The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Monday, November 30, 2009
The New York Times is reporting on an agreement reached between European ministers and the United States for restored access to information about bank transfers processed by the Society for Worldwide Interbank Financial Telecommunications (SWIFT). See: EU Clears Bank Data Transfers to United States - NYTimes.com.
There has been some coverage of this already on blogs, particularly the Brussels Blogger (SWIFT - EU to grant USA nearly unlimited access to all EU banking data). Much of the tone has suggested that wholesale transfers of information will take place with massive datamining operations to be set up, but take a look at the actual agreement between the US and Europeans. It's available at wikileaks: EU draft council decision on sharing of banking data with the US and restructuring of SWIFT, 10 Nov 2009 - Wikileaks.
The agreement doesn't contemplate wholesale, massive data downloads of the kind one would expect if the database were in the United States. Instead, targeted requests must be made and these are directed through European authorities rather than to SWIFT directly. There are covenants on the US side that it will not be used for data mining purposes and other privacy-protective promises. And, to top it off, the term of the agreement is one year so that it can be renegotiated if it's not working out.
While all of this needs to be examined with a critical eye and it's not perfect, the cynic in me was pleasantly surprised by the details of the agreement.
Thursday, November 26, 2009
A very good commentary from the Victoria Times Colonist. Fave quote: "It was a good example of how privacy law has vastly enhanced officials' first inclination to say "no" to every request."
Privacy law helps the government hide
Thursday, November 26, 2009
When reporters were briefed a couple of weeks ago on how the Olympic torch relay would go down, they were told no identities of the runners would be supplied, because of "privacy law."
Apparently the people who eagerly volunteered to wear bright white suits while carrying burning torches in front of TV cameras and thousands of people wanted their privacy, along with all the fame and glory.
They wanted no such thing, of course. They were only too happy to joyously volunteer their names on their own. The edict was simply the decision of torch functionaries eager to exercise some of their authority. It was a good example of how privacy law has vastly enhanced officials' first inclination to say "no" to every request.
So it's very enlightening to see how the "privacy law" is bearing up in the scandalous situation uncovered by the Times Colonist last week.
It's useless. It's being cited and ignored at the same time. In the face of a crystal-clear gross violation of taxpayers' privacy -- by a bureaucrat, no less -- the vaunted privacy law is a joke. It's only been handy so far when it comes to trying to cover up this botch.
A ministry caseworker in Victoria with what's likely malevolent intent carted home documents with personal information of some 1,400 clients of the government.
Police are still investigating, but at this point it looks like the man had a lot of the material you'd need to go into the lucrative fake ID business in a fairly big way.
It fell to Citizens' Services Minister Ben Stewart to explain this mess. And his explanation has turned into a mess itself.
He gave every indication last week to Times Colonist reporters Lindsay Kines and Rob Shaw that the government was responding with alacrity to this emergency. His version of the government's reaction looked pretty good -- for him.
He's the action figure who alerted some officials, contacted all the citizens involved, helped get the employee fired and started an investigation.
What he left out of the story was the fact that the government knew about this for months, and did nothing. Stewart skated right past the central point -- government officials have been aware for seven months that the privacy of 1,400 people had been violated. And they only started acting on the emergency last month.
Confronted with this yesterday, Stewart offered some explanations that are nothing short of baffling.
"The reality is, I as minister responsible, when I found out about it, I immediately asked my staff . . . to make an investigation into the matters as to the timelines and why in fact it had taken as long as it did."
So the investigation isn't just about the employee. It's about why nobody bothered to tell the minister responsible about the breach for several months. That's quite a refinement on the original version.
Stewart also said: "One of the things about the dates in this thing is that nobody is exactly clear in terms of what actually transpired from when the RCMP first made their discovery of these records."
Well, why on earth not?
It looks like some scam artist was interrupted while trying to run a con of some sort. RCMP nabbed him and told the government about it. And the government did nothing for months on end, other than continue employing and paying the suspect right up until last month.
Meanwhile, the personal ID information of 1,400 clients went God knows where. It doesn't look like illicit use was made of it. But it sure wasn't for lack of opportunity.
Why was the guy kept on the payroll? Why did it take so long? What was the government doing?
There must be some answers. But you likely won't get them for a while. Because we've got a privacy law.
Just So You Know: The ministry sent a letter to the individuals involved.
