The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Tuesday, January 30, 2007
In the wake of the SWIFT privacy scandal, the European parliament will be debating the scandal, European data protection laws and broader issues of access to personal data. Should be interesting to watch:
theparliament.com - EU parliament debates personal data rules
EU parliament debates personal data rules
MEPs are this week expected to intensify pressure on the European commission to act over the controversial Swift case.
In November, an independent panel found that the Belgian-based money transfer company Swift had breached EU privacy laws by secretly giving personal financial data to the US authorities.
Swift denied breaking the law, saying it was subpoenaed to give limited data for use in the fight against terrorism.
On 31 January, in the first Brussels parliamentary plenary of the year, deputies will debate the issue of current personal data legislation and table a series of questions to the commission on the Swift case.
Included in the list of questions is a demand to know whether the commission is aware of any other requests to private companies to make their data available to the US.
MEPs also want to know what action the commission intends to take given that access to data handled by Swift makes it possible to get information on the economic activities of individuals and businesses.
The ongoing row involving Swift, which handles 11 million transactions a day, could further exacerbate tensions between the EU and the US over the use of personal flight data in the fight against terrorism.
The EU and US recently resolved a long-running dispute over the issue and is confident of reaching an agreement on passenger name records (PNR).
US negotiator Michael Chertoff and his EU counterpart Wolfgang Schauble said at the weekend that despite continued differences of opinion on the use of the personal data they were confident of reaching a deal by July.
Some MEPs, however, are currently raising concerns which they would like the commission to take on board when the executive alone negotiates a new agreement with the US.
The plenary, though, will be urged by British Conservative MEP Timothy Kirkhope to back the deal brokered by the EU and US.
"Some of these concerns are warranted but the most important thing to adopt are appropriate air safety and anti-terrorism measures and provide certainty for the airlines, while also ensuring that data protection norms are respected,” Kirkhope said.
Monday, January 29, 2007
I just checked my calendar to see if I accidentally slept in and woke up on April 1. According to Yahoo News, the British government is considering taking all encompassing surveillance to the next level by installing cameras in public places that can see through clothes. According to a memo obtained by the Sun, the measure will make the detection of weapons and explosives easier.
X-ray cameras 'see through clothes' - Yahoo! News UK:
However, officials acknowledged that it would be highly controversial as the cameras can "see" through clothing.
"The social acceptability of routine intrusive detection measures and the operational response required in the event of an alarm are likely to be limiting factors," the memo warned.
"Privacy is an issue because the machines see through clothing."
The Sun reported that the memo, dated January 17, was drawn up by the Home Office for the Prime Minister's working group on security crime and justice.
It noted that some technologies used for airport security had already been used in police operations searching for drugs and weapons in nightclubs.
"These and other could be developed for a much more widespread use in public places," it said.
"Street furniture could routinely house detection systems that would indicate the likely presence of a gun for example."
A Home Office spokeswoman said: "We don't comment on leaked documents".
Sunday, January 28, 2007
Earlier this week, I was tagged by Michel Adrien aka "Library Boy" (Library Boy: Five Things You Didn't Know About Me) to eschew some personal privacy and disclose five things you may not know about me.
Here goes ...
Tag, you're it: David Canton.
In Computerworld, Jay Cline asks "Are Privacy Notices Worthless?".
In my not so humble opinion, most of them are. Too many are overly long and full of legalese that is meaningless to most of the prospective readers. Too many are simply a regurgitation of blue sky principles that don't provide any information.
In many cases, they are referred to as "privacy policies". I prefer to call them privacy statements, since they are supposed to communicate with customers. Policies are those things in thick three-ring binders in the back office.
What's the real purpose of a privacy statement? At least in Canada, it is part of the openness requirement in PIPEDA:
4.8 An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
The information made available shall include(a) the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held by the organization;
(c) a description of the type of personal information held by the organization, including a general account of its use;
(d) a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and
(e) what personal information is made available to related organizations (e.g., subsidiaries).
An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.
If your statement doesn't contain that minimum, go back to the beginning.
However, privacy statements are more than that. Companies really need to think about who is going to read it and under what circumstances. Just because very few people read them doesn't mean that we should underestimate their importance.
When someone actually takes the time to read the statement, they are usually either upset about something or actually care about privacy and want to know how you handle personal information. This customer can become a real problem and your privacy statement is your first (and perhaps last) opportunity to keep them as a customer and prevent any problems from arising. (On a purely practical level, the customer who reads the statement is one who cares about privacy and these are the kinds of customers than can become difficult.)
If a customer wants to know how you handle personal information, make it staggeringly easy by spelling it out in your privacy statement. If you don't, they will go somewhere else or will ask one of your employees. A privacy statement is an opportunity to clearly answer that question in a very controlled way. The trend towards layered privacy statements, or those with a snapshot summary at the top is a good way to provide a quick answer to the customer without forcing them to wade through details that may not be relevant to them.
If a customer has a problem or a potential complaint, a clear and meaningful privacy statement will go a long way to providing some comfort. If it's full of legalese, the customer becomes less trusting and increasingly alienated. The statement should answer their question and lead them quickly to the resolution they are looking for. If not, they'll be madder when they finally reach the right person.
Your privacy statement should not be worthless. You should treat it as an important communication opportunity with your customers. It is perhaps the first and last chance to keep your customer and to avoid an unpleasant complaint.
And, as an aside, privacy should permeate all aspects of your business. If you ask customers to input information online, make sure that the form includes explanations about why you are looking for the information and what will be done with it. If you actually operate in the real world, train employees to explain without prompting what information is used for. If you don't provide an explanation, customers will assume the worst.
Of course, you should also treat it like a contract with your customers and follow it accordingly. The FTC in the United States considers not following your privacy statement to be an unfair trade practice and imposes penalties accordingly.
Saturday, January 27, 2007
Fashion retailer Club Monaco is now associated with a third information breach, though the details are very sketchy. From the Globe & Mail:
globeandmail.com : globeinvestor.com : Clothing chain tipped to security breach:
Fashion retailer Club Monaco has called in the RCMP to investigate a possible privacy breach involving customers' credit card numbers -- the third time in the past week that a major Canadian company has been plagued by security issues.
Club Monaco confirmed it was alerted to the problem by a credit card processor late last year and said it immediately hired a forensic firm to help the Mounties with their probe. Banks and other card issuers were also notified of the problem, and have been combing client records for any signs of fraud, according to sources in the financial community.
Investigators have found no evidence to suggest a breach occurred, a spokeswoman for the clothing chain said yesterday, adding that the data under investigation do not include names, addresses or phone numbers. She said the company has not determined how many customers might be affected.
'We've been told through the report thus far that our systems are very secure,' Wendy Smith said. 'It's an active investigation.'...
The recent personal information breaches in Canada have prompted a lot of discussion about breach notification.
This may be the upswell of citizen concern that will prompt legislative change in Canada. From today's Halifax Chronicle Herald:
The ChronicleHerald.ca - Should retailers come clean? Businesses not obligated to alert consumers when information is stolen
By CLARE MELLOR Business Reporter
Retailers and financial institutions in Canada don’t have to tell customers when thieves have stolen their personal information.
Recent cases of data theft at Winners and the loss of a hard drive at CIBC have made headlines across the country, alerting Canadian consumers to be on guard for identity theft, but these security breaches could be the tip of the iceberg, privacy experts say.
"There are probably a whole lot more incidents out there that we haven’t heard about because the businesses have no legal reason that requires them to tell the consumers involved," Halifax lawyer David Fraser, a privacy specialist, said Friday.
"One of the big questions on law reform in this area is whether a business should have a duty to notify people whose information has been compromised."
CIBC, which was earlier taken to task by federal privacy commissioner Jennifer Stoddart for lapses in security involving misdirected faxes, issued a news release and sent letters to Talvest mutual-fund holders last week. The company said a backup computer file containing their personal information had gone missing in transit.
TJX Cos., American operator of Winners and HomeSense, recently revealed that computer hackers had broken into its system, but the firm has not said how many customers had personal data stolen.
About 30 states have laws requiring businesses to notify their customers when their personal information has been stolen or lost, Mr. Fraser said.
A parliamentary committee has been reviewing Canada’s federal privacy law. Requirements to notify the public when a breach happens are being discussed.
When Ms. Stoddart appears before the committee, she will likely call for changes to the law requiring businesses to inform consumers when their information has been stolen or gone missing, Anne-Marie Hayden, spokeswoman for the privacy commissioner’s office, said Friday.
Under Canada’s privacy law, businesses and banks must keep personal information secure and not share it without client consent.
While Ms. Stoddart’s office can’t fine or penalize businesses that repeatedly break the law, it can pursue legal action through the Federal Court, Ms. Hayden said.
