The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Monday, October 13, 2008

British Columbia bridge implements plate-based tolling 

The Golen Ears Bridge in British Columbia is the first toll highway/bridge in Western Canada to follow the lead of Toronto's 407 ETR to implement electronic tolling using plate identification.

Spokespeople are attempting to soothe privacy fears, but I'm not sure it goes far enough:

Vehicles crossing Golden Ears Bridge will be tracked, TransLink says


But TransLink spokesman Ken Hardie said people shouldn't worry about their privacy being invaded.

He said billing agents who send toll bills by mail will be the only ones who usually have access to who crosses the bridge.

Police conducting criminal investigations will also have access, he said, just as they are able to access digital video recorded at SkyTrain stations.

Private individuals will be out of luck.

"If a jealous husband comes along and says, 'I want to know if my wife went across the bridge at a certain time', he won't be able to. That information is protected," he said.

Hardie said TransLink conducted a privacy impact assessment on Golden Ears bridge tolling, and had it approved by the Freedom of Information and Privacy office in Victoria.

"We've taken all the steps to satisfy them [privacy officials] that the records will be kept and managed in an appropriate way," he said.

"The key issues are what kind of record is being created, how long do you keep it, how do you store it and who has access to it," said Hardie.

If you ask me, police shouldn't get any of the information unless they show a warrant and spouses should know that an ordinary civil subpoena will probably pry that info loose from TransLink without too much hassle.

Labels: ,

Monday, April 21, 2008

PIPA review released in BC 

The Special Committee of the BC Legislature reviewing the Personal Information Protection Act has recently released its report:

April 17, 2008: Special Committee Recommends Changes to Streamline B.C.’s Private-Sector Privacy Law Media Releases Special Committee to Review the Personal Information Protection Act 4th Session 38th Parliament Committees


VICTORIA – The Special Committee to Review the Personal Information Protection Act submitted its Report to the Legislature this afternoon. The all-party committee was appointed in 2007 by the Legislative Assembly to review the act that regulates the collection, use and disclosure of personal information by private-sector organizations in the province. During the past year, the committee received 39 submissions.

The key findings from the consultations are that the act seems to be working well overall for private-sector organizations operating in British Columbia, while the public is not as aware of the purpose, rules and scope of the act. The act also aligns with the federal and Alberta private-sector privacy laws.

The report, titled Streamlining British Columbia’s Private Sector Privacy Law, was unanimously adopted by all committee members. The report contains 31 recommendations, including:

  • Making private-sector organizations accountable for personal information they transfer for processing outside Canada
  • Requiring organizations to notify affected individuals of privacy breaches in certain circumstances
  • Banning the use of blanket consent forms by provincially regulated financial institutions
  • Revising consent exceptions to better address business practices in the insurance industry
  • Permitting disclosure of personal contact information for health research
  • Retaining the minimal fee for access to personal information
  • Streamlining the complaints process in the province’s privacy laws
  • Strengthening the Information and Privacy Commissioner’s oversight powers

“Keeping personal information private is vitally important,” said committee chair Ron Cantelon, MLA. “We want to enhance safeguards, but at the same time, balance that goal against imposing unnecessary regulations on business, particularly small businesses.”

The members of the Special Committee to Review the Personal Information Protection Act are:

Ron Cantelon, MLA Nanaimo-Parksville

Harry Lali, MLA Yale-Lillooet

Leonard Krog, MLA Nanaimo

Mary Polak, MLA Langley

John Rustad, MLA Prince George-Omineca

Information about the committee’s work can be found on its website at, or by contacting the committee chair, Ron Cantelon, MLA, or any committee member.

Labels: , , , ,

Friday, April 11, 2008

B.C. introduces law governing access, privacy of electronic health records 

British Columbia's government has just recently introduced legislation specifically tailored for privacy and access to electronic health records.


April 10, 2008

Ministry of Health


VICTORIA – A new e-Health (Personal Health Information Access and Protection of Privacy) Act introduced today moves British Columbia a step closer to the goal of giving citizens access to their health records and medical information, while strengthening privacy protection, said Health Minister George Abbott.

“This new e-Health legislation moves us forward in meeting our throne speech commitment to give citizens better access to their health records and medical information so they can engage in a more informed role in their own health-care choices,” said Abbott. “eHealth will give patients faster, safer and better health care by providing authorized health-care professionals with secure access to patients’ information to make the best and most timely clinical decisions.”

British Columbia is the first province in Canada to create a specific legislative framework governing access and privacy for electronic health information databases. While other provinces have access and privacy legislation governing personal health information, British Columbia will be going above and beyond the provisions of the Freedom of Information and Protection of Privacy Act with new legislation containing specific provisions to address access to information and protection of privacy of electronic health information.

“As e-Health information becomes a more widely accessible and used tool in our health-care system, we want to ensure British Columbia has a framework that allows for the most effective medical and health-research related use of electronic health database information,” said Abbott. “But we also have to ensure that the framework surrounding use of electronic health information is to the highest standards of privacy protection.”

Individuals will be able to block access to their own information in Health Information Banks from all health professionals, with the only overriding clause being in the case that the person is incapacitated in an emergency or with the person’s consent. Maximum fines for violations of the act have been increased from $2,000 under the Pharmacists, Pharmacy Operations and Drug Scheduling Act to $200,000 under the new act.

The act specifically prohibits disclosing information from electronic databases for market research, while creating a Data Stewardship Committee that will evaluate requests for the disclosure of data for health research or planning purposes.

The e-Health (Personal Health Information Access and Protection of Privacy) Act will also introduce legislative changes so medical researchers can approach individuals regarding health research studies, while respecting personal privacy and patient confidentiality. Individual requests by researchers to contact persons for health research from database information will require the specific approval of the Information and Privacy Commissioner.

“Patients and former patients can provide invaluable information in chronic disease research,” said Barbara Kaminsky, CEO of the Canadian Cancer Society. “Previously, researchers we fund could not even contact individuals who were willing to assist us in this vital work. Now we have a viable way to expand our research while respecting individual privacy.”

The Province recognizes that medical research and the privacy of British Columbians are equally important. The legislation will create an effective balance between individual rights and public responsibilities. It will also enable government to make objective decisions on the appropriate disclosure of health information for secondary purposes.

Amendments are also being made to the Pharmacists, Pharmacy Operations and Drug Scheduling Act to provide similar access, privacy and penalty provisions regarding PharmaNet. PharmaNet is internationally recognized as a world-class secure electronic network that protects patient safety. It protects patients from potentially dangerous medication errors, duplications and dangerous combinations of different medications. It records all prescriptions dispensed at B.C. community pharmacies in a central database and checks for interactions.

From the Canadian Press:

The Canadian Press: B.C. introduces law governing access, privacy of electronic health records

B.C. introduces law governing access, privacy of electronic health records

1 day ago

VICTORIA — British Columbians will soon be able to use their computers to view their health records, Health Minister George Abbott said Thursday after introducing legislation governing access and privacy for electronic health information databases.

British Columbia became the first province in Canada to create a legislative framework with specific provisions to address access and protection of electronic health information.

The e-Health Personal Health and Information Access and Protection of Privacy Act could eventually create paperless medical offices, allowing physicians to store information about patients on their computers as opposed to the banks of individual file folders in most offices, Abbott said.

"I'm pretty confident we got it right here," he said. "I'm very pleased with the balance with the legitimate access to personal information that a physician may require and the protection of the sanctity of those records that is so important to the patient."

The e-Health law gives medical researchers access to the electronic health database but ensures privacy, Abbott said.

