterday's New York Times has a very interesting and wide-ranging article on identity theft, focusing on the growth in this kind of fraud in Arizona. The article illustrates innovative techniques that clever fraudsters have picked up and highlights the connection between meth abuse and ID theft. Finally, it also discusses whether the boom in identity theft is actually caused by how easily financial institutions hand out credit to people whose identities aren't verified. Check it out: Technology and Easy Credit Give Identity Thieves an Edge - New York Times. (Thanks to robhyndman.com for the link.)
For an intersting and contrarian perspective, check out Slate's: The New York Times flips out over "identity theft."
Tuesday, May 30, 2006
Andreas Busch, blogging from Oxford, reports that the data sharing arrangement between the US and the EU has been struck down. Read all about it at his great blog ...
Politics of Privacy Blog: Passenger flight data: European court blocks EU data deal with US:
"The European Court of Justice has today anulled the European Council's decision regarding an agreement to provide US authorities with the data of European flight passengers, and the European Commission's decision that this agreement complies with with the European Union's data protection requirements. (More information about the details can be found in the ECJ's press release)...."
Labels: information breaches
This morning, Toby Keeping of IronSentry and I gave a presentation on business and legal risks of e-mail and other electronic information at the Westin in Halifax. The Chronicle Herald is running a story on the topic, based interviews with Toby and me. Check it out: The ChronicleHerald.ca - E-mail issues causing headaches: Firms search for security in electronic age. E-mail me for a copy of the presentation.
The Federal Privacy Commissioner of Canada has released her Annual Report to Parliament for 2005 (pdf). It is worth a read since it highlights many of the activities of that office that are not reported on elsewhere. It also includes a synopsis of a range of pending applications before the Federal Court of Canada that haven't been referred to elsewhere.
Here is the media release related to the report:
Tabling of Privacy Commissioner of Canada's 2005 Annual Report on the Personal Information Protection and Electronic Documents Act: Commissioner takes tougher stance
Ottawa, May 30, 2006 –There has been progress in advancing the privacy rights of Canadians in the private sector, but the Privacy Commissioner’s Office intends to be more assertive in ensuring that all businesses are complying with the law, according to the Privacy Commissioner of Canada, Jennifer Stoddart, whose 2005 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.
In 2005, the Privacy Commissioner began taking a stronger stance with respect to the recommendations made to organizations in her letters of finding. She began asking organizations that are the subject of well-founded complaints to state the corrective measures they would take – and when these measures would be implemented. In the one situation in which the company did not implement the recommendations, the Commissioner’s Office took the matter forward to the Federal Court. All other organizations have rapidly committed to providing redress and making systemic changes to their personal information management practices.
“Businesses, large and small, have demonstrated goodwill, commitment to community values and openness to change when it comes to protecting privacy,” states Ms. Stoddart in her report. “But I am concerned that apparent compliance does not always result in truly effective privacy and security practice. This goodwill needs to be translated into practice.”
Overall, information handling practices brought to the attention of the Privacy Commissioner’s Office show a high level of compliance with PIPEDA among Canadian companies. And the Commissioner is pleased that a recent trend toward settling complaints is continuing, with almost half of the 400 complaints in 2005 being settled to the apparent satisfaction of all parties.
Another theme of the report relates to technology, consumer trends and national security concerns, which continue to introduce novel uses for personal data and require ever greater amounts of it. It is time to revisit how the operating rules are defined and applied, and how adequate these rules are in a world of such rapid technological change.
Recent polling commissioned by the Privacy Commissioner’s Office suggests that 88 per cent of Canadians feel that it is important that privacy laws are updated to ensure they are keeping up with new technologies that may have an impact on their personal information.
PIPEDA came into effect in stages beginning in 2001, so the Office now has more than five years of experience dealing with the law. It is slated for a full Parliamentary review in 2006, which is expected to commence in the fall. This mandated review is vital and will present a unique opportunity to examine the Act’s effectiveness in protecting privacy rights in the marketplace. It will also give Parliamentarians the chance to help respond to growing attacks on personal information through identity theft, spam and fraudulent on-line activities. The Commissioner is urging the government to consider a similar review of the Privacy Act, the federal public sector privacy law, which has not been substantially amended since its inception in 1983.
As the Commissioner’s Office plans for its participation in this all-important review of PIPEDA, it will also continue to pursue preventive activities such as education, outreach, complaint resolution, as well as audits and reviews. The expectation of additional resources will further assist the Office in fully carrying out this multi-faceted mandate to protect and promote privacy rights.
The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.
— 30 —
Sunday, May 28, 2006
Security breaches at universities are such old news that I've stopped reporting them on this blog. But this one is a bit different. A computer security breach has resulted in the compromise of personal information of 135,000 people at Sacred Heart University in Connecticut. (Yawn.) But what's notable is that many of those affected are not alumni, not staff, not students, not applicants. The university had obtained information on prospective students from dozens of sources, likely without the OK of those individuals. And some of this information was compromised in the breach. Yup. That's a new one. And not a good one.
I usually don't write about anything other than privacy law, but I thought I'd make an exception to write a bit about this blog ...
This week I was honoured to be the receipient of the Outstanding Young Canadian Award in the category of Leadership, given by the Junior Chamber of Commerce International, Halifax Chapter. My firm, McInnes Cooper, has made a pretty big deal out of it (Congratulations to David Fraser, our Outstanding Young Canadian!). It was all very flattering and humbling at the same time.
The criteria for the award are:
Leadership: The legal, political, public and governmental sectors have leaders to use their skills to attain goals on a regular basis. They constantly make a difference in their organization and their leadership ability is a key to their success. The nominee for this award has proven leadership abilities.
I fit the "young" part, since I'm between 18 and 40. And it is unusual for a young associate in a large law firm to head a practice group, to develop a niche practice and to have a significant national client base.
I had to give a speech, along with the winners in the other categories, at the gala dinner on Thursday. The organizers suggested something inspiring. Well, I spend a lot of time talking to large groups about privacy law but it was pretty weird to contemplate standing up and talking about myself. But it did make me reflect upon what "got me here". And a significant part of that is this blog.
In building my practice in privacy law, I have spent a lot of time and effort networking, getting know people in the field, doing wider marketing and even making direct pitches to prospective clients, but the one thing that has raised my profile most of all and has resulted in engagements from far-flung clients is this blog. I know from the site's stats that it is read regularly by the Office of the Federal Privacy Commissioner, the provincial privacy commissioners, most major Canadian law firms, the big five Canadian banks, and Canada's equivalent of the Fortune 500.
This blog and its wide readership has led to an invitation to speak at the Canadian Bar Association's annual meeting in Winnipeg in 2004 (The Canadian Privacy Law Blog: Report from the CBA in Winnipeg). Everything I've written for the Canadian Privacy Law Review has started as a posting on this blog. The first times I met each of the British Columbia, Alberta and Ontario privacy commissioners, each of them knew me and commented on my blog. I've given dozens of media interviews for newspapers, radio and TV throughout Canada and into the U.S. on privacy issues and, almost without exception, the reporters and producers found me via the blog. I've also been featured in high-profile articles on Canadian legal bloggers (CBA Magazine: Blogging the spotlight and New Media Marketing, Part I - Blogs: How Lawyers Can Become Thought Leaders in a Niche Market (CBA members-only login)), all thanks to this blog. Also, thanks to this blog, I've met a number of great people from coast to coast, some of whom I've met in the real world and some who I only know through e-mail.
Importantly, all of the above is an unintended consequence. I didn't start out the blog thinking it would raise my profile or would be a good way to meet people. I started it because I wished someone else had put together a "one stop shopping" place for Canadian privacy law and notable news in this area. At the end of 2003, there wasn't such a site to keep privacy lawyers and others up-to-date on this area, so I decided to do it for myself. I was surprised at how easy it was and I was also pleasantly surprised that it didn't take as much time as I thought it would. Everything else has been gravy. Heaps of gravy.
In any event, I'd like to thank my friends, my family, my firm and my blog.
Wednesday, May 24, 2006
At least Paxx Telecom LLC thinks so. They have just issued a press release advertising that their service lets you thumb your nose at the NSA, et al:
Phone Company, In Response To Concerns About Phone Privacy, Shows Customers How To Tell The NSA To Take A Hike - Yahoo! News
(PRWEB) - Scottsdale, AZ (PRWEB) May 24, 2006 -- The recent revelation first made by USA Today that the National Security Agency (NSA) has been commandeering phone records of tens of millions of ordinary Americans has shocked those who cherish their privacy and do not agree with unnecessary snooping by their government.