"It would be safe to say that most of the time when the commissioner makes recommendations (to tighten privacy practices), those changes are implemented," she said .
But David Malamed, a forensic accountant, said it is clear many companies are not taking their privacy obligations seriously enough.
"A lot of the reason that it is happening is that the focus for a lot of companies is on the bottom line," said Mr. Malamed, who works at Grant Thornton in Toronto
"As systems advance, people get smarter and the question is how money is being invested into protecting these systems. . . . There are different methods that you can go about to protect your customer information that will help prevent this from happening or at least reduce it to a greater degree."
There have been media reports of fraudulent purchases made with customer information stolen from Winners.
A Canadian law firm, Merchant Law Group, which has offices in Saskatchewan and Alberta, has already launched a class-action suit over the security breach.
But there is some question about whether Canadian consumers can successfully sue for theft or mishandling of their personal information, Mr. Fraser said.
"If you are the subject of fraud, you may be able to successfully sue them," he said. "But if you can’t prove harm, it is much more difficult."
Friday, January 26, 2007
The second (that I know of) conviction under Canada's new voyeurism laws took place yesterday in Halifax.
The Daily News: News Former sailor pleads guilty after trying to videotape neighbour
LINDSAY JONES The Daily News
CRIME – A former sailor has pleaded guilty to trying to videotape a woman while she was changing in her own apartment.
In August of 2006 the woman was getting dressed in her walk-in closet when she spotted a video camera in the window pointed towards that part of the room. She was changing in the closet because her window was only partially covered by a blanket.
Karlson Glen Chaulk, who had been in the armed forces for nearly seven years, lived in the apartment above her. The two did not know each other, the court heard.
The woman called police and Chaulk admitted to committing the offence. He asked police if there was any way to make it go away, the court heard. Police found no images on the video camera.
Chaulk has two previous convictions, for impaired driving and possessing narcotics.
The court heard the victim moved from the residence because she no longer felt safe, costing her her damage deposit and moving expenses.
Chaulk told the court he was “truly sorry” for his actions and promised it would never happen again. “I do realize now that I shouldn’t have conducted myself in the way I did with the camera,” he said.
Judge Michael Sherar said not only is the charge sad and juvenile, but also deplorable. He asked Chaulk what he intended when he surreptitiously looked into someone else’s apartment. He also outlined how everyone has the right to privacy in their own home.
Chaulk has since resigned from the Defence Department and plans to move to Alberta tomorrow.
He was sentenced in Halifax provincial court yesterday to 90 days probation, ordered to pay a $500 fine and $450 restitution to the victim, as well as undergo counseling. He must also stay 150 metres from the woman’s home and workplace.
Chaulk is the second person in Canada to be sentenced for voyeurism, since the law was enacted in November 2005. The law makes it illegal to “surreptitiously observe or make a visual recording” for a sexual purpose.
The only other prosecuted case of voyeurism in Canada also took place in the province.
Winston Charles Patriquin of Port Howe, Cumberland Co., pleaded guilty last August to using a video camera to tape a girl in the bathtub.
Technology takes place of peeping Toms: lawyer
A Halifax privacy lawyer says technology is taking the place of the guy lurking outside the window.
David Fraser said what’s traditionally considered trespassing is now occurring digitally, without the physical presence of a perpetrator.
“People can be observed in a number of different contexts,” he said. “Hidden cameras in change rooms in stores. Hidden cameras in bathrooms in hotels.”
Canada’s voyeurism law was enacted in November 2005 to better protect children and other vulnerable victims from harm. The law makes it illegal to “surreptitiously observe or make a visual recording” for a sexual purpose.
Fraser said the law reflects the potential seriousness and intrusiveness of voyeurism. Enacting it was necessary, he says, to keep up with technological advances and the advent of miniature, wireless cameras.
“Thousands of companies sell wireless cameras and it’s pretty plain in the description of their products that they’re selling them for this sort of voyeurism,” he said. “Once this information is in digital form, it’s very easily transmitted.”
— Lindsay Jones
According to the CBC, the Information and Privacy Commissioner has completed his inquiry related to the practice of swiping drivers' licenses at bars in that province. A decision is expected next month. See: B.C. privacy commissioner to rule on ID scans in bars.
Thursday, January 25, 2007
The Information and Privacy Commissioner of Alberta released a very interesting order today, considering whether the right to freedom of expression in the Charter overrides the restriction on disclosure of personal information without consent. In this case, a shopper at Safeway was allegedly caught shoplifting. The "shopper" was an employee of another grocery chain and a representative of Safeway reported the incident to her employer, and she was fired. She then complained that Safeway had disclosed her information without her consent, in breach of the Personal Information Protection Act. At an inquiry under that Act, Safeway argued that the restriction on disclosure was unconstitutional. In the order, the Commissioner disagreed.
Summary: The Complainant, an employee of another food retail chain, entered a store of Canada Safeway Limited (the “Organization”) while wearing her employee uniform. The Complainant gathered several goods, paying for some and not for others. When the Complainant left the store, security for the Organization stopped the Complainant and accused the Complainant of theft. The unpaid items were returned and the police were notified. Upon review of the incident, no charges were laid.
The Organization, without the consent of the Complainant, advised the Complainant’s employer about the incident. As a result the Complainant was dismissed. The Complainant initiated a complaint with the Office of the Information and Privacy Commissioner, and the matter proceeded to a written inquiry. The Organization argued that it did not require consent to disclose personal information of the Complainant under section 7(1)(d) (consent to disclose) of the Personal Information Protection Act, (the “Act”) as the section is contrary to section 2(b) (freedom of expression) of the Canadian Charter of Rights and Freedoms (the “Charter”). The Organization also argued that if it is found that section 7(1)(d) of the Act is not contrary to the Charter, then section 20(b) (disclosure pursuant to a statute of Canada that authorizes or requires disclosure) of the Act and section 20(m) (disclosure reasonable for investigation or legal proceeding) of the Act apply and permit the disclosure of the Complainant’s personal information.
The Commissioner found that section 7(1)(d) of the Act did not contravene section 2(b) of the Charter; that sections 20(b) and 20(m) of the Act did not authorize the Organization to disclose the Complainant’s personal information without consent; and that the Organization disclosed the Complainant’s personal information contrary to section 7(1)(d) of the Act.
David Canton's regular Canoe.ca and London Free Press column this week discusses the movement toward recognizing the right to sue for invasion of privacy. See: eLegal Canton: Can we sue for privacy invasion?.
The Globe & Mail is reporting that significant fraud has been linked to the Winners information breach:
globeandmail.com: Winners security breach hits home
Thousands of Canadian credit-card holders have been victimized by fraud after a security meltdown at the U.S. parent company of retail chains Winners and HomeSense, according to sources in the financial community.
They suggested that number could rise as banks and other credit-card issuers continue to gather information on what has become one of the most high-profile privacy thefts in recent memory.
“We have seen fraud on some of those accounts that we can directly link back to [the breach],” said an official with one card issuer, who cautioned his company is still determining how many of its clients could be left vulnerable by the hacking incident. He added that issuers are directly contacting any customers whose cards appear to have been used fraudulently.
I've recently subscribed to a couple of Podcasts about privacy. There aren't many out there, but these two have been really good so far:
If you know of any good privacy podcasts, please leave the details in the comments.
Yesterday's weekly Globe & Mail law page had a good article on issues related to breach notification in Canada. It quotes three privacy lawyers with whom I've had the pleasure of serving on the CBA Privacy Section executive: David Young of Lang Michener, Michael Power of Gowlings and John Beardwood of Faskens. See: globeandmail.com: Privacy breaches.
Wednesday, January 24, 2007
A company has developed an RFID tattoo, that has all the benefits of RFID implantation, but without the messy chip. The chip is replaced by a tattoo. The company is touting its benefits in traceability of the meat supply, but is also suggesting that it may be useful in soldiers:
Industrial Control Designline RFID Ink
... The ink also could be used to track and rescue soldiers, Pydynowski said.
"It could help identify friends or foes, prevent friendly fire, and help save soldiers' lives," he said. "It's a very scary proposition when you're dealing with humans, but with military personnel, we're talking about saving soldiers' lives and it may be something worthwhile."
I can't imagine anything more dangerous than tagging all soliders with a tracking device that may be hacked by the other side. Instead of saving lives, it may result in wholesale destruction. I wonder how long it would be before we saw RFID activated IEDs? Not long, I expect.
Thanks to Schneier for the link.
The Privacy Commissioner of Canada has released a summary of a recently settled case, in which a dental clinic disclosed the fact that a patient's account was in arrears to another patient who had referred the first:
Settled Case summary #27: Clinic discloses client information when trying to collect a debt (May 16, 2006)
An individual complained that her dental clinic disclosed information about her overdue account to the person who had referred her to the clinic.