Individuals can block access to the their own information in health data banks, except in cases where the person is incapacitated in an emergency or with the individual's consent.

Abbott said the new law prohibits disclosing information from electronic health databases for market research. The government will create a committee that evaluates requests for data for health research or planning purposes.

Maximum fines for violating the act have been will be $200,000.

The Opposition New Democrats said they want patient privacy ensured. They also said the act suffers from credibility issues.

Opposition health critic Adrian Dix wondered whether the bidding process for a $108 million contract for the software to store electronic medical records was tainted by alleged conflict of interest by a former top bureaucrat.

"The electronic medical records process is mired, unfortunately, in problems with the bidding process and problems with conflict of interest," he said. "We're talking about access to personal medical records and the credibility of that process is put in jeopardy."

The Health Ministry received a letter of concern about the bid process from an unnamed company whose bid for the electronic medical records contract was rejected.

And Dr. Tom Elliott, of Vancouver, went public with his concerns, saying his electronic records software met more than 95 per cent of the bid guidelines but didn't make the shortlist.

Other concerns involved the relationship between Ron Danderfer, a former assistant deputy minister of health, and Dr. Jonathan Burns, a Fraser Valley emergency room doctor and health contractor who developed and promoted a widely used health records device.

Danderfer and Burns were members of a steering committee overseeing the $108 million contract, aimed at getting the province's doctors on common software for medical records.

Only six companies were chosen to be involved and last year Burns listed one of the winning companies as a partner on his website.

The company, Wolf Medical, denied there had ever been a financial link between the two.

Abbott has said a government review found Danderfer was not involved in the selection or evaluation process for the health records project.

An internal government letter addressed to the Health Ministry from the Labour Ministry said last year the bid process was not influenced by Danderfer and Burns.

"While news media reports appear to link the Burns/Danderfer matter with the electronic medical record procurement, we can confirm that neither of these individuals were involved in evaluating proponent proposals or proponent software demonstrations and testing at any stage of the evaluation process," said the Nov. 7 letter from Richard Poutney, assistant deputy labour minister.

"We have not received any information that would link this matter to the electronic medical record procurement," it said.

In December, RCMP confirmed an investigation involving Danderfer while he was employed at the Health Ministry. The Mounties also asked the government to withhold results of an internal audit until their probe is complete.

Danderfer was placed on mandatory leave last July and retired last October after 35 years of service with the B.C. government.

Labels: , , ,

Thursday, March 06, 2008

Privacy Commissioners Release New Video Surveillance Guidelines 

The Privacy Commissioners of Canada, British Columbia and Alberta today have released Guidelines for Overt Video Surveillance in the Private Sector to help businesses consider privacy matters when deciding whether to and how to implement overt video surveillance. (I wonder whether they'll also produce guidelines on covert surveillance?)

From the media release:

Privacy Commissioners Release New Video Surveillance Guidelines

Privacy Commissioners Release New Video Surveillance Guidelines

OTTAWA, March 6, 2008 — Private-sector organizations considering video surveillance systems must take specific steps to minimize the impact on people’s privacy, say video surveillance guidelines released today.

The new guidelines set out how companies should evaluate the use of video surveillance and ensure any surveillance they undertake is conducted in a way that respects privacy rights and complies with the law.

These guidelines have been endorsed by Jennifer Stoddart, the Privacy Commissioner of Canada, Frank Work, the Information and Privacy Commissioner of Alberta, and David Loukidelis, the Information and Privacy Commissioner for British Columbia.

“We have seen a dramatic increase in the use of surveillance cameras by private-sector organizations. Many of our day-to-day activities are now captured by these cameras,” says Commissioner Stoddart.

“There are some legitimate reasons to conduct video surveillance, but privacy laws in Canada impose restrictions and obligations when, where and how businesses can conduct this kind of surveillance,” says Commissioner Loukidelis.

“These guidelines make it clear that businesses must carefully evaluate why they are installing video surveillance equipment, and what they will do with the information that is collected,” says Commissioner Work.

The Commissioners say it is disturbing to hear stories about video surveillance operators deliberately pointing cameras to ogle women, as well as surveillance images of people caught in unflattering situations finding their way onto video sharing sites like YouTube and Vimeo.

The new guidelines are aimed at businesses subject to the Personal Information Protection and Electronic Documents Act, or PIPEDA. They are also targeted at businesses subject to the provincial Personal Information Protection Acts in Alberta and British Columbia.

The overarching principle for video surveillance – which stems from the key legal test under the federal and provincial laws – is that it should be used only for purposes that a reasonable person would consider appropriate in the circumstances.

The guidelines state that, in order to limit the impact on privacy, cameras should be positioned to avoid capturing the images of people not being targeted (e.g., someone walking outside a store). As well, cameras should not be used in areas where people have a heightened expectation of privacy, such as washrooms, and through building windows.

The guidelines also say:

  • People should be notified about the use of cameras before they enter the premises.
  • Individuals whose images are captured on videotape should, upon request, be given access to this recorded personal information.
  • Organizations must ensure that video surveillance equipment and videotapes are secured and used for authorized purposes only.
  • Individuals who operate video surveillance systems should understand the privacy issues related to surveillance and their obligations under the law.
  • Video surveillance recordings should be retained only as long as necessary and destroyed securely.

The complete guidelines for private-sector organizations are available at, and The Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for British Columbia have previously published guidelines for the use of video surveillance in public places by police and law enforcement authorities.

All three privacy commissioners are statutorily mandated to oversee compliance with the Acts and are advocates and guardians of privacy and the protection of personal information rights of Canadians.

Labels: , , , , , ,

Wednesday, February 06, 2008

Privacy Commissioners come out against national (RF)ID cards 

The Federal, Provincial and Territorial Privacy Commissioners came out yesterday against proposed RFID embedded super drivers licenses designed to facilitate border crossings:

Nova Scotia News -

Keep drivers' information in Canada — officials

Privacy commissioners slam plan to produce national identity cards


The Canadian Press

Wed. Feb 6 - 6:15 AM

VICTORIA — Personal information about Canadian drivers must stay in the country as plans are developed to introduce high-tech driver’s licences in Canada that will be accepted as identification at United States border crossings, Canada’s privacy commissioners said Tuesday.

The commissioners issued a joint statement that called on Ottawa and provincial and territorial governments participating in the so-called enhanced driver’s licence programs to ensure the personal information of participating drivers stays in Canada.

The commissioners also said they continue to voice their opposition to any plans to introduce national identity cards and systems.

British Columbia and the federal government reached an agreement last month to start issuing the enhanced driver’s licences on a trial basis. Ontario is examining a similar licensing program.

The enhanced licences, equipped with radio frequency chips, allow border officials to access personal identity information. They can be used as an alternative to a Canadian passport.

Jennifer Stoddart, Canada’s privacy commissioner, said her office is monitoring the progress of the enhanced driver’s licence program and recently received a government privacy-impact analysis. She said her office is not yet ready to give the green light to the licence program.

"Maybe our positions are more nuanced than that when we say with all these progressive and incremental steps towards measures that increasingly limit Canadians’ privacy, this is what you should be looking for," Stoddart said.

"These are the steps you need to follow," she said. "Have you chosen the least privacy-invasive route?"

David Loukidelis, B.C.’s privacy commissioner, said Canadians need to be reminded that a Canadian passport is a well-established, highly secure identification document.

"These enhanced driver’s licences or EDL programs do raise concerns about security and privacy of personal information on a number of fronts," Loukidelis said.