It’s hard to know which phone companies are prepared to protect the privacy of telephone records from the NSA’s prying eyes. Certainly many of the nation’s largest phone companies are not, according to USA Today.
With the cooperation of the nations largest phone companies, the NSA has amassed the largest ever database of “call detail” information including who called what number, when and for how long.
Less understood is that while the public is “assured” no personal data is being collected, it’s only a small step required in order to “connect-the-dots”. Revealing the owner of most phone numbers is often as simple as typing the number into Google.
Even a pre-paid calling card purchased for cash is not anonymous. All calls originating from that card are recorded based on their authorization code, and it’s just a few simple steps to identify the caller.
“This is nothing new”, reports Paul Schmidt, CEO of Paxx Telecom LLC. “We reported back in 2002 that the a number of the major phone companies informed their customers that they intended to distribute or sell customers’ private information after a Federal Court gave them blanket permission to do so.”
“At Paxx Telecom, our records are secured offsite and we guarantee never to turn over any records to the government or anyone else without a court order. All our customers need do is dial a short access number in front of the number they want to reach. As a result, the local phone company will show only the connection to Paxx Telecom. It will have no record of the actual number the customer talked to", he said. “In addition, we keep call records on our servers only temporarily to give customers access to verify proper invoicing, after which the calling information will be extinguished.”
Paxx Telecom LLC is a privately owned long distance provider, incorporated in the state of Arizona in 1999. Paxx Telecom offers domestic and international long distance services to residents of the USA and Canada, and it offers International callback services in most countries overseas. Paxx Telecom has agreements to use the network backbones of some of the world’s largest communication providers. For optimal call clarity, Paxx Telecom is using traditional voice-quality networks rather than VOIP or other Internet technology. Additional information about Paxx Telecom services is available at www.PaxxTelecom.com
More information about Paxx Telecom’s secure phone system can be found at www.paxxtelecom.com or by calling 1-800-664-4977.
Tuesday, May 23, 2006
Asian economic powerhouse Singapore is about two years away from a data protection law as the country moves through a consultation process toward that objective:
SINGAPORE: A committee that is looking at how to protect private information is expected to submit its report to the government next month.
Experts believe one of the key features of the upcoming data protection law is clamping down on private companies that collect and disseminate personal information freely.
Currently, when a person fills out their personal information on forms or lucky draw coupons, the companies will usually store the information in their databases and disseminate it without the person's knowledge or permission.
The upcoming law will likely make sure that that will not happen.
Experts believe the law may be ready in about 2 years.
"Data collectors would have to get your consent if they're going to use it for direct marketing and if you discover that your particulars are being used by direct marketing by a particular company, you'd have a right to go to the company and demand that they stop doing it. It's the sort of thing I could envisage in the legislation coming," said S Suressh, a partner at Harry Elias Partnership.
Singaporeans are increasingly using the internet to conduct transactions.
So it's timely for the government to study and develop laws to protect personal details.
"As we develop, there're more and more demands for rights and one of the rights is of course the right to privacy. So the government's probably decided that we have reached a certain level of development and that businesses can probably cope with the increased burden and cost of this," said Asst Prof Terence Tan from the Law Faculty at NUS.
The existing laws cover mainly government agencies such as the Inland Revenue Authority of Singapore, requiring they protect your personal information.
But data collection and protection are unregulated among private companies, which will change with the coming of new laws. - CNA /dt
Labels: information breaches
With 70% of critical business information contained in email, small and medium sized companies face numerous challenges. Legal concerns including privacy, retention, and accountability are forefront, but improper use, hardware requirements, and the ability to recover old emails are also highly important to today’s business owner.
Join Toby Keeping (IronSentry Inc.) and David Fraser (McInnes Cooper) in an information session as they discuss these and other issues that small and medium sized companies have to address with electronic information.
For more information, or to register, click here.
Contact: Toby Keeping, 902.463.4485 x1401 or email@example.com
Monday, May 22, 2006
The Privacy Commissioner of Australia is poised to investigate a controvertial "reverse directory" in that country. The site, www.boonghunter.com, provides names, addresses and numbers of residents based on partial information, including just the streets they live on. Women in particular are afraid that it'll make a good tool for stalkers.
The Advertiser: Women fear website puts them in danger [23may06].
By MICHAEL OWEN
AN unauthorised telephone directory website has alarmed women, who fear it will increase the risk of stalking and endanger women and children seeking refuge from domestic violence.
The website - www.boonghunter.com - also has disturbed Telstra, which yesterday described it as "a gross invasion of privacy".
The website and the source of its information was last night under investigation by federal authorities, including the Australian Communications and Media Authority and the Office of the Federal Privacy Commissioner. Sensis, Telstra's online directory division, said it was "appalled" by the website, which provides "reverse search" access to address and telephone numbers of individuals.
"Unlike the White Pages directory, where you need to know the name of the person you are searching for before you can find their details, reverse searching enables people to search for your private details without knowing who you are," Sensis Corporate Affairs Manager Karina White said.
"For example, you can find out someone's personal details just by knowing the street they live on.
"Whoever is behind this website has no regard for Australians' rights to have their personal contact information handled responsibly and with respect."
Karen Barnes, chairperson of the Kilburn-based Women's Housing Association, was concerned for the safety and security of women and children trying to flee abusive situations.
"We will be pursuing a formal inquiry to try and get this website closed down," Ms Barnes said.
Telecommunications industry sources last night said initial inquiries indicated an overseas computer hacker had gained access to the Integrated Public Number Database, which contains the names, addresses, phone numbers and phone location of all residential and business customers in the country. The database is managed by Telstra on behalf of the telecommunications industry.
The INPD is used by telcos to develop their own directories and is also available to authorised members of the Australian police and emergency services.
ACMA last night confirmed it had started investigating the source of the information on the website.
Privacy Commissioner Karen Curtis was last night preparing to launch a formal investigation.
The domain http://www.boonghunter.com is being redirected to http://www.indigenoushunter.com/. I understand the term "boong" (which I must confess I've never heard before) is an offensive term used to refer to aboriginal Australians.
An employee of the United States Department of Veterans' Affairs took home a laptop containing data on 26.5 million American veterans, which was subsequently stolen from his home. Authorities do not think the information has been misused:
Personal Data of 26.5M Veterans Stolen - Yahoo! News
WASHINGTON - Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday.
Veterans Affairs Secretary Jim Nicholson said there was no evidence so far that the burglars who struck the employee's home have used the personal data — or even know they have it. The employee, a data analyst whom Nicholson would not identify, has been placed on leave pending a review.
"We have a full-scale investigation," said Nicholson, who said the FBI, local law enforcement and the VA inspector general were investigating. "I want to emphasize, there was no medical records of any veteran and no financial information of any veteran that's been compromised."
"We have decided that we must exercise an abundance of caution and make sure our veterans are aware of this incident," he said in a conference call with reporters.
The theft of veterans' names, Social Security numbers and dates of birth comes as the department has come under criticism for shoddy accounting practices and for falling short on the needs of veterans.
Last year, more than 260,000 veterans could not sign up for services because of cost-cutting. Audits also have shown the agency used misleading accounting methods and lacked documentation to prove its claimed savings.
Veterans advocates immediately expressed alarm....
The federal government has put up an information page here:
Latest Information on Veterans Affairs Data Security -- Firstgov.gov
Latest Information on Veterans Affairs Data Security
The Department of Veterans Affairs (VA) has recently learned that an employee, a data analyst, took home electronic data from the VA, which he was not authorized to do. This behavior was in violation of VA policies. This data contained identifying information including names, social security numbers, and dates of birth for up to 26.5 million veterans and some spouses, as well as some disability ratings. Importantly, the affected data did not include any of VA's electronic health records nor any financial information. The employee's home was burglarized and this data was stolen. The employee has been placed on administrative leave pending the outcome of an investigation.
Appropriate law enforcement agencies, including the FBI and the VA Inspector General's office, have launched full-scale investigations into this matter. Authorities believe it is unlikely the perpetrators targeted the items because of any knowledge of the data contents. It is possible that they remain unaware of the information which they possess or of how to make use of it. However, out of an abundance of caution, the VA is taking all possible steps to protect and inform our veterans.
