The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Wednesday, October 28, 2009
Notification respecting service provider outside CanadaPermitted "as required by law" disclosures are now limited to required by Canadian or Alberta law. The breach notification provisions require notice to the Commissioner and the Commissioner may order that individuals be notified. I'm sure we'll be hearing more about this. Here's an extract from yesterday's Hansard:
13.1(1) Subject to the regulations, an organization that uses a service provider outside Canada to collect personal information about an individual for or on behalf of the organization with the consent of the individual must notify the individual in accordance with subsection (3).
(2) Subject to the regulations, an organization that, directly or indirectly, transfers to a service provider outside Canada personal information about an individual that was collected with the individual’s consent must notify the individual in accordance with subsection (3).
(3) An organization referred to in subsection (1) or (2) must, before or at the time of collecting or transferring the information, notify the individual in writing or orally of
(a) the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and
(b) the name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.
(4) The notice required under this section is in addition to any notice required under section 13.
ISYSweb 8 Search Results for Bill 54
Personal Information Protection Amendment Act, 2009
Mr. Denis: Thank you very much, Mr. Speaker. I rise to introduce Bill 54, the Personal Information Protection Amendment Act, 2009. Mr. Speaker, this bill is a direct result of the hard work of the SelectSpecialPersonalInformation Protection ActReviewCommittee, an all-party special committee of the Legislature that in 2006 undertook a complete review of the act and tabled a report to the Legislature in November 2007 outlining recommendations for amendments. This bill incorporates a number of their proposed amendments.The main proposals for change include emerging issues such as notifying the commissioner or individuals about security breaches that place personal information at risk and informing individuals when services involving personal information are occurring outside of Canada. Mr. Speaker, as required for any new legislation in a rapidly evolving area, this bill also does some updating and finetuning of the existing provisions of this act.
Thank you very much, Mr. Speaker.
[Motion carried; Bill 54 read a first time]
The Speaker: The hon. Government House Leader.
Mr. Hancock: Thank you, Mr. Speaker. I move that Bill 54 be moved onto the Order Paper under Government Bills and Orders.
Tuesday, May 05, 2009
Presuably to counteract the effects of the Information and Privacy Commissioner's decision that bans siping licenses at bars in the province (Alberta Commissioner forbids license scanning), the Alberta legislature is considering Bill 42 which permits the collection of similar information:
Legislative Assembly of Alberta - Bill 42: Gaming and Liquor Amendment Act, 2009
Collection of personal information by licensee
69.2(1) A licensee may, before allowing a person to enter licensed premises, collect the person’s name, age and photograph.
(2) If a licensee has personal knowledge or reasonably believes that a person referred to in subsection (1) has, at any time within the preceding year, engaged in an activity referred to in section 69(1) or (2), the licensee may, in good faith, disclose the person’s name, age and photograph to other licensees for the purpose of allowing them to determine whether they wish to allow the person to enter licensed premises.
(3) A licensee must, as soon as possible after a request is made by a police officer, disclose to the police officer any information collected under subsection (1).
Thanks to a correspondent for pointing this out ...
Sunday, May 18, 2008
The Alberta Information and Privacy Commissioner's office, in Investigation Report H2008-IR-001, has confirmed that individuals have the right to have their personal health information masked and its distribution restricted on Alberta Netcare:
Investigation confirms Albertans' right to ask custodians to limit disclosure of health information through Alberta Netcare
May 15, 2008Investigation confirms Albertans' right to ask custodians to limit disclosure of health information through Alberta NetcareInformation and Privacy Commissioner, Frank Work, has confirmed that individuals can ask that disclosure of their health information through Alberta Netcare, Alberta’s electronic health record, be limited. On conclusion of a recent investigation, it was recommended that Alberta Health and Wellness take steps to fully implement the technology that will allow custodians to limit the disclosure of health information through Alberta Netcare and communicate the availability of this option to Netcare users and Albertans.
The case involves a woman who asked her pharmacist to limit the disclosure of her health information through Alberta Netcare, but was told the pharmacist could not refuse to disclose information to AHW. The woman then contacted AHW to request that her information be “masked” in Alberta Netcare, but was directed to make her request to other custodians.
The Health Information Act (HIA) section 58(2) requires custodians to consider the expressed wishes of individuals when deciding how much health information to disclose. AHW has decided to manage expressed wishes in Alberta Netcare by masking information. Masked information is hidden until an authorized user who is providing care to a patient decides to unmask the information.
The investigation found that AHW built masking capabilities into Alberta Netcare as early as 2006, but did not did not formalize the processes required to allow Netcare users to apply masking until April 2008. The investigation also found that AHW had not adequately communicated the availability of masking as a means to manage an individual’s expressed wishes to health care providers nor had they developed the administrative tools required to fully support implementation of masking.
Mr. Work says “While I commend Health and Wellness for building important privacy features like masking into the system, it is not very useful to develop a masking system and not support its implementation or advise end users that it is available to them. In principle, AHW’s approach to masking information in Alberta Netcare is sound but implementation has been weak. The Department acknowledges this gap and has committed to developing an enhanced masking implementation plan for my review and comment before the end of the month. We will continue to work with AHW on this issue.”
Other recommendations that have been accepted by AHW include the recommendation to respond to the complainant’s request that her information be masked and expand Alberta Netcare communications materials to inform and educate patients about how a masking request can be made. The Department has taken immediate steps to implement these recommendations.
The investigation report and its recommendations can be found at http://www.oipc.ab.ca/.
Friday, April 18, 2008
Privacy Commissioner Concerned With Ticketmaster's Privacy Practices, Encourages Companies to Adopt High Privacy Standards Across Operations
OTTAWA, April 18, 2008 – Privacy Commissioner of Canada Jennifer Stoddart expressed concern with the information collection and privacy practices of a major online ticket vendor. However, following an investigation by her office and that of Alberta Commissioner Frank Work , the privacy practices of Ticketmaster Canada Limited have been brought up to standard.
However, she encourages companies to adopt the highest standard of privacy practices possible, regardless of where they do business.
“Online commerce continues to grow and customers worldwide expect companies to safeguard their personal information in the course of their business,” says Jennifer Stoddart. “It simply makes good business sense for companies to implement excellent privacy practices across their operations. It is also the law in Canada.”
The Commissioner launched an investigation into the information collection practices of Ticketmaster Canada Limited after a private citizen filed a complaint alleging that the company’s policies and practices on the collection, disclosure and use of customers’ personal information did not comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Information and Privacy Commissioner of Alberta, Frank Work, investigated a similar complaint into how Ticketmaster obtained consent to collect its customers’ personal information and released an investigation report late in 2007.
The investigation conducted by the Office of the Privacy Commissioner of Canada examined the issue of consent, but also investigated whether Ticketmaster followed the principles of access, openness and accountability found in PIPEDA.
“I am now satisfied with the measures Ticketmaster undertook to resolve the complaints that were brought to our attention,” says Jennifer Stoddart. “But I am very concerned that, seven years after PIPEDA was enacted, a major online company operating throughout Canada was found to be in violation of the legislation.”
The Assistant Commissioner also found that Ticketmaster’s online customers were required to consent to their personal information being used for marketing purposes as a condition of purchasing a ticket – a clear violation of PIPEDA.
Following the two investigations, Ticketmaster has revised its privacy practices to explicitly communicate what personal information is collected, with whom it is shared, and how it is used. The company has also adapted its online notification and call-centre telephone scripts so that customers are provided with a choice of whether to opt in to receive marketing material from Ticketmaster and event providers.
The Commissioner will bring this distinction to the attention of her colleagues at the US Federal Trade Commission. As well, she will continue to encourage companies with operations in Canada and elsewhere to adopt the highest standard of information protection practices possible to ensure compliance with Canadian privacy law.