There are concerns that the radio frequency technology on the chips embedded into the licences could be skimmed by others or used to track individuals, he said.

The commissioners are concerned about the transfer across borders of databases containing personal information about Canadians, Loukidelis said.

"We don’t do that now with passport databases and we don’t see why we would need to do anything differently when it comes to enhanced driver’s licences."

The B.C. government has received 800 volunteers for the enhanced driver’s licence program within the first two days of the pilot project.

John van Dongen, Intergovernmental Affairs Minister, said 500 licences will be issued in British Columbia.

He said the information contained in the licences provides border officials with proof of citizenship, a photograph to confirm identity and status to legally cross the border.

"They do not access medical records," he said. "They do not access driver’s records. They do not access fines, tickets, penalties. They do not access accident history. None of that information is of any interest to the border agencies in either country."

Labels: , , ,

Monday, January 14, 2008

Alberta privacy commission to rule on bar scans 

Personal information practices of bars and nightclubs are coming under increasing scrutiny, particularly with repect to video surveillance in Nova Scotia and the practice of scanning identification documents. Complaints related to the latter practice are pending in British Columbia and Alberta. It appears that a decision of the Alberta Commissioner is to be expected shortly: Alberta privacy commission to rule on bar scans.

Labels: , , , , , ,

Saturday, September 22, 2007

Guidance on asking for ID in credit card transactions 

The Information and Privacy Commissioners of Alberta and British Columbia, along with the Privacy Commissioner of Canada, have released a guidance document on requiring photo ID of individuals paying for goods and services by credit card. All three have concluded it is reasonable.

See the OIPC website and the guidance document: Photo Identification Guidance.

Labels: , , ,

Monday, September 03, 2007

BC Commissioner: Student records can be shared to protect public safety 

Proably not a surprise for those who regularly work with the provincial public sector privacy laws in Canada, which usually contain a public interest and "health and safety" override:

Records of troubled B.C. students can be shared: privacy commissioner

Universities in British Columbia can share confidential medical records about troubled students if there's a perceived a threat to public safety, the province's privacy commissioner says.

Responding to a U.S. government report issued June 13 on the April 16 massacre at Virginia Tech that left 33 people dead — including the student who fired the gun — David Loukidelis said a university student's confidential medical records can be shared — regardless of the student's age.

"The laws in B.C. fully enable university and college officials to take steps to protect individual and indeed public safety," Loukidelis told CBC News on Monday.

The U.S. report says schools, doctors and police often do not share information about potentially dangerous students because they can't figure out complicated and overlapping privacy laws.

Loukidelis said there's a long list of exemptions in B.C.'s privacy laws that allow a student's private information to be shared for the good of public safety.

Tim Rahilly, senior director of student and community life at Simon Fraser University in Vancouver, said he often noticed the beginning of problems with students and wondered whether that information could be shared.

He said the university would ask the student whether it can talk to the student's parents about the concerns.

"The student can say no and if they are above the age of majority we are a little bit hamstrung," Rahilly said.

Loukidelis said if a student denies a request to share personal information with their parents or school officials, an assessment can be made.


Nil Koksal reports for CBC-TV (Runs: 2:28)

Play: QuickTime »

Play: Real Media »

Labels: , , , ,

Monday, August 13, 2007

BC auto body shops object to auto insurer's credit-card policy 

Auto body repair shops in British Columbia are complaining to the province's privacy commissioner about the public auto insurer requiring that the shops hand over customer credit card information in the course of routine audits.

I wonder whether there's anything in the customer's policy allowing ICBC to collect this information?

Check it out:

Auto body shops take aim at ICBC's credit-card policy

Neal Hall, Vancouver Sun

Published: Monday, August 13, 2007

An association representing auto body shops and automotive glass repair companies has filed a complaint with B.C.'s information and privacy commissioner about having to hand over customer credit card numbers to the Insurance Corp. of B.C.

The United Auto Trades Association of B.C. says disclosure of a customer's personal and financial information during ICBC audits should not be done without a customer's written consent.

The complaint, obtained by The Vancouver Sun, says the disclosure without written consent is "clearly unlawful."

"It's of concern to us," said Gerry Preddy, vice-president of the association. "We've had examples of files being lost [by ICBC]."

The association, in its complaint, cites the federal Personal Information Protection Act, which states: "An organization must not, as a condition of supplying a product or service, require an individual's consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service."

ICBC demands such information during audits of auto body and glass repair shops that participate in ICBC's Glass Express Program to make sure shops are charging the vehicle insurance deductible amount.

"When a customer makes a claim, they are required to pay a deductible," explained ICBC spokeswoman Kate Best, "so repair shops provide ICBC with credit card information to confirm the payment of the deductible."

ICBC's position is that audits of repair shops are reasonable to verify payments, she said.

"The matter is currently before the information and privacy commissioner and ICBC will await the ruling," Best said.

The association says while membership in the glass express program is voluntary -- about 700 businesses and 60 per cent of glass repair shops participate in the program -- shops would suffer a drastic loss in business if they withdrew or refused to hand over the financial information of customers during ICBC audits.

The association made a final submission to the privacy commissioner on July 30, pointing out a recent B.C. Court of Appeal decision "confirmed that the collection and disclosure must be authorized by law."

The appeal court, in its ruling involving Royal City Jewellers & Loans Ltd., struck down a New Westminster bylaw allowing police to collect financial and personal information about people selling or pawning items to second-hand stores and pawn shops. The shops still collect the information but take the position they won't hand it over to police without a court order or search warrant.

Royal City Jewellers launched the court challenge, stating it was an invasion of privacy for law-abiding customers.

Labels: , , ,

Tuesday, August 07, 2007

Cameras coming to BC buses 

Video cameras are coming to public transportation in British Columbia. Probably not breaking news, but I find the following quote to be interesting:

"Many proponents of the system say the public is already recorded on video in malls, ATM machines, and various other areas. Cameras on buses and other public areas, they believe, is simply a natural extension."

With cameras in many places, where is it not a natural extension? Once they are commonplace in one public area, it's very easy to justify putting them in another locale.

BCNG Portals Page (R)

Closed-circuit TV cameras coming to buses

By Kevin Diakiw Black Press

Aug 03 2007

Cameras will be installed on all buses in the coming months, but privacy watch-dogs are concerned about how they’ll be used.

TransLink will spend $4 million for camera installation, primarily as a measure for driver safety. However, TransLink spokesman Ken Hardie said cameras will be placed on various areas of the bus, and will not simply be focused at the driver.

“I believe actually there will be more than one camera on the bus, there will be a number of different views,” Hardie said Wednesday.

The expansion of Closed Circuit Television cameras (CCTV) onto buses has been sold primarily as a device to prevent assaults on drivers.

Hardie said they will have several uses.

“Let’s say taggers, who can create mayhem inside a bus, just by leaving graffiti and other damage,” Hardie said. “... now buses might not leave them the kind of anonymity that they love to have when they do their work.”

It’s that kind of “function creep” that concerns civil libertarians.

“I am concerned about this notion ... now that we’ve got them on the bus ... let’s point them all over the bus and let’s catch the kids with crayons in the back seat while we’re at it,” said Micheal Vonn, policy director for B.C. Civil Liberties Association.

She’s also concerned about who would have access to the images.

Hardie said the video will be “recorded on board” to a hard drive and overwritten every week. A special team with Coast Mountain Bus Ltd. would be the only people with access to the video, unless required by police or court.