It's a gracious, heartfelt apology with an assurance that the government is working hard to correct the problem.
Only some of the letters went to the wrong people. So people who got letters addressed to other people were advised to send them back, or destroy them.
Some readers of this blog may be interested in this seminar that I'm giving for the Nova Scotia Barristers Society in a couple of weeks. Those who aren't lucky enough to be in Halifax can attend by webinar:
NSBS - Development
Wednesday, December 9, 2009
Lunch & Law - Social Networking in a Global Market: Marketing Strategies for Lawyers
Nova Scotia Barristers' Society - Continuing Professional Development Wednesday, December 9, 2009, 12:00 - 1:30 pm
Location: CPD Center, Suite 408, 1645 Granville Street, Halifax
The Program: New technologies provide a plethora of unique opportunities for lawyers to raise their profiles and reach new clients.
Join David T.S. Fraser of McInnes Cooper who will provide an overview of blogs, social networking websites and other innovative means of marketing your law practice.
Even if blogs, Facebook, LinkedIn, and Twitter leave you scratching your head and wondering what it's all about, this seminar will provide practical insight into these dynamic marketing channels.
David will also explore the issues of associated ethics challenges based on the CBA's new Guidelines for Ethical Marketing Practices Using New Information Technologies.
Don't miss this unique opportunity to learn the latest and greatest trends in marketing your legal practice.
Register online - If you do not already have a username and password, (or to activate your account), please contact Pierre Benoit at (902) 422-1491. Outside of Metro? Please register and join us via conference call. There are no cancellations for this program; substitutions are welcome.
Fee: $40 per person plus tax (lunch included)
Can't travel to Halifax? Why not join us from the comfort of your office!
Webinar/Teleconference option is available. Fee is $40 plus tax (includes long-distance charges). Instructions will be emailed one day in advance.
Feel free to pass this along to anyone who may be interested. You can share the invitation on Facebook via the event page, which is here.
Wednesday, November 25, 2009
The owner of one of the largest databases of genomics information and biological samples, in Iceland, has gone bankrupt.
The article in Nature says that the database and the samples cannot be sold, but it remains to be seen what will happen with this trove of incredibly valuable and deeply sensitive personal information.
Icelandic genomics firm goes bankrupt : Nature News
... deCODE intends to sell most of its assets, including its drug-discovery and development services and the unit that conducts its genetic research, to Saga Investments, a US venture-capital-backed company, unless a better offer is made. The database and biological samples themselves cannot be sold, Stefánsson says, because of legal restrictions on their use. He says that the Wellcome Trust in Britain had approached deCODE to try to fund a non-profit institute to manage the database in Iceland, but was unable to do so.
"The database will never be managed by a foreign organization," he says. "The data are sensitive. We are a proud nation, and the data are not for others to manage."
Tuesday, November 24, 2009
According to the Guardian, citing a report to be released tomorrow, police in the UK have been routinely arresting people without justification just to get their DNA into the national database:
Police routinely arresting people to get DNA, inquiry claims - Politics - The Guardian
Police officers are now routinely arresting people in order to add their DNA sample to the national police database, an inquiry will allege tomorrow.
The review of the national DNA database by the government's human genetics commission also raises the possibility that the DNA profiles of three-quarters of young black males, aged 18 to 35, are now on the database.
The human genetics commission report, Nothing to hide, nothing to fear?, says the national DNA database for England and Wales is already the largest in the world, at 5 million profiles and growing, yet has no clear statutory basis or independent oversight....
Via Boing Boing.
The Secretary of Homeland Security and our Minister of Public Safety just wrapped up a bi-annual meeting and announced the addition of the United States to an existing program that uses biometric information to match immigration and refugee applicants to information in foreign databases. From the media release:
Secretary Napolitano and Minister Van Loan announce initiatives to combat common threats and expedite travel and trade
Immigration Information Sharing: Secretary Napolitano announced that the United States will join a biometric data sharing initiative involving Canada, Australia, the United Kingdom and, eventually, New Zealand – an initiative designed to strengthen the integrity of immigration systems and the security of each country while protecting privacy and civil rights. Minister Van Loan, with the Canadian Minister of Citizenship, Immigration and Multiculturalism, Jason Kenney, welcomed the United States’ participation.