The VA is working with members of Congress, the news media, veterans service organizations, and other government agencies to help ensure that veterans and their families are aware of the situation and of the steps they may take to protect themselves from misuse of their personal information. The VA will send out individual notification letters to veterans to every extent possible. Additionally, working with other government agencies, the VA has set up a manned call center that veterans may call to get information about this situation and learn more about consumer identity protections. That toll free number is 1-800-FED INFO (1-800-333-4636). The call center will operate from 8 am to 9 pm (EDT), Monday-Saturday as long as it is needed.
Here are some questions you may have about this incident, and their answers.
I'm a veteran. How can I tell if my information was compromised?
At this point there is no evidence that any missing data has been used illegally. However, the Department of Veterans Affairs is asking all veterans to be extra vigilant and to carefully monitor bank statements, credit card statements and any statements relating to recent financial transactions. If you notice unusual or suspicious activity, you should report it immediately to the financial institution involved and contact the Federal Trade Commission for further guidance.
What is the earliest date at which suspicious activity might have occurred due to this data breach?
The information was stolen from an employee of the Department of Veterans Affairs during the month of May 2006. If the data has been misused or otherwise used to commit fraud or identity theft crimes, it is likely that veterans may notice suspicious activity during the month of May.
I haven't noticed any suspicious activity in my financial statements, but what can I do to protect myself and prevent being victimized by credit card fraud or identity theft?
The Department of Veterans Affairs strongly recommends that veterans closely monitor their financial statements and review the guidelines provided on this webpage or call 1-800-FED-INFO (1-800-333-4636).
Should I reach out to my financial institutions or will the Department of Veterans Affairs do this for me?
The Department of Veterans Affairs does not believe that it is necessary to contact financial institutions or cancel credit cards and bank accounts, unless you detect suspicious activity.
Where should I report suspicious or unusual activity?
The Federal Trade Commission recommends the following four steps if you detect suspicious activity:
- Step 1 – Contact the fraud department of one of the three major credit bureaus:
Equifax: 1-800-525-6285; http://www.firstgov.gov/external/external.jsp?url=http://www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
Experian: 1-888-EXPERIAN (397-3742); http://www.firstgov.gov/external/external.jsp?url=http://www.experian.com; P.O. Box 9532, Allen, Texas 75013
TransUnion: 1-800-680-7289; http://www.firstgov.gov/external/external.jsp?url=http://www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
- Step 2 – Close any accounts that have been tampered with or opened fraudulently.
- Step 3 – File a police report with your local police or the police in the community where the identity theft took place.
- Step 4 – File a complaint with the Federal Trade Commission by using the FTC's Identity Theft Hotline by telephone: 1-877-438-4338, online at http://www.firstgov.gov/external/external.jsp?url=http://www.consumer.gov/idtheft, or by mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580.
I know the Department of Veterans Affairs maintains my health records electronically; was this information also compromised?
No electronic medical records were compromised. The data lost is primarily limited to an individual's name, date of birth, social security number, in some cases their spouse's information, as well as some disability ratings. However, this information could still be of potential use to identity thieves and we recommend that all veterans be extra vigilant in monitoring for signs of potential identity theft or misuse of this information.
What is the Department of Veterans Affairs doing to insure that this does not happen again?
The Department of Veterans Affairs is working with the President's Identity Theft Task Force, the Department of Justice and the Federal Trade Commission to investigate this data breach and to develop safeguards against similar incidents. The Department of Veterans Affairs has directed all VA employees complete the "VA Cyber Security Awareness Training Course" and complete the separate "General Employee Privacy Awareness Course" by June 30, 2006. In addition, the Department of Veterans Affairs will immediately be conducting an inventory and review of all current positions requiring access to sensitive VA data and require all employees requiring access to sensitive VA data to undergo an updated National Agency Check and Inquiries (NACI) and/or a Minimum Background Investigation (MBI) depending on the level of access required by the responsibilities associated with their position. Appropriate law enforcement agencies, including the Federal Bureau of Investigation and the Inspector General of the Department of Veterans Affairs, have launched full-scale investigations into this matter.
Where can I get further, up-to-date information?
The Department of Veterans Affairs has set up a special website and a toll-free telephone number for veterans that features up-to-date news and information. Please check this webpage for further updates or call 1-800-FED-INFO (1-800-333-4636).
Page last updated, May 22, 2006
Sunday, May 21, 2006
99.97% accuracy sounds pretty good, unless you are one of the 1500 people in the UK incorrectly labeled as a criminal.
The Criminal Records Bureau is unapologetic that it errs on the side of caution in managing its databases. See: BBC NEWS | UK | Hundreds wrongly dubbed criminals.
Labels: information breaches
Child protection authorities in Scotland are planning to phase in an enormous database on all children born in the country in an effort to identify children at risk of abuse. Not surprisingly, the initiative is being referred to as "Orwellian":
Edinburgh Evening News - Edinburgh - 'Big Brother' plan to store every baby on computer: "'Big Brother' plan to store every baby on computer
EVERY newborn child in Edinburgh and the Lothians faces being stored on a "Big Brother-style" national database under a major shake-up of Scotland's child protection system.
The computerised files would be kept "live" until the child reaches the age of 16 and will include personal details of their health, family life and education.
The child's file will be closed when they reach 16, but it will then be kept on record for up to 75 years.
Teachers, police, GPs and social workers will be able to access the files to check for signs of abuse.
If the child is regularly late for school or their behaviour changes dramatically, the details could be put into the system where it is hoped it will build up a picture of the child's overall welfare.
The national database is being planned by ministers to revolutionise information sharing between different agencies and improve protection for vulnerable children.
The move follows a series of high-profile cases of child protection failures in Edinburgh and the Lothians.
In March, two-year-old East Lothian boy Derek Doran died after drinking his parents' methadone. He had been found dead in his bed by his mother last December at their home at Elphinstone, near Tranent.
And last year, three-year-old Michael McGarrity was found alone in a Leith flat with the body of his drug-addict mother, having survived for six weeks on scraps of food.
The scheme is to be piloted in Highland Council from September 3 before being extended across the country, according to the Scottish Executive.
Every newborn child in the Highland region and around 500 Inverness schoolchildren will be logged into the system during the trial.
Families have been told they will be consulted about the nature of information that is held.
A spokesman for the Scottish Executive said: "Highland's experience will also be used to help other local authorities prepare for the roll-out of the new systems."
But a human rights expert warned the new system may be open to abuse.
John Scott, former head of the Scottish Human Rights Centre, said: "The positive aspects of this are fairly obvious but bringing so much information into one place brings with it the scope for abuse.
"The important thing it to ensure there are very clear safeguards in place."
Thanks to Pogo Was Right for the link.
This is interesting (and unexpected):
The Department of Homeland Security's Privacy Office has issued a draft report that strongly criticizes privacy and security risks of using radio frequency identification devices for human identification. Public comment on the paper is being taken until May 22.
The privacy office says the technology offers little performance benefit for identification purposes compared with other methods and could turn the government's identification system into a surveillance system.
Yesterday's San Francisco Chronicle has a very interesting article on attitudes toward privacy held by the "younger generation". You know them: they're more than happy to detail their most personal thougts in blogs and on MySpace but freak out when they think someone from the government might be listening.
The age of privacy / Gen Y not shy sharing online -- but worries about spying
Over the past 12 years, Melissa Gira has cultivated a daily audience of 4,000 strangers, whom she lets watch her most intimate moments on her Web site. They have watched her wake up and recall her dreams, and they have watched her suffer through breakups. In more recent years, some have paid hourly fees to watch her perform "digital sex."
Gira, a.k.a. m. Shakti, was one of the first "Web cam girls" who, using a real-time camera, intentionally exposed the details of her life online 24 hours a day, seven days a week.
"I shared secrets there I wouldn't share with anyone else," Gira said. "Things I said only to therapists, best friends."
Yet when the 28-year-old San Francisco resident learned last week, along with millions of Americans, that the National Security Agency had collected the telephone records of unsuspecting citizens, it crossed Gira's privacy line.
Labels: information breaches
Saturday, May 20, 2006
Labels: information breaches
David Canton's regular IT column in the London Free Press is about the practice of printing full debit and credit card numbers on receipts. (See: London Free Press - David Canton - Printing card data not smart.)