To view the case summary and backgrounder:
Tuesday, April 01, 2008
The Information and Privacy Commissioner of Alberta has ruled that Home Depot violated the Personal Information Protection Act (Alberta) when it collected and recorded a customer drivers license information in connection with a product return. The company's policy was that returns for purchases that were made with a debit card, even with a receipt, are treated as a "no receipt" return and the information is collected. The Commissioner noted that the information would be placed in a database maintained by the American parent company in the United States, which is a disclosure of personal information.
The article on Canada.com quotes a Home Depot spokesperson who says this is no longer the policy as customers thought it to be an invasion of privacy. See: Privacy commissioner raps Home Depot.
Monday, March 31, 2008
There have been some interesting releases from the Information and Privacy Commissioner of Alberta's office:
Adjudicator rules personal information released in contravention of Personal Information Protection ActAn Adjudicator with the Office of the Information and Privacy Commissioner has ruled that the Alberta Teachers’ Association contravened the Personal Information Protection Act (PIPA), when it published an article containing the personal information of former members.
The Complainants filed the complaint when the ATA published their names in a newsletter stating that they no longer were required to adhere to the ATA’s Code of Professional Conduct.
The ATA argued while it had published personal information, it had done so for “journalistic purposes” and that PIPA did not apply.
The Adjudicator determined that PIPA did apply and that the information was disclosed contrary to sections 7 and 19 of PIPA.
Adjudicator finds Alberta Energy and Utilities Board did not disclose personal information in contravention of the FOIP Act
Information and Privacy Commissioner, Frank Work, has ruled that the parents of a student had no legal standing in a complaint over the seizure of their son’s cell phone. The Commissioner says he was not presented with any evidence under section 84 of the Freedom of Information and Protection of Privacy Act (FOIP) that the parents were authorized to act on behalf of their son, nor is there any evidence that the son is even aware of a complaint being made on his behalf.The parents complained to the Commissioner their son’s cell phone had been seized by school administrators who had accessed photographs contained on the phone.
During an inquiry into the matter, the Commissioner found the evidence did not establish that the parents had standing to make a complaint. The Commissioner also found there was little evidence that the son’s personal information had been collected or used by the school.
Commissioner releases investigation report on DeVry Institute of Technology, related to discovery of identity theft.
Commissioner releases investigation report related to discovery of identity theft
New guidelines set out how companies should evaluate the use of video surveillance that respects privacy rights and complies with the law.
Adjudicator upholds decision not to release Crown Prosecutor records
Adjudicator rules company tried to find applicant's personal information
Sunday, March 09, 2008
As March Break is almost in full swing, it's timely to read Compterworld's recent 5 things you need to know about laptop searches at U.S. borders. State sovereignty usually means that a country has total control over who and what gets in and traditional searches are being extended to laptop searches. This makes sense on one level but seems futile as any traveller can upload ilicit digital content before crossing into the US and then download it on the other side of the border.
But searches are happening, so make sure you delete from your computer all content that you wouldn't want disclosed as part of such a search. Lawyers should particularly remove any privileged content they don't need to be taking with them. And if you're a public servant from BC, Alberta or Nova Scotia, you can't take it with you thanks to the USA Patriot Act blocking legislation in your province.
Thursday, March 06, 2008
The Privacy Commissioners of Canada, British Columbia and Alberta today have released Guidelines for Overt Video Surveillance in the Private Sector to help businesses consider privacy matters when deciding whether to and how to implement overt video surveillance. (I wonder whether they'll also produce guidelines on covert surveillance?)
From the media release:
Privacy Commissioners Release New Video Surveillance Guidelines
Privacy Commissioners Release New Video Surveillance Guidelines
OTTAWA, March 6, 2008 — Private-sector organizations considering video surveillance systems must take specific steps to minimize the impact on people’s privacy, say video surveillance guidelines released today.
The new guidelines set out how companies should evaluate the use of video surveillance and ensure any surveillance they undertake is conducted in a way that respects privacy rights and complies with the law.
These guidelines have been endorsed by Jennifer Stoddart, the Privacy Commissioner of Canada, Frank Work, the Information and Privacy Commissioner of Alberta, and David Loukidelis, the Information and Privacy Commissioner for British Columbia.
“We have seen a dramatic increase in the use of surveillance cameras by private-sector organizations. Many of our day-to-day activities are now captured by these cameras,” says Commissioner Stoddart.
“There are some legitimate reasons to conduct video surveillance, but privacy laws in Canada impose restrictions and obligations when, where and how businesses can conduct this kind of surveillance,” says Commissioner Loukidelis.
“These guidelines make it clear that businesses must carefully evaluate why they are installing video surveillance equipment, and what they will do with the information that is collected,” says Commissioner Work.
The Commissioners say it is disturbing to hear stories about video surveillance operators deliberately pointing cameras to ogle women, as well as surveillance images of people caught in unflattering situations finding their way onto video sharing sites like YouTube and Vimeo.
The new guidelines are aimed at businesses subject to the Personal Information Protection and Electronic Documents Act, or PIPEDA. They are also targeted at businesses subject to the provincial Personal Information Protection Acts in Alberta and British Columbia.
The overarching principle for video surveillance – which stems from the key legal test under the federal and provincial laws – is that it should be used only for purposes that a reasonable person would consider appropriate in the circumstances.
The guidelines state that, in order to limit the impact on privacy, cameras should be positioned to avoid capturing the images of people not being targeted (e.g., someone walking outside a store). As well, cameras should not be used in areas where people have a heightened expectation of privacy, such as washrooms, and through building windows.
The guidelines also say:
- People should be notified about the use of cameras before they enter the premises.
- Individuals whose images are captured on videotape should, upon request, be given access to this recorded personal information.
- Organizations must ensure that video surveillance equipment and videotapes are secured and used for authorized purposes only.
- Individuals who operate video surveillance systems should understand the privacy issues related to surveillance and their obligations under the law.
- Video surveillance recordings should be retained only as long as necessary and destroyed securely.
The complete guidelines for private-sector organizations are available at www.privcom.gc.ca, www.oipc.ab.ca and www.oipc.bc.ca. The Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for British Columbia have previously published guidelines for the use of video surveillance in public places by police and law enforcement authorities.
All three privacy commissioners are statutorily mandated to oversee compliance with the Acts and are advocates and guardians of privacy and the protection of personal information rights of Canadians.
Thursday, February 21, 2008
The Alberta Commissioner's office has been busy and productive as of late. The Commissioner has ruled that a database of pawn shop patrons is unlawful and has ordered that the database that's been in operation since 2006 be destroyed. Check out the decision/order here: Order P2007-001, F2007-001 and F2007-002.
Some media coverage here: Edmonton's pawnshop database violates privacy laws, commissioner rules
Wednesday, February 20, 2008
In a long awaited decision, the Information and Privacy Commissioner of Alberta has ordered a nightclub to cease scanning drivers licenses. The practice is an unreasonable collection of personal information and is not justified under the Personal Information Protection Act.
From the decision, the Commissioner didn't see the connection between the collection of drivers license information and the supposed purposes for collecting it:
[para 31] From my review of the evidence and the parties’ submissions, I find that, at best, the Organization offers conjecture that collecting driver’s license information of patrons may act as a deterrent to violent behaviour. The Organization did not submit any evidence to establish that collecting the Complainant’s driver’s license information, or that of other patrons, is in any way a deterrent to violent behavior. In addition, it did not provide any evidence regarding the causes of violence in bars or statistics relating to the incidence of violence in bars before and after the implementation of a driver’s license collection program. I draw the inference that the Organization is unable to produce any evidence to draw a correlation between violence, patron safety, and collecting driver’s license information. As a result, the Organization has failed to establish any reasonable relationship between collecting driver’s license information and any of its stated purposes for scanning driver’s licenses. I am therefore unable to conclude that the Organization has a reasonable purpose within the meaning of section 11 when it scans patrons’ driver’s licenses.