Many proponents of the system say the public is already recorded on video in malls, ATM machines, and various other areas. Cameras on buses and other public areas, they believe, is simply a natural extension.

“The question is to what degree are we becoming immune to the idea we should not be on film whenever we’re outside of our house,” Vonn said.

With scores of people already on any particular bus witnessing what’s going on, many feel the public expectation of privacy is low.

Vonn has heard the argument and disagrees.

“If I’m in a restaurant having a private conversation with a friend, a server can overhear snatches of what I’m saying,” Vonn said. “It’s quite different than having my Waldorf salad bugged and my entire conversation recorded.”

Hardie said TransLink is working with the B.C. Privacy Commissioner and will be submitting a privacy impact assessment as part of the process.

At the end of the day, the public will be safer with the presence of cameras on the region’s buses, he said.

“For one element, to know their actions are being recorded will make them think twice, there will be a deterrent effect in some respects,” Hardie said.

TransLink is hoping it will serve not only as an effective investigative tool for police, but will lead to stiffer penalties when perpetrators go to court.

Labels: , , , ,

Friday, August 03, 2007

Federal Privacy Commissioner releases privacy breach guidelines 

The Federal Privacy Commissioner has just released privacy breach guidelines, which are similar to guidelines produced by the Ontario and British Columbia commissioners. Here is the press release, with links to the guidelines:

News Release: Privacy Commissioner releases privacy breach guidelines (August 1, 2007) - Privacy Commissioner of Canada

Privacy Commissioner releases privacy breach guidelines

Ottawa, August 1, 2007 – New guidelines will help organizations take the right steps after a privacy breach, including notifying people at risk of harm after their information has been stolen, lost or mistakenly disclosed, says the Privacy Commissioner of Canada, Jennifer Stoddart.

The guidelines outline some of the key steps in responding to a breach, such as containing the breach, evaluating the risks associated with it, notifying the people affected and preventing future breaches.

“It’s clear that most businesses take seriously their responsibilities under Canada’s private-sector privacy law. I want to thank the industry groups, civil societies groups and privacy commissioners' offices that helped my office in developing these,” Commissioner Stoddart says.

The Office of the Privacy Commissioner (OPC) has become increasingly concerned about privacy breaches and breach notification following some major data breaches in recent months. Earlier this year, Commissioner Stoddart urged the federal government to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to make it mandatory for businesses to notify people when their personal information has been breached.

“Our new voluntary guidelines do not take away from the need for breach notification legislation,” the Commissioner says. “I would once again urge the Minister of Industry and his cabinet colleagues to help better protect Canadians by making breach notification a legal requirement for businesses.” The guidelines call on businesses to notify people that their personal information has been compromised in cases where the breach raises a risk of harm. For example, there may be a risk of identity theft or fraud in cases where sensitive personal information has been lost or stolen.

Organizations are also encouraged to inform the appropriate privacy commissioner(s) of a privacy breach. (In British Columbia, Alberta and Quebec, provincially regulated businesses should speak to their provincial privacy commissioners. In Ontario, breaches involving personal health information must be reported to the provincial commissioner.)

The OPC is currently investigating two high-profile privacy breach cases involving large amounts of personal information.

In one case, the Canadian Imperial Bank of Commerce reported to the OPC the disappearance of a hard drive containing the personal information and financial data of close to half a million clients of its subsidiary, Talvest Mutual Funds.

The other investigation, being conducted jointly with the Information and Privacy Commissioner of Alberta, is looking at a breach at TJX Companies Inc., which affected thousands of Canadians who shopped at TJX’s Winners and HomeSense stores.

The new guidelines as well as a privacy breach checklist and a list of organizations which participated in the consultation process to develop the guidelines are available on the OPC website,

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Labels: , , , , , , ,

Saturday, July 07, 2007

Oshawa second-hand store bylaw invades privacy 

Earlier this week, the Ontario Court of Appeal, in Cash Converters Canada Inc. v. Oshawa (City) (July 4, 2007) (an appeal from Cash Converters Canada Inc. v. Oshawa (City), 2006 CanLII 3469 (ON S.C.)), overturned a City of Oshawa Bylaw that required sellers of second hand goods to collect detailed personal information about those who sell second hand goods to the stores. The bylaw was inconsistent with the Municipal Freedom of Information and Protection of Privacy Act.

Here's what the Toronto Star had to say about it: - News - Oshawa second-hand store bylaw invades privacy: Court

Tracey Tyler


The Ontario Court of Appeal has struck down sections of a controversial Oshawa bylaw that require second-hand dealers to collect detailed personal information from people who sell them goods and transmit the data to police.

The bylaw conflicts with provincial privacy legislation, which requires the collection and retention of personal information to be strictly controlled, the court ruled Wedneday, The 3-0 decision could influence challenges to similar bylaws in other parts of the country, including Alberta and British Columbia.

“This decision comes at a time when cities are gaining broader law-making powers,” said David Sterns, a lawyer representing the Oshawa franchise of Cash Converters Canada Inc., a second-hand store that challenged the bylaw.

“The court has sent a strong signal that all forms of information gathering and surveillance by municipalities are subject to the public’s overriding right to privacy.”

Under the Oshawa bylaw, passed by the city in 2004 as part of a new licensing system for second-hand dealers, stores were required to record the name, address, sex, date of birth, phone number and height of their vendors, who also had to produce three pieces of identification, such as a driver’s licence, birth certificate or passport.

“This information is then transmitted and stored in a police data base and available for use and transmissions by the police without any restriction and without any judicial oversight,” said Justice Kathryn Feldman said, writing on behalf of Associate Chief Justice Dennis O’Connor and Justice Paul Rouleau.

Store owners were required to send reports to police at least daily, in some cases at the time of purchase. The city argued the bylaw was meant to protect consumers from purchasing stolen goods.

But the municipality offered no evidence of a growing problem involving the sale of stolen goods to second-hand dealers, said Feldman.

Nor is there evidence that unscrupulous people are more likely to be deterred by the electronic collection and transmission of personal information, she said.

In 2003, Cash Converters purchased more than 28,000 used items from people in 2003. About 30 of those were seized by police in connection with criminal investigations.

It’s unknown whether any were confirmed as stolen, the court said.

The bylaw did not apply to pawn shops, which are provincially regulated.

See, also, James Daw's column: - columnists - New ruling stands up for privacy.

Labels: , , , , , , , ,

Tuesday, June 26, 2007

MySpace posting good enough for cross-examination 

In case you were wondering, you really shouldn't expect that anything you post on your MySpace page will be kept private. If you are in the middle of litigation alleging that you're disabled, don't post pictures of your skiing vacation.

This recent case from earlier this month in Ontario is, I think, the first Canadian case to mention MySpace. The defendants attempted to use info from the plaintiff's MySpace page as a basis for further discoveries.

Weber v. Dyck, 2007 CanLII 22348 (ON S.C.)

PDF Format

Date: 2007-06-12

Docket: 05-CV-4343CM


Weber v. Dyck

Ontario Master

Master L.A.M. Pope

Judgment: June 12, 2007

Docket: 05-CV-4343CM

Master L.A.M. Pope:

1 This action was scheduled for trial at a settlement conference held on December 1, 2006. The trial is number one on the trial list to commence the week of June 18, 2007. The defendants seek leave to bring this motion and for production from the plaintiff of information and documents pursuant to Rule 48.04(1). The information and documents relate to three activities of the plaintiff that took place subsequent to the plaintiff's examination for discovery on October 13, 2005.

2 The relief sought subparagraphs 1 (iv) and (v) of the Moving Party's Record are no longer in issue for the purposes of this motion.

