The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.


About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.


Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Wednesday, January 10, 2007

CIPPIC calls for mandatory privacy breach notification

The Canadian Internet Policy and Public Interest Clinic has released a whitepaper calling for mandatory breach notification. Specifically, CIPPIC is calling for an amendment to PIPEDA:

Amend Principle 7 of PIPEDA to include a requirement to notify affected individuals of a security breach that results in the acquisition of unencrypted personal information by an unauthorized person. Such requirement should include specifics regarding the type of personal information and breach that triggers the obligation to notify, form and content of notices, timing of notices, who should be notified, etc. Failure to notify affected individuals as required under the Act should be subject to tough penalties.

Notification should be required when designated personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency should not trigger the notification requirement, provided that the personal information is not used or subject to further unauthorized disclosure.

An "unauthorized person" means:

a) A person who is not an employee or agent of the person that maintains the designated personal information;

b) An employee or an agent of the person that maintains the designated personal information who

(i) exceeds his or her authority to access the designated personal information; or

(ii) uses the information for purposes not related to his or her duties.

"Designated personal information" is information, in electronic or paper form, which includes the first name, initial, or middle name, and last name, or address, in combination with any of the following data: government issued identification number including social insurance number, driver’s license number, or health card number; account numbers, credit or debit card numbers, or other unique identifiers issued by other organizations together with any security code, password or access code that would permit access to the individual's information. Information that is encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable by unauthorized persons does not constitute "designated personal information".


1/10/2007 03:57:00 PM  :: (1 comments)  ::  Backlinks
Comments:
Does this go against Privacy Laws:
I experienced something last night at Blockbusters on Lonsdale Avenue that I have quite honestly never experienced before in my life. I have been working in the hospitality business and customer service all my life, and last night I saw the worst.

My spouse and I decided to rent a couple of movies last night, and also drop off a few movies that we had recently purchased. They have that trade a movie for a $1.00. We arrived at the Blockbuster at about 10 pm, dropped off our old rentals, quickly picked up a new one and made our way to the counter.

When at the counter, the girl asked us for a driver's license and our Blockbuster card. Which we did. She then asked my spouse what her height was. We asked why her height was important to rent a movie; she answered that it’s a new thing brought out by the RCMP, and we were then told by the lady, “The RCMP know everything about you anyway.” We certainly didn’t want to cause a scene, so we told her “5 feet 5 inches”, especially when there were a few people behind us waiting for the counter.
Even though it was on the back of the driver's license, she explained to us that she does not understand cm’s. (And I thought we lived in Canada, where it was a metric system.)
She then asked my spouse in front of all the customers what her weight was. I am sure that there are many women out there that might be a little sensitive to tell half the store (customers and staff) their weight. My spouse, being very sensitive about her weight, told the lady that she did not think it was appropriate to ask in front of everybody what her weight was. I then told the lady that it clearly states her weight on the back of her driver's license that she had been holding in her hand. The lady told me that her weight on the driver's license was in kilograms (kg) and she needed it in lbs. I said, no problem, take the calculator on your desk, enter the kg and multiply it by 2.2.

The lady (really rude) told us in front of everyone that she would stop serving us, as she needs the weight in lbs. I asked her again to please do the calculation. She then told us that we were personally attacking her, and she walked away from the counter. Needless to say, we were very embarrassed and were then helped by what seemed to be the manager. I tried explaining to her that it is not only against the law to ask something like that out loud, due to our privacy act, and it would have been simple to calculate the weight by multiplying it by 2.2 to get the lbs. I was told that she was just doing her job.

Now, would it not have been a simple transaction to simply ask the customer to write her personal information on a piece of paper, or do the calculation? Do these people actually get trained in customer service? Anyway, I personally will never use Blockbuster again.

What do you think?
 
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.