[para 32] For these reasons, I find that the Organization did not comply with the requirements of either section 11(1) or (2) when it scanned the driver’s license information of the Complainant, as its collection of personal information is not reasonable related to its purpose....
On the topic of whether putting up a poster results in informed consent:
[para 53] The Complainant’s evidence is that his driver’s license was scanned before he could raise an objection. He had assumed that the Organization’s employee would check his birth date, but she instead scanned the information on the license into a database. The Organization does not challenge the Complainant’s version of events, but points to a poster it has now posted for patrons explaining why it collects driver’s licenses and what it does with them. It argues that this poster satisfies the requirements of section 13(1).
[para 54] As noted above, the poster explains that its collection practice is intended “to encourage our patrons to behave responsibly and deter those who are seeking to ruin your experience with us, from entering the venue.” The poster is not clear about the purposes of the Organization in collecting the information and does not warn patrons that information will be retained for a period of 7 – 10 days or longer by the Organization.
[para 55] I find that the poster is misleading and does not provide sufficient information for patrons to provide informed consent to the Organization’s collection of personal information. In addition, the Organization provided no evidence that the poster was in place when it scanned the Complainant’s driver’s license. In fact, paragraph 8 of the Organization’s affidavit establishes only that the notice was posted on August 24, 2006, the date of the affidavit.
[para 56] I find that the Complainant did not consent to the scanning of the information on the face of his driver’s license, other than to permit the Organization employee to confirm his date of birth. I also find that the Organization did not provide adequate notice to the Complainant of its collection of his personal information. As none of the provisions of 14 apply, and because an individual cannot consent to the unreasonable collection of personal information, I find that the Organization was required to provide notice of its collection and did not. As a result, I find that the Organization contravened section 13 of the Act when it collected the Complainant’s personal information.
The Calgary Sun reports that the owner of the bar is considering appealing and is "furious" about the decision: The Calgary Sun - Bar owner furious after licence checks halted.
Tuesday, February 05, 2008
The Information and Privacy Commissioner of Alberta has chastised a physician in that province after his patient database was used to send invitations to his birthday party. An individual who had "opted out" from such use received an invitation and complained to the Commisioner. See: edmontonsun.com - Alberta- Doc's birthday invitations land him in hot water and the Commissioner's decision H2007-1.
Monday, January 14, 2008
Personal information practices of bars and nightclubs are coming under increasing scrutiny, particularly with repect to video surveillance in Nova Scotia and the practice of scanning identification documents. Complaints related to the latter practice are pending in British Columbia and Alberta. It appears that a decision of the Alberta Commissioner is to be expected shortly: Alberta privacy commission to rule on bar scans.
Saturday, January 12, 2008
Commissioner rules reference check was in compliance with Personal Information Protection Act
January 8, 2008
Commissioner rules reference check was in compliance with Personal Information Protection ActInformation and Privacy Commissioner, Frank Work, has determined that information collected in an employment reference check was in compliance with the Personal Information Protection Act (PIPA).
An individual had complained that a former employer had disclosed information not related to her job to a prospective employer in contravention of PIPA and that the prospective employer had collected the information in contravention of the Act. The individual also complained that the former employer had not responded to her request for her personal information.
Following an inquiry into the matter, the Commissioner determined that the information collected in the reference check was personal employee information as defined in PIPA and that no unrelated personal information about the individual was collected. The Commissioner found no evidence that personal information, aside from work related information, had been disclosed or collected.
The Commissioner did find, however, that the former employer did not properly respond to the Complainant’s request for her personal information and has ordered the former employer to respond to that request.To obtain a copy of Orders P2006-006 and P2006-007, visit our website, http://www.oipc.ab.ca/.
Wednesday, January 02, 2008
Today marks the fourth anniversary of the Canadian Privacy Law Blog. Four years ago, on January 2, 2004, I put fingers to keyboard and joined the interesting conversation that was beginning to take shape on the internet among veteran bloggers and I'm glad I did. (Welcome to the Canadian Privacy Law blog.) According to Blogger, this will be my 2740th post to the blog.
Forgive me if I get a bit melancholic and wistful as I look back on the past four years, but it has been a very eventful one for me and for the world of privacy. And both are related, I think. (I mean the changes in the world of privacy have influenced me, not the other way around.)
The day before my first posting, the Personal Information Protection and Electronic Documents Act ("PIPEDA") came fully into force for all commercial activities in Canada. That day, the Personal Information Protection Acts of British Columbia and Alberta came into force, but were not declared to be "substantially similar" to PIPEDA until ten months later (Alberta and British Columbia privacy laws declared to be substantially similar.) Also on the legislative front, Ontario passed the Personal Health Information Protection Act and it became law in May, 2004 (Ontario's Personal Health Information Protection Act receives royal assent.) Perhaps as importantly, it was declared substantially similar on November 28, 2005. (PHIPA declared substantially similar.)
Much attention has been paid to the continuing erosion of privacy rights in the United States and Canada. In 2004, the Information and Privacy Commissioner of British Columbia brought the USA Patriot Act under scrutiny. (U.S. Patriot Act worries Privacy Commissioner and BC Information and Privacy Commissioner releases his report: Patriot Act contravenes BC privacy laws.) In response, British Columbia, Alberta and Nova Scotia have passed laws or amendments to existing laws to closely regulate the export of personal information outside of Canada. In the US, the USA Patriot Act has been subject to many judicial challenges with some success.
Perhaps the area that has been most visible to laypeople is the growing trend of requiring companies to report data breaches. California led the way and now more than thirty US states have such requirements. We haven't seen it in Canada (except in PHIPA in Ontario) but advocates are calling for such a requirement in Canada's privacy laws of general application. Coming clean has led to the public disclosure of a number of huge breaches, including Cardsystems, TJX/Winners, Department of Veterans Affairs and the UK Revenue and Customs Service. Whether we see a change in Canadian law has yet to be seen. Despite the huge publicity given to these breaches, business built on personal information -- such as Facebook -- thrive.
On the professional front, I've been very fortunate to have been invited to speak on the topic of privacy on more occasions than I can estimate. Highlights have been speaking at the Canadian Bar Association general meeting in Winnipeg in 2005, Canadian IT Law Association for the past few years and innumerable professional organizations. The blog has also led to innumerable media interviews and some amazing awards (I'd like to thank the academy. And my blog ... and An honour to even be considered.)
Perhaps more satisfying is that I've been fortunate to have met (in some cases, in the flesh) and to have been inspired by some great fellow legal bloggers. This list includes Connie Crosby, Rob Hyndman, David Canton, Michael Geist, Michael Fitzgibbon and the amazing Slawyers.
To my readers, thank you very much for taking the time to drop by. I hope it has been informative and useful. Please pass along any suggestions or your thoughts, either in the comments to my posts or via e-mail at firstname.lastname@example.org.
Birthday cake graphic used under a creative commons license from K. Pierce.
Wednesday, December 19, 2007
The Alberta Information and Privacy Commissioner has found that Ticketmaster violated that province's privacy law by requiring that purchasers consent to use of their information by concert promoters. From the Commissioner:
Office of the Information and
Privacy Commissioner of Alberta
December 19, 2007
Ticketmaster investigated under Personal Information Protection Act
The Complainant went on Ticketmaster’s website, www.ticketmaster.ca to purchase tickets for an event. During the on-line transaction, the Complainant was unable to proceed with his on-line ticket purchase unless he consented to Ticketmaster’s “Use of Personal Information” privacy statement. The Complainant was particularly concerned with the contents of this privacy statement, which authorized Ticketmaster to share his email address with event providers for the event providers’ marketing purposes.
CBC has some coverage of the story here: CBC.ca Arts - Ticketmaster's online sales violated Alberta privacy law.