3 This action arises out of a motor vehicle accident that took place on February 11, 2003 in which the plaintiff alleges that she sustained serious and permanent injuries to her left wrist and to her body, as well as emotional and psychic trauma. The action is governed by the Bill 59 insurance regime and as such the plaintiff has the onus to establish that her injuries meet the "threshold"; that is, that she has sustained a permanent serious impairment of an important physical, mental or psychological function within the meaning of section 267.5(5) of the Insurance Act in order for her to be entitled to damages.

4 At that time of her examination for discovery on October 13, 2005, the plaintiff was enrolled in year one of the Masters of Business Administration (Co-op) program ("MBA") at the University of Windsor. She testified at her examination that she earned part-time income by teaching piano and playing piano at weddings and other functions, what her plans were for employment after graduation and her vacation plans.

5 The following is the defendants' evidence that gave rise to this motion. The defendants learned that the plaintiff had a MySpace web page wherein she posted photographs of herself and announced certain information about herself. The undated photographs are of the plaintiff, for example, involved in what can be described as a somewhat physical activity in the Swiss Alps, in Paris, playing piano and at her graduation. The information exchange on the web page indicates that the plaintiff resides in Toronto and has a "new job." Further investigation revealed that the plaintiff worked as a Brand & Marketing Analyst for Level 5 Strategic Brand Advisors, that she recently completed her MBA specializing in marketing and international strategy and that she earned an ARCT (Associate of Royal Conservatory Teachers) designation. By letter dated March 30, 2007, the defendants requested production from the plaintiff of certain documents and information arising out of the information on the MySpace web page. Having received no response to that letter, Mr. Dycha wrote again to Mr. Leschied by letter dated May 2, 2007 and in that letter, Mr. Dycha added to his request for production additional documents and information.

Should leave be granted pursuant to Rule 48.04(1)?

6 The defendants seek leave to bring this motion for production pursuant to Rule 48.04(1) which provides that the consequence of a party setting an action down for trial or a party consenting to an action being placed on a trial list (as is the case here), is that the party shall not initiate or continue any motion or form of discovery without leave of the court. (emphasis added).

7 As this case is subject to the civil case management rules of Rule 77, it was placed on the trial list at the settlement conference held on December 1, 2006. There is no evidence that either party did not consent to the action being placed on the trial list. In my view, the consequences of placing a case managed action on a trial list are more serious than with a non-case managed case. This is evidenced by comparing the provisions of Rule 48.07 with subrules 77.14(2) and (4). The latter rules require a certification by the plaintiff that all examinations, production of documents and motions arising out of examinations and production of documents have been completed before the settlement conference date. Essentially, the parties who consent to an action being placed on the trial list declare that they are ready for trial. Subrules 77.14(2) and (4) support the purpose of the civil case management rules of reducing unnecessary cost and delay, facilitating early and fair settlements and bringing proceedings expeditiously to a just determination while allowing sufficient time for the conduct of the proceeding. In this case, the parties consented to the case being placed on the trial list with two exceptions as requested by the defendants and as ordered by Justice Nolan; firstly that the plaintiff deliver her x-rays by December 15, 2006, and secondly that the case be assigned an alternate trial date in the event the defendants did not have their expert reports by the June 18, 2007 trial list. The x-rays were delivered by the date ordered.

8 In order for the plaintiff to succeed in obtaining the right to further production of information and documents after a case has been placed on a trial list, they must first meet the requirements of Rule 48.04(1). The test for granting leave was aptly described by E.M. Macdonald J. in Hill v. Ortho Pharmaceutical (Canada) Ltd., [1992] 11 C.P.C. (3d) 236 (Ont. Gen. Div.) at 239, as follows:

The authorities make it clear that setting a matter down for trial is not a mere technicality of procedure. Before it can be vacated to permit any further discovery or other interlocutory proceedings, there must be a substantial or unexpected change in circumstances such that a refusal to make an order under s. 48.04(1) would be manifestly unjust.(emphasis added)

9 Plaintiff's counsel argues that the defendants were aware at the time of the mediation on July 26, 2006 and at settlement conference on December 1, 2006, that the plaintiff had graduated and therefore they should have brought this motion before agreeing to place the matter on the trial list. They further argue that given that the defendants consented to placing this matter on the trial list with the knowledge of the plaintiff's graduation, they should not be granted leave.

10 Firstly, there is no evidence before me of the above-noted allegations of the plaintiff. Secondly, it appears that Mr. Leschied provided Mr. Dycha with a copy of the plaintiff's transcript by letter dated December 20, 2006, several weeks following the settlement conference, (when the matter was placed on the trial list.) Moreover, the only evidence before me is that the defendants learned that the plaintiff had graduated on or about December 20, 2006, and that she had obtained a job and moved to Toronto when they discovered her MySpace web page. Therefore, it is my view that not only has the plaintiff had a substantial change in circumstances since this mater was placed on the trial list relating to her educational status, there has been a substantial change relating to her career, employment status and her place of residence. Albeit not all of these changes could be considered unexpected given her educational status at the time of her examinations for discovery, the test for leave does not require that the change in circumstances be substantial and unexpected. Therefore, I find that because there has been a substantial change in circumstances of the plaintiff since placing this matter on the trial list, it would be manifestly unjust in these circumstances not to grant leave for the defendants to bring this motion.

Rule 48.04(2)(b)(i) exception

11 The defendants submit that this motion falls within the exception set out in subrules 48.04(2)(b)(i). That rule provides that notwithstanding this matter being placed on the trial list, the plaintiff has a continuing obligation, pursuant to Rule 30.07, to disclose further relevant documents that come into her possession after serving an affidavit of documents or discovers that the affidavit is inaccurate or incomplete. If the plaintiff fails to make production of relevant documents she will be subject to the consequences set out in Rule 30.08. Rule 1.03 provides that a "document" includes data and information in electronic form.

12 The exception allowed in Rule 48.04(2)(b)(i) relates to subsequently discovered documents. The reason for this exception was explained by Master Dash in White v. Winfair Management Ltd., (2006) 16 C.P.C. (6th) (S.C.J.) at 48 as follows:

If a document is discovered and produced by the defendant after the plaintiff has completed his oral and documentary discovery and set the action down, it would constitute an unexpected change in circumstance that could mandate leave for further discovery thereon.

13 The defendants have requested the following documents:

1. a copy of the plaintiff's file from any employment placement agencies;

2. a copy of the plaintiff's current employment file and contact information relative to her immediate supervisor and individual in charge of Human Resources;

3. all photographs and video recordings from trips.

14 The defendants clarified that they were only seeking these documents for the last year and a half.

15 The first two documents set out above were not in the plaintiff's possession at the time of her examination for discovery on October 13, 2005 because they would have been created as a result of her graduating in the summer of 2006 and her subsequent job search. I am inclined to order production of these documents given the change in circumstances in the plaintiff's employment status and the fact that her income and job responsibilities are relevant to the threshold issue and the assessment of damages. Furthermore, there is no evidence before me that the defendants were aware that the plaintiff had graduated and/or had obtained a job at the time of the settlement conference on December 1, 2006. In fact, the plaintiff's evidence is that she did not provide the defendants with a copy of her transcript until December 20, 2006, following the settlement conference, as evidenced by Mr. Lescheid's letter of that date.