The complainant noted that she had been in hospital and in respite care for several months, and thus did not receive the invoices sent by the dental clinic. When the invoices remained unpaid, the clinic telephoned the client who had made the referral in order to determine the complainant’s whereabouts. The clinic confirmed that it had not only asked the client how it could reach the complainant, but it had also disclosed that her bill was overdue, the amount owing, and that it would be sent to collections unless paid.
The OPC and the complainant agreed that in light of the settlement the matter should be considered settled.
The Winter 2007 edition of the Ontario Information and Privacy Commissioner's Perspectives was just released. It includes a look at some of the major projects relating to privacy or freedom of information that her office has been working on.
The newsletter also contains reviews of recent significant orders issued under the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, or the Personal Health Information Protection Act, information about recent IPC publications, upcoming presentations and more.
Tuesday, January 23, 2007
Wired's 27B Stroke 6 is reporting on an interesting decision from New Jersey in which an appeals court has held that internet users have a right to privacy in their "ISP Address" or "screen name". While technologically incorrect, I'll leave it to others to comment on whether it's technically correct. See: WIRED Blogs: 27B Stroke 6: Jerseyites Have Right to Protect "ISP Address".
The American Civil Liberties Union, along with a coalition of civil liberties groups, has put up an interesting web site with stories of state surveillance in America, from pre-WWI to post 9/11. Check it out: Tracked in America.
CanWest News Service is running a very interesting feature-length report on the upcoming Canadian "no fly" list. Read the entire article ...
Canadian airline passengers will be kept under close scrutiny
Canadian airline passengers will be kept under close scrutiny
CanWest News Service
Tuesday, January 23, 2007
OTTAWA - The RCMP and the Canadian Security Information Service will be able to examine up to 34 pieces of information about everyone who flies in Canada under a comprehensive passenger screening program being developed by Public Safety and Emergency Preparedness Canada.
Among other things, the program will require airlines to gather and share the full legal name, date of birth, citizenship or nationality and gender of all passengers - information they don't currently collect for domestic flights.
The new program will affect about 90 million passenger trips a year, two-thirds of which are purely domestic.
The program is authorized under Section 4.82 of the Aeronautics Act, which gives CSIS and the RCMP the right to receive and analyse Advance Passenger Information (API) and Passenger Name Record (PNR) data from air carriers and operators of aviation reservation systems without a warrant.
API data is collected at check-in and include name, date of birth, gender, citizenship or nationality and travel document information. PNR data is collected at the time of booking and includes information relating to a traveller's reservation and itinerary.
Section 4.82, added to the Aeronautics Act in 2004 when the Public Safety Act was passed but not yet in force, also authorizes CSIS and the RCMP to match passenger information against any other data under their control.
The Section 4.82 program ''is envisioned as the next step'' in a two-pronged strategy to use airline passenger information to combat terrorist threats, said Philip McLinton, a spokesman for Public Safety and Emergency Preparedness Canada.
The first step - Canada's new no-fly list - will be introduced in March for domestic flights and in June for international flights.
McLinton said it's ''impossible to speculate how 4.82 would impact the no-fly list. It's just too early to say.''
Since 2002, airlines flying to Canada from abroad have had to provide API and PNR data to the Canadian Border Services Agency, which analyses and risk-scores it to identify passengers who require further review on arrival in Canada. The agency doesn't get the information until flights have departed for Canada.
Under the Section 4.82 program, the collection and analysis of passenger information will dramatically expand. Airlines and operators of reservation systems will have to send passenger information to the RCMP and CSIS for all domestic and international flights. And they'll have to do so before flights depart.
The no-fly program, known as Passenger Protect, obliges airlines to vet the names of passengers against the no-fly list and notify Transport Canada is there is a match. That responsibility will shift to the RCMP and CSIS under the Section 4.82 program.
Section 4.82 also authorizes CSIS and the RCMP to disclose passenger information to other organizations or individuals to promote public safety. They include the minister of Transport, the Canadian Air Transport Security Authority, air carriers, airport operators and police officers. ...
It is unclear how, or even whether, the passenger information gathered under the Section 4.82 program would be shared with the U.S. and other allies. The feasibility study cites two issues with the PNR data that would be collected and shared under the section 4.82 program.
Another issue is passenger information that is currently not collected during the reservation process, but is essential for the new Section 4.82 program to operate effectively.
Most important is full name, date of birth and gender, which the study says is ''widely viewed as the core set of information required'' to match existing law enforcement records. That information is not currently collected for domestic passengers, so regulations may be needed to make provision of that information mandatory.
''For domestic flights, if the government regulates a requirement for passengers to provide full name, date of birth and gender, the air carriers' view is that passengers would comply, and that air carriers would provide this data,'' the feasibility study says.
To avoid causing delays to the travelling public, the study also says swift and timely information flow is required that can take account of last-minute changes such as no-shows.
Here's the list of 34 pieces of information to be collected by airlines on everyone who travels on domestic or international flights flying in or out of Canada:
1. Surname, first name and initial or initials.
2. Date of birth.
3. Citizenship or nationality or, if not known, the country that issued the travel documents for the person's flight.
5. Passport number and, if applicable, visa number or residency document number.
6. The date on which passenger name was first recorded with airline.
7. If applicable, a notation the person arrived at the departure gate with a ticket but without a reservation for the flight.
8. If applicable, the names of the travel agency and travel agent who made the person's travel arrangements.
9. Date airline ticket was issued.
10. If applicable, a notation the person exchanged their ticket for another flight.
11. The date, if any, by which a ticket for a flight had to be paid to avoid cancellation of the reservation; or the date, if any, on which the request for a reservation was activated by the air carrier or travel agency.
12. Airline ticket number.
13. Whether the flight is a one way.
14. If applicable, a notation the person's ticket for the flight is valid for one year and is issued for travel between specified points with no dates.
15. The city or country where the flight begins.
16. All points where a passenger will embark or disembark.
17. The name of airline.
18. The names of all airlines to be used on trip.
19. The aircraft operator's code and flight ID number.
20. The person's destination.
21. The travel date for the person's flight.
22. Any seat assignment on the person's flight selected for the person before departure.
23. Number of pieces of baggage checked by the person.
24. The baggage tag numbers
25. Class of service (first class, business class, economy).
26. Any specific seat request.
27. The passenger name record number.
28. Phone numbers of the person and, if applicable, of the travel agency that made the arrangements.
29. Passenger's address and, if applicable, that of the travel agency.
30. How the passenger paid for the ticket.
31. If applicable, a notation the ticket was paid for by another person
32. If applicable, a notation there are gaps in the passenger's itinerary that necessitate travel by an undetermined method.
33. Departure and arrival points, codes of the aircraft operators, stops and surface segments.
34. If applicable, a notation the ticket is in electronic form and stored in an aviation reservation system.
Nova Scotia's Personal Information International Disclosure Protection Act has kept a pretty low profile as of late, but the Halifax Chronicle Herald has devoted a quarter page in its technology supplement to the legislation. It includes a fair amount of content provided by yours truly, but may have the effect of making Nova Scotians more aware of this important development.
Click on the image to download the article in PDF format.
I've had one of my e-mail addresses for almost ten years, but there appears to be a demand for email addresses that'll only last ten minutes.
Enter 10 Minute Mail.
Have you ever signed up for a service that required a "validation address", though they promised they'd never use it to send you junk? Woe betide the person who uses their most favourite, ten-year address for such a purpose. Use one that'll only last long enough to suit the purpose. From the site:
Welcome to 10 Minute Mail.
By clicking on the link below, you will be given a temporary e-mail address. Any e-mails sent to that address will show up automatically on the web page. You can read them, click on links, and even reply to them. The e-mail address will expire after 10 minutes.
Why would you use this? Maybe you want to sign up for a site which requires that you provide an e-mail address to send a validation e-mail to. And maybe you don't want to give up your real e-mail address and end up on a bunch of spam lists. This is nice and disposable. And it's free. Enjoy!
When I launched 10minutemail.com, tons of forum admins decried the idea. They screamed that it would let spammers on to their forums, and that they wouldn't sell e-mail lists to spammers, etc...
A month goes by, and let's see what we have. My server used to get around 200-300 e-mail a day. In the past week it averaged 20,000-30,000 e-mail a day. Virtually all of those were to old (expired) 10minutemail.com accounts. Presumably virtually all spam.
30,000 a day!? This proves that the average person simply CAN'T trust a random site or forum with their real e-mail address. Are there some forums/sites that are trustworthy? Sure! Does the average net user have any ability to tell with certainty if a given site or forum will sell their e-mail address or spam them direction? Unfortunately not.
This drives home the importance of the service.