“Previous trials show that biometric information sharing works. For example, when the fingerprints of some asylum claimants in Canada were checked against the U.S. database, more than a third matched and 12 percent of these individuals presented a different identity in the United States,” said Minister Kenney. “The data sharing helps uncover details about refugee claimants such as identity, nationality, criminality, travel and immigration history, all of which can prove relevant to the claim.”
I'm trying to get my hands on the Privacy Impact Assessment for the program, but as with most such documents they are well hidden on the department's website.
Monday, November 23, 2009
A British Columbia government employee has been fired and the Commissioner has launched an investigation after it was discovered that a spreadsheet with sensitive personal information on social assistance recipients was taken to the employee's home. See: Privacy czar to probe files breach.
Tuesday, November 17, 2009
The Privacy Commissioner of Canada has tabled her annual report on the public sector privacy law, the Privacy Act: Annual Report to Parliament 2008-2009 - Report on the Privacy Act.
At the same time, she has also tabled additional privacy audits, related to FINTRAC and the Canadian no-fly list:
Here's the media release that accompanied the tabling of the reports:
Audits of major national security programs raise concerns for privacy
Excessive reporting of personal information to FINTRAC and potential information technology risks with Canada’s “no-fly list” are among concerns identified in audits highlighted in the Privacy Commissioner’s annual report on public sector issues.
OTTAWA, November 17, 2009 — The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has more personal information in its database than it needs, uses or has the legislative authority to receive.
This was one of the key findings of the Privacy Commissioner of Canada’s in-depth audit of the independent agency mandated to analyze financial transactions and identify suspected money laundering and terrorist financing in Canada.
A separate audit, also published today, examined the Passenger Protect Program – better-known to Canadians as the no-fly list. It identified several concerns, such as the fact that the Deputy Minister ultimately in charge of who is on the list was not provided with complete information to allow for informed decision-making.
“Since the terrorist attacks of 9/11, we’ve seen a proliferation of new national security programs. We fully appreciate the underlying aim of many security programs – protecting Canadians. However, it is critical – a point reinforced by our new audits – for government officials to integrate privacy protections into all of these programs at the outset,” says Privacy Commissioner Jennifer Stoddart.
The findings of the two audits are highlighted in the Commissioner’s 2008-2009 report to Parliament on Canada’s federal public-sector privacy legislation, the Privacy Act.
Legislative changes passed in 2006 expanded the types of transactions that must be reported to FINTRAC, as well as the number of professionals and organizations that are required to collect information about clients and to report it to FINTRAC. Examples of entities required to report to FINTRAC include financial institutions, life insurance companies, accountants and casinos.
The audit found that FINTRAC needs to do more to ensure that the amount of personal information it acquires is kept to an absolute minimum. A random sample of files examined in the audit turned up several reports that did not clearly demonstrate reasonable grounds to suspect money laundering or terrorist financing. For example:
A reporting entity filed several reports stating it was “taking a conservative approach in reporting this … because there are no grounds for suspecting that this transaction is related to the commission of a money laundering offence, but there is a lack of evidence to prove that the transaction is legitimate.”
An individual deposited a government cheque for an amount less than $300 and then withdrew the entire amount. The financial institution filed a suspicious-transaction report, but did not indicate why the transaction was deemed suspicious.
A financial institution filed a report about an individual who had deposited a cheque from a law firm. The institution was satisfied that the individual had provided legitimate reasons for the source of funds, but decided to notify FINTRAC anyway because of the individual’s ethnic origin and the fact that this person had visited a particular country.
“It is clear that such reports, containing not a shred of evidence of money laundering and terrorist financing, should not be making their way into the FINTRAC database,” says Commissioner Stoddart.
“It is a bedrock privacy principle that you collect only the personal information you need for a specific purpose,” she says. “The federal government needs to have a justifiable need to collect someone’s personal information. Clearly, FINTRAC needs to do more work with organizations to ensure it does not acquire personal information that it has no legislative authority to receive – and that it does not need or use.”
The audit recommended enhanced front-end screening of reports; stronger ongoing monitoring and review to ensure that information holdings are relevant and not excessive, and the permanent deletion of information that FINTRAC did not have the statutory authority to receive.
Under amendments passed in 2006, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires the Privacy Commissioner to review FINTRAC every two years and report the results to Parliament.
Passenger Protect Program Audit
The “no-fly list” is a passenger screening tool introduced in 2007 to prevent people named on a “specified persons list” from boarding domestic and international flights from or to Canadian airports.