16 Regarding the third request above, clearly the photographs and video recordings requested were not in the plaintiff's possession at her examination for discovery such that the defendants could have requested them. The defendants urge me to grant the order based on the reasoning of the Master in the British Columbia case of Watt v. Meier , 2005 CarswellBC 3302 (S.C.) wherein it was the Master's opinion that in the hypothetical case where the main issue were a broken leg, where the plaintiff was claiming a significant disability and the defendant wanting to challenge the extent of the disability, then it would seem inherently possible that photographs from a vacation, where you may find somebody swimming or playing beach volleyball or all sorts of activities traditional on holidays, might be highly relevant to the question of the degree of a broken leg disability. I agree with the Master's reasoning; however, based on the reasons for my decision which follow, I have distinguished the Master's hypothetical case.

17 The defendants also rely on another case from the British Columbia Supreme Court of Tupper (Guardian ad litem of) v. Holding, [2003] B.C.J. No. 216wherein the plaintiff was ordered to produce vacation photographs. In that case the plaintiff sought damages for loss of her ability to enjoy life. The court stated that the documents sought include photographs of the plaintiff on vacation, posing or sitting with friends on the beach, and in front of various tourist sites; that is, they show her enjoying life. The court held that it was reasonable to conclude that the vacation photographs may assist the defendant in its defence of the plaintiff's claim. In both this case, as well as the Watt case, the motions were brought before the actions were set down for trial; therefore, the test for leave was not an issue before those courts.

18 I decline to order production of the photographs and video recordings for several reasons. Firstly, the parties consented to this action being placed on the trial list; therefore, they were deemed to admit that they were ready for trial. Secondly and more importantly, the defendants did not request production of the plaintiff's photographs and video recordings of her trip to Vancouver which she took the year before the examination. I fail to understand how the defendants would be entitled to photographs and video recordings of trips the plaintiff took after her examination for discovery when they did not see the relevancy in seeking production of photographs and video recordings of her pre-examination trips. The change in circumstances of the plaintiff relate to her career and employment status and has no relationship to her ability to travel which she testified to the fact that her injuries do not impact on her ability to travel. Lastly, the defendants have several images of the plaintiff from her MySpace web page with which they can cross examine the plaintiff at trial. This appears to be a form of further discovery to which the defendant is not entitled.

Rule 48.04(2)(b)(iv) exception

19 The defendants submit that this motion falls within the exception set out in subrule 48.04(2)(b)(iv). That rule provides that subrule (1) does not relieve a party from any obligation imposed by Rule 31.09 to correct answers given at an examination for discovery notwithstanding that the case was placed on the trial list. They further submit that in addition to the threshold issue at trial, another issue will be to what extent, if any, the plaintiff's avocational pursuits have been affected by her alleged injuries.

20 The information sought by the defendants is as follows:

1. a list of places the plaintiff sought employment;

2. details of the plaintiff's piano performances and piano lessons including sufficient details to identify and locate the persons for whom the plaintiff performed, along with the amounts received in compensation for services;

3. details of the plaintiff's travels for recreation or otherwise including particulars engaged in during her travels.

21 The defendants clarified that they were only seeking the above information for the last year and a half.

22 The questions and answers at issue are as follows:

Re: Career goals

154. Q. What's your ultimate ambition in terms of a career?

A. I'd like to get into international marketing, work for an international firm.

155. Q. Well, what do you mean by "international marketing"?

A. Global brand strategy.

156. Q. Okay. I'm going to guess that in order to do that you're going to have to potentially move from the city?

A. Yes.

157. Q. And do you have any objection to doing that?

A. No.

Re: Travel since the accident

377. Q. And have you had to travel anywhere since the accident for recreation or otherwise?

A. yes. I've travelled --

378. Q. (Interposing) Where have you been?

A. -- last September. I went to Vancouver last September.

Re: Piano

45. Q. Right, and the material that we've been given indicates that you also like to play piano. You teach piano --

A. (Interposing) I teach piano part-time.

387. Q. And you've got, you're still teaching the kids, right?

A. Correct.

388. Q. And how many hours?

A. Between 12 and 15. It's three, three evenings a week.

23 There is no evidence before me to suggest that these answers were not correct or were incomplete when given and that any time thereafter they became incorrect. Certainly certain aspects of the plaintiff's life have changed since her examination but that alone does not mean that her answers were incorrect or incomplete when made on October 13, 2005.

24 In particular, regarding the request for a list of the places the plaintiff sought employment, it is my view that notwithstanding the fact that there has been a substantial change in circumstances, this information is not relevant to any of the issues in this action therefore it is not to be produced. Regarding the requests for production of information about the plaintiff's piano performances, piano lessons and trips, I refuse to grant these orders because it can hardly be said that the defendants are now entitled to this information when they failed to ask for the same information for the period of time prior to the examination for discovery. To order production of this information would constitute a further form of discovery to which the defendant is not entitled.


25 Both parties filed Cost Outlines, however neither of them were complete in failing to specify the partial indemnity rate and actual rate or any of the points listed which are to be made in support of the costs sought. Both counsel attached a billing statement; however, a billing statement is not a substitute for setting out the partial indemnity and actual rates. These rates are some of the considerations in determining the cost order and without them an appropriate amount for costs cannot be determined. The Court cannot be expected to extrapolate the hourly rates from the billing statement and then calculate the partial indemnity rates. As the Costs Outlines were essentially useless for the purpose intended by the Rules, and given that the defendants were successful, at least in part, with their motion, costs are fixed at $750.00 payable by the plaintiff and the defendants forthwith.


26 There shall be an order as follows:

1. The plaintiff shall produce the following within 7 days;
a) a copy of the plaintiff's file from any employment placement agencies; and

b) a copy of the plaintiff's current employment file and contact information relative to her immediate supervisor and individual in charge of Human Resources;

2. Costs to the defendants fixed in the amount of $750.00 payable forthwith.


Labels: , , , ,

Saturday, June 02, 2007

B.C. privacy commissioner probes tenant database firm 

Today's Globe & Mail is reporting that the British Columbia Information and Privacy Commissioner has started an investigation into TVS Tenant Verification Services, a company that provides reports on prospective tenants. See: B.C. privacy commissioner probes tenant database firm.

Labels: , ,

Thursday, May 03, 2007

Parliamentary review of PIPEDA: Report 

The Parliamentary Committee on Access to Information, Privacy and Ethics has just released its report following the five year PIEDA review:



has the honour to present its

Fourth Report

Pursuant to its mandate under Standing Order 108(2), the Committee has studied a Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and agreed to the following report:

The HTML version of this report will be available soon. In the meantime, the Committee is pleased to make available the report entitled STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) (.PDF, 262 KB) in printable format.

Here are the recommendations:


Recommendation 1

The Committee recommends that a definition of “business contact information” be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose.

Recommendation 2

The Committee recommends that PIPEDA be amended to include a definition of “work product” that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be added to the definition of “work product information” in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.

Recommendation 3

The Committee recommends that a definition of “destruction” that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA.

Recommendation 4

The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 5

The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees.

Recommendation 6

The Committee recommends that PIPEDA be amended to replace the “investigative bodies” designation process with a definition of “investigation” similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose .

Recommendation 7

The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modeled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada.

Recommendation 8

The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment.

Recommendation 9

The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 10

The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein.

Recommendation 11

The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts.

Recommendation 12

The Committee recommends that consideration be given to clarifying what is meant by “lawful authority” in section 7(3)(c.1) of PIPEDA and that the opening paragraph of section 7(3) be amended to read as follows: “For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […]”

Recommendation 13

The Committee recommends that the term “government institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities.