In order to save my server from the crushing spam, I've swapped out the e-mail domain to fificorp.com, and then fificorp.net, and will continue to swap out the e-mail domain on a regular basis. This will serve two purposes. One, it will save my server from dying under the flood of spam. Two, it will keep admins who block registrations by domain on their toes at least once a month.
One important thing to note ... In some cases you may want an address that lasts longer. For example, if you forget your password to a service, they'll often e-mail it to the address on file. With 10minutemail, you're outta luck. For those sites where longevity may matter, try the Fake Name Generator. They'll supply an e-mail address that you can read as long as you bookmark it.
Monday, January 22, 2007
Michael Geist's latest Law Bytes column in the Toronto Star presses the case for mandatory breach notification in the wake of the recent TJX and CIBC privacy breaches. See: Michael Geist - Privacy Breaches Expose Flaws in Law.
Sunday, January 21, 2007
If you have been run out of Wisconsin and were thinking you'd while away the day wandering through Colorado, implanting RFID chips in unsuspecting citizens, think again. Colorado has joined the aforementioned cheesy state to make it a misdemeanor to require chipping of individuals. See: Rocky Mountain News - Bill would nip chips in humans.
There are still a few states left that haven't abridged the right to chip.
Thanks to Objective Justice for the link.
If you have any connection to a unionized workplace or advise any party in such an environment, run -- do not walk -- to Michael Fitzgibbon's latest post: Thoughts from a Management Lawyer: A Breath of Fresh Air - Surveillance Evidence.
If a current bill introduced in the US Congress is passed, the chief privacy officer will have expanded powers, including the ability to issue subpoena and to report directly to Congress. See: House bill would boost power of DHS privacy chief (1/19/07).
Last week, Global Television's main news program has aired a number of reports relating to privacy breaches at Canada Revenue Agency. This has led to a number of viewers contacting the TV network to report their own versions, involving Revenue Canada and others.
The Global Maritimes ran a report on Thursday about a woman in Nova Scotia who was repeatedly sent the credit card information, including the "secret code" for a cardholder in Ontario. When she informed them of the screw-up, they told her she was wrong and kept resending the info to her. When contacted by Global's reporter, the Ontario cardholder was furious that he had no idea that a woman in Bridgewater, Nova Scotia, could have gone to town on his Visa account and the company apparently never did anything to protect his account.
There are also a number of small scale breaches recounted as comments to the CRA breach story on the Global TV website:
Taxman moves to protect privacy
- in 1988 while living in Woodstock ON, I received an other pe... Wanda
- It happened to me last month. I received information that be... vivian
- Revenue Canada provides the Quebec Govt with income informat... Yves
- I thought maybe I should share my incident although I had ... Sherri
- This is not quite the same but equally disturbing. My husba... Margaret
- Last year I went to the post office to pick up my passport a... Elaine
- How about receiving mail from the government addressed Maureen
- Summer, 2005 I requested a Revenue Canada summary and receiv... Frank
- My dad's Disability Tax credit approval notice was enclosed ... Marnie
Saturday, January 20, 2007
Individual countries tend to leave each other alone in the area of law reform, privacy and data protection. So it is rather unusual that the Attorney General of Australia is pushing India's government to strengthen privacy in the outsourcing sector. Currently, NSSCOM (the Indian outsourcing advocacy group) is working on voluntary guidelines for data protection, which the Indian government says may be replaced with legislation if they are not robust enough. See: Australia's Attorney General presses India on privacy data .:. NewKerala.Com, India News Channel.
Thursday, January 18, 2007
This has been a crazy week for privacy breaches in Canada and the week isn't over yet. I can't recall the last time I had so many media inquiries.
In addition to those below, I've been asked about two other incidents that will likely break in the next few days. (Since I heard about them from journalists, it would be rude to scoop them on the blog.)
Today we've heard of a significant announcement made by Talvest Mutual Funds
Talvest Mutual Funds issues statement regarding missing back up computer file
MONTREAL, Jan. 18 /CNW/ - Talvest Mutual Funds today announced that a backup computer file containing client information has recently gone missing while in transit between its offices.
The backup file contained information relating to the process used to open and administer approximately 470,000 current and former Talvest client accounts and may have included client names, addresses, signatures, date of birth, bank account numbers, beneficiary information and / or Social Insurance Numbers. Talvest has retained original copies of their files on its secure website.
While Talvest has no evidence to suggest this backup file has been inappropriately accessed, the manager of Talvest Mutual Funds, CIBC Asset Management, has taken precautionary measures to protect its clients. These actions include:
- Notifying all affected clients by letter.
- Compensating any affected Talvest clients for monetary loss that arises directly from unauthorized access of personal information contained on this file.
- Providing affected Talvest clients the opportunity to enrol in a credit monitoring service at no cost. This service will provide added security on client credit files at major Credit Reporting agencies.
- Establishing a dedicated call centre and website to deal with any affected Talvest client inquiries.
- Advising affected Talvest clients to regularly review activity on all their financial accounts and report any unauthorized activity immediately to their financial institution.
- Working with the police to investigate this incident and retrieve this backup file.
"We are in the process of contacting affected Talvest clients by letter to advise them of this issue and to detail the steps we are taking to safeguard their information," said Steve Geist, President of CIBC Asset Management. "Although, we have no evidence that the information contained in the backup file has been accessed in any way, we are acting out of an abundance of caution and want to assure our clients that we are taking all steps possible to address this matter. Any issue that causes disruption to our clients is of great concern to us and we regret the inconvenience this may cause our Talvest Mutual Fund Clients."
For more information on this matter, Talvest Mutual Fund clients are advised to visit www.talvest.com.
And with a report from the CBC:
CIBC loses data on 470,000 Talvest fund customers
CIBC Asset Management says a backup computer file containing information on almost half a million of its Talvest Mutual Funds clients has gone missing.
The company says the missing data was in a file that disappeared "while in transit between our offices." The file had personal and financial details on current and former clients of Talvest Mutual Funds, which is a CIBC subsidiary.
The information may have included client names, addresses, signatures, dates of birth, bank account numbers, beneficiary information and/or Social Insurance Numbers.
Talvest says there's no indication that the missing backup file has been "inappropriately accessed," but says CIBC will be taking a number of precautions.
"We are in the process of contacting affected Talvest clients by letter to advise them of this issue and to detail the steps we are taking to safeguard their information," said Steve Geist, president of CIBC Asset Management.
Computer fraud expert Thomas Keenan from the University of Calgary said there's good reason for the company to alert their customers. "Because what's on there [the missing file] is everything you need to know to do identity theft," he told CBC News.
The privacy commissioner of Canada, Jennifer Stoddart, announced that she is launching an investigation.
"Although I appreciate that the bank notified us of this incident and that it is working co-operatively with my office, I am nevertheless deeply troubled, especially given the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians," Stoddart said in a statement.
Talvest has set up special phone lines for clients who want more information.
The report follows news of a potential corporate privacy breach that could affect as many as two million Visa credit card holders in Canada.
The owner of Winners and HomeSense stores warned Thursday that hackers gained access to its computer system and credit card numbers may have been improperly accessed.
Also, a breach involving TJX, the parent of TJ Maxx, Winners and Homesense, may have exposed the personal information of Canadian customers of that store:
globeandmail.com: Computer breach exposes TJX shoppers to fraud
Parent of Winners, HomeSense targeted
MARINA STRAUSS AND SINCLAIR STEWART
Tens of millions of credit card customers in Canada and the United States may have been exposed to fraud during a computer security breach at discount retailer TJX Cos., the U.S. parent of Winners and HomeSense.
TJX, which also owns T. J. Maxx and Marshalls, said yesterday it discovered the "unauthorized intrusion" in mid-December and has been working with police and security experts on both sides of the border to investigate the incident and tighten security procedures.
The retailer declined to say exactly how many customers are affected. But sources close to Visa said the company notified banks and other issuers last week that approximately 20 million of its cards around the world may have been involved. Some in the financial industry estimate the number in Canada could be as high as two million. It's not clear how many customers of other credit card companies have been left vulnerable.
The problem was tied to the computer systems that process and store information about customer transactions involving credit cards, debit cards, cheques and merchandise returns -- some of them going back to 2003. The Royal Canadian Mounted Police and the U.S. Secret Service have been called in to investigate.
"While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known," the Framingham, Mass-based retailer said in a statement.
"I was stunned," said retail analyst John Chamberlain at Canadian Bond Rating Service. "That's not what you expect from a big retailer. You really expect that they would have stronger systems than that. You get to the point that you trust a retailer to keep that information."
Customers consider the shopping at TJX stores as a "treasure hunt," never quite sure what they'll find, he said. As a result, customers probably use plastic there more often because they don't always know how much they'll spend, he said.