This is a practice that really bugs me. In three days in Toronto last week, every debit and credit card receipt I accumulated had my full number and expiry date printed on it. I was in Toronto for a Canadian Institute conference on Privacy Compliance, which I co-chaired. The topic of receipts came up in discussions with the Assistant Privacy Commissioner of Canada, the Alberta Commissioner and the British Columbia Commissioner. The Alberta Commissioner, Frank Work, discussed the incident that David mentions in his column and one of the more interesting things he discovered in his investigation: there's a black market for these receipts and they are $25.00 each.
The assistant federal commissioner, Heather Black, mentioned that the Commissioner's office had canvassed most of the POS suppliers in Canada, who assured them that they are rolling out upgraded machines as fast as they can. Not fast enough, in my personal opinion.
For those retailers whose receipts are generated through a full POS system, I expect it's just a software patch that would do the job. The dedicated card terminals may need something more.
But even if it is a "hardware problem", why not give cashiers a jiffy marker to black out the digits? There's no reason to have them on the receipt since it is all settled electronically and the transaction code is enough to reconcile the day's accounts. As for me (at least in restaurants, where I'm asked to sign the slip and have the time to linger), I black out my card number myself.
Thursday, May 18, 2006
Run, do not walk, to read this very interesting comment by Bill Schneier: Wired News: The Eternal Value of Privacy. Here's a taste:
The most common retort against privacy advocates -- by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures -- is this line: "If you aren't doing anything wrong, what do you have to hide?"
Some clever answers: "If I'm not doing anything wrong, then you have no cause to watch me." "Because the government gets to define what's wrong, and they keep changing the definition." "Because you might do something wrong with my information." My problem with quips like these -- as right as they are -- is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.
I recently blogged about a recent decision from the Nova Scotia Court of Appeal that held individual physician billing information should not be disclosed under the province's Freedom of Information and Protection of Privacy Act (See: The Canadian Privacy Law Blog: Doctors' billings in Nova Scotia is private information under FOIPOP). This is a different result than that reached in Manitoba and British Columbia and is an important interpretation of the Act in Nova Scotia.
The decision is not yet up at the Courts' website, but here's a copy:
2006 NSCA 59
Counsel: Cynthia Scott for Appellant
Edward Gores, Q.C. for Respondent, Her Majesty the Queen
Graham Steele for Respondent, Joanna Redden
Ms. Redden applied under Nova Scotia's Freedom of Information and Protection of Privacy Act for disclosure of records with the provincial Department of Health showing named physician billings from 2000 to 2004, later revised to 2002-2004. The Supreme Court ordered disclosure. Doctors Nova Scotia, representing physicians, appeals. Doctors Nova Scotia says that the disclosure of named physicians' individual billings would unreasonably invade the physicians' privacy. It is common ground that the request is for personal information. There are two issues. (1) Does the requested information reveal details of "a contract to supply services to a public body" (which is deemed not to unreasonably invade privacy) under s. 20(4)(f) of the Act? (2) If not, does a consideration of the circumstances cited in s. 20(2) rebut the statutory presumption that disclosure would unreasonably invade the physicians' privacy?
The Freedom of Information and Protection of Privacy Act, S.N.S. 1993, c. 5, as am. ("Act") prescribes the procedure for access to records possessed by public bodies, including provincial government departments. On July 21, 2004, the respondent Joanna Redden applied under s. 6(1) of the Act for copies of records possessed by the Department of Health showing "the total physician billing, by physician, in Nova Scotia from 2000 to the present." Ms. Redden is on staff with the New Democratic Party.
Under s. 22 of the Act, the Department of Health gave notice of Ms. Redden's request to the appellant Doctors Nova Scotia ("DNS"). DNS represents physicians in the Province, and was formerly known as the Medical Society of Nova Scotia. DNS objected to Ms. Redden's request. DNS said the disclosure would unreasonably invade physicians' privacy.
The Department of Health responded to DNS with a letter of September 17, 2004 stating:
Wednesday, May 17, 2006
A friend sent me this earlier today and I thought I'd pass it along:
Labels: information breaches
Some of the biggest names in privacy in Canada have joined together to lobby the new Conservative government about potential privacy effects of legislative changes enshrining digital rights management in Canadian copyright law. The new group (IntellectualPrivacy.ca) has sent a letter and a background paper to Culture minister Maxime Bernier asking that privacy issues be carefully considered before embarking on changes to copyright laws that could have a significant privacy impact upon Canadians. The privacy commissioners of Canada, Ontario and British Columbia have also each sent separate letters to the Minister on the topic.
In short, the group is seeking assurances from the government that:
- any proposed copyright reforms will prioritize privacy protection by including a full privacy consultation and a full privacy impact assessment with the introduction of any copyright reform bill;
- any proposed anti-circumvention provisions will create no negative privacy impact; and
- any proposed copyright reforms will include pro-active privacy protections that, for example, enshrine the rights of Canadians to access and enjoy copyright works anonymously and in private.
In the fallout of the most recent privacy scandal (The Canadian Privacy Law Blog: NSA collection of info on ordinary Americans wider than originally suspected), Verizon and Bellsouth are denying having given calling information to the National Security Agency in the first place. (See: NPR : Phone Companies Distance Themselves from NSA.) Another major carrier, Qwest, got some publicity for first saying they were asked by the NSA but refused. (See: Qwest Goes From the Goat to the Hero - New York Times.) There's nothing I can find in a quick search of the conventional media or in the blogosphere suggesting that AT&T have issued any statements one way or another.
Labels: information breaches
Tuesday, May 16, 2006
(Update 20060516) Here's an interesting lesson about assuming that RSS feeds are recent: The story below that I posted about earlier today is actually six years old. It was originally published in October 2000. Thanks to the reader who e-mailed to point that out! (I thought it was oddly familiar ...)
The Attorney General of Texas has stepped in to try to limit the resale of defunct Living.com's customer data as part of a bankruptcy sale. According to Computer World, the AG has filed a lawsuit against the company's bankruptcy trustee to require the destruction of sensitive financial customer information (credit card data, social security numbers, etc) and a requirement that the customers in question be given a chance to opt out before their remaining data is transferred. See: Texas Attorney General Sues to Stop Living.com Data Sale.
Labels: information breaches
Critics are urging citizens to call and e-mail legislators about proposed amendments to Alberta's access to information law that will keep certain government information unreachable for a longer period of time:
The Calgary Sun - Canada's 'private' province slammed:
New secrecy laws irk Alberta critics
By DARCY HENTON, LEGISLATURE BUREAU
EDMONTON -- Critics say the most secretive government in Canada is about to get even worse with new legislation it hopes to ram through the House this week.
They say Alberta's Freedom of Information and Privacy law is already so restrictive that even government MLAs have joked FOIP actually stands for (expletives deleted) It's Private.
Liberal Government Services critic Mo Elsalhy says new amendments to exclude ministerial briefing notes from being accessed for five years would have prevented the uncovering of the AdScam scandal.
'Everyone is talking about openness and transparency. This government is going in the opposite direction.
'They're adding more layers of secrecy to a government that's already too secretive.'
The FOIP amendments also will delay access to documents from the government's chief internal auditor for 15 years and include other measures to delay the release of information, Elsalhy said....
Here's some coverage from the Canadian Press (via Yahoo!):
Alberta government forcing through changes on contentious info law - Yahoo! Canada News:
EDMONTON (CP) - Alberta's freedom of information law, once described by a journalism group as the most secretive in Canada, is about to get even more restrictive.
The Conservative government is pushing through changes this week to Alberta's Freedom of Information and Protection of Privacy Act to put a five-year blackout on briefing documents and other records that show how Premier Ralph Klein ran the province for more than a dozen years. "This Conservative government seems hell bent to ram through legislation this week to make Canada's most secretive government even more tight-lipped," Liberal Leader Kevin Taft said Monday in the legislature.
Taft accused the Tories of putting the interests of two dozen cabinet ministers ahead of three million Alberta residents.
But Klein said the Liberals are complaining because they won't be able to make political hay with cabinet briefing documents.
"There is no way that the opposition is going to get this briefing book," Klein, waving his notes in the air, told the legislature.
"They will use it for purely political purposes."
Klein's Conservatives are using their majority to limit further debate on Bill 20 as the spring sitting of the legislature winds down this week.
Klein has said cabinet briefings are sometimes brutally frank and sharing this anytime soon with the public might be embarrassing for his staff and other bureaucrats.