Recommendation 14

The Committee recommends the removal of section 7(1)(e) from PIPEDA.

Recommendation 15

The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard.

Recommendation 16

The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information.

Recommendation 17

The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form.

Recommendation 18

The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time.

Recommendation 19

The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.

Recommendation 20

The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities.

Recommendation 21

The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared.

Recommendation 22

The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (section 9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation.

Recommendation 23

The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.

Recommendation 24

The Committee recommends that upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.

Recommendation 25

The Committee recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a “without consent” power to notify credit bureaus in order to help protect consumers from identity theft and fraud.

Labels: , , , , , , , , ,

Friday, January 26, 2007

B.C. privacy commissioner to rule on ID scans in bars 

According to the CBC, the Information and Privacy Commissioner has completed his inquiry related to the practice of swiping drivers' licenses at bars in that province. A decision is expected next month. See: B.C. privacy commissioner to rule on ID scans in bars.

Labels: , , ,

Monday, December 11, 2006

Breach notification assessment tool 

Today, the Information and Privacy Commissioners of Ontario and British Columbia have released a Breach Notification Assessment Tool to provide guidance to public and private sector bodies on what to do after a personal information breach. It is meant to be used alongside existing publications for each province:
B.C.: Key Steps in Responding to Privacy Breaches (


What to do if a privacy breach occurs: Guidelines for government organizations, (

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector, (

Labels: , , , ,

Friday, December 01, 2006

Day four of the PIPEDA hearings 

Michael Giest has a summary of the fourth day of testimony before the Parliamentary Committee conducting the PIPEDA review hearings:

Michael Geist - PIPEDA Hearings - Day 04 (B.C. Privacy Commissioner Loukidelis and Professor Val Steeves):

"Wednesday's PIPEDA hearing featured B.C. Privacy Commissioner David Loukidelis and University of Ottawa professor Val Steeves. Commissioner Loukidelis went even further than the federal privacy commissioner in downplaying significant change. Loukidelis downplayed his order making power (a last resort), security breach notification (more evidence on impact needed), and even the concerns associated with cross-border transfers to the U.S. (can always pick a different private sector company). Professor Steeves highlighted the privacy challenges posed by new technologies and offered some specific reform recommendations. Natalie Senst was in attendance on Wednesday afternoon and she filed the following report:..."

Update (20070118): For links to the full hearing transcripts, go to: Canadian Privacy Law Blog: PIPEDA Review Transcripts.

Labels: , , ,

Saturday, November 11, 2006

"Streeet Sweeper" deployed in British Columbia 

Thanks to a friend in BC for sending me this:

Police in the Lower Mainland of British Columbia have just completed a trial of license plate recognition technology and are planning a widespread rollout of the technology in Vancouver. It consists of a camera mounted atop a police car that looks up license plates, checks them against a database and alerts the cop at the wheel if the car is "suspicious". The technology can look up about 3000 plates an hour and they apparently find that they are overwhelmed with the number that turn up as being suspicious - about one in fifty.

The technology has apparently had great success in the UK (you might remember this) and some people have concerns with privacy aspects of what is characterised by the BC Attorney General as a "street sweeper".

Sgt. Gord Elias said at a press conference: "The potential of ALPR is up to everyone's imagination. There is absolutely no end to what you could do with it."

Like any surveillance technology, it would be prone to "mission creep". It can target child abductors and terrorists. Or people with unpaid parking tickets, those defaulting on student loans. Or it could be used for profiling by flagging people who choose to drive in suspicious places at suspicious times. The reports I have seen do not say whether the system keeps a record of cars looked up or the location that this takes place. If that were the case, the police would be able to create a log of where you (or your car) has been and at what time.

There was no mention of privacy issues in any of the reports, or how these might have been addressed. I wonder whether a privacy impact assessment was carried out as part of the roll-out. Check out: CTV Video - licence plate scanning. And Vancouver Sun: 1 in 50 drivers 'commits crime' on roads.

The technology isn't exactly brand new. Check out what Bruce Schneier had to say when the technology was rolled out in Connecticut in 2004:

Schneier on Security: License Plate "Guns" and Privacy:

... On the face of it, this is nothing new. The police have always been able to run a license plate. The difference is they would do it manually, and that limited its use. It simply wasn't feasible for the police to run the plates of every car in a parking garage, or every car that passed through an intersection. What's different isn't the police tactic, but the efficiency of the process.

Technology is fundamentally changing the nature of surveillance.... It's wholesale surveillance.

And it disrupts the balance between the powers of the police and the rights of the people....

Like the license-plate scanners, the electronic footprints we leave everywhere can be automatically correlated with databases. The data can be stored forever, allowing police to conduct surveillance backwards in time.

The effects of wholesale surveillance on privacy and civil liberties is profound; but unfortunately, the debate often gets mischaracterized as a question about how much privacy we need to give up in order to be secure. This is wrong. It's obvious that we are all safer when the police can use all techniques at their disposal. What we need are corresponding mechanisms to prevent abuse, and that don't place an unreasonable burden on the innocent.


For license-plate scanners, one obvious protection is to require the police to erase data collected on innocent car owners immediately, and not save it. The police have no legitimate need to collect data on everyone's driving habits. Another is to allow car owners access to the information about them used in these automated searches, and to allow them to challenge inaccuracies.

We need to go further. Criminal penalties are severe in order to create a deterrent, because it is hard to catch wrongdoers. As they become easier to catch, a realignment is necessary. When the police can automate the detection of a wrongdoing, perhaps there should no longer be any criminal penalty attached. For example, both red light cameras and speed-trap cameras all issue citations without any "points" assessed against the driver.

Wholesale surveillance is not simply a more efficient way for the police to do what they've always done. It's a new police power, one made possible with today's technology and one that will be made easier with tomorrow's. And with any new police power, we as a society need to take an active role in establishing rules governing its use. To do otherwise is to cede ever more authority to the police.

Labels: , , , , ,

Friday, October 13, 2006

Sentencing judge can't impose drug testing without legislative scheme that balances privacy right 

According to the Supreme Court's decision in R. v. Shoker (handed down today), a sentencing judge does not have the power to "fill in the blanks" of the Criminal Code to require a probationer to submit to random blood, breath and urine samples to determine if he or she is obeying the condition to abstain from drugs and alcohol. It is up to Parliament to try to devise a scheme that includes adequate respect for the Charter rights of probationers.

R. v. Shoker:

"25 The establishment of these standards and safeguards cannot be left to the discretion of the sentencing judge in individual cases. There is no question that a probationer has a lowered expectation of privacy. However, it is up to Parliament, not the courts, to balance the probationers’ Charter rights as against society’s interest in effectively monitoring their conduct. Since the purpose of s. 8 is preventative, the following principle in Hunter v. Southam Inc., [1984] 2 S.C.R. 145, at p. 169, is particularly apposite here:

While the courts are guardians of the Constitution and of individuals’ rights under it, it is the legislature’s responsibility to enact legislation that embodies appropriate safeguards to comply with the Constitution’s requirements. It should not fall to the courts to fill in the details that will render legislative lacunae constitutional.

