I received the following question the other day:

In terms of personal data that was captured by a healthcare company while a patient in Canada, and relayed to another city in Canada for analysis, further use, etc., does that patient data have to remain in Canada ? or is it allowed to traverse the US border at any time during its journey across the continent ? My concern is that communication networks don't seem to be restricted to intra-Canada operation or due to congestion or failure, most have to use large data highways that may cross over into the United States.

Under PIPEDA, is patient or personal data limited to just traverse within Canada ?

5 (1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless...

Tracing route to ubc.ca [64.40.111.228] over a maximum of 30 hops:

1 2 ms 1 ms 1 ms [REDACTED]

2 20 ms 9 ms 9 ms [REDACTED]

3 17 ms 12 ms 10 ms [REDACTED]

4 11 ms 8 ms 8 ms hlfx-br1.eastlink.ca [24.222.79.205]

5 18 ms 28 ms 18 ms te-3-1.car2.Boston1.Level3.net [4.79.2.89]

6 22 ms 19 ms 18 ms ae-2-5.bar2.Boston1.Level3.net [4.69.132.250]

7 19 ms 19 ms 22 ms ae-0-11.bar1.Boston1.Level3.net [4.69.140.89]

8 46 ms 54 ms 49 ms ae-5-5.ebr1.Chicago1.Level3.net [4.69.140.94]

9 44 ms 52 ms 39 ms ae-68.ebr3.Chicago1.Level3.net [4.69.134.58]

10 73 ms 72 ms 70 ms ae-3.ebr2.Denver1.Level3.net [4.69.132.61]

11 99 ms 90 ms 90 ms ae-2.ebr2.Seattle1.Level3.net [4.69.132.53]

12 90 ms 89 ms 89 ms ae-22-52.car2.Seattle1.Level3.net [4.68.105.35]

13 90 ms 89 ms 88 ms unknown.Level3.net [64.154.178.134]

14 93 ms 91 ms 102 ms p2-1.pr0.yvrx.hgtn.net [66.113.197.5]

15 93 ms 93 ms 91 ms r1-hgtn.netnation.com [64.40.127.254]

16 102 ms 95 ms 93 ms itservices.ubc.ca [64.40.111.228]

Trace complete.

This leads to the question of whether your information is safe from interception during transit through the US. It's really not safe from interception at any point on the internet. At each point above, the signals can be intercepted. There was recent speculation that a collaboration between AT&T the National Security Agency allowed national security organs of the US to vacuum international internet and telco traffic from at least one AT&T facility. (See: EFF's class action against AT&T.) Do they have the tools to single out particular traffic? Probably.

So what to do? If sensitive information is being transferred between two points on the internet, it should be encrypted and sent through a secure "tunnel".

Update: Added reference to Quebec statute. Thanks, commenter.

Labels: AskThePrivacyLawyer, health information, patriot act, piidpa, privacy

I've been overwhelmed by the number of questions I've received in response to "Ask the privacy lawyer". Some of them are too specific and would cross over the line between legal advice and educational. But I got this question, which is relatively generic and probably is something that many people have to deal with:

HI - In September 2007 I subscribed to a well known Canadian magazine. I did not check a box on the form saying I wanted to receive 'mail' from them. However in December 2007 I and my neighbour (whose subscription to the same magazine had just ended) started receiving unsolicited requests for magazine subscripts at a rate of about 1 a week. I knew where the subscription was coming from since they mispelled my name on all the subscriptions in the same way.

I've emailed the magazine and the company responsible for these bulk mailings and have been told they 'occasionally send mailings we think our customs will enjoy' although that's only if you check the box requesting that 'service'.

They tell me the mailings will stop soon - but they haven't and now the mailing have my correctly spelled name.

I know there is a lot of work being done with SPAM laws and no phone anti-telemarketer laws - but is there any way I can legally stop this magazine for falsely advertising that they would to share my name and information with anyone else?

They don't seem to be taking my angry emails very seriously.

This situation sounds like a classic SNAFU, which might only take some more gentle persuasion to fix. But if one wants to take the legal route ....

The first question one has to ask is what privacy law applies. The questioner wasn't specific, so one should consider the options. This is a private sector matter, since we are not dealing with a government institution. Magazines are engaged in commercial activity, so one of the Canadian private sector laws would apply. The default would be PIPEDA, which applies to the collection, use and disclosure of personal information in the course of commercial activities except where there exists an applicable provincial law that has been declared to be "substantially similar" to PIPEDA. The substantially similar laws are the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia) and An Act Respecting the Protection of Personal Information in the Private Sector (Quebec). The PIPAs of Alberta and BC are very similar to PIPEDA and are built on the same foundation.

For the purposes of considering this question, I'll assume that PIPEDA applies. PIPEDA requires the knowledge and consent of all individuals for all collection, use and disclosure of personal information. Importantly, an organization cannot require an individual to consent to uses that are not necessary.

4.3.3 - An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

Privacy lawyers often refer to marketing as "secondary purposes" as they are secondary to the original purpose for the collection, use and disclosure of personal information (which, in this case, would be sending a subscriber the magazine and for billing purposes). There is some debate as to whether "opt in" or "opt out" is sufficient for these secondary purposes.

In any event, consent ,if previously granted, may be withdrawn:

4.3.8 - An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.

Even if an individual had previously consented to the use of personal information for marketing purposes, this consent can be withdrawn "subject to legal or contractual restrictions and reasonable notice". Assuming there is no such impediment, a subscriber should be able to tell a magazine publisher that he or she no longer wishes to receive marketing materials or to have personal information disclosed to other publishers. This is consistent with the Commissioner's finding in Summary #308:

Commissioner's Findings - PIPEDA Case Summary #308: Opting-out of marketing inserts in account statements - April 7, 2005

"The Assistant Commissioner therefore determined that by not providing a means of withdrawing consent to secondary marketing, the bank was requiring the complainant to consent to a use of his personal information beyond that required to fulfil the purpose of servicing his credit card account, in contravention of Principles 4.3.3 and 4.3.8 of Schedule 1."

So what recourse does an indvidual have? He or she can complain to the Office of the Privacy Commissioner, who will investigate and hopefully persuade the publisher to change their practices. If they do not comply, the individual or the Commissioner can take the matter to the Federal Court.

Labels: AskThePrivacyLawyer, privacy, telemarketing

Despite the disclaimer on the side of this blog, I often get e-mails from people asking questions about privacy laws and how they affect their own particular circumstances. They are usually from people who are not in a position to pay for legal advice. Often, I get the same basic question (with slight variations) a number of times.

I'm very sympathetic to their circumstances but can't always take the time to provide a full answer. Since there is obviously a need out there, I thought I'd try something new: Ask The Privacy Lawyer. Readers can send me their questions and, assuming it is a question that lends itself to being answered in a public forum, I will post my thoughts on the topic on the blog.

Questions should be sent to ask@privacylawyer.ca or can be left as an anonymous comment to this post. Please try to keep your questions as general as possible and DO NOT NAME ANY PEOPLE, COMPANIES OR ORGANIZATIONS in your query. I will not identify the submitter or anyone else in the response and may edit your e-mail to to make it applicable to a wider audience. Any response will be written to be educational but should not be contrived to be legal advice.

If you are looking to retain a lawyer to assist you with your matter, please e-mail me directly at david.fraser@mcinnescooper.com.

Labels: AskThePrivacyLawyer, privacy