Wednesday, December 05, 2007
Daniel J. Michaluk has a great comment on an Alberta case that's pending dealing with employee drug testing, which is a very common practice in that province's oil sands projects. Check it out: One to watch - Drug testing case at Alberta CA « All About Information.
Wednesday, November 28, 2007
I've blogged on this topic of bars swiping patrons' identification a number of times (see label "id swiping"), but it appears that we'll have a decision from the Alberta Commissioner on the topic in the next few months: edmontonsun.com - Edmonton News - Barlink probed by privacy watchdog.
Thursday, November 15, 2007
After an investigation into a stolen laptop from Alberta Capital Health, Frank Work has expressed some exasperation about how personal information is being protected:
The Edmonton Journal
Thursday, November 15, 2007
Crafting sophisticated privacy legislation has never been more important, as lawmakers struggle to keep up with technological advances. And yet all the statutes in the world are no excuse for common sense.
"It's just nuts that we're not looking after this stuff better," exclaimed an exasperated Frank Work on Tuesday. Work, Alberta's information and privacy commissioner, had just released a report investigating the May theft of four laptop computers at a Capital Health office.
The study concluded that Capital Health had contravened the Health Information Act by not taking adequate security precautions. This was in spite of two previous warnings about the need for encryption programs. Capital Health has promised that it will have encryption for laptops installed by January and will soon provide the commissioner with a detailed implementation plan for other changes. Let's hope so.
Not that Capital Heath is alone. Work also announced another investigation into the theft of a memory stick storing personal details of 560 students attending Edmonton Catholic Schools. An employee of the board's school bus company kept the stick in her purse. The school board now insists bus carriers' memory sticks must be encrypted.
The hope is that other organizations are paying attention. Breaches in consumer information security have made all of us think twice when ordering online or even at the local cash register.
To be fair, a lot of bright people are working on this and lessons have been learned. Still, coming to terms with the storehouse of private information most of us carry around daily in various devices is everyone's business. As technology moves forward, we must remember that privacy is too precious to be taken lightly. That begins at home, at work and at school.
Wednesday, September 26, 2007
The federal Privacy Commissioner and the Information and Privacy Commissioner of Canada have released their reports on the TJX/Winners breach (Report of Findings (September 25, 2007) Privacy Commissioner of Canada and Investigation Report P2007-IR-006). The moral of the story: don't collect information you don't need, don't keep it any longer than you need and properly secure the information you have.
Here's the media release:
News Release: Inadequate security safeguards led to TJX breach, Commissioners say (September 25, 2007) - Privacy Commissioner of Canada
Inadequate security safeguards led to TJX breach, Commissioners say
September 25, 2007 –The risk of a breach of sensitive personal information held by TJX Companies Inc., the US parent company of Winners and HomeSense stores in Canada, was foreseeable, but the company failed to put in place adequate security safeguards, an investigation by the Privacy Commissioners of Canada and Alberta has found.
“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk,” says Privacy Commissioner of Canada Jennifer Stoddart.
“Criminal groups actively target credit card numbers and other personal information,” says Commissioner Stoddart. “A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures.
“The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability.”
The joint investigation by the two Commissioners was launched after TJX disclosed in January that its computer system had been breached. This breach involved millions of credit and debit card numbers as well as other personal information, such as driver’s license numbers collected when customers returned merchandise without receipts.
“This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction,” says Frank Work, the Information and Privacy Commissioner of Alberta.
“One positive outcome of this extremely unfortunate breach is that TJX worked cooperatively with us to develop a new process for dealing with unreceipted returns which strikes an appropriate balance between privacy rights and a retailer’s need to take steps to prevent fraud.”
TJX believes the intruder may have initially gained to customer information via the wireless local area networks at two of its US stores. Customer information was stolen from mid-2005 through December 2006, a TJX investigation found. Some stolen information involved transactions dating back to 2002.
Stolen information included credit card account data as well as data collected when customers returned merchandise without a receipt (drivers’ license numbers, names and addresses).
The investigation concluded TJX did not comply with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and Alberta’s Personal Information Protection Act (PIPA). The investigation found:
- TJX did not properly manage the risk of an intrusion against the amount of customer data that it collected.
- The company failed to act quickly in converting from a weak encryption standard to a stronger standard. The conversion process took two years to complete, during which time the breach occurred.
- TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company of an intrusion prior to December 2006.
- The company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.
The investigation also found the company did not have a reasonable purpose to collect driver’s license and other identification numbers when unreceipted merchandise was returned. TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. It retained the driver’s license numbers – an extremely valuable piece of information for identity thieves – indefinitely.
In response to these concerns, TJX proposed a new process to address fraudulent returns. Store staff will continue to ask for identification, however, information such as a driver’s license number will instantly be converted into a unique identifying number when it is keyed into the point-of-sale system. This will allow the company to track unreceipted merchandise returns without keeping original driver’s license numbers in its system.
The Commissioners called on TJX to take a number of steps to improve its security measures and privacy practices and are pleased the company has agreed to follow these recommendations.
Commissioner Stoddart says the Winners/HomeSense breach illustrates the need to get security right in the first place to avoid the potentially huge costs of mopping up after a security breach. “Organizations need to ensure they have multiple layers of security and that they keep up with advances in security technologies. The cost of failing to do this can be enormous – not only to a company, but to its customers,” she says, adding that a data breach can also have a major impact on credit card companies, banks, law enforcement agencies and regulatory bodies.
A summary of the findings in the case is available on the Commissioners’ websites.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
The Information and Privacy Commissioner of Alberta has a mandate to promote a society where personal privacy is respected and public bodies are open and accountable.
Monday, September 24, 2007
According to a media advisory released by the Privacy Commissioner of Canada, both the federal and Alberta commissioners are going to release their findings on the TJX/Winners/Home Sense privacy breach tomorrow morning in Montreal. See: Media Advisory: September 24, 2007 - Privacy Commissioners to release report on Winners/HomeSense breach - Privacy Commissioner of Canada.
Saturday, September 22, 2007
The Information and Privacy Commissioners of Alberta and British Columbia, along with the Privacy Commissioner of Canada, have released a guidance document on requiring photo ID of individuals paying for goods and services by credit card. All three have concluded it is reasonable.
Monday, August 27, 2007
CAPAPA supports Canadian’s Right to Know “Privacy IS Your Business”(Calgary, Alberta)
August 26, 2007 – CAPAPA (Canadian Association of Professional Access and Privacy Administrators) is pleased to support international Privacy Awareness Week, August 26th to September 1st, 2007. Privacy Awareness Week, a campaign first initiated by Privacy Victoria (Australia) in 2001, has for the first time gone international.
As Canada’s leading association serving privacy and access professionals, CAPAPA is spearheading the campaign to promote privacy awareness in Canada. “Identity theft and information security breaches are happening more often than ever,” says CAPAPA National Chair Sharon Polsky. “To reverse that trend, Canadians must recognize the importance of protecting their personal information — at home, in the workplace, and in the consumer marketplace.”
Privacy Awareness Week provides an opportunity for individuals to raise questions about privacy legislation and its impact on how individuals conduct their business and personal lives. Privacy Awareness Week spotlights the need for Canadians to recognize their rights and obligations to maintain the privacy of their personal information. The theme for Privacy Awareness Week 2007 is ‘Privacy is your business'.
Know your Rights and Obligations
Canadian organizations, governments, and government agencies are bound by a variety of wide-reaching privacy laws. Ms. Polsky notes that, “As consumers, each of us is responsible to understand what our rights and responsibilities are under those laws.”
CAPAPA is a key source for helping Canadians recognize their privacy rights and responsibilities, and is the privacy advocate’s source for issues such as the passenger name record exchange, emerging RFID CHIP technology, and CAPAPA's Submission to the Senate on proposed changes to Canada’s Election Act.
More information on these and other Canadian privacy issues is at http://www.capapa.org./ For more information on how you can promote Privacy Awareness Week 2007, visit http://www.capapa.org/ or contact CAPAPA at: email@example.com.