"There are some sensitive pieces of information that were put together by the administration," Klein told the assembly.
"Noxious! That's the word used by a top expert in government secrecy when asked to describe this government's Bill 20," said Taft, who was referring to Alasdair Roberts, a Canadian author and professor teaching at Syracuse University in New York state.
Frank Work, Alberta's information commissioner, has also criticized Bill 20, saying the restrictions are unnecessary, since most cabinet documents are already kept confidential for an infinite period.
Raj Pannu, information critic for the NDP, said Klein is trying to cover his tracks before retiring later this year.
Pannu said people need to remember that Tory leadership contender Lyle Oberg was fired from cabinet recently after saying he knew about the "skeletons" in the government's past.
"There are lots of skeletons in the closet for this government and they want to keep them in the closet for as long as they can," Pannu said Monday in an interview.
On Friday, the Nova Scotia Court of Appeal ruled that individual billings by physicians in the province should not be disclosed under the Freedom of Information and Protection of Privacy Act. The decision isn't online yet at www.courts.ns.ca or www.canlii.org, but I'll post a link when it's up.
In the meantime, here's some coverage from the Halifax Chronicle Herald:
Court keeps doctors’ payments secret
By JENNIFER STEWART Staff Reporter
Nova Scotia doctors will not be required to disclose to government their fees for services rendered, the Nova Scotia Court of Appeal ruled Friday.
In April, members of Doctors Nova Scotia appealed an earlier Supreme Court of Nova Scotia decision that ordered all physicians in the province to hand over any MSI fee-for-service billing records, with their names attached.
Joanna Redden of the NDP made the request in July 2004, claiming the information was pertinent to helping solve the province’s health-care crisis.
The doctors had no problem providing the financial information but said the inclusion of the physicians’ names was a gross invasion of privacy.
Justices Joel Fichaud, Thomas Cromwell and Linda Oland, who heard the appeal on April 5, agreed.
"The disclosure of the names of individual physicians would be an unreasonable invasion of the physician’s privacy," the decision says.
Labels: information breaches
Monday, May 15, 2006
It was reported last week that the Information and Privacy Commissioner of Prince Edward Island has temporarily taken leave due to stress. (See: CBC Prince Edward Island - Privacy commissioner takes sick leave and CBC Prince Edward Island - Minister surprised by overwork complaint) I didn't blog about it, principally because her health is her own business and shouldn't be the topic of public discussion. However, it has caused some discussion of real public interest on the role of the Information and Privacy Commissioner in that province and, particularly, the resources that should be devoted to the function.
Currently, the province's Commissioner is a part-time position, at 22.5 hours a week and with part-time administrative support. Her annual report, filed at the beginning of the month, outlines the backlog that her office is having to deal with.
Now today's Guardian has an editorial on the situation:
The Guardian: Province at crossroads on information
Either put more resources into the info commissioner’s office or tell the public to expect longer waits for information.
By The Guardian
Based on the recent report of P.E.I.’s information and privacy commissioner, government has two choices. It can lighten the demand on the office so that the current staff can handle it, or it can beef up resources so it can meet the targets set out in legislation.
If government has a genuine appreciation of the role of this newly created office, it should do the latter.
In her report to the legislature presented last week by Speaker Greg Deighan, Rebecca Wellner, part-time information and privacy commissioner, urged government to make the position of commissioner and her assistant full-time and increase their financial resources.
Why? The report identifies a growing backlog of incomplete files. In spite of the law requiring the office to process cases within 90 days of the date of filing, only three of 27 files that resulted in orders from the commissioner from 2003-2004 were dealt within the allotted time.
It appears the office is swamped with work and lacks the resources it needs to respond. If that’s the case, it’s unfair to the staff trying to get the job done, unfair to the parties who’ve filed requests with the office expecting they’ll get timely results, and it’s unfair to taxpayers who are paying for the service.
P.E.I. was one of the few provinces without access to information legislation until a few years ago when government finally adopted it. Suffice to say, it’s been a work in progress. Some of those who’ve used it say it’s costly and cumbersome, although these are seen as common problems that must simply be worked out.
In an era where voters are demanding more openness and accountability from their governments, this legislation is seen as a necessary tool to access public documents and information. It’s obvious that when the P.E.I. government created the office of the information and privacy commissioner, it attempted to ensure reasonable accessibility. Why else would it have put into law the requirement that cases be processed within 90 days?
However, the current staffing of the office doesn’t appear to be adequate to allow for this. Government must either revise the legislation and provide a longer period for case completion or address the staff inadequacies.
If government doesn’t want to render the office ineffective — and we assume that to be the case — it should follow Ms. Wellner’s recommendation and make the position of commissioner and her assistant full time. It’s the price we have to pay to ensure that our information and privacy legislation remains active and effective for Islanders.
Sunday, May 14, 2006
A TV service provider in London has rolled out a pilot project in which feeds from hundreds of "crime fighting" CCTV cameras are being rebroadcast for in-home viewing:
Telegraph | News | CCTV channel beamed to your home:
Shoreditch TV is an experiment in beaming live footage from the street into people's homes and promises to be every bit as fascinating as the courtship rituals of Celebrity Big Brother contestants Chantelle and Preston.
Viewers can watch the dog walkers on the street below, monitor the appearance of new graffiti and keep an eye on the local pub.
This summer 22,000 Londoners will be tuning in and homes across Britain are getting their own version next year. But despite being a curtain-twitcher's paradise, the channel is about 'fighting crime from the sofa', not entertainment.
In return for a package that includes footage from 12 security cameras, a police advice channel and an array of standard cable fare, the residents of Haberdasher Estate are expected to shop any yobs that they catch on camera.
Check out, also, the Slashdot discussion: Slashdot | London 2006, Meet London 1984.
In this recent complaint to the Privacy Commissioner, an individual objected to an insurance company's policy of providing access to medical information by giving it to the individual's physician, who would then provide the information to the individual. This practice is contemplated by Principle 4.9 in Schedule I to PIPEDA. The Commissioner found that the insurance company had not violated its obligations under PIPEDA in providing access in this manner.
In this recent finding, the Commissioner dealt with a complaint by a bank customer who had contacted his bank asking not to be marketed to but subsequently was contacted a number of times by his branch about products and services.
The bank informed the Commissioner that there are two circumstances where the customer may be contacted notwithstanding a "do not solicit" flag on his or her file: (a) in-branch generated sales leads and (b) leads developed by data mining but taking advantage of service-related communication opportunities such as GIC and mortgage renewals.
The Commissioner considered that the bank had not followed the consent principle 4.3 and determined the complaint to be well-founded and resolved.
In this just-released finding, an individual complained that a credit bureau required that the individual provide two pieces of identification before providing him a copy of his credit report. The Commissioner consulted with another credit bureau and found that their policy was the same.
In this case, the Commissioner relied on principle 4.9.2, in which an organization can require additional information in order to fulfil an access request. The complaint was not well founded as the credit bureau has to authenticate an individual's identity before handing over this sensitive information. (As an aside: I expect they'd be risking a complaint about inadequate security if they did not do so.)
One of the most commonly identified "defects" with PIPEDA is that it does not contemplate and efficiently handle the disclosure of personal information in connection with the sale of a business, including pre-sale due diligence. This complaint dealt with the sale of a dentist's practice before the Ontario health information privacy law came into effect and was declared to be "substantially similar" to PIPEDA.
In this particular case, the complainant was given a "consent form" that contemplated that patient records may be disclosed in connection with the sale of the dental practice. It is not clear what the form actually said and whether it purported to obtain patients' consent. (Again, we have a situation where the lack of full detail in the summarized finding makes it very difficult to pull out best practices for the future.)
The Commissioner determined that the disclosure of certain patient records in connection with pre-purchase due diligence in this case was not contrary to PIPEDA. She reasoned:
Does this mean that a company that is not "subject to numerous regulations concerning privacy" can't disclose customer information as part of the sale process? I don't know.
In a finding by the Office of the Privacy Commissioner released on Friday, two individuals complained that a credit bureau was keeping positive credit information on file for too long. Retention of negative information is limited by provincial law, but there was no self-imposed retention period for favourable information. During the course of the investigation, the bureau decided on twenty years and also decided to give individuals the right to have it removed before then. The Commissioner therefore considered the complaint to be resolved.