The program has sparked privacy concerns, in part because it is secretive in that it uses personal information without the knowledge of the individuals concerned. Moreover, the repercussions for a person named on the list being denied boarding on an aircraft can be profound in terms of privacy and other human rights, such as freedom of association and expression and the right to mobility.
The focus of the audit, however, was to determine whether the program has adequate controls and safeguards in place to protect personal information.
“We were concerned to learn that officials did not always provide the Deputy Minister – who is ultimately responsible for adding to or removing people’s names from the ‘specified persons’ list – all the information needed to make these sorts of decisions,” says Assistant Privacy Commissioner Chantal Bernier.
Other concerns identified during the audit included:
Transport Canada has not verified that airlines are complying with federal regulations related to the handling and safeguarding of the “specified persons list.” The risk of this information being inappropriately disclosed is particularly high for the small number of air carriers that rely on paper copies of the list.
There were no requirements that air carriers report to Transport Canada security breaches involving personal information related to the no-fly list.
Transport Canada did not demonstrate that the application used to transmit information to air carriers met government security standards.
The Passenger Protect Program and the FINTRAC audits, as well as the latest Privacy Act annual report, are available at http://www.priv.gc.ca/.
The annual report also includes details of privacy-related complaints against federal departments and agencies investigated during the 2008-2009 fiscal year. The Office received 748 formal complaints in 2008-2009, down slightly from the previous year. The most common complaints related to access to personal information and to the length of time government departments and agencies were taking to respond to access requests.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
To view the reports:
Sunday, November 15, 2009
I am often asked whether potential employers are legally able to use Facebook or other social networking sites to do background checks on candidates. A recent "update" email from LinkedIn contained the following blurb at the bottom:
"DID YOU KNOW you can conduct a more credible and powerful reference check using LinkedIn? Enter the company name and years of employment or the prospective employee to find their colleagues that are also in your network. This provides you with a more balanced set of feedback to evaluate that new hire."
This is a different model: rather than scoping the info a candidate may have on his or her profile, you can find people who may have something to say about a candidate. Interesting and potentially useful. But make sure you have consent from the applicant for broad-ranging reference checks.
The Sunday Chronicle Herald has two articles on the increasing use of video surveillance by police and private organizations in Halifax. They are interesting reading, but what I find most interesting is that this is the first time that I've seen any discussion of how the police manage the feeds and access to recordings. Check them out:
The cameras in place now are not monitored all day long, although they are recording, Supt. Moore said. The images are automatically deleted if there’s no request to see them within 14 days.
The department used guidelines from the province’s Freedom of Information office as well as the federal Office of the Privacy Commissioner to develop its guidelines for using the images, he said.
All viewing requests are made to him and only he and his technical staff have access to the recordings.
"They’re very much locked down and once they’re collected, there’s a formalized process for someone looking to go in and find these images," he said.
Supt. Moore said police haven’t used video from those downtown cameras to solve "big" crimes – yet.
"We are still optimistic that it will, but to date it has not been pivotal," he said.
Any discussion of the policies regulating the use of video surveillance is a good thing, and better late than never.
Friday, November 06, 2009
AFP: Experts agree on proposed global privacy standards
Experts agree on proposed global privacy standards
MADRID — Experts from 50 nations meeting in Madrid have reached a draft agreement on international standards for the protection of privacy and personal data, participants said Friday.
Under the proposed standards, data may only be processed after obtaining the "free, unambiguous and informed consent" of the data subjects and it should be deleted when it is no longer necessary for the purposes for which it was gathered.
Data collectors must identify themselves, state in clear language the purpose of the data processing and the recipients of the gathered data.
International transfers of personal data may only be carried out to a country which "affords, as a minimum, the level of protection provided for in the document," according to the proposed standards, agreed by representatives from privacy protection agencies.
"This agreement was reached with the active participation and support of civil society and industry," the head of the Spanish Data Protection Agency, Artemi Rallo Lombarte, said at the end of the three-day gathering.
Participants hope the draft international standards will serve as the basis for a universal, binding legal instrument on data protection. But several cautioned that this is still a long way off given the different rules around the world.
"We have jumped over a first step but we have a long road, a very long road, ahead to arrive at a common, restricting legal framework," said the president of France's CNIL data protection agency, Alex Turk.
Over 1,000 participants from around the world took part in the 31st International Conference of Data Protection and Privacy which is billed as the world's largest forum dedicated to privacy.