Tuesday, August 21, 2007
This should have been done a few years ago ...
Yesterday, the Privacy Commissioner of Canada launched an online training tool for retailers to understand their obligations under PIPEDA. I haven't taken the course yet, but anything like this should be a good thing.
News Release: Privacy Commissioner launches e-learning tool for retailers (August 20, 2007) - Privacy Commissioner of Canada
Ottawa, August 20, 2007 – Retailers now have a free, do-it-yourself interactive tool to help them bring their privacy practices and policies in line with the law, the Privacy Commissioner of Canada, Jennifer Stoddart, announced today.
“Small businesses often don’t have the money to hire privacy specialists or lawyers to help them figure out how to comply with Canada’s privacy legislation,” says Commissioner Stoddart. “Nor is it always necessary. Good privacy compliance doesn’t have to be expensive or time-consuming”.
The new e-learning tool created by the Office of the Privacy Commissioner of Canada (OPC) provides retailers with the information they need to set up their business to meet their obligations under Canada’s privacy laws and provide customers with the privacy protection they’re guaranteed under the Personal Information Protection and Electronic Documents Act (PIPEDA).
“Protecting customers’ information is an increasingly important part of running a business today and the online training is a valuable tool to help our members build solid privacy practices into their operations,” says Catherine Swift, President and CEO of the Canadian Federation of Independent Business (CFIB).
Derek Nighbor, Vice-President, National Affairs with the Retail Council of Canada (RCC) agrees. “With the proliferation of identity thieves and online fraudsters, members of the RCC who do not always have the time or the resources to learn about PIPEDA requirements will be pleased with the user-friendliness of this e-learning tool. Ultimately, their customers will find this a rewarding tool in the protection of their personal information” says Mr. Nighbor.
The OPC, in a joint initiative with the RCC, recently mailed privacy information kits to some 3,000 retailers in provinces where businesses are governed by PIPEDA. The kit includes a guide entitled Your Privacy Responsibilities: A Guide for Businesses and Organizations. (The kits will not go out to Retail Council members in the three provinces which have adopted their own private-sector privacy laws, B.C., Alberta and Quebec.)
“Some small businesses have been very proactive in developing good privacy practices, while many others still have a ways to go,” Ms. Stoddart says.
“Protecting customers’ personal information is the law, and it’s also good for a company’s reputation and bottom line,” the Commissioner adds, noting that research has shown it costs far less to adequately protect personal information in the first place than to clean up after a data breach.
The online retailer training session takes only about 30 minutes to complete. At the end, retailers will have: an information audit of their business; consent provisions required specifically for their business; a security plan; a sample privacy brochure for customers; and a training needs assessment. The interactive training is available online at http://www.privcom.gc.ca/privacy_comm/0001_home_e.asp.
New information for other types of small businesses is also available on the OPC’s web site.
Companies – large and small – in all but three provinces are subject to PIPEDA. The law imposes obligations on how those businesses must handle personal information such as names and addresses.The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.
Sunday, August 19, 2007
Many businesses deal with personal information that they would not consider "sensitive" personal information. Names, addresses, delivery instructions, maybe payment information. Other than credit card data (which isn't retained, right?), most is seen to be routine, mundane transactional data.
But businesses need to constantly ask themselves what is the worst that can happen if personal information is disclosed? Or if any of their usual practices could somehow cause their customers harm of any kind. Privacy goes well beyond preventing fraud and identity theft. Personal information is powerful and what might be perfectly mundane to most may cause particular individuals real problems.
There's a story out of Texas that provides a great illustration of what can go wrong and how businesses should be thinking about their practices. A Texas resident is suing 1-800-FLOWERS for a million bucks because they sent him a card thanking him for his patronage. Nothing offensive there, right? But the thank you card was read by his soon-to-be ex-wife and it showed that the plaintiff had sent a dozen long-stemmed roses to someone else. What had been an amicable separation went sideways and she has significantly upped her demands. (See: Married Man Sues Florist for Revealing Affair: Man Sues for $1 Million After Wife Discovers He Bought Flowers for His Girlfriend.)
You may think he is a cheating weasel who deserves everything he gets. But, assuming the article is correct, was it really his florist's job to drop a dime on him? Simply put, no it isn't.
Some time ago, a cellular phone carrier in Ontario provided a customer's billing records to his wife because she said she was doing the monthly bills and couldn't understand some of the charges. He was having an affair and the bills told the tale. (National Post, 27 September 2003.)
I've heard of a clinic in Nova Scotia that called to ask a question about scheduling a patient's vasectomy and, when the patient wasn't home, asked his wife. No harm done in that case, but what if the spouse didn't know about the man's plans? What if it wasn't his wife who answered, but a friend, housekeeper, etc?
A while ago, the Alberta Privacy Commissioner "named and shamed" a pharmacist for disclosing a patient's prescriptions to the patient's spouse. The question related to tax records, but it did disclose psychiatric prescriptions.
What does all of this mean? Many of these disclosures are made in good faith with no intention to harm anyone. On the contrary, most are made to be helpful. But for some customers/patients, these disclosures can have disastrous consequences. Every business that collects, uses or discloses personal information has to be mindful of this.
Friday, August 03, 2007
The Federal Privacy Commissioner has just released privacy breach guidelines, which are similar to guidelines produced by the Ontario and British Columbia commissioners. Here is the press release, with links to the guidelines:
News Release: Privacy Commissioner releases privacy breach guidelines (August 1, 2007) - Privacy Commissioner of Canada
Privacy Commissioner releases privacy breach guidelines
Ottawa, August 1, 2007 – New guidelines will help organizations take the right steps after a privacy breach, including notifying people at risk of harm after their information has been stolen, lost or mistakenly disclosed, says the Privacy Commissioner of Canada, Jennifer Stoddart.
The guidelines outline some of the key steps in responding to a breach, such as containing the breach, evaluating the risks associated with it, notifying the people affected and preventing future breaches.
“It’s clear that most businesses take seriously their responsibilities under Canada’s private-sector privacy law. I want to thank the industry groups, civil societies groups and privacy commissioners' offices that helped my office in developing these,” Commissioner Stoddart says.
The Office of the Privacy Commissioner (OPC) has become increasingly concerned about privacy breaches and breach notification following some major data breaches in recent months. Earlier this year, Commissioner Stoddart urged the federal government to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to make it mandatory for businesses to notify people when their personal information has been breached.
“Our new voluntary guidelines do not take away from the need for breach notification legislation,” the Commissioner says. “I would once again urge the Minister of Industry and his cabinet colleagues to help better protect Canadians by making breach notification a legal requirement for businesses.” The guidelines call on businesses to notify people that their personal information has been compromised in cases where the breach raises a risk of harm. For example, there may be a risk of identity theft or fraud in cases where sensitive personal information has been lost or stolen.
Organizations are also encouraged to inform the appropriate privacy commissioner(s) of a privacy breach. (In British Columbia, Alberta and Quebec, provincially regulated businesses should speak to their provincial privacy commissioners. In Ontario, breaches involving personal health information must be reported to the provincial commissioner.)
The OPC is currently investigating two high-profile privacy breach cases involving large amounts of personal information.
In one case, the Canadian Imperial Bank of Commerce reported to the OPC the disappearance of a hard drive containing the personal information and financial data of close to half a million clients of its subsidiary, Talvest Mutual Funds.
The other investigation, being conducted jointly with the Information and Privacy Commissioner of Alberta, is looking at a breach at TJX Companies Inc., which affected thousands of Canadians who shopped at TJX’s Winners and HomeSense stores.