Company officials didn't return calls. Their statement said the retailer kept the matter secret until yesterday at the request of law enforcement. The company said it promptly notified credit card companies and firms that process customer transactions.
An intruder grabbed information dealing with credit and debit cards sales in TJX stores during 2003 and part of 2006, according to the company. However, a source said that the debit transactions were confined to the U.S. market. TJX has been able to identify "a limited number" of credit card and debit card holders whose information was taken.
Canadian banks are scrambling to assess the potential damage. Tania Freedman, a Visa spokeswoman, said the company is forwarding information to banks. "These accounts were potentially exposed, [but] not all accounts that are exposed will experience fraud," she said, adding that customers are protected by the card's zero-liability policy.
In Canada, TJX runs 184 Winners and 68 HomeSense stores.
Expect much more info to come.....
Update (20070118): The Privacy Commissioner of Canada has inititated a complaint on her own accord related to the Talvest breach: Privacy Commissioner launches investigation of CIBC breach of Talvest customers' personal information.
Wednesday, January 17, 2007
I was interviewed today for Global National's most recent report on privacy problems at the Canada Revenue Agency (our IRS, for my American readers). Since earlier reports on misdirected tax information, many more people have come out to report they have also been the unwitting recipients of information about other taxpayers. See: Taxman moves to protect privacy and also note the many comments in which others relate receiving others' personal information.
I think you can get the video of the feature here: http://video.canada.com/VideoContent.aspx?13750&vc=1&popup=1, but it seems hit and miss to me.
In what appeas to be a significant retreat from its previous position, the Bush administration is reportedly going to turn to the Foreign Intelligence Surveillance Court to remove the word "warrantless" from the controversial warrantless wiretapping program. AP, via ABC News: Secret Court to Govern Wiretapping Plan.
I just got an e-mail from Dr. Jóri András ügyvéd in Budapest to let me know about his new online resource on European Data Protection. I've had a chance to check it out and I'm definitely bookmarking it. You can find it here: Data protection in Europe.
Here's the welcome message from the main page:
Welcome to www.dataprotection.eu!
There is much talk about the crisis of data protection legislation in Europe. I've been dealing with data protection law for seven years. I can still recall the atmosphere in the late 90s that was pervasive in the office led by the first data protection commissioner of Hungary. We were enthusiastic, our task was to make a new constitutional right known for the public. We were more members of a workshop, champions of the new constitutional right, than mere bureaucrats.
I am no longer involved in this work: for six years I've been helping my clients - companies and goverment agencies - in complying with data protection law, and sometimes I have the opportunity to contribute to the creation of legal instruments with data protection relevance. Standing on the "other side" my perspective is not the same, of course. From this point of view you can see what is hidden to civil servants: how hard is it - even with great efforts - to apply legal texts that have deficiencies, how important it is to formulate coherent, acceptable and concistent interpretations in this field of law, and what are the results (and costs) of a given decision by the data protection authority. On the "other side", one can think more freely, and can ask questions like "is informational self-determination worth its price?"; "is an institution organized following the ombudsman-model the best one to control the compliance with data protection law?". The answer is not necessarily "no" - but the arguments raised by the sceptics of data protection are sometimes worth the consideration.
Is data protection in crisis? Is informational self-determination just a toy for constitutional lawyers? Can it be reinvented to meet the challenges of the information age?
These are questions yet to be answered. My aim with this project - www.dataprotection.eu - is to carry out a comparative analysis of European data protection legislations, that can help the data protection community of Europe to answer them.
Last month, a Saskatoon private investigator pleaded guilty to charges stemming from unauthorized access to police databases at an RCMP detachment. A few years ago, the PI's firm was investigated for a similar incident in which 6 government employees were ultimately suspended. See: CBC - Private eye fined for accessing police computer system.
Thanks to PI Buzz for the link.
Tuesday, January 16, 2007
All the evidence to date in the statutory review of PIPEDA is up on the committee's website. Links are below for your convenience:
Today's Washington Post is running an interesting article on the unique legal regime in the US related to law enforcement / intelligence access to e-mail stored by third parties. A bit ...
The Legal Tangles Of Data Collection - washingtonpost.com
... E-mail is a slightly different matter. The law makes a distinction between intercepting e-mail in transit and obtaining stored e-mail from a service provider's servers. The distinction made sense in the 1980s and early 1990s when downloaded e-mail often sat only on the user's computer. If the government wanted the records, it had to go to the e-mail recipient.
These days, most e-mail is held and stored by third parties. So the government claims the authority to read someone's most intimate communications, including stored chat sessions, by serving a subpoena -- no probable cause required. A person may never even know that this has been done, as there is no legal requirement for an Internet service provider to provide notice. In most cases where the government subpoenas the e-mail, it demands that the third party keep that fact confidential, at least for a while.
The same holds true for virtually any information held by a third party: phone company records that indicate who called you, when they called and how long the call lasted; Internet service provider records on what Web sites you visited, when and for how long; tollbooth records; security camera footage; records of emergency calls made from a car; supermarket purchase records. All that and more can be requested by the government with a search warrant, or sometimes with an administrative subpoena or other demand, frequently without judicial review....
Canada's new Information Commissioner, Robert Marleau, took up his post yesterday. You may recall that he was the interim Privacy Commissioner after George Radwanski's resignation until the current Commissioner's appointment.
From the Government of Canada news release:
Prime Minister Welcomes New Information Commissioner
15 January 2007
Prime Minister Stephen Harper today welcomed Canada’s new Information Commissioner, Mr. Robert Marleau, whose appointment was recently approved by the Senate and the House of Commons. This appointment is effective January 15, 2007.
The Prime Minister took the opportunity to commend Mr. John Reid, who had been serving as Information Commissioner since August 1, 1999 and whose term expired on September 30, 2006, for the commitment, diligence, and professionalism he demonstrated during his tenure. The Prime Minister wished him well in his future endeavours.
The Office of the Information Commissioner was created in 1983 under the Access to Information Act - Canada’s freedom of information legislation. An agent of Parliament, the Information Commissioner oversees the implementation of the Access to Information Act by government institutions. The Information Commissioner investigates complaints from individuals who believe they have been denied rights under the Act. The Information Commissioner is also responsible for mediating between dissatisfied applicants and government institutions.
Biographical notes on Mr. Marleau are attached.
* * * *
ROBERT MARLEAU, B.A., D.U.
Robert Marleau served Parliament and the members of the House of Commons for 31 years, 13 of which were spent as Clerk of the House of Commons. Mr. Marleau left a rich legacy of achievement, including the guide book, House of Commons Procedure and Practice, which he co-authored with then Deputy Clerk Camille Montpetit.
During his parliamentary career, Mr. Marleau held several senior positions as an advisor to seven Speakers and to Members and Senators for nine Parliaments. A franco-Ontarian, Mr. Marleau is a graduate of the University of Ottawa, where he earned a B.A. in French Literature. He joined the House of Commons in 1970 as a Committee Clerk and went on to hold such positions as Clerk Assistant of the House of Commons and Deputy Secretary General of Parliamentary Relations. In July 1987, he was appointed Clerk of the House of Commons, and served in that capacity until July 2000.
From July 2000 until his retirement at the end of January 2001, he served as Senior Advisor to the Speaker of the House of Commons. On his retirement, the House of Commons made Mr. Marleau an Honorary Officer of the House by unanimous resolution. Following his retirement from the House of Commons, Mr. Marleau was Principal of RDM Consulting, a parliamentary consulting practice with work in Canada, Africa and the Caribbean. From July 2, 2003 until November 30, 2003, he was appointed to serve as Interim Privacy Commissioner.
Mr. Marleau is the recipient of an Honorary Doctorate degree from Ottawa University, his alma mater. He is a member of the Commonwealth Society of Clerks at the Table, the Association of Canadian Clerks at the Table, and the Canada/USA Association of Clerks and Legislative Secretaries
In a finding under PIPEDA published on the OPC website, the Assistant Privacy Commissioner of Canada found that an airline's obligation to provide an individual with access to his information continues to exist even if there is litigation pending between the applicant and the organization. See: Commissioner's Findings - PIPEDA Case Summary #352: Airline delays granting access to personal information, citing ongoing litigation (September 8, 2006).
It is also worth noting that the Commissioner's office had to commence an application before the Federal Court in order to get the airline to follow her recommendation.
Sunday, January 14, 2007
Over the last little while, I've been using wireless more and more. When traveling, an unsecured hotspot is often all you can get. For access to my work resources, there's secured VPN to keep things safe and sound but what about the more mundate stuff?