US Homeland Security Secretary Janet Napolitano and representatives from key Internet firms like Google and Facebook were among those who took part in the event, which was organized by the Spanish Data Protection Agency.
The next such conference is scheduled for October 2010 in Jerusalem. Previous gatherings have taken place in Strasbourg, Hong Kong, Sydney and Montreal.
Thanks to Alex Cameron for the pointer.
Thursday, November 05, 2009
From today's National Post:
Nova Scotia launches probe into jury vetting
Shannon Kari, National Post
Published: Thursday, November 05, 2009
The Public Prosecution Service in Nova Scotia is conducting an internal review into whether or not its Crown attorneys have been conducting improper background checks of potential jurors.
The review was prompted by a request for information from the Nova Scotia Criminal Lawyers' Association following a National Post story last month that suggested jury vetting was taking place in the province.
A report issued about the scope of the practice in Ontario by the provincial Privacy Commissioner also cited a senior Crown official in Nova Scotia who said it was common for jury lists to be given to police to do background checks. The information was "generally not shared with the defence," the Nova Scotia official told the Ontario agency. The Public Prosecution Service in Nova Scotia initially suggested the Ontario report was inaccurate. But in a written response to the lawyers' association, the director of public prosecutions in Nova Scotia announced that he had initiated an internal review.
"I anticipate that our review will ultimately result in a policy statement or practice advice being prepared which will be distributed to our Crown attorneys. A copy of that advice piece will be provided to you," wrote Martin Herschorn in the letter dated Oct. 20.
Mr. Herschorn also imposed an interim directive. It states that if a background check is requested, it should only be to see if an individual has been previously sentenced to more than two years in prison, which would make the person ineligible to serve as a juror in Nova Scotia.
A spokeswoman for the prosecution service confirmed yesterday that it is asking its 20 Crown offices whether confidential databases were used to probe potential jurors and if the data was disclosed to the defence. "We hope to have a policy in place by the end of the calendar year," Chris Hansen said.
While he welcomes the review, the president of the Criminal Lawyers' Association said he wants to know more about what happened previously. "Our membership certainly has many more questions," Josh Arnold said. "So far, all the talk has been on a go forward basis."
Dulcie McCallum, the Nova Scotia Freedom of Information and Protection of Privacy review officer, said yesterday that she will wait for the internal review to be completed before deciding whether to launch her own investigation.
The Ontario Privacy Commissioner's report revealed that one in three Crown offices in the province engaged in improper jury vetting in just the past three years.
The Ontario Court of Appeal is hearing its first case on this issue this fall, in which three defendants convicted of murder are seeking a new trial. The Ontario government announced on Oct. 27 that it is amending the Juries Act so that any checks for eligibility will be done by an independent agency and the information will be kept confidential. Mr. Arnold urged the Nova Scotia government to consider similar changes to its Juries Act.
Wednesday, November 04, 2009
The Minister of Health for Nova Scotia has today introduced the Personal Health Information Act in the legislature. I'll have a link to the text of the bill tomorrow, but in the meantime you can read the release:
Personal Health Information Legislation Introduced - News Releases - Government of Nova Scotia
Personal Health Information Legislation Introduced
Department of Health
November 4, 2009 2:46 PM
Nova Scotians' personal health information would be better managed under proposed legislation introduced today, Nov. 4.
The Personal Health Information Act would provide consistent provincial rules for the management of personal information in health care.
"Patient privacy is a fundamental principle in delivering health care. At the same time, it is important that health care professionals can share information in ways that can improve care," said Health Minister Maureen MacDonald. "This legislation balances these important objectives."
The proposed legislation sets out rules for how health information is collected, used, disclosed, retained and destroyed by the health-care sector in Nova Scotia. It better supports a system that uses electronic as well as paper health records and helps provide a more seamless flow of information.
Specific rules include provisions for privacy breach notification, audit reports to track who has had access to electronic health records, and requests for people to access their health information.
Nova Scotia does not have clear health information legislation. It is governed by a mix of federal and provincial laws, health profession codes, and organizational policies and procedures. Nova Scotia joins eight other provinces who have comprehensive legislation to manage personal health information.
I understand that the legislature session ends shortly, so the Bill will not be debated until the new year. It's also reported that the Department plans to have the Bill come into force in January 2011.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.