The new guidelines as well as a privacy breach checklist and a list of organizations which participated in the consultation process to develop the guidelines are available on the OPC website, http://www.privcom.gc.ca/.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Saturday, July 07, 2007
Earlier this week, the Ontario Court of Appeal, in Cash Converters Canada Inc. v. Oshawa (City) (July 4, 2007) (an appeal from Cash Converters Canada Inc. v. Oshawa (City), 2006 CanLII 3469 (ON S.C.)), overturned a City of Oshawa Bylaw that required sellers of second hand goods to collect detailed personal information about those who sell second hand goods to the stores. The bylaw was inconsistent with the Municipal Freedom of Information and Protection of Privacy Act.
Here's what the Toronto Star had to say about it:
TheStar.com - News - Oshawa second-hand store bylaw invades privacy: Court
LEGAL AFFAIRS REPORTER
The Ontario Court of Appeal has struck down sections of a controversial Oshawa bylaw that require second-hand dealers to collect detailed personal information from people who sell them goods and transmit the data to police.
The bylaw conflicts with provincial privacy legislation, which requires the collection and retention of personal information to be strictly controlled, the court ruled Wedneday, The 3-0 decision could influence challenges to similar bylaws in other parts of the country, including Alberta and British Columbia.
“This decision comes at a time when cities are gaining broader law-making powers,” said David Sterns, a lawyer representing the Oshawa franchise of Cash Converters Canada Inc., a second-hand store that challenged the bylaw.
“The court has sent a strong signal that all forms of information gathering and surveillance by municipalities are subject to the public’s overriding right to privacy.”
Under the Oshawa bylaw, passed by the city in 2004 as part of a new licensing system for second-hand dealers, stores were required to record the name, address, sex, date of birth, phone number and height of their vendors, who also had to produce three pieces of identification, such as a driver’s licence, birth certificate or passport.
“This information is then transmitted and stored in a police data base and available for use and transmissions by the police without any restriction and without any judicial oversight,” said Justice Kathryn Feldman said, writing on behalf of Associate Chief Justice Dennis O’Connor and Justice Paul Rouleau.
Store owners were required to send reports to police at least daily, in some cases at the time of purchase. The city argued the bylaw was meant to protect consumers from purchasing stolen goods.
But the municipality offered no evidence of a growing problem involving the sale of stolen goods to second-hand dealers, said Feldman.
Nor is there evidence that unscrupulous people are more likely to be deterred by the electronic collection and transmission of personal information, she said.
In 2003, Cash Converters purchased more than 28,000 used items from people in 2003. About 30 of those were seized by police in connection with criminal investigations.
It’s unknown whether any were confirmed as stolen, the court said.
The bylaw did not apply to pawn shops, which are provincially regulated.
See, also, James Daw's column: TheStar.com - columnists - New ruling stands up for privacy.
Wednesday, June 27, 2007
From the OIPC website:
" On Friday, June 22, 2007, the Standing Committee on Legislative Offices voted to recommend to the Legislative Assembly that Frank Work will be reappointed as Information and Privacy Commissioner for a term of 4 years."
Wednesday, June 13, 2007
In an unsolicited media blitz, I had three reporters call me yesterday about three different stories. The second was about a facebook group that popped up in the wake of a series of unsolved sexual assaults in Carman, Alberta. The group, called "Kiss my ass, Carman rapist", included speculation on who might be a suspect. I understand that the group has since been removed, but it raises the usual internet defamation issues:
Town gossip over sex assaults hits Facebook
... David Fraser, a Halifax lawyer who specializes in privacy and Internet law, said a host of legal issues arise when water-cooler chats move to the Net.
"What was a small conversation in the drug store or at the post office is now being broadcast globally," he said.
Fraser said anyone naming "suspects" or calling someone a rapist online is opening themselves to a potential lawsuit.
"The rules of defamation that apply in the real world also apply online," he said.
"The anonymity of the Internet ... actually makes it easier to say things that perhaps they wouldn't say in front of a crowded auditorium full of people, although there's probably more people seeing it online."
Thursday, May 03, 2007
The Parliamentary Committee on Access to Information, Privacy and Ethics has just released its report following the five year PIEDA review:
ETHI (39-1) — Fourth Report: STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) — Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS - Committees of the House of Commons
The Standing Committee onACCESS TO INFORMATION, PRIVACY AND ETHICS
has the honour to present its
Pursuant to its mandate under Standing Order 108(2), the Committee has studied a Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and agreed to the following report:
The HTML version of this report will be available soon. In the meantime, the Committee is pleased to make available the report entitled STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) (.PDF, 262 KB) in printable format.
Here are the recommendations:
The Committee recommends that a definition of “business contact information” be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose.
The Committee recommends that PIPEDA be amended to include a definition of “work product” that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be added to the definition of “work product information” in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.
The Committee recommends that a definition of “destruction” that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA.
The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts.
The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees.
The Committee recommends that PIPEDA be amended to replace the “investigative bodies” designation process with a definition of “investigation” similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose .
The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modeled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada.
The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment.
The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts.
The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein.
The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts.
The Committee recommends that consideration be given to clarifying what is meant by “lawful authority” in section 7(3)(c.1) of PIPEDA and that the opening paragraph of section 7(3) be amended to read as follows: “For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […]”
The Committee recommends that the term “government institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities.
The Committee recommends the removal of section 7(1)(e) from PIPEDA.
The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard.
The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information.
The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form.
The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time.
The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.
The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities.
The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared.
The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (section 9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation.
The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.
The Committee recommends that upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.
The Committee recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a “without consent” power to notify credit bureaus in order to help protect consumers from identity theft and fraud.
Wednesday, May 02, 2007
Two Complainants brought complaints under the Personal Information Protection Act with respect to the collection, use and disclosure of their personal information by International Stereo Ltd., (now operating as Urban Audio Video Inc.) (the “Retailer”). The information had been collected by the Retailer and then conveyed to Wells Fargo Financial Corporation of Canada, so as to permit the latter organization to conduct credit checks for determining whether it would grant credit for buying the Retailer’s merchandise. Although the Complainants signed applications containing clauses consenting to use of personal information for credit checks, they said they had been assured their personal information would not be used in this way. They also said they had been led to believe the cards for which they applied would allow them to get 10% discounts on purchases. As well, one of them complained that his request to withdraw his application had been refused.
The Adjudicator found that the Retailer collected, used and disclosed the Complainants’ personal information in violation of section 7 of the Act (collection, use and disclosure without consent), that it failed to provide adequate notification of the purpose for collection in contravention of section 13, and that it failed to cease collecting, using or disclosing the personal information after consent had been withdrawn, in violation of section 9(4).
Saturday, April 28, 2007
Earlier this month, a medical clerk was fined $10,000 for unlawfully accessing the personal health information of her lover's wife. To my knowledge, this is the first charge and conviction of its kind in Canada. The charges were laid under Alberta's Health Information Act. Most other provinces would have no penalty for such conduct.
Medical office clerk fined $10,000 for accessing records of lover's wife
CALGARY (CP) - A medical office clerk has been fined $10,000 for illegally obtaining health records of her lover's wife.
Stephanie MacDonald, who was charged under the Alberta Health Information Act, gained access to test results, biopsy findings and X-rays belonging to Marlene Stallard 17 times between August 2005 and May 2006.
Stallard, who is fighting ovarian cancer, told court in her victim impact statement the records were used in an attempt to convince her husband she was gravely ill.
It was part of MacDonald's strategy to make her adulterous relationship with James Stallard more permanent, she alleged.
''A violation of your privacy to that degree, when you're going through cancer, is a pretty terrible thing,'' Marlene Stallard said Friday, after the sentencing.
MacDonald, who could access information through her capacity as a clerk at the Dr. McPhalen Professional Corporation, maintained she was working under her lover's direction when she accessed the records. MacDonald and James Stallard are no longer lovers.
But James Stallard testified he only asked MacDonald to get information about his wife's condition twice, and denied he'd asked for information the other 15 times.