By messing around, I've discovered that many of the sites you may use on a regular basis have secure alternatives. For example, instead of hitting GMail at http://www.gmail.com, try https://mail.google.com. Or for bloglines users, you can use https://www.bloglines.com/myblogs. When you're not sure of the security of your connection, check to see if there's an SSL version you can use. You never know ...
People who want to stay on top of the UK terror alert level can sign up to receive periodic e-mail updates from MI5. Sorta but not quite, since MI5 has outsourced managing the e-mail service to an American company. See: MI5 terror alert blunder sends private data to US mailshot firm | the Daily Mail.
This is not a disaster, but clearly the UK intel folks didn't think about the perception of doing things this way.
What's the lesson here? When you are dealing with personal information, think about every facet of how the service is being offered and how it may be perceived.
Update (20070117): According to Spy Blog, MI5 is now handling its email subscriptions in-house.
The New York Times, always on the leading edge of reporting in this area, is reporting that US military intelligence is expanding its role in domestic intelligence gathering. It, and the CIA, have been using non-compulsory letters to get access to financial information on residents of the United States. Perhaps more troubling from a privacy point of view is that most recipients of these letters volunteer the info. Check it out: Military Is Expanding Its Intelligence Role in U.S. - New York Times.
In related news, changes to an American army manual have raised concerns that the Army also takes the position that warrants are not required for domestic wiretapping. See: Deletions in Army Manual Raise Wiretapping Concerns - New York Times.
Update (20070114): On Fox News Sunday, VP Dick Cheney says the practice isn't illegal:
Cheney: Credit checks aren't illegal - Yahoo! News
"The Defense Department gets involved because we've got hundreds of bases inside the United States that are potential terrorist targets," Cheney said.
"The Department of Defense has legitimate authority in this area. This is an authority that goes back three or four decades. It was reaffirmed in the Patriot Act," he said. "It's perfectly legitimate activity. There's nothing wrong with it or illegal. It doesn't violate people's civil rights."
The Pentagon and the CIA, to a lesser extent, have used this little-known power, officials said. The FBI, the lead agency on domestic counterterrorism and espionage, has issued thousands of such letters since the attacks of Sept. 11, 2001.
Saturday, January 13, 2007
Engadget featured an interesting product this week that you can put in your wallet or attach to your cell phone to supposedly thwart would-be skimmers from gaining access to the data on contactless (read: RFID) cards. See: Elecom intros skim prevention kit for wallet, cellphone - Engadget.
Friday, January 12, 2007
The Office of the Privacy Commissioner of Canada has today launched the fourth round of its contributions program:
News Release: Privacy Commissioner's Office launches fourth annual privacy research program (January 12, 2007)
Privacy Commissioner's Office launches fourth annual privacy research program
Ottawa, January 12, 2007 –The Privacy Commissioner of Canada, Jennifer Stoddart, announced today the renewal of funding for privacy research through her Office's 2007-2008 Contributions Program.
"It is with great enthusiasm that I announce the launch of this program early in 2007, so that privacy experts and researchers can contribute to enriching the program of the 29th International Conference of Data Protection and Privacy Commissioners, which I am proud to be hosting in September 2007, in Montreal. The event is an excellent opportunity to showcase the wealth of knowledge and expertise we have here in Canada in the field of privacy protection. The conference will also help crystallize Canada’s leadership in this area."
Officially launched in June 2004 to further the development of a national research capacity in Canada, the Contributions Program was set up to catalyze independent research in Canada in areas that have been identified as priorities by the Office. According to a leading privacy expert, Professor Michael Geist, "the OPC’s privacy research program has been applauded by the research community and privacy experts as vital to galvanizing action on the broad spectrum of issues that have an impact on privacy".
Professor Geist is a law professor at the University of Ottawa where he holds the Canada Research Chair in Internet and E-commerce law. He is also a nationally syndicated columnist on technology law issues and the author of the Canadian Privacy Law Review.
This year, the Program will have three separate streams for which the Office of the Privacy Commissioner of Canada (OPC) is encouraging the submission of separate proposals:
In line with its plans and priorities for 2007-08, the OPC is interested in funding research in three core areas:
- The protection of personal information on the Internet;
- The challenges inherent in secure identification or authentication of individuals and entities; and
- The intersection of the public and private sectors with regard to use and protection of personal information.
While the OPC is particularly interested in funding research in the above-noted areas, it should be noted that it will also consider requests to fund research on issues that fall outside of these.
One of the goals of the Contributions Program is to promote the awareness of different privacy research activities in Canada, with a view to reinforcing a broader public education agenda. In order to promote this goal, the OPC has allocated part of this year’s funding to the organization of a workshop to engage many of the researchers who have been funded under the Program in previous years.
This year, the Office is hosting the 29th International Data Protection and Privacy Commissioners Conference. At many past conferences, the dialogue has been greatly enriched by the presence of civil society representatives, from human rights workers to privacy advocates, civil liberties organizations to consumer representatives. These groups, however, are chronically under-funded. The OPC has therefore set aside funds under this year’s Program to assist these groups in organizing a workshop one day before the international conference.
Projects must be completed within the fiscal year in which the funding was provided. The deadline to submit applications for streams 1 and 2 is February 19, 2007. The deadline for proposals stream 3 is January 29, 2007.
Links to the projects completed under the previous Contributions Programs are available on the OPC Web site at http://www.privcom.gc.ca/information/cp/index_e.asp.
The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.
As of February 5, 2007, Nova Scotia will have a new review officer under the Freedom of Information and Protection of Privacy Act:
News Release: Department of Justice
New FOIPOP Review Officer Appointed
Department of Justice
January 11, 2007 8:20
Dulcie McCallum, former Ombudsman for the Province of British Columbia, is Nova Scotia's new Freedom of Information and Protection of Privacy Review Officer.
Ms. McCallum will oversee how provincial and municipal governments protect the privacy of Nova Scotians and respond to requests for access to information.
"I'm pleased that Ms. McCallum has agreed to take on this important role," said Justice Minister Murray Scott. "The courts have recognized our legislation as being among the most open, progressive information and privacy laws in the country. Ms. McCallum brings tremendous expertise and knowledge to this office, particularly in the areas of the rights of persons with disabilities and children, constitutional matters and justice issues."
Ms. McCallum received her law degree from the University of Victoria and has expertise in administrative and human rights law. Over the past 30 years, Ms. McCallum has held positions in private practice and in the public sector. She was Ombudsman for the Province of British Columbia for seven years, until 1999. Since then, Ms. McCallum has worked for government and a number of organizations, including representative on the Canadian Delegation to the United Nations, to draft the new UN Convention on the Rights of Persons with Disabilities.
"I am thrilled to be named the new FOIPOP Review Officer and am ready to serve Nova Scotians in this important office," said Ms. McCallum. "I moved to rural Nova Scotia just over a year and a half ago from Victoria, British Columbia.
"Living in Sherbrooke has been one of the most rewarding times of my life. This new opportunity, which will enable me to work throughout the province to ensure citizens' rights of access and privacy are respected, is both a great honour and privilege."
The review officer is an independent ombudsman appointed by the Governor in Council for a term of five to seven years. The review officer will accept appeals from people and organizations who are not satisfied with the response they received from government departments or other public bodies such as hospitals, universities and school boards.
The review officer may make recommendations to the public body. The public body must respond in writing to the report. If the applicant, or a third party, is not satisfied with the outcome of a review, an appeal may be made to the Supreme Court of Nova Scotia.
The selection process for a new review officer was led by the Public Service Commission. An independent selection advisory committee, chaired by Auditor General Jacques Lapointe, recruited candidates for the position. The committee reviewed 70 applications and interviewed six candidates.
Ms. McCallum will assume office on Feb. 5.
In Rousseau v. Wyndowe, 2006 FC 1312 (CanLII), Justice Teitelbaum ordered that information collected in connection with an independent medical exam be provided by the insurer to the complainant. He found that the information was personal information and was not covered by litigation privilege. Now, the decision is under appeal and in December Chief Justice Richard granted a stay pending appeal (Wyndowe v. Rousseau, 2006 FCA 422 (CanLII)).
The first charges have been laid in the HP pretexting case: Federal charge in HP spy case.
Thursday, January 11, 2007
Thanks to David Canton for passing this along.
Wednesday, January 10, 2007
The Canadian Internet Policy and Public Interest Clinic has released a whitepaper calling for manadatory breach notification. Speficially, CIPPIC is calling for an amendment to PIPEDA:
Amend Principle 7 of PIPEDA to include a requirement to notify affected individuals of a security breach that results in the acquisition of unencrypted personal information by an unauthorized person. Such requirement should include specifics regarding the type of personal information and breach that triggers the obligation to notify, form and content of notices, timing of notices, who should be notified, etc. Failure to notify affected individuals as required under the Act should be subject to tough penalties.