Saturday, May 13, 2006
The consumer columnist in the Toronto Star, Ellen Roseman, is focusing on three privacy-related complaints. See: TheStar.com - Playing fast and loose with privacy. Thanks to Pogo Was Right for the link.
Labels: information breaches
Most Canadians are familiar with the War Amps key tag program. This amazing organization, whose chief purpose is to assist amputees in Canada, creates numbered key tags in a sheltered workshop and sends them to Canadians. If you put the tag on your keychain and your keys are lost, they'll find their way back to you if the finder drops them in a mailbox or calls the toll free number printed on the tag. One way that the organization has obtained names and addresses is through agreements with the provinces. Recently, they've encountered problems with the province of Alberta, where the Freedom of Information and Protection of Privacy Act limits the province's ability to disclose personal information to third parties. The Calgary Sun is reporting that the War Amps and the province have reached a deal that is a real compromise: all Albertans will be asked if they consent to the disclosure of their personal information when they renew their drivers' licenses. The War Amps is concerned that not all will consent and that it'll increase their costs. See: The Calgary Sun - Privacy form key to deal.
Friday, May 12, 2006
Nova Scotia's proposed Personal Information International Disclosure Protection Act is set to die on the order paper as the new Premier is expected to ask the Lieutenant Governor of Nova Scotia to disband the legislature and call an election for June 13.
For coverage of the imminent election call, see: The ChronicleHerald.ca: Premier poised for June vote: Election announcement "matter of hours now,’ Tory source says
For more on Bill 16, see The Canadian Privacy Law Blog: Bill 16: The Personal Information International Disclosure Protection Act (Nova Scotia) and The Canadian Privacy Law Blog: Nova Scotia introduces amendments to thwart USA Patriot Act.
Phillipa Lawson of the Canadian Internet Policy and Public Interest Clinic has a thing or two to say about the practice of taking thumbprints from LSAT test-takers:
blog*on*nymity - blogging On the Identity Trail: Mandatory thumbprinting for the LSAT: an appropriate use of biometrics?:
...In any case, LSAC must still explain why other, less intrusive identification methods (such as the presentation of photo ID) are inadequate for the purpose of deterring fraud. Perhaps it is necessary to collect and store individual identifiers for some time after the test is administered, in order to be able to authenticate identities after the fact, in response to allegations of fraud. If so, are non-digitized thumbprints the least intrusive method? ...
For some additional background, see: The Canadian Privacy Law Blog: Complaint about LSAT fingerprinting
The US Federal Trade Commission has just settled a case with Nations Title Agency and its parent company, Nations Holding Company, for dumping customers' loan applications in dumpsters instead of properly disposing of them. There does not appear to be a fine involved. See:
Feds Ding Data 'Dumpster'
The Kansas City-based NHC settled with the FTC Wednesday, agreeing to not misrepresent the extent of its data protection safeguards. The company also agreed to establish and maintain a comprehensive information security program subject to third-party audits for the next 20 years.
Labels: information breaches
Thursday, May 11, 2006
Sorry folks, I don't make this stuff up ...
A school board on Cape Cod in Massachusetts has caused a minor kerfuffle by requiring students to fill out a form on their intended prom dates so that the school board can run a criminal records check on them. Tonya Dockray is a little peeved that her boyfriend's old pot bust means she'll be flying solo at the prom. Check it out: School Bans Some Dates From Senior Prom - Yahoo! News.
Update (20060513): Apparently the school authorities have backed off: BostonHerald.com - Local / Regional News: Prom-ising ending: School backs off ban on dates amid probe.
Labels: information breaches
USA Today is reporting that the US National Security Agency, which has already been linked to warrantless wiretaps, has been collecting data on virtually all phone calls made in the United States of America since the end of 2001. The data for this mammoth collection effort was provided by AT&T, Verizon and BellSouth. While the contents of the calls are not reported to have been collected, the effort was focused at analyzing calling patters to ferret out terrorists.
From USA Today:
NSA has massive database of Americans' phone calls - Yahoo! News
The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY.
The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans - most of whom aren't suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews.
"It's the largest database ever assembled in the world," said one person, who, like the others who agreed to talk about the NSA's activities, declined to be identified by name or affiliation. The agency's goal is "to create a database of every call ever made" within the nation's borders, this person added.
For the customers of these companies, it means that the government has detailed records of calls they made - across town or across the country - to family members, co-workers, business contacts and others.
The three telecommunications companies are working under contract with the NSA, which launched the program in 2001 shortly after the Sept. 11 terrorist attacks, the sources said. The program is aimed at identifying and tracking suspected terrorists, they said.
The sources would talk only under a guarantee of anonymity because the NSA program is secret. ...
An Edmonton pawnbroker says he will not back down from his fight against a new bylaw that requires vendors of second-hand goods to transmit personal information on customers to a central database. He has complained to the Alberta Privacy Commissioner and expects a public hearing in due course. See: edmontonsun.com - Edmonton News - Pawnbroker won't quit privacy fight.
This isn't a new fight. I've blogged about similar bylaws here before:
Wednesday, May 10, 2006
Thanks to a regular Vancouver correspondent for passing this along ...
The British Columbia CTV news is reporting that the BC Cancer Agency accidentally sent 977 sets of mammogram results to the wrong addresses. It was caused by "operator error" in using a letter stuffing machine. The agency sent letters to the 977, informing them of the error. This story only came to the media's attention because CTV's health correspondent was one of the unlucky recipients.
The only coverage I can find is from the CTV's news broadcast: video here (scroll to 15:14). There's nothing on the Cancer Agency website.
Tuesday, May 09, 2006
Today's New York times has an interesting essay that describes how a woman reviewed her own medical file and secretly removed all references to the fact that she has a family history of Huntington's disease. She did so out of fear that the information, in the hands of insurance companies, might prejudice her children and their ability to get coverage.
It's an interesting illustration that not only are some patients not being forthright with their physicians out of fear where their information may end up, but some will take more drastic action. Both can have a serious impact upon the health care they receive. See: The Quest for Privacy Can Make Us Thieves - New York Times.
Monday, May 08, 2006
Bill 16, the proposed Personal Information International Disclosure Protection Act (Nova Scotia) was introduced in the Nova Scotia legislature last week, but the full text hasn't appeared yet on the legislature's website. For those who are too impatient to wait, here is a pdf copy of Bill 16: http://www.privacylawyer.ca/Bill_16_PIIDPA.pdf. I tried to OCR it for posting the text, but the quality of the fax isn't that great.
Update (20060508): The text of the bill is now online at the official Nova Scotia government legislature site here.
Michael Geist's latest Law Bytes article in the Toronto Star addresses the recent Heinz decision from the Supreme Court of Canada (see: The Canadian Privacy Law Blog: New Supreme Court of Canada decision considers privacy aspects of Access to Information Act review procedure). Here's an extract:
TheStar.com - Supreme court tips its hand on privacy:
"A divided court ultimately sided with the company by ruling that privacy considerations were too important to be left out. The majority of the judges feared that once the personal information was disclosed, the only recourse would be to launch a complaint with the Privacy Commissioner of Canada. That option was viewed as insufficient, with the court candidly concluding that 'the Privacy Commissioner and the Information Commissioner are of little help because, with no power to make binding orders, they have no teeth.'
Indeed, the court had little confidence in the complaints mechanism, which it viewed as inadequate because 'the Privacy Commissioner has no authority to issue decisions binding on the government institution or the party contesting the disclosure. Nor does the Commissioner have an injunctive power which would allow it to stay the disclosure of information pending the outcome of an investigation.'
In other words, the current framework simply does not provide adequate privacy protection.
Given the importance of privacy -- the majority characterized the Privacy Act as 'quasi-constitutional' because of the role privacy plays in the preservation of a free and democratic society -- the court was unwilling to allow for a potential privacy breach with little prospect for subsequent protection."
Labels: information breaches
Sunday, May 07, 2006
Michael Fitzgibbon at Thoughts from a Management Lawyer just posted that his blog's third birthday recently passed by. (Thoughts from a Management Lawyer: Another Day, Another Blog Anniversary) Happy anniversary, Mike!
One of the great, but unanticipated, benefits of starting my own blog has been the chance to get to know Mike and, more recently, meet him in person.
All the best for the next three (and more) years ...
Labels: information breaches
Canadian immigration authorities are starting a "low key" biometrics trial in a number of centres, including a handful of border crossings in British Columbia and Ontario.