Provincial court Judge Manfred Delong said he didn't believe a 12-year medical clerk didn't know what she was doing was wrong.
Tuesday, April 10, 2007
April 10, 2007
EPCOR Utilities Inc. found in compliance with Personal Information Protection Act
The Office of the Information and Privacy Commissioner has found that EPCOR Utilities Inc. (EPCOR) complied with the Personal Information Protection Act (PIPA) when it collected, used and disclosed personal employee information without consent. EPCOR’s collection, use and disclosure of the employee’s personal information was also found to be reasonable for purposes of an investigation.
The complainant, an EPCOR employee at the time, took a leave of absence from EPCOR. Shortly thereafter, EPCOR received unsolicited information suggesting the complainant was about to begin work for another company. EPCOR contacted the other company to verify the complainant’s alleged employment there. The complainant complained that EPCOR collected, used and disclosed his personal information without consent.
The Investigator found that EPCOR had collected, used and disclosed the complainant’s personal information to investigate a possible contravention of the complainant’s employment agreement. As such, consent was not required.
Further, the Investigator found that the information qualified as personal employee information under PIPA: the information was reasonably required to manage the complainant’s employment relationship with EPCOR, and consisted only of information related to that employment relationship. The complainant was notified at the time of hire that his personal information could be collected, used or disclosed for investigation purposes. As such, EPCOR did not require consent to collect, use and disclose the complainant’s personal employee information in these circumstances.
Thursday, March 22, 2007
This is likely to spur some interesting discussion:
A complaint was made against the Organization which operates the “Talisman Centre for Sport and Wellness”. The Complainant stated that the Organization had placed overt security cameras in the Talisman Centre’s men’s locker rooms. The Complainant was concerned about a loss of privacy and that patrons of the Centre would be unable to change without being viewed by the cameras. The Organization stated that the security cameras were installed in 1997 in response to over 900 incidents of theft and property damage during the years 1994-97. The security cameras were installed after all other means to prevent criminal activity had failed. The cameras’ field of vision was restricted to the lockers and had no zoom, panoramic or audio capabilities. The cameras were not actively monitored and a protocol was in place which restricted the viewing of images to instances where there was an incident or reported criminal activity with a case number assigned by the Calgary Police Service. Viewing of the images occurs only in the presence of two senior staff members or by one such member and a police constable. If images are not reviewed they are automatically overwritten in approximately 21 days. After installation of the cameras there was a sharp reduction in criminal activity. As of the date of the Organization’s submission to the Commissioner only 19 images had ever been viewed. The Commissioner found that due to the history of theft, the attempt to use other measures prior to using security cameras as a last resort, and the fact that the images recorded were only accessed in the event of a criminal incident, that the Organization’s collection of personal information was for purposes that were reasonable, as required by section 11(1) of the Personal Information Protection Act (“PIPA”). However, the Organization’s signage was not in compliance with section 13(1) of PIPA. The Commissioner ordered the Organization to change the signage.
Click to view more information Order P2006-008
Wednesday, February 28, 2007
The Information and Privacy Commissioner of Alberta just released a new Order in which the he determined he did not have jurisidction because the personal information in question was collected and disclosed for journalistic purposes, which is excluded from the purview of the Personal Information Protection Act.
Summary: The Complainant alleged that the Organization had disclosed the Complainant's personal information when it published a newspaper article. The Organization argued that the disclosure of personal information in the form of a newspaper article was for journalistic purposes only as provided for by section 4(3)(c) of the Personal Information Protection Act. As such the Act did not apply to the personal information in question. The Commissioner decided the personal information disclosed were materials written for publication in the media and therefore collected and disclosed for journalistic purposes only in accordance with section 4(3)(c). The Commissioner, having determined that he had no jurisdiction in the matter, further stated that he had no authority to determine the remaining issue of the inquiry, regarding the allocation of a complainant's burden of proof.
Monday, February 12, 2007
Released today from the Information and Privacy Commissioner of Alberta:
Employee Assistance Provider found in contravention of Personal Information Protection Act
The Office of the Information and Privacy Commissioner has found that Wilson Banwell Human Solutions Inc. (Wilson Banwell) contravened the Personal Information Protection Act (PIPA) by disclosing more personal information than was necessary to a complainant's employer. The investigation also determined Wilson Banwell contravened PIPA by disclosing the complainant's personal information to a union for purposes that were not reasonable, and to an extent that was not reasonable.
After failing to pass a drug and alcohol test, the complainant was referred to Wilson Banwell, an Employee Assistance Provider (EAP), for a "return to work assessment." He signed a consent authorizing release of "assessment / treatment summaries" to his employer to facilitate his return to work. The complainant believed Wilson Banwell would limit its report to recommendations arising from the assessment. However, the Wilson Banwell psychologist sent a three-page report to both the complainant's employer and union. The report provided a summary of the clinical interview the psychologist conducted with the complainant, including details of a previous visit the complainant had made to Wilson Banwell on his own initiative, and some personal information of the complainant's wife.
The Investigator recommended Wilson Banwell:
- revise its "Release of Information" form to clarify exactly what information will be disclosed to a client's employer for return to work purposes, and
- remind all staff of Wilson Banwell's policies respecting written consent, and the requirement to disclose only the least amount of information necessary for reasonable purposes.
Wilson Banwell agreed to implement these recommendations.
I expect the result would have been the same if the complaint was brought under PIPEDA, except the parties wouldn't have been named.
Saturday, January 27, 2007
The recent personal information breaches in Canada have prompted a lot of discussion about breach notification.
This may be the upswell of citizen concern that will prompt legislative change in Canada. From today's Halifax Chronicle Herald:
The ChronicleHerald.ca - Should retailers come clean? Businesses not obligated to alert consumers when information is stolen
By CLARE MELLOR Business Reporter
Retailers and financial institutions in Canada don’t have to tell customers when thieves have stolen their personal information.
Recent cases of data theft at Winners and the loss of a hard drive at CIBC have made headlines across the country, alerting Canadian consumers to be on guard for identity theft, but these security breaches could be the tip of the iceberg, privacy experts say.
"There are probably a whole lot more incidents out there that we haven’t heard about because the businesses have no legal reason that requires them to tell the consumers involved," Halifax lawyer David Fraser, a privacy specialist, said Friday.
"One of the big questions on law reform in this area is whether a business should have a duty to notify people whose information has been compromised."
CIBC, which was earlier taken to task by federal privacy commissioner Jennifer Stoddart for lapses in security involving misdirected faxes, issued a news release and sent letters to Talvest mutual-fund holders last week. The company said a backup computer file containing their personal information had gone missing in transit.
TJX Cos., American operator of Winners and HomeSense, recently revealed that computer hackers had broken into its system, but the firm has not said how many customers had personal data stolen.
About 30 states have laws requiring businesses to notify their customers when their personal information has been stolen or lost, Mr. Fraser said.
A parliamentary committee has been reviewing Canada’s federal privacy law. Requirements to notify the public when a breach happens are being discussed.
When Ms. Stoddart appears before the committee, she will likely call for changes to the law requiring businesses to inform consumers when their information has been stolen or gone missing, Anne-Marie Hayden, spokeswoman for the privacy commissioner’s office, said Friday.
Under Canada’s privacy law, businesses and banks must keep personal information secure and not share it without client consent.
While Ms. Stoddart’s office can’t fine or penalize businesses that repeatedly break the law, it can pursue legal action through the Federal Court, Ms. Hayden said.
"It would be safe to say that most of the time when the commissioner makes recommendations (to tighten privacy practices), those changes are implemented," she said .
But David Malamed, a forensic accountant, said it is clear many companies are not taking their privacy obligations seriously enough.
"A lot of the reason that it is happening is that the focus for a lot of companies is on the bottom line," said Mr. Malamed, who works at Grant Thornton in Toronto
"As systems advance, people get smarter and the question is how money is being invested into protecting these systems. . . . There are different methods that you can go about to protect your customer information that will help prevent this from happening or at least reduce it to a greater degree."