Notification should be required when designated personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. Good faith acquisition of personal information by an employee or agent of the agency for the purposes of the agency should not trigger the notification requirement, provided that the personal information is not used or subject to further unauthorized disclosure.
An "unauthorized person" means:a) A person who is not an employee or agent of the person that maintains the designated personal information;
b) An employee or an agent of the person that maintains the designated personal information who(i) exceeds his or her authority to access the designated personal information; or
(ii) uses the information for purposes not related to his or her duties.
"Designated personal information" is information, in electronic or paper form, which includes the first name, initial, or middle name, and last name, or address, in combination with any of the following data: government issued identification number including social insurance number, driver’s license number, or health card number; account numbers, credit or debit card numbers, or other unique identifiers issued by other organizations together with any security code, password or access code that would permit access to the individual's information. Information that is encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable by unauthorized persons does not constitute "designated personal information".
Tuesday, January 09, 2007
Kevin Bousquet, a private investigator with The Corpa Group, has an interesting and long post on PIs, privacy law and pretexting on his blog. It's his view that privacy laws have backfired and that Bill C-299 (the anti-pretexting private member's bill) will have a disastrous effect on the ability of private investigators to deal with fraud, among other things. It's obvious that he put a lot of thought into it and, though I don't agree with many of his conclusions, it is an interesting perspective.
Oddly, there wasn't anyone espousing this perspective who appeared at the PIPEDA review hearings.
Monday, January 08, 2007
The Canada Revenue Agency continues to be in the news as of late.
The Canadian Press has found that the CRA official leading the investigation into the disclosure of information about high profile taxpayers, including MP and former hockey star Ken Dryden, once faced the wrath of George Radwanski:
CRA commissioner probing Dryden tax leak once dismissed privacy breach finding
Monday, January 08, 2007
TORONTO (CP) - The senior public servant leading a probe into the leak of Ken Dryden's confidential tax information once dismissed a scathing ruling by the federal privacy commission that found Canada Revenue Agency employees had violated the Privacy Act.
Larry Hillier, the agency's assistant commissioner for the Ontario region, launched an "immediate investigation" last month after a published report that employees had violated the Income Tax Act, the Privacy Act and possibly criminal law by leaking Dryden's information.
In an internal e-mail sent to CRA employees, Hillier also warned of possible disciplinary action, including dismissal.
"When one employee breaches confidentiality, as is currently alleged, each and every one of us is impacted," he wrote.
Hillier, however, had a decidedly different response in 2003, when the federal privacy commissioner found CRA employees committed a "serious violation" of the Privacy Act by accessing and disclosing the tax information of former employee Lillian Shneidman while investigating allegations that she had violated a taxpayer's privacy rights.
In an October 2003 letter obtained by The Canadian Press, Hillier defended the actions of his employees, despite the privacy commissioner's findings.
"I offer the following regarding the above-referenced report, which concludes that we inappropriately accessed Ms. Shneidman's tax information," Hillier writes in a letter to then-CRA human resources branch assistant commissioner Dan Tucker.
"It is felt that this particular investigation warranted the accessing of Ms. Shneidman's tax information, as a taxpayer raised serious allegations."
CRA employees who are found guilty of disclosing confidential tax information - a violation of the Income Tax Act - face fines of up to $5,000 or jail time of up to 12 months. Under the Criminal Code of Canada, breach of trust by a public officer is punishable by a maximum prison sentence of five years.
Shneidman, who was fired from the CRA in 2001, had been assured in a July 2003 letter from Tucker that the agency viewed "any breach in privacy as a very serious matter."
The CRA "will ensure that appropriate corrective action will be taken," Tucker wrote.
At least one of the employees involved in the incident has been promoted, said Shneidman - who continues to fight her termination, with cases pending before the Public Service Labour Relations Board and the Federal Court of Appeal.
Former privacy commissioner George Radwanski was unequivocal in his condemnation of the CRA's treatment of Shneidman.
"Accessing that information . . . for the sole purpose of confirming your status as a (CRA) employee was, in my view, totally unnecessary and a gross misuse of taxpayer information," wrote Radwanski, who faces charges of fraud and breach of trust after resigning that same year amid an expense-abuse scandal.
"I consider the use of your (tax) information in this instance to constitute a serious violation of the confidentiality rights afforded you under . . . the Privacy Act."
Thanks to Rob Hyndman for passing along the link.
Thursday, January 04, 2007
According to the Associated Press, a "signing statement" issued by President Bush when signing postal legislation may open the door to greater powers for law enforcement and intelligence authorities to open first class mail.
Here's the signing statement"
"The executive branch shall construe subsection 404(c) of title 39, as enacted by subsection 1010(e) of the act, which provides for opening of an item of a class of mail otherwise sealed against inspection, in a manner consistent, to the maximum extent permissible, with the need to conduct searches in exigent circumstances, such as to protect human life and safety against hazardous materials, and the need for physical searches specifically authorized by law for foreign intelligence collection.
An Australian with a sense of humour got his cat a credit card to test his bank's "identity security":
Bank issues credit card to cat
SYDNEY, Jan 4 (Reuters Life!) - An Australian bank has apologized for issuing a credit card to a cat after its owner decided to test the bank's identity security system.
The Bank of Queensland issued a credit card to Messiah the cat when his owner Katherine Campbell applied for a secondary card on her account under its name.
"I just couldn't believe it. People need to be aware of this and banks need to have better security," Campbell told local media on Thursday.
The bank said the cat's card had been canceled. "We apologize as this should not have happened," it said in a statement.
A Halifax resident was more than slightly surprised when he went to the Canada Revenue Agency to pick up his requested notice of assessment. While the notice was conspicuously absent from the envelope, he did find a raft of information about ten complete strangers. Apparently, the CRA stuffed the wrong envelopes and handed over confidential and sensitive information to the wrong person.
When the individual who received the information was not satisfied with the CRA's reaction, he called the other taxpayers and went to the media. The story is on the front page of the Halifax Chronicle Herald.
To make matters worse, the notice of assessment was mailed but nobody knows who to.
CTV is doing a piece for the supper hour news here in Halifax, for which I was interviewed earlier today. They are hoping to get some comment from the unshuffled Minister responsible for CRA.
From today's paper:
More than he wanted to know
Government mistakenly mails other people’s tax papers to Whites Lake man
By JOHN GILLIS Staff Reporter
Andrew Doiron of Whites Lake just wanted to find out his RRSP contribution limit for the year. But what he got was a raft of personal information about 10 strangers from as far away as British Columbia.
The Canada Revenue Agency is now investigating how the confidential tax documents landed in Mr. Doiron’s mailbox and where the information he requested ended up.
"It looks like somebody just picked a handful of paper off a printer and just slipped it in an envelope with my (address) page on top," Mr. Doiron said Wednesday. "But of course they didn’t put my papers in there."
The confusion began Dec. 20 when Mr. Doiron went to the Canada Revenue Agency’s Halifax office in person to ask for a copy of his notice of assessment. He was told he had to call a toll-free number to ask for the document. Staff let him use a phone in the building.
Mr. Doiron was surprised Tuesday when he found an envelope from the agency in his mailbox, and it contained about 35 pages. The documents bore the names, addresses, social insurance numbers, income, marital status and other personal information for 10 other people. His own notice of assessment was not included.
He immediately called a toll-free Canada Revenue Agency number again but said it was tough to persuade the person who answered to let him speak to a supervisor. When he finally did, he said he was asked to mail the documents back to the agency and advised he could claim the price of the postage stamp on his tax return next year.
Mr. Doiron also called as many of the people whose tax information he’d been sent as possible.
One, Sandra Ambersley of Brampton, Ont., told CTV she was very concerned about what might have happened if someone had wanted to use that information.
"I was totally shocked yesterday when I received a call from Halifax, this man saying that he’d received all my personal information," she said Wednesday.
Mr. Doiron noted that on the same online telephone directory he used to find people’s telephone numbers, there was an ad pointing to a Capital One credit card application that required only an address and a social insurance number.
He personally returned all the strangers’ documents to the Halifax office Wednesday.
Mr. Doiron said he felt he did not get a serious response from the agency until after he began contacting the media.
Jack Lee, acting director of the Nova Scotia office, called to apologize and had a copy of the notice of assessment Mr. Doiron requested sent to him. It arrived safely.
The notice had been mailed previously, but not to him.
"Mine’s out there somewhere, floating around," Mr. Doiron said. "I hope somebody threw it away."
Canada Revenue Agency spokesman Roy Jamieson said security is the No. 1 priority for the service, but mistakes happen.
"We’re certainly scrambling to try and piece together what took place," he said. "There’s quite an active and quite an intense investigation going on right now."
