The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Wednesday, May 31, 2006

Update on the Veterans Affairs breach 

Some updated news in the wake of the ginormous data breach at the US Department of Veterans Affairs (for some background, see: The Canadian Privacy Law Blog: Incident: Personal information about 26.5M US veterans on laptop stolen):

World Privacy Law Library 

I've used the World Legal Information Institute's website for various projects, but never browsed around to discover the WorldLII - Privacy Law Library. If privacy is your thing, bookmark the main page of this sub-site now. You can search privacy regulators' decisions from around the world and get your hands on some fantastic publications in very short order. (Thanks to Peter Timmins' Open and Shut for leading me to this great resource.)

What's new in ID theft? 

Yesterday's New York Times has a very interesting and wide-ranging article on identity theft, focusing on the growth in this kind of fraud in Arizona. The article illustrates innovative techniques that clever fraudsters have picked up and highlights the connection between meth abuse and ID theft. Finally, it also discusses whether the boom in identity theft is actually caused by how easily financial institutions hand out credit to people whose identities aren't verified. Check it out: Technology and Easy Credit Give Identity Thieves an Edge - New York Times. (Thanks to robhyndman.com for the link.)

For an interesting and contrarian perspective, check out Slate's: The New York Times flips out over "identity theft."

Tuesday, May 30, 2006

European court blocks passenger data sharing deal with US 

Andreas Busch, blogging from Oxford, reports that the data sharing arrangement between the US and the EU has been struck down. Read all about it at his great blog ...

Politics of Privacy Blog: Passenger flight data: European court blocks EU data deal with US:

"The European Court of Justice has today annulled the European Council's decision regarding an agreement to provide US authorities with the data of European flight passengers, and the European Commission's decision that this agreement complies with the European Union's data protection requirements. (More information about the details can be found in the ECJ's press release)...."

E-mail issues causing headaches 

This morning, Toby Keeping of IronSentry and I gave a presentation on business and legal risks of e-mail and other electronic information at the Westin in Halifax. The Chronicle Herald is running a story on the topic, based on interviews with Toby and me. Check it out: The ChronicleHerald.ca - E-mail issues causing headaches: Firms search for security in electronic age. E-mail me for a copy of the presentation.

Federal Privacy Commissioner releases annual report for 2005 

The Federal Privacy Commissioner of Canada has released her Annual Report to Parliament for 2005 (pdf). It is worth a read since it highlights many of the activities of that office that are not reported on elsewhere. It also includes a synopsis of a range of pending applications before the Federal Court of Canada that haven't been referred to elsewhere.

Here is the media release related to the report:

Tabling of Privacy Commissioner of Canada's 2005 Annual Report on the Personal Information Protection and Electronic Documents Act: Commissioner takes tougher stance

Ottawa, May 30, 2006 –There has been progress in advancing the privacy rights of Canadians in the private sector, but the Privacy Commissioner’s Office intends to be more assertive in ensuring that all businesses are complying with the law, according to the Privacy Commissioner of Canada, Jennifer Stoddart, whose 2005 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.

In 2005, the Privacy Commissioner began taking a stronger stance with respect to the recommendations made to organizations in her letters of finding. She began asking organizations that are the subject of well-founded complaints to state the corrective measures they would take – and when these measures would be implemented. In the one situation in which the company did not implement the recommendations, the Commissioner’s Office took the matter forward to the Federal Court. All other organizations have rapidly committed to providing redress and making systemic changes to their personal information management practices.

“Businesses, large and small, have demonstrated goodwill, commitment to community values and openness to change when it comes to protecting privacy,” states Ms. Stoddart in her report. “But I am concerned that apparent compliance does not always result in truly effective privacy and security practice. This goodwill needs to be translated into practice.”

Overall, information handling practices brought to the attention of the Privacy Commissioner’s Office show a high level of compliance with PIPEDA among Canadian companies. And the Commissioner is pleased that a recent trend toward settling complaints is continuing, with almost half of the 400 complaints in 2005 being settled to the apparent satisfaction of all parties.

Another theme of the report relates to technology, consumer trends and national security concerns, which continue to introduce novel uses for personal data and require ever greater amounts of it. It is time to revisit how the operating rules are defined and applied, and how adequate these rules are in a world of such rapid technological change.

Recent polling commissioned by the Privacy Commissioner’s Office suggests that 88 per cent of Canadians feel that it is important that privacy laws are updated to ensure they are keeping up with new technologies that may have an impact on their personal information.

PIPEDA came into effect in stages beginning in 2001, so the Office now has more than five years of experience dealing with the law. It is slated for a full Parliamentary review in 2006, which is expected to commence in the fall. This mandated review is vital and will present a unique opportunity to examine the Act’s effectiveness in protecting privacy rights in the marketplace. It will also give Parliamentarians the chance to help respond to growing attacks on personal information through identity theft, spam and fraudulent on-line activities. The Commissioner is urging the government to consider a similar review of the Privacy Act, the federal public sector privacy law, which has not been substantially amended since its inception in 1983.

As the Commissioner’s Office plans for its participation in this all-important review of PIPEDA, it will also continue to pursue preventive activities such as education, outreach, complaint resolution, as well as audits and reviews. The expectation of additional resources will further assist the Office in fully carrying out this multi-faceted mandate to protect and promote privacy rights.

The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

— 30 —

To view the report: Annual Report to Parliament 2005 — Report on the Personal Information Protection and Electronic Documents Act (Adobe format)

Sunday, May 28, 2006

Incident: Sacred Heart computer security breach affects 135,000 

Security breaches at universities are such old news that I've stopped reporting them on this blog. But this one is a bit different. A computer security breach has resulted in the compromise of personal information of 135,000 people at Sacred Heart University in Connecticut. (Yawn.) But what's notable is that many of those affected are not alumni, not staff, not students, not applicants. The university had obtained information on prospective students from dozens of sources, likely without the OK of those individuals. And some of this information was compromised in the breach. Yup. That's a new one. And not a good one.

See: Wtnh.com, Connecticut News and Weather - Sacred Heart computer security breach affects 135,000.

I'd like to thank the academy. And my blog ... 

I usually don't write about anything other than privacy law, but I thought I'd make an exception to write a bit about this blog ...

This week I was honoured to be the recipient of the Outstanding Young Canadian Award in the category of Leadership, given by the Junior Chamber of Commerce International, Halifax Chapter. My firm, McInnes Cooper, has made a pretty big deal out of it (Congratulations to David Fraser, our Outstanding Young Canadian!). It was all very flattering and humbling at the same time.

The criteria for the award are:

Leadership: The legal, political, public and governmental sectors have leaders to use their skills to attain goals on a regular basis. They constantly make a difference in their organization and their leadership ability is a key to their success. The nominee for this award has proven leadership abilities.

I fit the "young" part, since I'm between 18 and 40. And it is unusual for a young associate in a large law firm to head a practice group, to develop a niche practice and to have a significant national client base.

I had to give a speech, along with the winners in the other categories, at the gala dinner on Thursday. The organizers suggested something inspiring. Well, I spend a lot of time talking to large groups about privacy law but it was pretty weird to contemplate standing up and talking about myself. But it did make me reflect upon what "got me here". And a significant part of that is this blog.

In building my practice in privacy law, I have spent a lot of time and effort networking, getting to know people in the field, doing wider marketing and even making direct pitches to prospective clients, but the one thing that has raised my profile most of all and has resulted in engagements from far-flung clients is this blog. I know from the site's stats that it is read regularly by the Office of the Federal Privacy Commissioner, the provincial privacy commissioners, most major Canadian law firms, the big five Canadian banks, and Canada's equivalent of the Fortune 500.

This blog and its wide readership have led to an invitation to speak at the Canadian Bar Association's annual meeting in Winnipeg in 2004 (The Canadian Privacy Law Blog: Report from the CBA in Winnipeg). Everything I've written for the Canadian Privacy Law Review has started as a posting on this blog. The first times I met each of the British Columbia, Alberta and Ontario privacy commissioners, each of them knew me and commented on my blog. I've given dozens of media interviews for newspapers, radio and TV throughout Canada and into the U.S. on privacy issues and, almost without exception, the reporters and producers found me via the blog. I've also been featured in high-profile articles on Canadian legal bloggers (CBA Magazine: Blogging the spotlight and New Media Marketing, Part I - Blogs: How Lawyers Can Become Thought Leaders in a Niche Market (CBA members-only login)), all thanks to this blog. Also, thanks to this blog, I've met a number of great people from coast to coast, some of whom I've met in the real world and some whom I only know through e-mail.

Importantly, all of the above is an unintended consequence. I didn't start out the blog thinking it would raise my profile or would be a good way to meet people. I started it because I wished someone else had put together a "one stop shopping" place for Canadian privacy law and notable news in this area. At the end of 2003, there wasn't such a site to keep privacy lawyers and others up-to-date on this area, so I decided to do it for myself. I was surprised at how easy it was and I was also pleasantly surprised that it didn't take as much time as I thought it would. Everything else has been gravy. Heaps of gravy.

In any event, I'd like to thank my friends, my family, my firm and my blog.

Wednesday, May 24, 2006

Privacy and security may be a competitive advantage 

At least Paxx Telecom LLC thinks so. They have just issued a press release advertising that their service lets you thumb your nose at the NSA, et al:

Phone Company, In Response To Concerns About Phone Privacy, Shows Customers How To Tell The NSA To Take A Hike - Yahoo! News

Scottsdale, AZ (PRWEB) May 24, 2006 -- The recent revelation first made by USA Today that the National Security Agency (NSA) has been commandeering phone records of tens of millions of ordinary Americans has shocked those who cherish their privacy and do not agree with unnecessary snooping by their government.

It’s hard to know which phone companies are prepared to protect the privacy of telephone records from the NSA’s prying eyes. Certainly many of the nation’s largest phone companies are not, according to USA Today.

With the cooperation of the nation's largest phone companies, the NSA has amassed the largest ever database of "call detail" information including who called what number, when and for how long.

Less understood is that while the public is “assured” no personal data is being collected, it’s only a small step required in order to “connect-the-dots”. Revealing the owner of most phone numbers is often as simple as typing the number into Google.

Even a pre-paid calling card purchased for cash is not anonymous. All calls originating from that card are recorded based on their authorization code, and it’s just a few simple steps to identify the caller.

"This is nothing new", reports Paul Schmidt, CEO of Paxx Telecom LLC. "We reported back in 2002 that a number of the major phone companies informed their customers that they intended to distribute or sell customers' private information after a Federal Court gave them blanket permission to do so."

"At Paxx Telecom, our records are secured offsite and we guarantee never to turn over any records to the government or anyone else without a court order. All our customers need do is dial a short access number in front of the number they want to reach. As a result, the local phone company will show only the connection to Paxx Telecom. It will have no record of the actual number the customer talked to," he said. "In addition, we keep call records on our servers only temporarily to give customers access to verify proper invoicing, after which the calling information will be extinguished."

Paxx Telecom LLC is a privately owned long distance provider, incorporated in the state of Arizona in 1999. Paxx Telecom offers domestic and international long distance services to residents of the USA and Canada, and it offers International callback services in most countries overseas. Paxx Telecom has agreements to use the network backbones of some of the world’s largest communication providers. For optimal call clarity, Paxx Telecom is using traditional voice-quality networks rather than VOIP or other Internet technology. Additional information about Paxx Telecom services is available at www.PaxxTelecom.com

More information about Paxx Telecom’s secure phone system can be found at www.paxxtelecom.com or by calling 1-800-664-4977.

Tuesday, May 23, 2006

Singapore moving closer to data protection law 

Asian economic powerhouse Singapore is about two years away from a data protection law as the country moves through a consultation process toward that objective:

Channelnewsasia.com:

SINGAPORE: A committee that is looking at how to protect private information is expected to submit its report to the government next month.

Experts believe one of the key features of the upcoming data protection law is clamping down on private companies that collect and disseminate personal information freely.

Currently, when a person fills out their personal information on forms or lucky draw coupons, the companies will usually store the information in their databases and disseminate it without the person's knowledge or permission.

The upcoming law will likely make sure that that will not happen.

Experts believe the law may be ready in about 2 years.

"Data collectors would have to get your consent if they're going to use it for direct marketing and if you discover that your particulars are being used by direct marketing by a particular company, you'd have a right to go to the company and demand that they stop doing it. It's the sort of thing I could envisage in the legislation coming," said S Suressh, a partner at Harry Elias Partnership.

Singaporeans are increasingly using the internet to conduct transactions.

So it's timely for the government to study and develop laws to protect personal details.

"As we develop, there're more and more demands for rights and one of the rights is of course the right to privacy. So the government's probably decided that we have reached a certain level of development and that businesses can probably cope with the increased burden and cost of this," said Asst Prof Terence Tan from the Law Faculty at NUS.

The existing laws cover mainly government agencies such as the Inland Revenue Authority of Singapore, requiring they protect your personal information.

But data collection and protection are unregulated among private companies, which will change with the coming of new laws. - CNA /dt

Upcoming Seminar: E-mail, storage and the law 

Location: Westin Hotel, Halifax, NS
Start Date: Tuesday, May 30, 2006
Time: 8:00am - 11:30am

With 70% of critical business information contained in email, small and medium sized companies face numerous challenges. Legal concerns including privacy, retention, and accountability are at the forefront, but improper use, hardware requirements, and the ability to recover old emails are also highly important to today's business owner.

Join Toby Keeping (IronSentry Inc.) and David Fraser (McInnes Cooper) in an information session as they discuss these and other issues that small and medium sized companies have to address with electronic information.

For more information, or to register, click here.

Contact: Toby Keeping, 902.463.4485 x1401 or tkeeping@ironsentry.com

Monday, May 22, 2006

Australian women fear "stalker" reverse directory 

The Privacy Commissioner of Australia is poised to investigate a controversial "reverse directory" in that country. The site, www.boonghunter.com, provides names, addresses and numbers of residents based on partial information, including just the streets they live on. Women in particular are afraid that it'll make a good tool for stalkers.

The Advertiser: Women fear website puts them in danger [23may06].

By MICHAEL OWEN

AN unauthorised telephone directory website has alarmed women, who fear it will increase the risk of stalking and endanger women and children seeking refuge from domestic violence.

The website - www.boonghunter.com - also has disturbed Telstra, which yesterday described it as "a gross invasion of privacy".

The website and the source of its information was last night under investigation by federal authorities, including the Australian Communications and Media Authority and the Office of the Federal Privacy Commissioner. Sensis, Telstra's online directory division, said it was "appalled" by the website, which provides "reverse search" access to address and telephone numbers of individuals.

"Unlike the White Pages directory, where you need to know the name of the person you are searching for before you can find their details, reverse searching enables people to search for your private details without knowing who you are," Sensis Corporate Affairs Manager Karina White said.

"For example, you can find out someone's personal details just by knowing the street they live on.

"Whoever is behind this website has no regard for Australians' rights to have their personal contact information handled responsibly and with respect."

Karen Barnes, chairperson of the Kilburn-based Women's Housing Association, was concerned for the safety and security of women and children trying to flee abusive situations.

"We will be pursuing a formal inquiry to try and get this website closed down," Ms Barnes said.

Telecommunications industry sources last night said initial inquiries indicated an overseas computer hacker had gained access to the Integrated Public Number Database, which contains the names, addresses, phone numbers and phone location of all residential and business customers in the country. The database is managed by Telstra on behalf of the telecommunications industry.

The IPND is used by telcos to develop their own directories and is also available to authorised members of the Australian police and emergency services.

ACMA last night confirmed it had started investigating the source of the information on the website.

Privacy Commissioner Karen Curtis was last night preparing to launch a formal investigation.

The domain http://www.boonghunter.com is being redirected to http://www.indigenoushunter.com/. I understand the term "boong" (which I must confess I've never heard before) is an offensive term used to refer to aboriginal Australians.

Incident: Personal information about 26.5M US veterans on laptop stolen 

An employee of the United States Department of Veterans Affairs took home a laptop containing data on 26.5 million American veterans, which was subsequently stolen from his home. Authorities do not think the information has been misused:

Personal Data of 26.5M Veterans Stolen - Yahoo! News

WASHINGTON - Personal data, including Social Security numbers of 26.5 million U.S. veterans, was stolen from a Veterans Affairs employee this month after he took the information home without authorization, the department said Monday.

Veterans Affairs Secretary Jim Nicholson said there was no evidence so far that the burglars who struck the employee's home have used the personal data — or even know they have it. The employee, a data analyst whom Nicholson would not identify, has been placed on leave pending a review.

"We have a full-scale investigation," said Nicholson, who said the FBI, local law enforcement and the VA inspector general were investigating. "I want to emphasize, there was no medical records of any veteran and no financial information of any veteran that's been compromised."

"We have decided that we must exercise an abundance of caution and make sure our veterans are aware of this incident," he said in a conference call with reporters.

The theft of veterans' names, Social Security numbers and dates of birth comes as the department has come under criticism for shoddy accounting practices and for falling short on the needs of veterans.

Last year, more than 260,000 veterans could not sign up for services because of cost-cutting. Audits also have shown the agency used misleading accounting methods and lacked documentation to prove its claimed savings.

Veterans advocates immediately expressed alarm....

The federal government has put up an information page here:

Latest Information on Veterans Affairs Data Security -- Firstgov.gov

Latest Information on Veterans Affairs Data Security

The Department of Veterans Affairs (VA) has recently learned that an employee, a data analyst, took home electronic data from the VA, which he was not authorized to do. This behavior was in violation of VA policies. This data contained identifying information including names, social security numbers, and dates of birth for up to 26.5 million veterans and some spouses, as well as some disability ratings. Importantly, the affected data did not include any of VA's electronic health records nor any financial information. The employee's home was burglarized and this data was stolen. The employee has been placed on administrative leave pending the outcome of an investigation.

Appropriate law enforcement agencies, including the FBI and the VA Inspector General's office, have launched full-scale investigations into this matter. Authorities believe it is unlikely the perpetrators targeted the items because of any knowledge of the data contents. It is possible that they remain unaware of the information which they possess or of how to make use of it. However, out of an abundance of caution, the VA is taking all possible steps to protect and inform our veterans.

The VA is working with members of Congress, the news media, veterans service organizations, and other government agencies to help ensure that veterans and their families are aware of the situation and of the steps they may take to protect themselves from misuse of their personal information. The VA will send out individual notification letters to veterans to every extent possible. Additionally, working with other government agencies, the VA has set up a manned call center that veterans may call to get information about this situation and learn more about consumer identity protections. That toll free number is 1-800-FED INFO (1-800-333-4636). The call center will operate from 8 am to 9 pm (EDT), Monday-Saturday as long as it is needed.

Here are some questions you may have about this incident, and their answers.

I'm a veteran. How can I tell if my information was compromised?

At this point there is no evidence that any missing data has been used illegally. However, the Department of Veterans Affairs is asking all veterans to be extra vigilant and to carefully monitor bank statements, credit card statements and any statements relating to recent financial transactions. If you notice unusual or suspicious activity, you should report it immediately to the financial institution involved and contact the Federal Trade Commission for further guidance.

What is the earliest date at which suspicious activity might have occurred due to this data breach?

The information was stolen from an employee of the Department of Veterans Affairs during the month of May 2006. If the data has been misused or otherwise used to commit fraud or identity theft crimes, it is likely that veterans may notice suspicious activity during the month of May.

I haven't noticed any suspicious activity in my financial statements, but what can I do to protect myself and prevent being victimized by credit card fraud or identity theft?

The Department of Veterans Affairs strongly recommends that veterans closely monitor their financial statements and review the guidelines provided on this webpage or call 1-800-FED-INFO (1-800-333-4636).

Should I reach out to my financial institutions or will the Department of Veterans Affairs do this for me?

The Department of Veterans Affairs does not believe that it is necessary to contact financial institutions or cancel credit cards and bank accounts, unless you detect suspicious activity.

Where should I report suspicious or unusual activity?

The Federal Trade Commission recommends the following four steps if you detect suspicious activity:

  1. Contact the fraud department of one of the three major credit bureaus:

     Equifax: 1-800-525-6285; http://www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

     Experian: 1-888-EXPERIAN (397-3742); http://www.experian.com; P.O. Box 9532, Allen, Texas 75013

     TransUnion: 1-800-680-7289; http://www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

  2. Close any accounts that have been tampered with or opened fraudulently.
  3. File a police report with your local police or the police in the community where the identity theft took place.
  4. File a complaint with the Federal Trade Commission by using the FTC's Identity Theft Hotline by telephone: 1-877-438-4338, online at http://www.consumer.gov/idtheft, or by mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580.

I know the Department of Veterans Affairs maintains my health records electronically; was this information also compromised?

No electronic medical records were compromised. The data lost is primarily limited to an individual's name, date of birth, social security number, in some cases their spouse's information, as well as some disability ratings. However, this information could still be of potential use to identity thieves and we recommend that all veterans be extra vigilant in monitoring for signs of potential identity theft or misuse of this information.

What is the Department of Veterans Affairs doing to ensure that this does not happen again?

The Department of Veterans Affairs is working with the President's Identity Theft Task Force, the Department of Justice and the Federal Trade Commission to investigate this data breach and to develop safeguards against similar incidents. The Department of Veterans Affairs has directed all VA employees to complete the "VA Cyber Security Awareness Training Course" and the separate "General Employee Privacy Awareness Course" by June 30, 2006. In addition, the Department of Veterans Affairs will immediately be conducting an inventory and review of all current positions requiring access to sensitive VA data and will require all employees requiring access to sensitive VA data to undergo an updated National Agency Check and Inquiries (NACI) and/or a Minimum Background Investigation (MBI), depending on the level of access required by the responsibilities associated with their position. Appropriate law enforcement agencies, including the Federal Bureau of Investigation and the Inspector General of the Department of Veterans Affairs, have launched full-scale investigations into this matter.

Where can I get further, up-to-date information?

The Department of Veterans Affairs has set up a special website and a toll-free telephone number for veterans that features up-to-date news and information. Please check this webpage for further updates or call 1-800-FED-INFO (1-800-333-4636).

Page last updated, May 22, 2006


Sunday, May 21, 2006

Almost perfect accuracy still labels hundreds as criminals in the UK 

99.97% accuracy sounds pretty good, unless you are one of the 1500 people in the UK incorrectly labeled as a criminal.

The Criminal Records Bureau is unapologetic that it errs on the side of caution in managing its databases. See: BBC NEWS | UK | Hundreds wrongly dubbed criminals.


Scottish 'Big Brother' plan to profile every child in massive database 

Child protection authorities in Scotland are planning to phase in an enormous database on all children born in the country in an effort to identify children at risk of abuse. Not surprisingly, the initiative is being referred to as "Orwellian":

Edinburgh Evening News - 'Big Brother' plan to store every baby on computer:

EVERY newborn child in Edinburgh and the Lothians faces being stored on a "Big Brother-style" national database under a major shake-up of Scotland's child protection system.

The computerised files would be kept "live" until the child reaches the age of 16 and will include personal details of their health, family life and education.

The child's file will be closed when they reach 16, but it will then be kept on record for up to 75 years.

Teachers, police, GPs and social workers will be able to access the files to check for signs of abuse.

If the child is regularly late for school or their behaviour changes dramatically, the details could be put into the system where it is hoped it will build up a picture of the child's overall welfare.

...

The national database is being planned by ministers to revolutionise information sharing between different agencies and improve protection for vulnerable children.

The move follows a series of high-profile cases of child protection failures in Edinburgh and the Lothians.

In March, two-year-old East Lothian boy Derek Doran died after drinking his parents' methadone. He had been found dead in his bed by his mother last December at their home at Elphinstone, near Tranent.

And last year, three-year-old Michael McGarrity was found alone in a Leith flat with the body of his drug-addict mother, having survived for six weeks on scraps of food.

...

The scheme is to be piloted in Highland Council from September 3 before being extended across the country, according to the Scottish Executive.

Every newborn child in the Highland region and around 500 Inverness schoolchildren will be logged into the system during the trial.

Families have been told they will be consulted about the nature of information that is held.

A spokesman for the Scottish Executive said: "Highland's experience will also be used to help other local authorities prepare for the roll-out of the new systems."

But a human rights expert warned the new system may be open to abuse.

John Scott, former head of the Scottish Human Rights Centre, said: "The positive aspects of this are fairly obvious but bringing so much information into one place brings with it the scope for abuse.

"The important thing is to ensure there are very clear safeguards in place."

Thanks to Pogo Was Right for the link.


DHS Privacy Office Bashes RFID Technology To Track People 

This is interesting (and unexpected):

DHS Privacy Office Bashes RFID Technology To Track People - Yahoo! News:

The Department of Homeland Security's Privacy Office has issued a draft report that strongly criticizes privacy and security risks of using radio frequency identification devices for human identification. Public comment on the paper is being taken until May 22.

The privacy office says the technology offers little performance benefit for identification purposes compared with other methods and could turn the government's identification system into a surveillance system.


A new generation of privacy attitudes 

Yesterday's San Francisco Chronicle has a very interesting article on attitudes toward privacy held by the "younger generation". You know them: they're more than happy to detail their most personal thoughts in blogs and on MySpace but freak out when they think someone from the government might be listening.

The age of privacy / Gen Y not shy sharing online -- but worries about spying

Over the past 12 years, Melissa Gira has cultivated a daily audience of 4,000 strangers, whom she lets watch her most intimate moments on her Web site. They have watched her wake up and recall her dreams, and they have watched her suffer through breakups. In more recent years, some have paid hourly fees to watch her perform "digital sex."

Gira, a.k.a. m. Shakti, was one of the first "Web cam girls" who, using a real-time camera, intentionally exposed the details of her life online 24 hours a day, seven days a week.

"I shared secrets there I wouldn't share with anyone else," Gira said. "Things I said only to therapists, best friends."

Yet when the 28-year-old San Francisco resident learned last week, along with millions of Americans, that the National Security Agency had collected the telephone records of unsuspecting citizens, it crossed Gira's privacy line.


Saturday, May 20, 2006

More on Alberta's access to information amendments 

For those interested in the recent amendments to Alberta's access to information legislation (see: The Canadian Privacy Law Blog: Proposed amendments to Alberta's access law slammed), check out Slaw's discussion: Slaw Archive Alberta's FOIP amendments.


Printing card data not smart 

David Canton's regular IT column in the London Free Press is about the practice of printing full debit and credit card numbers on receipts. (See: London Free Press - David Canton - Printing card data not smart.)

This is a practice that really bugs me. In three days in Toronto last week, every debit and credit card receipt I accumulated had my full number and expiry date printed on it. I was in Toronto for a Canadian Institute conference on Privacy Compliance, which I co-chaired. The topic of receipts came up in discussions with the Assistant Privacy Commissioner of Canada, the Alberta Commissioner and the British Columbia Commissioner. The Alberta Commissioner, Frank Work, discussed the incident that David mentions in his column and one of the more interesting things he discovered in his investigation: there's a black market for these receipts and they are $25.00 each.

The assistant federal commissioner, Heather Black, mentioned that the Commissioner's office had canvassed most of the POS suppliers in Canada, who assured them that they are rolling out upgraded machines as fast as they can. Not fast enough, in my personal opinion.

For those retailers whose receipts are generated through a full POS system, I expect it's just a software patch that would do the job. The dedicated card terminals may need something more.

But even if it is a "hardware problem", why not give cashiers a jiffy marker to black out the digits? There's no reason to have them on the receipt since it is all settled electronically and the transaction code is enough to reconcile the day's accounts. As for me (at least in restaurants, where I'm asked to sign the slip and have the time to linger), I black out my card number myself.
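The "software patch" mentioned above amounts to truncating the card number before the receipt is printed. The following is an added example, not code from the column or from any POS vendor: it scans constructed receipt text for digit runs of card-number length, confirms each candidate with a Luhn check so that transaction and authorization codes are left alone, masks everything but the last four digits, and blanks the expiry date. The receipt text, the merchant name and the `4111 1111 1111 1111` number (a standard test number) are all constructed for the example.

```python
import re

# Constructed sample receipt (not real card data). The card number is a
# standard test PAN that passes the Luhn check; the codes on the AUTH/TRANS
# line are made up and must survive redaction untouched.
SAMPLE_RECEIPT = """\
ACME DINER  TORONTO ON
VISA  4111 1111 1111 1111  EXP 09/08
AUTH 012345  TRANS 000987654321
TOTAL  $42.10
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Expiry printed as EXP or EXPIRY followed by MM/YY or MM/YYYY.
_EXPIRY = re.compile(r"\b(EXP(?:IRY)?\.?\s*)(\d{2}/\d{2,4})", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match: re.Match) -> str:
    """Replace all but the last four digits of a Luhn-valid candidate with '*'.

    A long code that fails Luhn is returned unchanged; a non-card number
    that happens to pass Luhn would be masked too, which is the safe side
    to err on for a printed receipt.
    """
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw
    keep_from = len(digits) - 4     # index of the first digit to keep
    out, seen = [], 0
    for ch in raw:                  # preserve the original spacing/dashes
        if ch.isdigit():
            out.append("*" if seen < keep_from else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def redact_receipt(text: str) -> str:
    """Return receipt text with card numbers truncated and expiry dates blanked."""
    text = _CANDIDATE.sub(mask_pan, text)
    text = _EXPIRY.sub(lambda m: m.group(1) + "**/**", text)
    return text


if __name__ == "__main__":
    print(redact_receipt(SAMPLE_RECEIPT))
```

Run as-is the script prints the sample receipt with the card line reading `VISA  **** **** **** 1111  EXP **/**` while the transaction code and total are untouched. The Luhn check is what makes the filter usable on a real receipt stream: without it, any 13- to 19-digit reference number would be mangled, and with it the only false positives are long codes that pass mod-10 by chance, which is the harmless direction to fail in.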


Thursday, May 18, 2006

Schneier on The Eternal Value of Privacy 

Run, do not walk, to read this very interesting comment by Bill Schneier: Wired News: The Eternal Value of Privacy. Here's a taste:

The most common retort against privacy advocates -- by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures -- is this line: "If you aren't doing anything wrong, what do you have to hide?"

Some clever answers: "If I'm not doing anything wrong, then you have no cause to watch me." "Because the government gets to define what's wrong, and they keep changing the definition." "Because you might do something wrong with my information." My problem with quips like these -- as right as they are -- is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.


Nova Scotia Court of Appeal decision on physician billing records privacy 

I recently blogged about a recent decision from the Nova Scotia Court of Appeal that held individual physician billing information should not be disclosed under the province's Freedom of Information and Protection of Privacy Act (See: The Canadian Privacy Law Blog: Doctors' billings in Nova Scotia is private information under FOIPOP). This is a different result than that reached in Manitoba and British Columbia and is an important interpretation of the Act in Nova Scotia.

The decision is not yet up at the Courts' website, but here's a copy: 2006 NSCA 59

Doctors Nova Scotia v. Nova Scotia (Department of Health)

Doctors Nova Scotia (Appellant) v. Her Majesty the Queen, in Right of the
Province of Nova Scotia, as represented by the Minister of Health and Joanna
Redden (Respondents)

Nova Scotia Court of Appeal

Cromwell J.A., Fichaud J.A., and Oland J.A.

Heard: April 5, 2006
Judgment: May 12, 2006
Docket: C.A. 255020

Counsel: Cynthia Scott for Appellant
Edward Gores, Q.C. for Respondent, Her Majesty the Queen
Graham Steele for Respondent, Joanna Redden

Fichaud J.A.:

[1] Ms. Redden applied under Nova Scotia's Freedom of Information and Protection of Privacy Act for disclosure of records with the provincial Department of Health showing named physician billings from 2000 to 2004, later revised to 2002-2004. The Supreme Court ordered disclosure. Doctors Nova Scotia, representing physicians, appeals. Doctors Nova Scotia says that the disclosure of named physicians' individual billings would unreasonably invade the physicians' privacy. It is common ground that the request is for personal information. There are two issues. (1) Does the requested information reveal details of "a contract to supply services to a public body" (which is deemed not to unreasonably invade privacy) under s. 20(4)(f) of the Act? (2) If not, does a consideration of the circumstances cited in s. 20(2) rebut the statutory presumption that disclosure would unreasonably invade the physicians' privacy?

Background

[2] The Freedom of Information and Protection of Privacy Act, S.N.S. 1993, c. 5, as am. ("Act") prescribes the procedure for access to records possessed by public bodies, including provincial government departments. On July 21, 2004, the respondent Joanna Redden applied under s. 6(1) of the Act for copies of records possessed by the Department of Health showing "the total physician billing, by physician, in Nova Scotia from 2000 to the present." Ms. Redden is on staff with the New Democratic Party.

[3] Under s. 22 of the Act, the Department of Health gave notice of Ms. Redden's request to the appellant Doctors Nova Scotia ("DNS"). DNS represents physicians in the Province, and was formerly known as the Medical Society of Nova Scotia. DNS objected to Ms. Redden's request. DNS said the disclosure would unreasonably invade physicians' privacy.

[4] The Department of Health responded to DNS with a letter of September 17, 2004 stating:

The Department of Health has received your written representation explaining that you believe the information should be partially disclosed, without names attached.

Following consideration of the information, your representation, and the relevant provisions of the Act, the Department of Health has reached a decision to grant full access to the requested information.

[5] DNS filed a request for a review of the Department's decision. The review officer wrote a report dated January 28, 2005. The report notes:

While DNS had no objection to the disclosure of individual MSI billings, it argued that attaching the names of the doctors to the billings was contrary to the requirements of s. 20 of the FOIPOP, a mandatory exemption which obliges a public body to refuse to disclose personal information if such disclosure constituted an unreasonable invasion of an individual's personal privacy.

The review officer concluded that the requested information revealed details of a contract to supply a service to the provincial government. By s. 20(4)(f) of the Act, such a disclosure is deemed not to unreasonably invade privacy. The review officer recommended disclosure.

[6] DNS appealed to the Nova Scotia Supreme Court under s. 42(1) of the Act. Section 42(1) states that the Supreme Court "determines the matter de novo." Justice Douglas MacLellan heard the appeal on August 8, 2005. DNS filed an affidavit of Dr. Gary Ernest, the director of DNS. Ms. Redden filed an affidavit of Lori Errington, a researcher with the NDP caucus office.

[7] The chambers judge issued a decision on August 30, 2005, dismissing DNS' appeal (2005 NSSC 244). He ruled that the disclosure was deemed not to be an unreasonable invasion of privacy by s. 20(4)(f). This provision reads:

20(4) A disclosure of personal information is not an unreasonable invasion of a third party's personal privacy if

...

(f) the disclosure reveals financial and other similar details of a contract to supply goods or services to a public body.

Later I will discuss the chambers judge's reasoning. He determined:

[30] I conclude that the contract between Doctors Nova Scotia and the Department of Health is a contract for the supply of services and that the fees paid under the contract are financial details of the contract and therefore come within s. 20(4)(f) of the Act.

...

[42] In light of my decision to find that the information requested is covered by s. 20(4)(f) of the Act it is not necessary for me to deal with whether the Third Party here has shown that the presumption of an unreasonable invasion of privacy has been rebutted in light of the fact that all parties agree that the information involved does contain personal information.

[8] DNS appeals to this court. DNS' factum defines the issue as follows:

119 . . . the Appellants have consented to release of the individual billing amounts on the condition that the names of physicians are severed, substituting numbers for names.

120. The only issue in this case is whether names of physicians are required to be disclosed in connection with the amount of their individual billings.

Appeal Jurisdiction

[9] The Act says nothing of appeals from the Supreme Court. Section 38(1) of the Judicature Act, R.S.N.S. 1989, c. 240 states that, except where otherwise provided, an appeal lies to the Court of Appeal from any decision of the Supreme Court. Section 38(1) permits an appeal from a Supreme Court decision made under s. 42(1) of the Freedom of Information and Protection of Privacy Act: O'Connor v. Nova Scotia, 2001 NSCA 132, at ¶ 30; Dickie v. Nova Scotia (Department of Health), [1999] N.S.J. No. 116 (C.A.).

Standard of Review

[10] This is an appeal from a de novo determination by the Supreme Court, not from a judicial review of a decision by an administrative tribunal. So the pragmatic and functional approach does not determine the standard of review. Rather, the standard of review for the Court of Appeal is that which normally applies to a civil appeal from a decision of first instance by a lower court. In O'Connor, at ¶ 28 - 34, Justice Saunders summarized the principle:

Accordingly, in the absence of clear statutory direction to the contrary, the standard of review under the FOIPOP Act of a lower court's findings of fact should be the same as in other civil cases, that is obvious, palpable and overriding error. In matters of law, for example conclusions with respect to the interpretation to be given to legislation, the test is one of correctness. ...

Issues

[11] The issues turn on s. 20 of the Act. The pertinent wording is:

Section 20

(1) The head of a public body shall refuse to disclose personal information to an applicant if the disclosure would be an unreasonable invasion of a third party's personal privacy.

(2) In determining pursuant to subsection (1) or (3) whether a disclosure of personal information constitutes an unreasonable invasion of a third party's personal privacy, the head of a public body shall consider all the relevant circumstances, including whether

(a) the disclosure is desirable for the purpose of subjecting the activities of the Government of Nova Scotia or a public body to public scrutiny;

(b) the disclosure is likely to promote public health and safety or to promote the protection of the environment;

(c) the personal information is relevant to a fair determination of the applicant's rights;

(d) the disclosure will assist in researching the claims, disputes or grievances of aboriginal people;

(e) the third party will be exposed unfairly to financial or other harm;

(f) the personal information has been supplied in confidence;

(g) the personal information is likely to be inaccurate or unreliable; and

(h) the disclosure may unfairly damage the reputation of any person referred to in the record requested by the applicant

(3) A disclosure of personal information is presumed to be an unreasonable invasion of a third party's personal privacy if

...

(f) the personal information describes the third party's finances, income, assets, liabilities, net worth, bank balances, financial history or activities, or creditworthiness;

(4) A disclosure of personal information is not an unreasonable invasion of a third party's personal privacy if

...

(f) the disclosure reveals financial and other similar details of a contract to supply goods or services to a public body; [emphasis added]

[12] In Dickie, at ¶ 4 - 18, Justice Cromwell outlined the analytical approach to s. 20. To similar effect: Re House and 144900 Canada Inc. 2000 Carswell N.S. 429 (NSSC) per Moir, J. at ¶ 6. In summary, the court should ask the following questions:

1. Do the requested records contain "personal information" of the third party, in this case the physicians?

2. If so, does s. 20(4) deem the disclosure not to be an unreasonable invasion of the physicians' privacy? If there is deeming by s. 20(4), the information should be disclosed. Section 20(4) does not allow rebuttal.

3. If there is no deeming by s. 20(4), does s. 20(3) presume the disclosure to be an unreasonable invasion of the physicians' privacy? If so, there is a rebuttable presumption that the information should not be disclosed.

4. If there is a presumption by s. 20(3), is the presumption rebutted by a consideration of the circumstances under s. 20(2)? If so, the information should be disclosed. If not, then s. 20(1) directs that the personal information not be disclosed.

Those are the issues before a Supreme Court judge. The issue in the Court of Appeal is whether the chambers judge committed an appealable error under the standard of review respecting these four questions.

[13] The first and third questions are not in contention on this appeal:

(a) Paragraphs 3(1)(i)(i) and (vii) define "personal information" as including an "individual's name" and "information about the individual's ... financial history". It is not disputed that the requested income information of named physicians is "personal information" of the physicians. The chambers judge made no contrary finding, and his analysis under s. 20(4)(f) assumes that the requested records included "personal information" of physicians. The answer to the first question is "yes".

(b) Ms. Redden acknowledged in her factum that, if s. 20(4)(f) does not apply, then there is a rebuttable presumption under 20(3)(f). Section 20(3)(f) states that a disclosure of personal information is presumed to be an unreasonable invasion of the third party's privacy if the personal information describes the third party's "income". The chambers judge disposed of the matter under s. 20(4)(f), and did not consider s. 20(3)(f). The requested information relates to physicians' income. I agree that, if s. 20 (4)(f) does not apply, the answer to the third question is "yes".

[14] The argument in this court focussed on the second and fourth questions. Those are the issues I will address.

Contract to Supply Services to a Public Body - s. 20(4)(f)

[15] The chambers judge disposed of the claim under s. 20(4)(f), which deems the disclosure not to unreasonably invade the physicians' privacy if the disclosure reveals details "of a contract to supply . . . services to a public body".

[16] The only contract in evidence, or considered by the chambers judge, was the Agreement dated April 1, 2004 between the Medical Society of Nova Scotia (now "DNS") and Her Majesty the Queen in right of the Province ("Contract"). The Contract provides a Fee Tariff for "Insured Medical Services".

[17] Some medical services are provided under arrangements other than fee for service under this Contract. Article 3.1 of the Contract mentions the collective agreement between PARI-MP (which represents medical residents in the Maritime Provinces) and various healthcare facilities. "Alternative Funding Programs" are defined by article 1(1) as:

funding mechanisms, other than Fee- For-Service which are documented in the contracts anticipated by article 8 of this Agreement . . .

Article 12.5 notes that physicians may provide insured medical services pursuant to a salaried arrangement with district health authorities.

[18] Ms. Redden's request for information relates only to services by physicians on a fee for service basis as prescribed in the Contract of April 1, 2004. No other contract is in evidence. I express no opinion whether any such other contract, be it a collective agreement involving PARI-MP or an Alternative Funding Program or a salaried arrangement, is or is not a "contract to supply services to a public body" under s. 20(4)(f).

[19] Concerning the requested information under the Contract, the chambers judge began by posing the question:

[25] Does Section 20(4)(f) apply to the requested information?

[20] Clearly the Contract of April 1, 2004 was a "contract", the disclosure would reveal financial details deriving from that contract, and physicians provide medical "services". The issue under s. 20(4)(f) is whether, under the Contract, physicians provide those services "to a public body".

[21] The chambers judge noted repeatedly that physicians' services are provided to individual patients:

[26] . . . Each doctor bills individually and is paid individually for each service provided to a resident of Nova Scotia.

[27] . . . I interpret the contract involved here to clearly set out the rights of doctors to bill the Province provided they provide the service to a resident of Nova Scotia . . .

[28] . . . doctors are paid for services provided to a resident . . .

[29] . . . The service provided by the doctors are [sic] not for the Department of Health but for residents of the Province. As Doctors Nova Scotia speaks for the doctors so does the Department of Health speak for the residents of Nova Scotia.

[22] The chambers judge found that the service provided by physicians was "not for the Department of Health but for residents of the Province". Nowhere does his decision say that physicians provided a service to the Department of Health.

[23] The chambers judge then said:

[30] I conclude that the contract between Doctors Nova Scotia and the Department of Health is a contract for the supply of services and that the fees paid under the contract are financial details of the contract and therefore come within Section 20(4)(f) of the Act.

. . .

[34] I interpret this section [20(4)(b)] to be very broad in scope and basically indicating that if a person has a financial contract with a government body to provide goods or services you should expect that it is going to become public knowledge through Freedom on Information.

[24] The chambers judge arrived at his conclusion by interpreting s. 20(4)(f) as if it read:

. . . the disclosure reveals financial and other similar details of a contract with a public body to supply goods or services.

The chambers judge has, with respect, misread the provision. The point is not whether the Contract is signed with a public body. Under the Contract, the services must be supplied to a public body.

[25] In his able submission, counsel for Ms. Redden urged the court to interpret s. 20(4)(f) "purposively", instead of "literally", to promote disclosure. The court is to interpret the Act. The words of the Act are to be read in their entire context, in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act and the intention of the legislature: R. v. Sharpe, [2001] 1 S.C.R. 45 at ¶ 33 per McLachlin, C.J.C., and authorities cited. The starting point is the "grammatical and ordinary sense of the words". The legislature has chosen to enact that the deeming by s. 20(4)(f) applies only when the disclosure relates to details of a contract to provide "services to a public body". Section 2 of the Act lists the statutory objects to include both promotion of public access to records and protection of privacy for personal information. The court cannot ignore the clear statutory direction simply to promote disclosure per se. It is the function of the legislature, not the court, to decide whether or not the words "services to a public body" should cease to qualify the deeming in s. 20(4)(f).

[26] A review of the Contract and its enabling legislation establishes that the physicians' services involved in this appeal, provided on a fee for service basis, are not "services to a public body" and the Contract does not "supply services to a public body".

[27] The Contract provides the mechanism for negotiating a Fee Tariff. Article 1(6) defines "Fee Tariff" as a tariff for "Insured Medical Services". Article 1(9) defines "Insured Medical Services" as "the medical services that Insured residents are entitled to receive under the provisions of the Health Services and Insurance Act . . ." [emphasis added]. "Insured Residents" are defined by article 1(8) of the Contract as "residents of Nova Scotia as defined by the Health Services and Insurance Act . . ."

[28] The Health Services and Insurance Act, R.S.N.S. 1989, c. 197, as amended, ("HSIA") s. 2(h)(a) defines "insured professional services" as "the services with respect to which a resident is entitled to receive insurance under the provisions of this Act and the Regulations". "Resident" is defined by s. 1(l) as "resident of the Province as defined in the Regulations". Various provisions [e.g. ss. 17(2)(a), (b) and (d); 27(1); 28(1); 29(1) ] state that the insured professional service is rendered "to a resident". Nothing in the HSIA says physicians' services are to the Province. Section 3(2), the heart of the HSIA, states:

(2) Subject to this Act and the regulations, all residents of the Province are insured upon uniform terms and conditions in respect of the payment of the cost of insured professional services to the extent of the tariffs.

[29] Section 13(1)(a) authorizes the Minister of Health to negotiate "compensation for insured professional services on behalf of the Province with the professional organization representing providers". Section 13(A) authorizes the Minister of Health to "enter into an agreement with the Society [now DNS] on behalf of all duly qualified medical practitioners in the Province who provide insured medical services concerning compensation for insured medical services . . .". These provisions that enable the Contract are subject to s. 23 of the HSIA:

Nothing in this Act

(a) prevents a person from choosing his own provider;

(b) prevents a provider from practising as a provider outside the M.S.I. Plan; or

(c) imposes an obligation upon a provider to treat a person.

[30] In my view, the Contract and HSIA display the following dynamics. The Contract establishes a Tariff for "insured medical services", and defines "insured medical services" to mean services to the patient. The Contract is authorized by the HSIA. Under that HSIA, "insured professional services" are services to the patient. The Province insures the patient for the cost of the services to the extent of the tariffs. The Act does not interfere with, or inject the Province into, the individual choices of the patient and physician to engage in the professional relationship - confirmed by s. 23. The Department and the physician (through DNS) contract to establish the tariff, and the Province as insurer pays the physician directly. But the physician provides the medical service to the patient, not to the Province.

[31] The chambers judge (¶ 29 - quoted earlier) noted that "the Department of Health speak[s] for residents of Nova Scotia." It is unclear how this proposition channelled the chambers judge's reasoning. It appears that the chambers judge may have characterized the Department as an agent for the residents/patients. To this I have two comments. First, the HSIA does not express an agency role for the Department. The HSIA describes the Province as an insurer. Second, even if there is an implied or constructive agency (about which I express no opinion), that does not redirect the physicians' medical services to the Province. An agency does not bestow on the agent the benefit of a service rendered to the principal.

[32] Counsel for Ms. Redden says that it should not matter who "consumes" the service. Counsel cited examples of contracts with government to build roads, schools and hospitals. Another example discussed at the hearing would be a contract with government for garbage collection. Counsel says the contractor provides these services to the government. In my view, these examples differ in principle from physicians' services. In these examples the contract with the public body is the source of the third party's commitment to build the road, school or hospital or collect garbage. So the service may be provided to the public body though it benefits individuals. The Contract of April 1, 2004 systemizes the Province's role as insurer, but is not the source of a physician's commitment to provide medical service. That commitment results from the individual dealings between physician and patient, as acknowledged by s. 23 of the HSIA.

[33] This was not a contract to supply medical "services to a public body". Section 20(4)(f) does not apply. The standard of review for errors of law is correctness. With respect, the chambers judge erred in law by ruling that s. 20(4)(f) deemed this disclosure not to be an unreasonable invasion of the physicians' privacy.

Rebuttal of Presumption - s. 20(2)

[34] Ms. Redden's factum acknowledges that, if s. 20(4)(f) does not apply, then s. 20(3)(f) does apply. The requested disclosure involves personal information describing physicians' "income". Section 20(3)(f) presumes this to be an unreasonable invasion of the physicians' privacy, unless rebutted under s. 20(2). I will turn to s. 20(2).

[35] The chambers judge did not consider s. 20(2). There is no issue of appellate deference on that topic.

[36] In Dickie, this court considered the approach to the rebuttal of the presumption. Justice Cromwell stated:

55 However, the judge's balancing of the factors was incorrect because of the error in failing to find the disputed information was personal information related to employment history. In the case of personal information related to employment history, the Act presumes that the balance is in favour of privacy because it presumes that disclosure of personal information relating to employment history is an unreasonable invasion of personal privacy. The judge held, in effect, that the citizen's right to know trumps a third party employee's right to privacy, saying that if an employee "... apparently or actually misuses the power vested in that employee as a consequence of employment, an aggrieved citizen has a right to be adequately advised of the nature and the results of an investigation into the allegation of wrongdoing.." I think the judge erred in reaching this conclusion when the explicit presumption of the Act is the opposite. The error was not in failing to do the balancing but in failing to start the balancing with the presumption in favour of privacy of this type of information.

     The s. 20(2) analysis is a balancing exercise, but not from a level scale. It begins with the weighted presumption under s. 20(3)(f) that the disclosure would unreasonably invade the physicians' privacy. The question is whether the circumstances cited in s. 20(2) overcome this presumption. The proponent of rebuttal must define and establish her proposition.

     [37]Section 20(2) is quoted earlier (¶ 11). In the circumstances here, there is nothing in ¶ 20(2)(c) through (h) to support the rebuttal of the presumption that disclosure would unreasonably invade the physicians' privacy. The questions are whether the presumption is rebutted by a consideration of "all the relevant circumstances" in the prefix, whether the disclosure would better subject government to public scrutiny under s. 20(2)(a) and whether the disclosure would promote public health under s. 20(2)(b).

     [38]Ms. Errington's affidavit says that the requested information is public in British Columbia and Manitoba, and that in Nova Scotia incomes of civil servants, teachers and professors are publicized. Her affidavit says that the Nova Scotia government spends over half a billion dollars per annum for medical payments and grants. Ms. Redden's factum repeats these submissions. Nothing in the evidence or Ms. Redden's factum focuses on the listed factors in s. 20(2). The Province's factum does cite s. 20(2)(a).

     [39]Physicians' billing data is publicized in British Columbia and Manitoba under specific statutory provisions that do not exist in Nova Scotia: Financial Information Act, R.S.B.C. 1996, c. 140 and Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165, s. 22(4)(g); Public Sector Compensation Disclosure Act, C.C.S.M. 1996, c. P265, s. 5. In Nova Scotia, the disclosure of incomes of teachers, civil servants and professors does not involve the issues under s. 20 that determine the outcome of Ms. Redden's request for the physicians' billings.

     [40]The Province spends over half a billion dollars annually on medical services. If the question was simply "Should there be disclosure of how the government spends over half a billion dollars per annum?" I would agree. Disclosure would promote public scrutiny of the spending activities of the government in the field of public health. This would engage s. 20(2)(a) and (b). But that is not the question. DNS does not object to the disclosure of the requested information, provided only that the names of individual physicians are deleted (or replaced with numbers). Disclosure of global funding, or categories of funding, or details (other than names) of funding for physicians' insured services is not contested. The only question is whether the names of individual physicians should be included (or replaced by numbers). If the names were deleted, the billings data, to the extent that the information would not then relate to an identifiable individual, would not be "personal information" and s. 20 would not bar disclosure.

     [41]The evidence contains nothing to support the conclusion that the disclosure of the names of individual physicians would better subject the government to public scrutiny or improve public health.

     [42]At the hearing of this appeal, counsel for Ms. Redden referred to passages in the transcript of his submissions to the chambers judge. Counsel said to the chambers judge, "I'm not going to give evidence", but then described "hypotheticals". An example is a hypothetical municipality that considers whether to levy a tax to replace a physician or entice a physician to locate in the community. The physician's income would be relevant to the policy choice of the municipal council - to calculate the level of the special tax. Counsel concluded by saying to the chambers judge: "I make no claims about how close these are to actual fact situations in Nova Scotia."

     [43]Counsel may hypothesize how the name of a physician might connect to a government decision. But there is no support in the evidence for this speculation. Free-wheeling conjecture does not establish a proposition to rebut the statutory presumption. In my view, the consideration of the circumstances under s. 20(2) here does not rebut the presumption under s. 20(3)(f) that the disclosure would unreasonably invade the physicians' privacy.

Conclusion

     [44]The disclosure of the names of individual physicians would be an unreasonable invasion of the physician's privacy. By s. 20(1), the names of individual physicians should not be disclosed, and I would allow the appeal in that respect. The parties should bear their own costs.
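The court's closing qualifier in paragraph 40, that the billings stop being "personal information" once names are deleted or replaced with numbers only "to the extent that the information would not then relate to an identifiable individual", is the standard de-identification caveat: a number in place of a name is pseudonymization, and a record can still single someone out through what is left in it. The following is an added example, not part of the decision or of this blog post, showing the two halves of that caveat in code: names are replaced with stable numbers derived by a keyed hash (so the published numbers cannot be recomputed from the public roster of physicians), and rows whose remaining attributes are shared by fewer than a threshold number of physicians are withheld from the individual-level release. The sample rows, the column names, the key value and the threshold of three are all constructed assumptions for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample rows standing in for the fee-for-service billing
# records the judgment discusses. Names, specialties, communities and
# amounts are invented; the column names are assumptions for this example.
BILLINGS = [
    {"physician": "Dr. A. Example", "specialty": "family medicine",
     "community": "Halifax", "billed": 310500},
    {"physician": "Dr. B. Example", "specialty": "family medicine",
     "community": "Halifax", "billed": 287200},
    {"physician": "Dr. C. Example", "specialty": "family medicine",
     "community": "Halifax", "billed": 298900},
    {"physician": "Dr. D. Example", "specialty": "neurosurgery",
     "community": "Yarmouth", "billed": 642000},
]

# Secret held by the releasing body and never published with the data.
# Assumed value for the example; in practice generate it with os.urandom(32).
PSEUDONYM_KEY = b"example-key-not-for-real-use"

# Columns that remain after the name is removed and could still narrow a
# row down to one person (assumed for the example).
QUASI_IDENTIFIERS = ("specialty", "community")


def pseudonym(name, key=PSEUDONYM_KEY):
    """Replace a physician's name with a stable number.

    An HMAC over the name is used rather than a plain hash: the roster of
    licensed physicians is public, so an unkeyed SHA-256 of each name could
    be recomputed by anyone and the numbers mapped straight back to names.
    With the key kept secret the number is stable across releases but
    cannot be derived from the name by a reader of the data.
    """
    digest = hmac.new(key, name.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:6], "big")  # 48-bit number


def pseudonymize(rows, key=PSEUDONYM_KEY):
    """Return copies of the rows with the name column replaced by a number."""
    out = []
    for row in rows:
        stripped = {k: v for k, v in row.items() if k != "physician"}
        stripped["physician_id"] = pseudonym(row["physician"], key)
        out.append(stripped)
    return out


def small_groups(rows, quasi_identifiers=QUASI_IDENTIFIERS, k=3):
    """Combinations of remaining attributes shared by fewer than k rows.

    Deleting the name only stops a record relating to an identifiable
    individual if nothing left in the row singles that person out. The sole
    neurosurgeon in a small community is identifiable to anyone who knows
    the community, name or no name.
    """
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}


def prepare_release(rows, key=PSEUDONYM_KEY,
                    quasi_identifiers=QUASI_IDENTIFIERS, k=3):
    """Pseudonymize, then withhold rows that would still single someone out.

    Returns (released, withheld). Withheld rows can still feed the category
    and global totals, which the judgment notes were never in dispute.
    """
    small = small_groups(rows, quasi_identifiers, k)
    released, withheld = [], []
    for row in pseudonymize(rows, key):
        combo = tuple(row[q] for q in quasi_identifiers)
        (withheld if combo in small else released).append(row)
    return released, withheld


if __name__ == "__main__":
    released, withheld = prepare_release(BILLINGS)
    for row in released:
        print(row)
    print("withheld because still identifying:", len(withheld))
```

Run as a script, the block releases the three Halifax family-medicine rows under numeric IDs and withholds the single Yarmouth neurosurgery row. The threshold of three is arbitrary here; the point is that the check on the remaining columns has to be made at all, since the court's conclusion that name-free data is not "personal information" is explicitly conditional on it.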

Wednesday, May 17, 2006

Use big words 

A friend sent me this earlier today and I thought I'd pass it along:

Canadian privacy leaders speak out about privacy and digital rights management 

Some of the biggest names in privacy in Canada have joined together to lobby the new Conservative government about potential privacy effects of legislative changes enshrining digital rights management in Canadian copyright law. The new group (IntellectualPrivacy.ca) has sent a letter and a background paper to Culture minister Maxime Bernier asking that privacy issues be carefully considered before embarking on changes to copyright laws that could have a significant privacy impact upon Canadians. The privacy commissioners of Canada, Ontario and British Columbia have also each sent separate letters to the Minister on the topic.

In short, the group is seeking assurances from the government that:

  • any proposed copyright reforms will prioritize privacy protection by including a full privacy consultation and a full privacy impact assessment with the introduction of any copyright reform bill;
  • any proposed anti-circumvention provisions will create no negative privacy impact; and
  • any proposed copyright reforms will include pro-active privacy protections that, for example, enshrine the rights of Canadians to access and enjoy copyright works anonymously and in private.

Telcos deny giving customer calling info to NSA 

In the fallout of the most recent privacy scandal (The Canadian Privacy Law Blog: NSA collection of info on ordinary Americans wider than originally suspected), Verizon and BellSouth are denying having given calling information to the National Security Agency in the first place. (See: NPR : Phone Companies Distance Themselves from NSA.) Another major carrier, Qwest, got some publicity for saying that it was asked by the NSA but refused. (See: Qwest Goes From the Goat to the Hero - New York Times.) There's nothing I can find in a quick search of the conventional media or in the blogosphere suggesting that AT&T has issued any statement one way or the other.

Tuesday, May 16, 2006

Texas AG sues to prevent unfettered sale of bankrupt company's customer data 

(Update 20060516) Here's an interesting lesson about assuming that RSS feeds are recent: The story below that I posted about earlier today is actually six years old. It was originally published in October 2000. Thanks to the reader who e-mailed to point that out! (I thought it was oddly familiar ...)

The Attorney General of Texas has stepped in to try to limit the resale of defunct Living.com's customer data as part of a bankruptcy sale. According to Computer World, the AG has filed a lawsuit against the company's bankruptcy trustee to require the destruction of sensitive financial customer information (credit card data, social security numbers, etc) and a requirement that the customers in question be given a chance to opt out before their remaining data is transferred. See: Texas Attorney General Sues to Stop Living.com Data Sale.

Proposed amendments to Alberta's access law slammed 

Critics are urging citizens to call and e-mail legislators about proposed amendments to Alberta's access to information law that will keep certain government information unreachable for a longer period of time:

The Calgary Sun - Canada's 'private' province slammed:

New secrecy laws irk Alberta critics

By DARCY HENTON, LEGISLATURE BUREAU

EDMONTON -- Critics say the most secretive government in Canada is about to get even worse with new legislation it hopes to ram through the House this week.

They say Alberta's Freedom of Information and Privacy law is already so restrictive that even government MLAs have joked FOIP actually stands for (expletives deleted) It's Private.

Liberal Government Services critic Mo Elsalhy says new amendments to exclude ministerial briefing notes from being accessed for five years would have prevented the uncovering of the AdScam scandal.

'Everyone is talking about openness and transparency. This government is going in the opposite direction.

'They're adding more layers of secrecy to a government that's already too secretive.'

The FOIP amendments also will delay access to documents from the government's chief internal auditor for 15 years and include other measures to delay the release of information, Elsalhy said....

Here's some coverage from the Canadian Press (via Yahoo!):

Alberta government forcing through changes on contentious info law - Yahoo! Canada News:

EDMONTON (CP) - Alberta's freedom of information law, once described by a journalism group as the most secretive in Canada, is about to get even more restrictive.

The Conservative government is pushing through changes this week to Alberta's Freedom of Information and Protection of Privacy Act to put a five-year blackout on briefing documents and other records that show how Premier Ralph Klein ran the province for more than a dozen years. "This Conservative government seems hell bent to ram through legislation this week to make Canada's most secretive government even more tight-lipped," Liberal Leader Kevin Taft said Monday in the legislature.

Taft accused the Tories of putting the interests of two dozen cabinet ministers ahead of three million Alberta residents.

But Klein said the Liberals are complaining because they won't be able to make political hay with cabinet briefing documents.

"There is no way that the opposition is going to get this briefing book," Klein, waving his notes in the air, told the legislature.

"They will use it for purely political purposes."

Klein's Conservatives are using their majority to limit further debate on Bill 20 as the spring sitting of the legislature winds down this week.

Klein has said cabinet briefings are sometimes brutally frank and sharing this anytime soon with the public might be embarrassing for his staff and other bureaucrats.

"There are some sensitive pieces of information that were put together by the administration," Klein told the assembly.

...

"Noxious! That's the word used by a top expert in government secrecy when asked to describe this government's Bill 20," said Taft, who was referring to Alasdair Roberts, a Canadian author and professor teaching at Syracuse University in New York state.

Frank Work, Alberta's information commissioner, has also criticized Bill 20, saying the restrictions are unnecessary, since most cabinet documents are already kept confidential for an infinite period.

...

Raj Pannu, information critic for the NDP, said Klein is trying to cover his tracks before retiring later this year.

Pannu said people need to remember that Tory leadership contender Lyle Oberg was fired from cabinet recently after saying he knew about the "skeletons" in the government's past.

"There are lots of skeletons in the closet for this government and they want to keep them in the closet for as long as they can," Pannu said Monday in an interview.

...

Doctors' billings in Nova Scotia are private information under FOIPOP 

On Friday, the Nova Scotia Court of Appeal ruled that individual billings by physicians in the province should not be disclosed under the Freedom of Information and Protection of Privacy Act. The decision isn't online yet at www.courts.ns.ca or www.canlii.org, but I'll post a link when it's up.

In the meantime, here's some coverage from the Halifax Chronicle Herald:

The ChronicleHerald.ca:

Court keeps doctors’ payments secret

By JENNIFER STEWART Staff Reporter

Nova Scotia doctors will not be required to disclose to government their fees for services rendered, the Nova Scotia Court of Appeal ruled Friday.

In April, members of Doctors Nova Scotia appealed an earlier Supreme Court of Nova Scotia decision that ordered all physicians in the province to hand over any MSI fee-for-service billing records, with their names attached.

Joanna Redden of the NDP made the request in July 2004, claiming the information was pertinent to helping solve the province’s health-care crisis.

The doctors had no problem providing the financial information but said the inclusion of the physicians’ names was a gross invasion of privacy.

Justices Joel Fichaud, Thomas Cromwell and Linda Oland, who heard the appeal on April 5, agreed.

"The disclosure of the names of individual physicians would be an unreasonable invasion of the physician’s privacy," the decision says.

...

Questions to ask about smartcards 

The Victoria (Australia) Privacy Commissioner has published a handy checklist of questions to ask about smartcards. Thanks to Open and Shut for the link.

Monday, May 15, 2006

Incident: Laptop with info on 48,000 customers stolen from Mercantile Potomac Bank 

PEI "at a crossroads" on privacy and access 

It was reported last week that the Information and Privacy Commissioner of Prince Edward Island has temporarily taken leave due to stress. (See: CBC Prince Edward Island - Privacy commissioner takes sick leave and CBC Prince Edward Island - Minister surprised by overwork complaint) I didn't blog about it, principally because her health is her own business and shouldn't be the topic of public discussion. However, it has caused some discussion of real public interest on the role of the Information and Privacy Commissioner in that province and, particularly, the resources that should be devoted to the function.

Currently, the province's Commissioner is a part-time position, at 22.5 hours a week and with part-time administrative support. Her annual report, filed at the beginning of the month, outlines the backlog that her office is having to deal with.

Now today's Guardian has an editorial on the situation:

The Guardian: Province at crossroads on information

Either put more resources into the info commissioner’s office or tell the public to expect longer waits for information.

By The Guardian

Based on the recent report of P.E.I.’s information and privacy commissioner, government has two choices. It can lighten the demand on the office so that the current staff can handle it, or it can beef up resources so it can meet the targets set out in legislation.

If government has a genuine appreciation of the role of this newly created office, it should do the latter.

In her report to the legislature presented last week by Speaker Greg Deighan, Rebecca Wellner, part-time information and privacy commissioner, urged government to make the position of commissioner and her assistant full-time and increase their financial resources.

Why? The report identifies a growing backlog of incomplete files. In spite of the law requiring the office to process cases within 90 days of the date of filing, only three of 27 files that resulted in orders from the commissioner from 2003-2004 were dealt within the allotted time.

It appears the office is swamped with work and lacks the resources it needs to respond. If that’s the case, it’s unfair to the staff trying to get the job done, unfair to the parties who’ve filed requests with the office expecting they’ll get timely results, and it’s unfair to taxpayers who are paying for the service.

P.E.I. was one of the few provinces without access to information legislation until a few years ago when government finally adopted it. Suffice to say, it’s been a work in progress. Some of those who’ve used it say it’s costly and cumbersome, although these are seen as common problems that must simply be worked out.

In an era where voters are demanding more openness and accountability from their governments, this legislation is seen as a necessary tool to access public documents and information. It’s obvious that when the P.E.I. government created the office of the information and privacy commissioner, it attempted to ensure reasonable accessibility. Why else would it have put into law the requirement that cases be processed within 90 days?

However, the current staffing of the office doesn’t appear to be adequate to allow for this. Government must either revise the legislation and provide a longer period for case completion or address the staff inadequacies.

If government doesn’t want to render the office ineffective — and we assume that to be the case — it should follow Ms. Wellner’s recommendation and make the position of commissioner and her assistant full time. It’s the price we have to pay to ensure that our information and privacy legislation remains active and effective for Islanders.

Sunday, May 14, 2006

UK cable service to feed CCTV of public spaces to viewers' TVs 

A TV service provider in London has rolled out a pilot project in which feeds from hundreds of "crime fighting" CCTV cameras are being rebroadcast for in-home viewing:

Telegraph | News | CCTV channel beamed to your home:

Shoreditch TV is an experiment in beaming live footage from the street into people's homes and promises to be every bit as fascinating as the courtship rituals of Celebrity Big Brother contestants Chantelle and Preston.

Viewers can watch the dog walkers on the street below, monitor the appearance of new graffiti and keep an eye on the local pub.

This summer 22,000 Londoners will be tuning in and homes across Britain are getting their own version next year. But despite being a curtain-twitcher's paradise, the channel is about 'fighting crime from the sofa', not entertainment.

In return for a package that includes footage from 12 security cameras, a police advice channel and an array of standard cable fare, the residents of Haberdasher Estate are expected to shop any yobs that they catch on camera.

Check out, also, the Slashdot discussion: Slashdot | London 2006, Meet London 1984.

Finding: Providing access to health information via individual's physician 

In this recent complaint to the Privacy Commissioner, an individual objected to an insurance company's policy of providing access to medical information by giving it to the individual's physician, who would then provide the information to the individual. This practice is contemplated by Principle 4.9 in Schedule I to PIPEDA. The Commissioner found that the insurance company had not violated its obligations under PIPEDA in providing access in this manner.

See: Commissioner's Findings - PIPEDA Case Summary #322: Provision of medical information through physician challenged (December 22, 2005).

Finding: "Do not solicit" means "do not solicit" 

In this recent finding, the Commissioner dealt with a complaint by a bank customer who had contacted his bank asking not to be marketed to but subsequently was contacted a number of times by his branch about products and services.

The bank informed the Commissioner that there are two circumstances where the customer may be contacted notwithstanding a "do not solicit" flag on his or her file: (a) in-branch generated sales leads and (b) leads developed by data mining but taking advantage of service-related communication opportunities such as GIC and mortgage renewals.

The Commissioner considered that the bank had not followed the consent principle 4.3 and determined the complaint to be well-founded and resolved.

See: Commissioner's Findings - PIPEDA Case Summary #323: Bank's assumptions about consent to marketing challenged (December 22, 2005).

Finding: Complainant objects to providing two pieces of ID to get own credit report 

In this just-released finding, an individual complained that a credit bureau required that the individual provide two pieces of identification before providing him a copy of his credit report. The Commissioner consulted with another credit bureau and found that their policy was the same.

In this case, the Commissioner relied on principle 4.9.2, in which an organization can require additional information in order to fulfil an access request. The complaint was not well founded as the credit bureau has to authenticate an individual's identity before handing over this sensitive information. (As an aside: I expect they'd be risking a complaint about inadequate security if they did not do so.)

Read the finding here: Commissioner's Findings - PIPEDA Case Summary #324: Consumer complains about requirement to provide identification in order to obtain credit report (January 9, 2006)

Finding: Personal information practices considered in sale of dental practice 

One of the most commonly identified "defects" with PIPEDA is that it does not contemplate and efficiently handle the disclosure of personal information in connection with the sale of a business, including pre-sale due diligence. This complaint dealt with the sale of a dentist's practice before the Ontario health information privacy law came into effect and was declared to be "substantially similar" to PIPEDA.

In this particular case, the complainant was given a "consent form" that contemplated that patient records may be disclosed in connection with the sale of the dental practice. It is not clear what the form actually said and whether it purported to obtain patients' consent. (Again, we have a situation where the lack of full detail in the summarized finding makes it very difficult to pull out best practices for the future.)

The Commissioner determined that the disclosure of certain patient records in connection with pre-purchase due diligence in this case was not contrary to PIPEDA. She reasoned:

  • Although the Personal Information Protection and Electronic Documents Act (PIPEDA) does not specifically contemplate any such collection, use or disclosure of personal information as described in the consent form, she noted that it was likely that a reasonable person would consider it appropriate for a dental office to disclose patient personal information to prospective buyers in order for the buyer to evaluate the practice, as per subsection 5(3).
  • The Commissioner also noted that dentists are subject to numerous regulations concerning privacy. Indeed, several regulations, policies, procedures, and laws apply to the disclosure of information: for example, Health Disciplines and Dentistry Acts, confidentiality agreements, and policies concerning personal information.
  • She stated that the Act also requires that personal information be safeguarded, and confidentiality agreements would meet such a requirement.
  • Given the above, the Commissioner was satisfied that the purpose, as described in the consent form, was an appropriate one.

Does this mean that a company that is not "subject to numerous regulations concerning privacy" can't disclose customer information as part of the sale process? I don't know.

Read the full finding here: Commissioner's Findings - PIPEDA Case Summary #325: Personal information practices considered in sale of dental practice (January 18, 2006)

Finding: Credit bureau required to set retention limit for positive information 

In a finding by the Office of the Privacy Commissioner released on Friday, two individuals complained that a credit bureau was keeping positive credit information on file for too long. Retention of negative information is limited by provincial law, but there was no self-imposed retention period for favourable information. During the course of the investigation, the bureau decided on twenty years and also decided to give individuals the right to have it removed before then. The Commissioner therefore considered the complaint to be resolved.

See: Commissioner's Findings - PIPEDA Case Summary #326: Credit bureau sets retention period for positive information (January 18, 2006).

Saturday, May 13, 2006

TorStar consumer columnist focuses on three privacy complaints 

The consumer columnist in the Toronto Star, Ellen Roseman, is focusing on three privacy-related complaints. See: TheStar.com - Playing fast and loose with privacy. Thanks to Pogo Was Right for the link.

War Amps reaches compromise agreement for key tag program in Alberta 

Most Canadians are familiar with the War Amps key tag program. This amazing organization, whose chief purpose is to assist amputees in Canada, creates numbered key tags in a sheltered workshop and sends them to Canadians. If you put the tag on your keychain and your keys are lost, they'll find their way back to you if the finder drops them in a mailbox or calls the toll free number printed on the tag. One way that the organization has obtained names and addresses is through agreements with the provinces. Recently, they've encountered problems with the province of Alberta, where the Freedom of Information and Protection of Privacy Act limits the province's ability to disclose personal information to third parties. The Calgary Sun is reporting that the War Amps and the province have reached a deal that is a real compromise: all Albertans will be asked if they consent to the disclosure of their personal information when they renew their drivers' licenses. The War Amps is concerned that not all will consent and that it'll increase their costs. See: The Calgary Sun - Privacy form key to deal.

Friday, May 12, 2006

Nova Scotia's Personal Information International Disclosure Protection Act to die on the order paper 

More on LSAT fingerprinting 

Philippa Lawson of the Canadian Internet Policy and Public Interest Clinic has a thing or two to say about the practice of taking thumbprints from LSAT test-takers:

blog*on*nymity - blogging On the Identity Trail: Mandatory thumbprinting for the LSAT: an appropriate use of biometrics?:

...In any case, LSAC must still explain why other, less intrusive identification methods (such as the presentation of photo ID) are inadequate for the purpose of deterring fraud. Perhaps it is necessary to collect and store individual identifiers for some time after the test is administered, in order to be able to authenticate identities after the fact, in response to allegations of fraud. If so, are non-digitized thumbprints the least intrusive method? ...

For some additional background, see: The Canadian Privacy Law Blog: Complaint about LSAT fingerprinting

FTC settles with mortgage company for dumping customer applications 

The US Federal Trade Commission has just settled a case with Nations Title Agency and its parent company, Nations Holding Company, for dumping customers' loan applications in dumpsters instead of properly disposing of them. There does not appear to be a fine involved. See:

Feds Ding Data 'Dumpster'

The Kansas City-based NHC settled with the FTC Wednesday, agreeing to not misrepresent the extent of its data protection safeguards. The company also agreed to establish and maintain a comprehensive information security program subject to third-party audits for the next 20 years.

Thursday, May 11, 2006

Cape Cod school runs criminal records checks on prom dates 

Sorry folks, I don't make this stuff up ...

A school board on Cape Cod in Massachusetts has caused a minor kerfuffle by requiring students to fill out a form on their intended prom dates so that the school board can run a criminal records check on them. Tonya Dockray is a little peeved that her boyfriend's old pot bust means she'll be flying solo at the prom. Check it out: School Bans Some Dates From Senior Prom - Yahoo! News.

Update (20060513): Apparently the school authorities have backed off: BostonHerald.com - Local / Regional News: Prom-ising ending: School backs off ban on dates amid probe.

NSA collection of info on ordinary Americans wider than originally suspected 

USA Today is reporting that the US National Security Agency, which has already been linked to warrantless wiretaps, has been collecting data on virtually all phone calls made in the United States of America since the end of 2001. The data for this mammoth collection effort was provided by AT&T, Verizon and BellSouth. While the contents of the calls are not reported to have been collected, the effort was focused on analyzing calling patterns to ferret out terrorists.

From USA Today:

NSA has massive database of Americans' phone calls - Yahoo! News

The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY.

The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans - most of whom aren't suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews.

"It's the largest database ever assembled in the world," said one person, who, like the others who agreed to talk about the NSA's activities, declined to be identified by name or affiliation. The agency's goal is "to create a database of every call ever made" within the nation's borders, this person added.

For the customers of these companies, it means that the government has detailed records of calls they made - across town or across the country - to family members, co-workers, business contacts and others.

The three telecommunications companies are working under contract with the NSA, which launched the program in 2001 shortly after the Sept. 11 terrorist attacks, the sources said. The program is aimed at identifying and tracking suspected terrorists, they said.

The sources would talk only under a guarantee of anonymity because the NSA program is secret. ...

Pawnbroker vows to fight Edmonton bylaw requiring handing over customer information 

An Edmonton pawnbroker says he will not back down from his fight against a new bylaw that requires vendors of second-hand goods to transmit personal information on customers to a central database. He has complained to the Alberta Privacy Commissioner and expects a public hearing in due course. See: edmontonsun.com - Edmonton News - Pawnbroker won't quit privacy fight.

This isn't a new fight. I've blogged about similar bylaws here before:

Wednesday, May 10, 2006

Incident: BC Cancer agency sends mammogram results to wrong women 

Thanks to a regular Vancouver correspondent for passing this along ...

The British Columbia CTV news is reporting that the BC Cancer Agency accidentally sent 977 sets of mammogram results to the wrong addresses. It was caused by "operator error" in using a letter stuffing machine. The agency sent letters to the 977, informing them of the error. This story only came to the media's attention because CTV's health correspondent was one of the unlucky recipients.

The only coverage I can find is from the CTV's news broadcast: video here (scroll to 15:14). There's nothing on the Cancer Agency website.

Tuesday, May 09, 2006

Privacy and pilfering one's own medical record 

Today's New York Times has an interesting essay that describes how a woman reviewed her own medical file and secretly removed all references to the fact that she has a family history of Huntington's disease. She did so out of fear that the information, in the hands of insurance companies, might prejudice her children and their ability to get coverage.

It's an interesting illustration that not only are some patients not being forthright with their physicians out of fear where their information may end up, but some will take more drastic action. Both can have a serious impact upon the health care they receive. See: The Quest for Privacy Can Make Us Thieves - New York Times.

Monday, May 08, 2006

Bill 16: The Personal Information International Disclosure Protection Act (Nova Scotia) 

Bill 16, the proposed Personal Information International Disclosure Protection Act (Nova Scotia) was introduced in the Nova Scotia legislature last week, but the full text hasn't appeared yet on the legislature's website. For those who are too impatient to wait, here is a pdf copy of Bill 16: http://www.privacylawyer.ca/Bill_16_PIIDPA.pdf. I tried to OCR it for posting the text, but the quality of the fax isn't that great.

Update (20060508): The text of the bill is now online at the official Nova Scotia government legislature site here.

Geist on the Heinz decision 

Michael Geist's latest Law Bytes article in the Toronto Star addresses the recent Heinz decision from the Supreme Court of Canada (see: The Canadian Privacy Law Blog: New Supreme Court of Canada decision considers privacy aspects of Access to Information Act review procedure). Here's an extract:

TheStar.com - Supreme court tips its hand on privacy:

"A divided court ultimately sided with the company by ruling that privacy considerations were too important to be left out. The majority of the judges feared that once the personal information was disclosed, the only recourse would be to launch a complaint with the Privacy Commissioner of Canada. That option was viewed as insufficient, with the court candidly concluding that 'the Privacy Commissioner and the Information Commissioner are of little help because, with no power to make binding orders, they have no teeth.'

Indeed, the court had little confidence in the complaints mechanism, which it viewed as inadequate because 'the Privacy Commissioner has no authority to issue decisions binding on the government institution or the party contesting the disclosure. Nor does the Commissioner have an injunctive power which would allow it to stay the disclosure of information pending the outcome of an investigation.'

In other words, the current framework simply does not provide adequate privacy protection.

Given the importance of privacy -- the majority characterized the Privacy Act as 'quasi-constitutional' because of the role privacy plays in the preservation of a free and democratic society -- the court was unwilling to allow for a potential privacy breach with little prospect for subsequent protection."

Sunday, May 07, 2006

Happy Anniversary, Thoughts from a Management Lawyer 

Michael Fitzgibbon at Thoughts from a Management Lawyer just posted that his blog's third birthday recently passed by. (Thoughts from a Management Lawyer: Another Day, Another Blog Anniversary) Happy anniversary, Mike!

One of the great, but unanticipated, benefits of starting my own blog has been the chance to get to know Mike and, more recently, meet him in person.

All the best for the next three (and more) years ...

Canadian immigration authorities begin "low key" biometrics trial 

Canadian immigration authorities are starting a "low key" biometrics trial in a number of centres, including a handful of border crossings in British Columbia and Ontario.

The fact of the trial is interesting enough, but the polling and spin plan referred to in the following article is also very interesting:

Biometric screening program planned

The controversial technology would be used on immigrants and refugees

Peter O'Neil

Vancouver Sun

Saturday, May 06, 2006

OTTAWA -- The Conservative government, concerned about negative media coverage and public concerns over privacy issues, is taking a "low-key" approach to its plans to launch a six-month trial later this year of controversial biometrics screening technology at key entry points for immigrants and refugees, according to internal documents.

The $3.5-million trial program will take place at two Canada-U.S. border stations in B.C., Vancouver International Airport, a refugee processing centre in Etobicoke, Ont., and visa offices in Seattle and Hong Kong.

...

The trial marks one of the government's first moves into the controversial use of biometrics -- the use of physical characteristics such as DNA or face, iris or fingerprint scans -- to confirm identity documents.

Privacy Commissioner Jennifer Stoddart has raised questions about biometrics in the context of broader post 9/11 concerns about how the personal information of Canadians can be distributed, often without their knowledge, to governments, corporations and even U.S. security agencies through the powerful and intrusive Patriot Act.

Polls show that numerous Canadians don't trust the technology, fear who may have access to it, and view their physical characteristics as "extremely personal," said Florence Nguyen, a media spokeswoman at Stoddart's office.

"They're very concerned."

CIC officials consulted Stoddart's office on the trial program, which was first funded by the former Liberal government in 2003. Nguyen said privacy officials proposed changes to improve privacy protection, and will await results on the trial program before passing final judgment.

A March 15, 2006 slide presentation to Solberg described the trial as a "sensitive issue."

It noted that an internal poll found that more than 70 per cent of Canadians support biometrics for use in passports and at borders, but that the polling also indicates "mixed opinions" and added that "security still surpasses privacy concerns but is weakening."

The presentation, noting that media coverage of biometrics has been "negative" due to privacy concerns, argues against strongly publicizing the initiative.

"Communications strategy takes this into consideration, proposing a low-key approach and news release upon launch of the trial," states the plan, obtained by Ottawa researcher Ken Rubin through the Access to Information Act.

Charette's March 15 partly-censored briefing note predicts a strong reaction from media and non-governmental organizations to the trial and says "communications strategy will include the preparation of 'media lines' for Solberg and a 'broad communications strategy on the field trial.'"

The third component of the media strategy is also whited out, although Access to Information officials at Citizenship and Immigration Canada refused to disclose in the document which specific section of the legislation was used to justify the exclusions.

There are indications CIC is following through on the plan to lay low about the trial.

CIC published a brief notice of the trial on its website last month announcing the trial, identifying Unisys Canada Inc. as the company that has won the contract to supply the biometrics technology. However, no formal news release was issued, and CIC spokeswoman Sheila Watson said the department can't explain why it issued a notice rather than a press release, and couldn't explain whether the two forms of communication have different distribution networks to the media and other organizations.

...

Saturday, May 06, 2006

Incident: Idaho utility hard drives -- and data -- turn up on eBay 

If you have a friend, acquaintance, colleague, contact, chum, pal, neighbour or customer who is involved in decommissioning any (ANY!) information technology assets, please tell him or her that the surest route to the unemployment queue is to dispose of any media containing business or personal information without securely wiping the contents. The latest example of this is from ComputerWorld (Idaho utility hard drives -- and data -- turn up on eBay), but it is just one of hundreds of similar incidents. I would have thought that the word would have gotten out by now, but I guess some people just don't read the news. If I were to buy a used hard drive on eBay, the first thing I'd do is run an unerase program just to see what's there. Hundreds of other people would do it and either (i) call the media or (ii) rip off your customers. It doesn't have to be that way. Just don't let it happen.

Nova Scotia introduces amendments to thwart USA Patriot Act 

Yesterday, on the second day of the spring sitting of the provincial legislature, Nova Scotia's Justice Minister, Murray Scott, tabled Bill No. 16, An Act to Protect the Personal Information of Nova Scotians from Disclosure Outside Canada (Hon. Murray Scott); the full text is not yet available online. It will amend the Freedom of Information and Protection of Privacy Act to address the perceived threat to privacy posed by the USA Patriot Act if the processing or storage of personal information is outsourced by Nova Scotia public bodies to companies operating in the US (or US companies operating in Canada).

The appearance of the bill was foreshadowed by consultations among public bodies and IT service providers (see: The Canadian Privacy Law Blog: Nova Scotia consultations on Patriot Act amendments to FOIPOP).

Here's the press release from the Nova Scotia government:

News Release: Department of Justice:

"New Legislation to Protect Privacy

Department of Justice

May 5, 2006 11:15

New provincial legislation will better ensure that Nova Scotians' personal information is not disclosed under the U.S. Patriot Act.

The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.

"We know that American security legislation has led to concerns about the ability to access personal information of Nova Scotians held outside Canada," said Murray Scott, Minister of Justice. "This legislation clearly outlines the responsibilities of public bodies, municipalities and technology service providers, and the consequences if they are not fulfilled."

The act provides protection regarding storage, disclosure and access to personal information outside of Canada in the custody or under the control of a public body or municipality.

Under the act, the minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. It also requires that service providers storing information only collect and use personal information necessary for their work for a public body or municipality.

The act also addresses "whistleblower" protection for employees of external service providers to ensure they are protected if they report an offense under the act. Whistleblower protection for Nova Scotia government staff already exists under the Civil Service Act.

"In order for these measures to be successful, staff must be sure they will be protected if they come forward to report wrongdoing under this act," said Mr. Scott.

Penalties under the act include up to $2,000 per government employee for malicious disclosure by employees of public bodies and municipalities. The act also creates offences for service providers, with penalties of up to $2,000 for employees and $500,000 for companies.

Offences relate to the improper storage, collection, use, or disclosure, failure to notify the minister of Justice of foreign disclosure demands, and improper discipline or termination of employees.

"We are putting in place serious and significant penalties to protect the privacy of Nova Scotians," said Mr. Scott.

The minister also announced that the Wills Act is being amended. Updates will bring it more in line with other Canadian jurisdictions. The amendments respond to recommendations of the Law Reform Commission and will make it easier for people to ensure their final wishes are fulfilled by clarifying the effect divorces have on wills and the distribution of property in Nova Scotia under wills made outside the province. It will also permit handwritten wills.

The province is also introducing a number of housekeeping amendments under the Justice Administration Act.


FOR BROADCAST USE:

Justice Minister Murray Scott has introduced new provincial legislation that will help ensure Nova Scotians' personal information is not at risk from activities under the U.S. Patriot Act.

The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.

The act provides protection regarding storage, disclosure and access to personal information in the custody or under the control of a public body or municipality.

-30-

I'll definitely have more to say about this once I've had a chance to review Bill 16 in some detail.

Noncommercial spam and PIPEDA 

Alec Saunders, at saunderslog.com, is a little upset about receiving some unsolicited e-mail from the Liberal Party and Bill Graham (How to Stop the Liberal Party of Canada From Spamming You -- Alec Saunders .LOG):

Hypocrites that they are, by spamming me with Liberal propaganda, they’ve violated their own privacy policy. Their hypocrisy is further amplified by the fact that what they’ve done contradicts the Personal Information Protection and Electronic Documents Act, section 4.2.4 which states:
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.

And here, of course, is the irony. It was a Liberal Government which introduced the Personal Information Protection and Electronic Documents Act.

Whether this is a violation of PIPEDA depends upon whether that law applies at all. PIPEDA only regulates the collection, use and disclosure of personal information in the course of commercial activities (and information about employees of federal works, undertakings and businesses). This generally excludes non-profits, like political parties. Some activities are deemed to be commercial, like the sale or trade of personal information by a non-profit organization.

It's arguable that PIPEDA wouldn't apply in the case of political spam, unless one organization has traded the e-mail address with another. But if it bugs you enough, complain to the Privacy Commissioner and see if she agrees...

RFID Hacking 

Wired is running an article on RFID hackers, highlighting that it is rather easy for RFID chips to be hacked, cloned, altered or abused using a little knowledge and some off-the-shelf equipment: Wired 14.05: The RFID Hacking Underground.

Friday, May 05, 2006

Nova Scotia man charged with voyeurism 

According to the Halifax Chronicle-Herald, a Nova Scotia man is the first in the province (and perhaps the country) to be charged under Canada's recent voyeurism amendments to the Criminal Code. Gist:

The ChronicleHerald.ca

Man, 33, first to face voyeurism charge

By TOM McCOAG Amherst Bureau

AMHERST — A Cumberland County man has become the first Nova Scotian to be charged under the new voyeurism section of the Criminal Code.

Winston Charles Patriquin, 33, of Port Howe is alleged to have used a video camera to secretly tape a girl having a shower. He is also charged with one count of knowingly accessing child pornography through a computer for his own use, making child pornography and possession of child pornography.

"This is definitely the first case of (voyeurism) to be tried in the province, and we think it may be the first case in Canada," Chris Hansen, spokeswoman for the Nova Scotia Public Prosecution Service said Thursday. "We’re not exactly sure of the latter, but if it isn’t the first, it certainly is among the first charges under this newly created section to be laid in the country."

The bill that added voyeurism to the code passed last fall and increases the sentences for people convicted for possessing, making and distributing child pornography or committing an act of child molestation by "ensuring that those convicted of those crimes will serve jail time." ...

Wednesday, May 03, 2006

Q. What could a boarding pass tell an identity fraudster about you? 

The Guardian Online has a very interesting special report on identity theft, using a discarded boarding pass to track down huge troves of information on the poor guy who discarded it. It's a tale of how much information is collected and how easy it is for bad guys to get hold of it. Read on:

Guardian Unlimited | Special reports | Q. What could this boarding pass tell an identity fraudster about you? A. Way too much:

"... We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.) ..."

US wiretap scandal leads to closer look at Canada's CSE 

Recent scandal in the United States over warrantless wiretapping by the NSA under the USA Patriot Act has led to increased scrutiny of Canada's Communications Security Establishment and its actions under the Anti-terrorism Act. Gist:

CTV.ca | U.S. wiretapping scandal sparks Canadian inquiry:

OTTAWA -- Allegations of illegal eavesdropping by U.S. spies prompted pointed questions from the federal watchdog who oversees their Canadian counterparts, newly released records reveal.

Correspondence obtained by The Canadian Press shows the public controversy about U.S. National Security Agency spying on American citizens led to a series of highly classified exchanges in Ottawa.

John Adams, chief of the ultra-secret Communications Security Establishment, was forced to respond to detailed inquiries spanning two months from the office of Antonio Lamer, the former Supreme Court chief justice who, as CSE commissioner, serves as watchdog over the spy outfit.

...

But it is clear from the records, obtained under the Access to Information Act, that Lamer's office wanted to ensure the CSE, a wing of the Defence Department, wasn't contravening Canadian law by conducting excessive snooping in the fight against terrorism.

...

The CSE works closely with the signals intelligence services of allied countries, including the massive Maryland-based National Security Agency, which boasts more than 30,000 employees.

...

New Brunswick premier in privacy hot water 

The Premier of the Province of New Brunswick is in hot water and one of his senior officials has had to resign after a letter from an opposition politician concerning a constituent with an 18-month licence suspension for drunk driving was released to the media by the Premier's Press Secretary. The Press Secretary has since resigned and the Ombudsman of the province is investigating under the province's privacy legislation. (See: canadaeast.com - CP Atlantic Regional News. Hat tip to Pogo Was Right for the link.)

This sort of thing is not particularly new in New Brunswick, but you would think they'd learn. See: The Canadian Privacy Law Blog: Politics and privacy: New Brunswick MLA resigns from cabinet over alleged violation of NB's privacy laws, The Canadian Privacy Law Blog: Second New Brunswick Minister resigns over new privacy breach.

Tuesday, May 02, 2006

New RFID privacy standard and privacy-protecting RFID device, both brought to you in part by IBM 

Network World is running two interesting articles on RFIDs and privacy, both of which include reference to IBM's growing role in this field:

IBM demos RFID tag with privacy-protecting features - Network World:

"The latest to tackle the issue is IBM, which this week is expected to demonstrate its design for an RFID tag with a disabling feature that limits - but doesn't kill - a wireless chip's ability to broadcast item information.

The Clipped Tag gives consumers the option to disable RFID tags on items they purchase without eliminating the possibility that the tags could be used later to expedite product returns or recalls, says Paul Moskowitz, a research staff member at IBM's Watson Research Center in Hawthorne, N.Y. The design calls for a product label with perforations 'like a sheet of postage stamps,' he says.

After purchasing a tagged item, a consumer can tear the Clipped Tag label along the perforations to remove a portion of the tag's antenna, reducing its transmission capability. 'When you do that, you do not kill the tag completely. The chip is still there, and it has some of the antenna left. But you've just taken a tag that may have had a 30-foot range and reduced the range to just a few inches.' "

IT vendors, privacy groups release RFID standards - Network World:

"Companies using RFID tags on products should notify customers in all cases, should tell customers whether they can deactivate the tags and should build security into the technology as a primary design requirement, the group said. "

Monday, May 01, 2006

Ontario arbitrator determines that administration of employment is not "commercial activity" for the purposes of PIPEDA 

The Personal Information Protection and Electronic Documents Act is a messy, difficult to understand statute. It is not clearly drafted and lay people have a heck of a time trying to figure out what it means. It should not be a surprise that many lawyers have a hard time getting their heads around its requirements. For those who deal with the statute on a daily basis, there is a consensus on how it works and how it is to be interpreted. These interpretations are generally confirmed by the Commissioners who enforce the laws and the courts, when privacy issues come before them.

It remains surprising to see parties to litigation (and their counsel) making arguments that go completely against the consensus view. It should not be surprising when the Courts make decisions that, with all due respect, are completely wrong. (See, for example, The Canadian Privacy Law Blog: Courts and PIPEDA: Why the federal law does not apply in British Columbia.)

In a recent arbitral decision from Ontario, an arbitrator was faced with the argument that (i) PIPEDA applies to employee information in the provincially regulated private sector in Ontario and (ii) because of PIPEDA, an employer is prohibited from providing certain information to the union as required under the province's occupational health and safety legislation. The union (oddly) did not seriously dispute argument (i). The panel of the Ontario Labour Relations Board didn't agree with the employer and went farther than the union desired: it concluded that the collection of employee information in connection with the administration of the employment relationship is not "commercial activity" for the purposes of PIPEDA. This is critical since section 4(1) of PIPEDA dictates the circumstances under which the law applies:

Application

4. (1) This Part applies to every organization in respect of personal information that

(a) the organization collects, uses or discloses in the course of commercial activities; or

(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

Except for employee information of federal works, undertakings and businesses, PIPEDA can only apply if the personal information in question is collected, used or disclosed in connection with commercial activities. The arbitration panel concluded:

Although the definition of commercial activity is quite broad and, as a result, subsection 4(1)(a) of PIPEDA would include the collection, use or disclosure by the company of the personal information of its employees for commercial purposes, where the employees’ personal information is being collected, used or disclosed for employment-related purposes, subsection 4(1)(a) does not apply. First, the collection, use or disclosure by an organization of the personal information of its employees solely for employment-related purposes cannot reasonably constitute a “commercial activity” under any logical interpretation of that phrase. The mere fact that an organization carries on a commercial activity cannot, on its own, render the collection, use or disclosure of employee personal information for employment-related purposes into a commercial activity. Furthermore, if subsection 4(1)(a) of PIPEDA is intended to include the employment-related collection, use or disclosure by an organization of the personal information of its employees, subsection 4(1)(b) of PIPEDA (under which Part 1 of PIPEDA applies to the personal information of the employees of federal works, undertakings or businesses) would be unnecessary. (See: Re: McKesson Canada and Teamsters Chemical, Energy and Allied Workers Union, Local 424, 136 L.A.C. (4th) 102, G.F. Luborsky).

This conclusion is in accord with the position embraced by most privacy law practitioners and may help to settle some still broadly-held misconceptions.

The case is International Association of Bridge, Structural, Ornamental and Reinforcing Iron Workers and its Local 736 v. E.S. Fox Limited, [2006] O.L.R.D. No. 107 (QL) and the full text is available online here: http://www.lancasterhouse.com/decisions/2006/jan/OLRB-IABSORIWU,736-v-ESFox.pdf

Thanks to the CUPE Local 1356 blog for the pointer to the case.

Survey on Canadian privacy law compliance released by CIPPIC 

The Canadian Internet Policy and Public Interest Clinic has today released a pair of reports that paint an unflattering portrait of the state of compliance with privacy laws in Canada. The first is a survey of Canadian retailers to determine whether the companies reviewed are complying with PIPEDA and its equivalents. The second is a survey of the data brokering industry in Canada. Here's the blurb and links from the CIPPIC website:

CIPPIC News - CIPPIC:

CIPPIC study shows widespread violation of privacy laws

May 1, 2006

In a report released today, the CIPPIC provides the results of the first Canadian survey assessing the compliance of retailers with Canadian data protection laws. The results show widespread non-compliance with federal laws requiring openness, accountability, consent, and individual access to personal data. In a companion report also released today, CIPPIC exposes the many ways that detailed personal information about consumers is gathered and traded in the marketplace.

  • News Release (French version)
  • Report on Retailer Compliance with PIPEDA
  • Compliance Report - Executive Summary (French version)
  • Compliance Report - Appendices
  • Report on Databrokerage Industry
  • Databroker Report - Executive Summary (French version)

Update (20060512): The Ottawa Citizen is reporting on this in today's edition: Online sellers flout privacy rules.

The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.