The fact of the trial is interesting enough, but the polling and spin plan referred to in the following article is also very interesting:
Print Story - canada.com network
Biometric screening program planned
The controversial technology would be used on immigrants and refugees
Saturday, May 06, 2006
OTTAWA -- The Conservative government, concerned about negative media coverage and public concerns over privacy issues, is taking a "low-key" approach to its plans to launch a six-month trial later this year of controversial biometrics screening technology at key entry points for immigrants and refugees, according to internal documents.
The $3.5-million trial program will take place at two Canada-U.S. border stations in B.C., Vancouver International Airport, a refugee processing centre in Etobicoke, Ont., and visa offices in Seattle and Hong Kong.
The trial marks one of the government's first moves into the controversial use of biometrics -- the use of physical characteristics such as DNA or face, iris or fingerprint scans -- to confirm identity documents.
Privacy Commissioner Jennifer Stoddart has raised questions about biometrics in the context of broader post 9/11 concerns about how the personal information of Canadians can be distributed, often without their knowledge, to governments, corporations and even U.S. security agencies through the powerful and intrusive Patriot Act.
Polls show that numerous Canadians don't trust the technology, fear who may have access to it, and view their physical characteristics as "extremely personal," said Florence Nguyen, a media spokeswoman at Stoddart's office.
"They're very concerned."
CIC officials consulted Stoddart's office on the trial program, which was first funded by the former Liberal government in 2003. Nguyen said privacy officials proposed changes to improve privacy protection, and will await results on the trial program before passing final judgment.
A March 15, 2006 slide presentation to Solberg described the trial as a "sensitive issue."
It noted that an internal poll found that more than 70 per cent of Canadians support biometrics for use in passports and at borders, but that the polling also indicates "mixed opinions" and added that "security still surpasses privacy concerns but is weakening."
The presentation, noting that media coverage of biometrics has been "negative" due to privacy concerns, argues against strongly publicizing the initiative.
"Communications strategy takes this into consideration, proposing a low-key approach and news release upon launch of the trial," states the plan, obtained by Ottawa researcher Ken Rubin through the Access to Information Act.
Charette's March 15 partly-censored briefing note predicts a strong reaction from media and non-governmental organizations to the trial and says "communications strategy will include the preparation of "media lines" for Solberg and a "broad communications strategy on the field trial."
The third component of the media strategy is also whited out, although Access to Information officials at Citizenship and Immigration Canada refused to disclose in the document which specific section of the legislation was used to justify the exclusions.
There are indications CIC is following through on the plan to lay low about the trial.
CIC published a brief notice of the trial on its website last month announcing the trial, identifying Unisys Canada Inc. as the company that has won the contract to supply the biometrics technology. However, no formal news release was issued, and CIC spokeswoman Sheila Watson said the department can't explain why it issued a notice rather than a press release, and couldn't explain whether the two forms of communication have different distribution networks to the media and other organizations.
Saturday, May 06, 2006
If you have a friend, acquiaintance, colleague, contact, chum, pal, neighbour or customer who is involved in decommissioning any (ANY!) information technology assets, please tell him or her that the surest route to the unemployment queue is to disposte of any media containing business or personal information without securely wiping the contents. The latest example of this is from ComputerWorld (Idaho utility hard drives -- and data -- turn up on eBay), but it is just one of hundreds of similar incidents. I would have thought that the word would have gotten out by now, but I guess some people just don't read the news. If I were to buy a used hard-drive on eBay, the first thing I'd do is run an unerase program just to see what's there. Hundreds of other people would do it and either (i) call the media or (ii) rip off your customers. It doesn't have to be that way. Just don't let it happen.
Labels: information breaches
Yesterday, in the second day of the spring sitting of the provincial legislature, Nova Scotia's Justice Minister, Murray Scott, tabled Bill No. 16 - Entitled an Act to Protect the Personal Information of Nova Scotians from Disclosure Outside Canada. (Hon. Murray Scott), (the full text is not yet available online). It will amend the Freedom of Information and Protection of Privacy Act to address the perceived threat to privacy posed by the USA Patriot Act if the processing or storage of personal information is outsourced by Nova Scotia public bodies to companies operating in the US (or US companies operating in Canada).
The appearance of the bill was foreshadowed by consultations among public bodies and IT service providers (see: The Canadian Privacy Law Blog: Nova Scotia consultations on Patriot Act amendments to FOIPOP).
Here's the press release from the Nova Scotia government:
News Release: Department of Justice:
"New Legislation to Protect Privacy
Department of Justice
May 5, 2006 11:15
New provincial legislation will better ensure that Nova Scotians' personal information is not disclosed under the U.S. Patriot Act.
The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.
"We know that American security legislation has led to concerns about the ability to access personal information of Nova Scotians held outside Canada," said Murray Scott, Minister of Justice. "This legislation clearly outlines the responsibilities of public bodies, municipalities and technology service providers, and the consequences if they are not fulfilled."
The act provides protection regarding storage, disclosure and access to personal information outside of Canada in the custody or under the control of a public body or municipality.
Under the act, the minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. It also requires that service providers storing information only collect and use personal information necessary for their work for a public body or municipality.
The act also address "whistleblower" protection for employees of external service providers to ensure they are protected if they report an offense under the act. Whistleblower protection for Nova Scotia government staff already exists under the Civil Service Act.
"In order for these measures to be successful, staff must be sure they will be protected if they come forward to report wrongdoing under this act," said Mr. Scott.
Penalties under the act include up to $2,000 per government employee for malicious disclosure by employees of public bodies and municipalities. The act also creates offences for service providers, with penalties of up to $2,000 for employees and $500,000 for companies.
Offences relate to the improper storage, collection, use, or disclosure, failure to notify the minister of Justice of foreign disclosure demands, and improper discipline or termination of employees.
"We are putting in place serious and significant penalties to protect the privacy of Nova Scotians," said Mr. Scott.
The minister also announced that the Wills Act is being amended. Updates will bring it more in line with other Canadian jurisdictions. The amendments respond to recommendations of the Law Reform Commission and will make it easier for people to ensure their final wishes are fulfilled by clarifying the effect divorces have on wills and the distribution of property in Nova Scotia under wills made outside the province. It will also permit handwritten wills.
The province is also introducing a number of housekeeping amendments under the Justice Administration Act.
FOR BROADCAST USE:
Justice Minister Murray Scott has introduced new provincial legislation that will help ensure Nova Scotians' personal information is not at risk from activities under the U.S. Patriot Act.
The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.
The act provides protection regarding storage, disclosure and access to personal information in the custody or under the control of a public body or municipality.
I'll definitely have more to say about this once I've had a chance to review Bill 16 in some detail.
Alec Saunders, at saunderslog.com is a little upset about receiving some unsolicited e-mail from the liberal party and Bill Graham (How to Stop the Liberal Party of Canada From Spamming You -- Alec Saunders .LOG):
And here, of course, is the irony. It was a Liberal Government which introduced the Personal Information Protection and Electronic Documents Act.
Whether this is a violation of PIPEDA depends upon whether that law applies at all. PIPEDA only regulates the collection, use and disclosure of personal information in the course of commercial activities (and information about employees of federal works, undetakings and businesses). This generally excludes non-profits, like political parties. Some activities are deemed to be commercial, like the sale or trade of personal information by a non-profit organization.
It's arguable that PIPEDA wouldn't apply in the case of political spam, unless one organization has traded the e-mail address with another. But if it bugs you enough, complain to the Privacy Commissioner and see if she agrees...
Wired is running an article on RFID hackers, highlighting that it is rather easy for RFID chips to be hacked/cloned/altered/abused using a little knowledge and some off the shelf equipment: Wired 14.05: The RFID Hacking Underground.
Friday, May 05, 2006
According to the Halifax Chronicle-Herald, a Nova Scotia man is the first in the province (and perhaps the country) to be charged under Canada's recent voyeurism amendments to the Criminal Code. Gist:
Man, 33, first to face voyeurism charge
By TOM McCOAG Amherst Bureau
AMHERST — A Cumberland County man has become the first Nova Scotian to be charged under the new voyeurism section of the Criminal Code.
Winston Charles Patriquin, 33, of Port Howe is alleged to have used a video camera to secretly tape a girl having a shower. He is also charged with one count of knowingly accessing child pornography through a computer for his own use, making child pornography and possession of child pornography.