He said a call to a toll-free number could be answered at any one of a number of call centres across the country, depending in part on the nature of the request. A requested document could be printed at the appropriate location and mailed from there.
The agency sends about 90 million pieces of mail per year and it’s rare that something gets mixed up, he said.
"To be misdirected in the magnitude of this case, it’s certainly unusual," Mr. Jamieson said.
He said the agency will contact all of the people whose documents were involved and will keep Mr. Doiron abreast of its investigation into the mix-up.
"There’s no question that any kind of breach of security and compromising of an individual’s privacy and confidentiality is our most significant issue in this agency," Mr. Jamieson said.
Mr. Doiron has little confidence that anything will change.
"My gut feeling is, this is government, nothing’s going to happen," he said.
Update: From CTV:
Canada Revenue investigates botched mailout
The Canada Revenue Agency is scrambling to restore public trust and has launched an internal investigation after confidential information on several Canadians was sent to a Halifax-area man.
Documents that Andy Doiron of White's Lake, N.S., were mistakenly sent include social insurance numbers, income, addresses and the marital status of 10 Canadians, including some from as far west as Edmonton.
Doiron said he called most of the people to tell them what happened, and returned the documents to Revenue Canada.
With the trust of Canadians potentially on the line and tax time just around the corner, the agency is promising tough action if necessary.
Revenue Canada spokesperson Roy Jamieson called the incident a rare case of misdirected mail, but admitted somebody in the department made a mistake.
"Certainly if we identify breaches of policy process and procedure, there are disciplinary measures that can be taken and I expect they will be looked at quite seriously," he told CTV Atlantic.
Federal Minister of National Revenue Carol Skelton said she was "disturbed" by the security breach.
"The instant that I found out about it we had launched an investigation," she told CTV News in Saskatoon. "I really can't say much more about it than that. The incident is being looked into."
The agency is still trying to determine which one of five locations was responsible for the botched mail out.
David Fraser, a legal expert in security matters, told CTV Halifax that if such information were to fall in the wrong hands, it could easily be used to commit fraud.
"There really does need to be something done in order to make sure the trust is always there. Accidents happen but so often trust is won or lost in the aftermath of how they decide to deal with it," he said.
Sandra Ambersley of Brampton, Ont. was one of the people Dorion called.
"I was totally shocked when I received the call (on Tuesday) from Halifax," Ambersley told CTV Toronto.
"This man (was) telling me that he received all my personal information. As a joke he did say 'I could duplicate you right now.'"
The confusion began when Doiron called the revenue agency on Dec. 20 requesting a copy of his notice of assessment.
On Tuesday, an envelope from the agency arrived in his mailbox, containing over 30 pages of documents with all the information. His own assessment wasn't included.
Doiron said he immediately called the toll-free Canada Revenue Agency number again and he was asked to mail the documents immediately.
With a report from CTV Atlantic reporter Marc Patrone.
Tuesday, January 02, 2007
The Privacy Commissioner of Canada suggests that you make a few New Year's resolutions to protect your privacy:
Start the New Year with privacy resolutions
Ottawa, December 27, 2006 – Privacy Commissioner of Canada Jennifer Stoddart is urging Canadians to add good privacy habits to their list of New Year’s resolutions.
"Polls have told us again and again that Canadians value their privacy. The start of the New Year is a great time for everyone to check whether they are doing enough to protect this important right," Ms. Stoddart said. "I hope people will add some good privacy habits to their New Year’s resolutions list."
Ms. Stoddart today released her top 10 resolutions for consumers to protect their privacy in 2007 and beyond. They are:
- Guard your information
Ask questions when a cashier ringing in your purchases wants your name, address or telephone number. Why is the information being requested? How will it be used? If you are concerned about unwanted junk mail or telemarketing calls, decline to provide the information. It’s as simple as saying, "Sorry, I don’t want to share that personal information." Privacy laws give you a choice. You don’t always have to say "Yes."
- Check your receipts
Some retailers still use older equipment that prints receipts with a complete credit card number – creating a risk the number will fall into the wrong hands and be fraudulently used. If the number is complete, use a pen to scratch out the middle four numbers on your copy.
- Become a junk mail buster
If you don't want to be added to marketing lists, check the "no thanks" or opt-out box, or initial a note stating your preference, whenever you give personal information to magazine publishers, retail stores, charities and other organizations.
- Take three steps to create more quiet nights at home
- Take advantage of the Do Not Contact Service (do-not-call, do-not-mail, and do-not-fax) offered at no cost by the Canadian Marketing Association (CMA). You can make the request online at www.the-cma.org.
- Ask your telephone company to remove you from the lists it sells to external organizations.
- When telemarketers call, insist they remove your name from their calling lists. They are now required by law to maintain do-not-call lists.
- Develop a shredding habit
Make sure your blue box is not a goldmine for identity thieves. Buy a shredder (many are surprisingly inexpensive). Destroy all documents that include sensitive personal information, such as bank statements, credit card statements, credit card receipts, and pre-approved credit card applications.
- Check loyalty program fine-print
- Become more privacy-aware on-line
Educate yourself about protecting your privacy on-line. Install the latest anti-spyware, anti-virus and firewall software on your computer. Shop only on secure sites – check for a lock symbol on the bottom right of the window. There’s plenty of advice on the Internet.
- Stop Spam
Invest in a good spam filter and learn how to use it. Spam affects privacy rights because it involves the inappropriate use of personal information – your e-mail address. Protect your regular e-mail address by using it only with trusted friends and business associates. Get another address for other online uses. If you receive an e-mail from a sender you don’t recognize, or with a subject line that doesn’t make sense, just delete it. Opening spam may send a confirmation that an e-mail address is valid – and lead to more spam. The OPC homepage, www.privcom.gc.ca, includes a link to more information about spam.
- Caution on the phone
Apply a healthy dose of skepticism when an e-mail or phone caller warns that your bank account or credit card has been compromised. Never reply to such e-mails, which may have been sent by ID thieves. Call your bank instead. Fraudsters are also using the telephone to get personal information. The best way to determine whether a call about account problems is legitimate is to say, "I’ll call you right back," and then call either the number on your credit card or account statement.
- Protect your SIN
Ask questions when an organization asks for your Social Insurance Number. An ID thief could use your SIN to apply for a credit card or bank account in your name. Companies can’t insist that you provide a SIN unless it is required for a specific and legitimate purpose, such as tax reporting. Ask why the organization needs your SIN and whether you are required by law to provide it. If you are refused a product or service unless you give your SIN, complain to the Office of the Privacy Commissioner of Canada.
The Canadian Press is running an article about the growing business of identity theft insurance, both as an add-on to traditional homeowners policies and as a standalone policy of insurance. This is something I've seen in the US for some time, but is relatively new north of the 49th. See: Insurance providers offer policies that can take sting out of identity theft.
Monday, January 01, 2007
According to the Washington Post, a number of US states are fed up with the level of cooperation with federal authorities and are hanging up their own shingles in the intelligence business. Dozens of operation centres are currently operating from coast to coast, and some concerns are being raised about privacy concerns and the level of information sharing these centres are predicated upon.
The post cites an example, which was first hailed as a success, but this sentiment fizzled out:
Officials say an incident on the Chesapeake Bay Bridge in 2004 shows the center's effectiveness. State transportation police stopped an SUV after a veiled passenger was seen videotaping the bridge in a suspicious manner. The officers called the fusion center, which discovered that the driver was an unindicted co-conspirator in a Chicago case involving Hamas, a U.S.-designated terrorist group.
Eisenberg contacted a prosecutor in Chicago, who quickly obtained an arrest warrant for the driver as a material witness in the Hamas case.
"The 9/11 commission's major criticism was that people didn't talk to each other," said Dennis R. Schrader, Maryland's director of homeland security. "Well, this is an example of how you had state, local and federal all working together. . . . It's really pretty unbelievable."
To some, though, the incident raised questions about what constitutes dangerous behavior.
The driver, Ismail Elbarasse, a U.S. citizen of Palestinian origin living in Annandale, was quickly released on bond, and the material-witness warrant eventually expired. He was not charged with a crime. His family said the veiled woman, Elbarasse's wife, was simply taping the bay while returning from the beach.
"It was regarded in the community as just a case of overreaction to seeing somebody in a head scarf videotaping," said Ibrahim Hooper of the Council on American-Islamic Relations.
Civil liberties advocates worry that the fledgling fusion centers could stray into monitoring people engaged in lawful activities, as some members of new police homeland security units have done. A Georgia homeland security officer, for example, was discovered photographing a protest by vegans at a HoneyBaked Ham store in 2003. Privacy advocates are also concerned about the vast amount of information some fusion centers collect -- and the sometimes vague limits on its use and storage.
Best wishes for a very successful '007.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.