There have been media reports of fraudulent purchases made with customer information stolen from Winners.
A Canadian law firm, Merchant Law Group, which has offices in Saskatchewan and Alberta, has already launched a class-action suit over the security breach.
But there is some question about whether Canadian consumers can successfully sue for theft or mishandling of their personal information, Mr. Fraser said.
"If you are the subject of fraud, you may be able to successfully sue them," he said. "But if you can’t prove harm, it is much more difficult."
Friday, January 26, 2007
The second (that I know of) conviction under Canada's new voyeurism laws took place yesterday in Halifax.
The Daily News: News Former sailor pleads guilty after trying to videotape neighbour
LINDSAY JONES The Daily News
CRIME – A former sailor has pleaded guilty to trying to videotape a woman while she was changing in her own apartment.
In August of 2006 the woman was getting dressed in her walk-in closet when she spotted a video camera in the window pointed towards that part of the room. She was changing in the closet because her window was only partially covered by a blanket.
Karlson Glen Chaulk, who had been in the armed forces for nearly seven years, lived in the apartment above her. The two did not know each other, the court heard.
The woman called police and Chaulk admitted to committing the offence. He asked police if there was any way to make it go away, the court heard. Police found no images on the video camera.
Chaulk has two previous convictions, for impaired driving and possessing narcotics.
The court heard the victim moved from the residence because she no longer felt safe, costing her her damage deposit and moving expenses.
Chaulk told the court he was “truly sorry” for his actions and promised it would never happen again. “I do realize now that I shouldn’t have conducted myself in the way I did with the camera,” he said.
Judge Michael Sherar said not only is the charge sad and juvenile, but also deplorable. He asked Chaulk what he intended when he surreptitiously looked into someone else’s apartment. He also outlined how everyone has the right to privacy in their own home.
Chaulk has since resigned from the Defence Department and plans to move to Alberta tomorrow.
He was sentenced in Halifax provincial court yesterday to 90 days probation, ordered to pay a $500 fine and $450 restitution to the victim, as well as undergo counseling. He must also stay 150 metres from the woman’s home and workplace.
Chaulk is the second person in Canada to be sentenced for voyeurism, since the law was enacted in November 2005. The law makes it illegal to “surreptitiously observe or make a visual recording” for a sexual purpose.
The only other prosecuted case of voyeurism in Canada also took place in the province.
Winston Charles Patriquin of Port Howe, Cumberland Co., pleaded guilty last August to using a video camera to tape a girl in the bathtub.
Technology takes place of peeping Toms: lawyer
A Halifax privacy lawyer says technology is taking the place of the guy lurking outside the window.
David Fraser said what’s traditionally considered trespassing is now occurring digitally, without the physical presence of a perpetrator.
“People can be observed in a number of different contexts,” he said. “Hidden cameras in change rooms in stores. Hidden cameras in bathrooms in hotels.”
Canada’s voyeurism law was enacted in November 2005 to better protect children and other vulnerable victims from harm. The law makes it illegal to “surreptitiously observe or make a visual recording” for a sexual purpose.
Fraser said the law reflects the potential seriousness and intrusiveness of voyeurism. Enacting it was necessary, he says, to keep up with technological advances and the advent of miniature, wireless cameras.
“Thousands of companies sell wireless cameras and it’s pretty plain in the description of their products that they’re selling them for this sort of voyeurism,” he said. “Once this information is in digital form, it’s very easily transmitted.”
— Lindsay Jones
Thursday, January 25, 2007
The Information and Privacy Commissioner of Alberta released a very interesting order today, considering whether the right to freedom of expression in the Charter overrides the restriction on disclosure of personal information without consent. In this case, a shopper at Safeway was allegedly caught shoplifting. The "shopper" was an employee of another grocery chain and a representative of Safeway reported the incident to her employer, and she was fired. She then complained that Safeway had disclosed her information without her consent, in breach of the Personal Information Protection Act. At an inquiry under that Act, Safeway argued that the restriction on disclosure was unconstitutional. In the order, the Commissioner disagreed.
Summary: The Complainant, an employee of another food retail chain, entered a store of Canada Safeway Limited (the “Organization”) while wearing her employee uniform. The Complainant gathered several goods, paying for some and not for others. When the Complainant left the store, security for the Organization stopped the Complainant and accused the Complainant of theft. The unpaid items were returned and the police were notified. Upon review of the incident, no charges were laid.
The Organization, without the consent of the Complainant, advised the Complainant’s employer about the incident. As a result the Complainant was dismissed. The Complainant initiated a complaint with the Office of the Information and Privacy Commissioner, and the matter proceeded to a written inquiry. The Organization argued that it did not require consent to disclose personal information of the Complainant under section 7(1)(d) (consent to disclose) of the Personal Information Protection Act, (the “Act”) as the section is contrary to section 2(b) (freedom of expression) of the Canadian Charter of Rights and Freedoms (the “Charter”). The Organization also argued that if it is found that section 7(1)(d) of the Act is not contrary to the Charter, then section 20(b) (disclosure pursuant to a statute of Canada that authorizes or requires disclosure) of the Act and section 20(m) (disclosure reasonable for investigation or legal proceeding) of the Act apply and permit the disclosure of the Complainant’s personal information.
The Commissioner found that section 7(1)(d) of the Act did not contravene section 2(b) of the Charter; that sections 20(b) and 20(m) of the Act did not authorize the Organization to disclose the Complainant’s personal information without consent; and that the Organization disclosed the Complainant’s personal information contrary to section 7(1)(d) of the Act.
Wednesday, December 06, 2006
The Office of the Information and Privacy Commissioner of Alberta has found that the Calgary Health Region violated the Health Information Act in connection with a stolen laptop:
Calgary Health Region found in Contravention of Health Information Act over stolen laptop:
The Office of the Information and Privacy Commissioner has found that the Calgary Health Region contravened the Health Information Act (HIA), following an investigation into the theft of a laptop computer. The laptop contained a database of more than 1,000 children in a mental health care program, including patient history and treatment details.
Key findings included:
- The Health Region had policies in place that would have protected the stolen laptop and the information it contained, but those policies were not fully implemented by the Collaborative Mental Health Program.
- A copy of the entire database was stored on the stolen computer, increasing the number of people affected. Program workers should only have copied the files they needed, rather than the entire database.
- While the laptop was protected by passwords, this was not adequate given the nature of the information it contained
- A knowledgeable and motivated individual could access the data with tools that are readily available on the internet.
- While the risk of identity theft from the information is low, it cannot be ruled out.
- Encryption technology would have protected the lost data, but it was not implemented.
The CHR informed the Commissioner's Office of the incident on its own initiative, took immediate action to notify affected individuals and has since implemented measures to secure mobile computers. The Health Region also agreed to follow our Investigator's recommendations.
Investigator Brian Hamilton says, "For the most part the Calgary Health Region does a good job protecting information, and has been taking steps to improve security. Unfortunately, they failed to recognize and address the risks of mobile computing in this program area."
Others can learn from this investigation. The Office of the Information and Privacy Commissioner urges all HIA custodians, public bodies and private sector organizations to follow these recommendations for mobile computing:
- Perform a Privacy Impact Assessment (or a security risk assessment) before implementing mobile computing.
- Do not store personal or health information on mobile computing devices unless you need to - consider technologies that allow secure, remote access to your network and data instead.
- If you must store personal or health information on a mobile device, use encryption to protect the data - password protection alone is not sufficient.
- Keep the amount of personal or health information stored on mobile computing devices to a minimum, based on your business needs.
- Periodically check your policies against practice to ensure they reflect reality and remain effective.
- Provide specific training on mobile computing to staff to ensure they understand the risks and understand how to protect their equipment.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.