"This is definitely the first case of (voyeurism) to be tried in the province, and we think it may be the first case in Canada," Chris Hansen, spokeswoman for the Nova Scotia Public Prosecution Service said Thursday. ""We’re not exactly sure of the latter, but if it isn’t the first, it certainly is among the first charges under this newly created section to be laid in the country."
The bill that added voyeurism to the code passed last fall and increases the sentences for people convicted for possessing, making and distributing child pornography or committing an act of child molestation by "ensuring that those convicted of those crimes will serve jail time." ...
Labels: information breaches
Wednesday, May 03, 2006
The Guardian Online has a very interesting special report on identity theft, using a discarded boarding pass to track down huges troves of information on the poor guy who discarded it. It's a tale of how much information is collected and how easy it is for bad guys to get ahold of it. Read on:
Guardian Unlimited | Special reports | Q. What could this boarding pass tell an identity fraudster about you? A. Way too much:
"... We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.
Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.) ..."
Recent scandal in the United States over warrantless wiretapping by the NSA under the USA Patriot Act has led to increased scrutiny of Canada's Communications Security Establishment and its actions under the Anti-terrorism Act. Gist:
CTV.ca | U.S. wiretapping scandal sparks Canadian inquiry:
OTTAWA -- Allegations of illegal eavesdropping by U.S. spies prompted pointed questions from the federal watchdog who oversees their Canadian counterparts, newly released records reveal.
Correspondence obtained by The Canadian Press shows the public controversy about U.S. National Security Agency spying on American citizens led to a series of highly classified exchanges in Ottawa.
John Adams, chief of the ultra-secret Communications Security Establishment, was forced to respond to detailed inquiries spanning two months from the office of Antonio Lamer, the former Supreme Court chief justice who, as CSE commissioner, serves as watchdog over the spy outfit.
But it is clear from the records, obtained under the Access to Information Act, that Lamer's office wanted to ensure the CSE, a wing of the Defence Department, wasn't contravening Canadian law by conducting excessive snooping in the fight against terrorism.
The CSE works closely with the signals intelligence services of allied countries, including the massive Maryland-based National Security Agency, which boasts more than 30,000 employees.
The Premier of the Province of New Brunswick is in hot water and one of this senior official has had to resign after a letter from an opposition politician concerning a constituent with an 18-month licence suspension for drunk driving was released to the media by the Premier's Press Secretary. The Secretary has since resigned and the Ombudsman of the province is investigating under the province's privacy legislation. (See: canadaeast.com - CP Atlantic Regional News. Hat tip to Pogo Was Right for the link.)
This sort of thing is not particularly new in New Brunswick, but you would think they'd learn. See: The Canadian Privacy Law Blog: Politics and privacy: New Brunswick MLA resigns from cabinet over alleged violation of NB's privacy laws, The Canadian Privacy Law Blog: Second New Brunswick Minister resigns over new privacy breach.
Labels: information breaches
Tuesday, May 02, 2006
Network World is running two interesting articles on RFIDs and privacy, both of which include reference to IBM's growing role in this field:
IBM demos RFID tag with privacy-protecting features - Network World:
"The latest to tackle the issue is IBM, which this week is expected to demonstrate its design for an RFID tag with a disabling feature that limits - but doesn't kill - a wireless chip's ability to broadcast item information.
The Clipped Tag gives consumers the option to disable RFID tags on items they purchase without eliminating the possibility that the tags could be used later to expedite product returns or recalls, says Paul Moskowitz, a research staff member at IBM's Watson Research Center in Hawthorne, N.Y. The design calls for a product label with perforations 'like a sheet of postage stamps,' he says.
After purchasing a tagged item, a consumer can tear the Clipped Tag label along the perforations to remove a portion of the tag's antenna, reducing its transmission capability. 'When you do that, you do not kill the tag completely. The chip is still there, and it has some of the antenna left. But you've just taken a tag that may have had a 30-foot range and reduced the range to just a few inches.' "
"Companies using RFID tags on products should notify customers in all cases, should tell customers whether they can deactivate the tags and should build security into the technology as a primary design requirement, the group said. "
Monday, May 01, 2006
The Personal Information Protection and Electronic Documents Act is a messy, difficult to understand statute. It is not clearly drafted and lay people have a heck of a time trying to figure out what it means. It should not be a surprise that many lawyers have a hard time getting their heads around its requirements. For those who deal with the statute on a daily basis, there is a consensus on how it works and how it is to be interpreted. These interpretations are generally confirmed by the Commissioners who enforce the laws and the courts, when privacy issues come before them.
It remains surprising to see parties to litigation (and their counsel) making arguments that go completely against the consensus view. It should not be suprising when the Courts make decisions that, with all due respect, are completely wrong. (See, for example, The Canadian Privacy Law Blog: Courts and PIPEDA: Why the federal law does not apply in British Columbia. )
In a recent arbitral decision from Ontario, an arbitrator was faced with the argument that (i) PIPEDA applies to employee information in the provincially regulated private sector in Ontario and (ii) because of PIPEDA, an employer is prohibited from providing certain information to the union as required under the province's occupational health and safety legislation. The union (oddly) did not seriously dispute argument (i). The panel of the Ontario Labour Relations Board didn't agree with the employer and went farther than the union desired: it concluded that the collection of employee information in connection with the administration of the employment relationship is not "commercial activity" for the purposes of PIPEDA. This is critical since section 4(1) of PIPEDA dictates the circumstances under which the law applies:
4. (1) This Part applies to every organization in respect of personal information that
(a) the organization collects, uses or discloses in the course of commercial activities; or
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
Except for employee information of federal works, undertakings and businesses, PIPEDA can only apply if ther personal information in question is collected, used or disclosed in connection withe commercial activities. The arbitration panel concluded:
Although the definition of commercial activity is quite broad and, as a result, subsection 4(1)(a) of PIPEDA would include the collection, use or disclosure by the company of the personal information of its employees’ for commercial purposes, where the employees’ personal information is being collected, used or disclosed for employment-related purposes, subsection 4(1)(a) does not apply. First, the collection, use or disclosure by an organization of the personal information of its employees solely for employment-related purposes cannot reasonably constitute a “commercial activity” under any logical interpretation of that phrase. The mere fact that an organization carries on a commercial activity cannot, on its own, render the collection, use or disclosure of employee personal information for employment-related purposes into a commercial activity. Furthermore, if subsection 4(1)(a) of PIPEDA is intended to include the employment-related collection, use or disclosure by an organization of the personal information of its employees, subsection 4(1)(b) of PIPEDA (under which Part 1 of PIPEDA applies to the personal information of the employees of federal works, undertakings or businesses) would be unnecessary. (See: Re: McKesson Canada and Teamsters Chemical, Energy and Allied Workers Union, Local 424, 136 L.A.C. (4th) 102, G.F. Luborsky).
This conclusion is in accord with the position embraced by most privacy law practitioners and may help to settle some still broadly-held misconceptions.
The case is International Association of Bridge, Structural, Ornamental and Reinforcing Iron Workers and its Local 736 v. E.S. Fox Limited,  O.L.R.D. No. 107 (QL) and the full text is available online here: http://www.lancasterhouse.com/decisions/2006/jan/OLRB-IABSORIWU,736-v-ESFox.pdf
Thanks to the CUPE Local 1356 blog for the pointer to the case.
The Canadian Internet Policy and Public Interest clinic has today released a pair of reports that paint an unflattering portrait of the state of compliance with privacy laws in Canada. The first is a survey of Canadian retailers to determine whether the companies reviewed are complying with PIPEDA and its equivalents. The second is a survey of the data brokering indstry in Canada. Here's the blurb and links from the CIPPIC website:
CIPPIC News = CIPPIC:
CIPPIC study shows widespread violation of privacy laws
May 1, 2006
In a report released today, the CIPPIC provides the results of the first Canadian survey assessing the compliance of retailers with Canadian data protection laws. The results show widespread non-compliance with federal laws requiring openness, accountability, consent, and individual access to personal data. In a companion report also released today, CIPPIC exposes the many ways that detailed personal information about consumers is gathered and traded in the marketplace.
News Release (French version) Report on Retailer Compliance with PIPEDA Compliance Report - Executive Summary (French version) Compliance Report - Appendices Report on Databrokerage Industry Databroker Report - Executive Summary (French version)
Update (20060512): The Ottawa Citizen is reporting on this in today's edition: Online sellers flout privacy rules.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.