In this case, the Crown argues that reasonable and probable grounds are not required for the search and seizure of bodily substances from probationers and that the seizure of blood samples is also reasonable. Hall J.A. disagreed. He would have deleted the requirement to provide blood samples as too intrusive and conditioned the requirement to provide urine and breath samples upon the establishment of reasonable and probable grounds. Those are precisely the kinds of policy decisions for Parliament to make having regard to the limitations contained in the Charter. Parliament has specifically addressed the issue of alcohol and intoxicating substances in ss. 732.1(3)(c), (g.1) and (g.2) but it has not provided for a scheme for the collection of bodily samples as it has done in respect of parolees. Such a scheme cannot be judicially enacted on the ground that the court may find it desirable in an individual case. In addition to the constitutional concerns raised by the collection of bodily samples, the establishment of such a scheme requires the expenditure of resources and usually the cooperation of the provinces. This reality is exemplified in this case where the funding for urinalysis has been discontinued in British Columbia rendering the probation condition moot. This is yet another reason why the matter is one for Parliament.

Back over to you, Parliament ....

Labels: , ,

Thursday, September 14, 2006

Incident: BC Government and service provider lose 33 data tapes with info on hundreds of thousands 

A while ago, the BC government caught auctioning off backup dapes containing loads of pesonal information (The Canadian Privacy Law Blog: Incident: British Columbia government actioned off surplus backup tapes with sensitive health information). Now, IT Business has discovered that 33 backup tapes sent missing from a British Columbia government data centre. An investigation turned of three of the tapes, but the rest remain AWOL. Some of the tapes contain very sensitive personal information about welfare recipients and others contain even more sensitive health information.

What's worse is that the tapes were lost in August of last year and the investigation was completed in February, but it took a Freedom of Information Act request for the information to come to light.

See: ITBusiness - B.C. loses track of computer tapes with citizens' data: Information about income assistance, prescriptions and identifying details of hundreds of thousands of people goes missing. Telus comments on its role and its efforts to lock down the data centre

Labels: , , , ,

Thursday, August 31, 2006

Pizza receipts land in trash 

If your data is supposed to go to a shredder, make sure it ends up there.

A dumpster in British Columbia has been found overflowing with credit card receipts that contain card numbers, expiry dates and customer names. The owner of the pizza joint where the receipts originated says they were sent to a shredder. Unfortunately, they never made it there.

There are two problems here: First, the paper should have gone to a shredder. That's a no-brainer. Secondly, that information should not have been on the slips in the first place. I am getting sick and tired of seeing full credit card data on slips that are generated by a computer terminal. All these transactions are settled electronically and there is simply no reaon for the full credit or debit card number to be printed everywhere. I have noticed that even companies that do not print the full number on the customer's copy often print the full data on the story copy. Why? I don't know but that's the version that wound up in the dumpster.

In short, if you don't need it, don't collect it or keep it. But if you do need it and do collect it, dispose of it properly.

24 Hours Vancouver - News: Pizza receipts land in trash


When Mark Schroeder slapped a pizza dinner on his Visa card in Whistler three years ago, he never thought that his Visa receipt would end up in a dumpster behind a Domino's franchise office in Port Coquitlam.

But on Tuesday afternoon when 24 hours followed an anonymous tip to the dumpster off Kingsway Avenue, Schroeder's credit-card slip, complete with account number, expiry date and name, was among thousands in a trash container.

"I can't even think of a word to describe how upset I am right now. What can you say?" Schroeder said from his home in Pemberton. "I'm kind of awestruck, actually, that they would do something like this and treat their customers with such a lack of respect."

The anonymous tipster felt the same way when he came across the dumpster, overflowing with credit-card slips and card imprints, on his morning walk to work.

"I was angry because that could have been my stuff in there," he said, adding "there's credit-card numbers, expiry dates and signatures on there that makes it very obvious to identity theft."

According to Gord Jamieson, Visa Canada's director of Risk Management and Security, "there is a requirement under the Payment Card Data Security Standards for the destruction of data.

"The data must be securely destroyed in a manner such that the account data is no longer readable," he said.

Domino's franchise owner Gary Josefczyk oversees the office and owns 21 Domino's Pizzas throughout the Lower Mainland.

He said the credit-card slips were sent to a mobile shredder.

"I don't know what to say. My policy is to shred them after nine months of holding them," he said.

Josefczyk declined to comment any further.

Labels: , , ,

Sunday, August 27, 2006

Privacy groups slam use of CIA-backed software to index Canadian health files 

I'm back from vacation, CBA, etc and clearing out my backlog of developments in the privacy field. Here is one interesting item that I missed from ten days ago ....

It appears that the Canada Health Infoway group is contracting with a CIA-funded company to provide software for managing electronic health records here in Canada. This, not surprisingly, has some privacy folks concerned. I would be wary about selecting this vendor, but it raises an important general issue about the procurement of software and systems for managing sensitive personal information: if you do not have access to the source code, how can you know whether there is a back-door or a "phone home" function built into the system? Most contracts have covenants that there are no such functions, but these promises may be inadequate if the risks related to data is very high. Even if the company does not intend to use them for nefarious purposes, once-hidden "defects" (or features) are too easily discovered by those with nefarious intent and can completely destroy the credibility of the whole system. And when the system is a unified elecronic health records, the consequences of such a loss of trust could be devastating.

Privacy groups slam use of CIA-backed software to index Canadian health files:

OTTAWA (CP) - Software that will help sort millions of Canadian health records was developed by a company funded through the CIA's venture capital partner, sparking concerns about the confidentiality of patient data.

Privacy advocates are raising questions about Canadian use of the Initiate Systems indexing program given its creator's financial connection to In-Q-Tel - a private firm that helps the U.S. Central Intelligence Agency zero in on promising technology.

"There's a smell test that happens here, and it doesn't smell right," said David Fewer, general counsel for the Canadian Internet Policy and Public Interest Clinic.

"The optics require that foreign intelligence services stay well away from the delivery of health care services in Canada."

Initiate Systems of Chicago has sold the indexing software to Alberta, British Columbia, Manitoba, Newfoundland, Saskatchewan and Ontario for use in a national initiative to better manage health records.

Canada Health Infoway, a non-profit corporation accountable to the federal, provincial and territorial governments, aims to create compatible electronic health information systems across the country.

In-Q-Tel was established seven years ago as a private company to help the CIA and the broader U.S. intelligence community identify, acquire and use cutting-edge technologies.

Though not part of the CIA, In-Q-Tel consults with the intelligence agency on the strategic value of potential transactions.

The venture capital firm made an investment in Initiate Systems earlier this year.

The intelligence connection, first reported by U.S.-based Government Health IT magazine, prompted Canada Health Infoway staff to ask participating provinces about potential problems.

Infoway spokesman Kirk Fergusson said preliminary inquiries indicate Initiate doesn't have access to any client health data held by the provinces. "Thus far, that seems to be the story."

Gina Sandon, vice-president marketing for Initiate Systems, said the company will not see patient files of any description.

"At no point do we house data, access data or move data from our customers. Our customers control their data behind their firewalls and manage the security of that data."

Sandon said Initiate has worked with each province to ensure compliance with "all Canadian laws and privacy compliance requirements."

The software company adds that In-Q-Tel has no member on Initiate's board of directors, nor any decision-making power.

Despite the assurances, Darrell Evans of the B.C. Freedom of Information and Privacy Association remains skeptical Initiate Systems will not see patient data.

"I simply don't believe they will never have access," he said.

"I think there's reason to be concerned about this."

Evans contends the arrangement with a U.S. firm with intelligence ties increases the vulnerability of such files in an era when security agencies are keenly interested in personal dossiers to fight terrorism.

"Governments want this information. There's no question. If they see the need for it, they will get it."

In-Q-Tel spokesman Donald Tighe insisted there's nothing to worry about.

Tighe said In-Q-Tel, which has offices in northern Virginia and California's Silicon Valley, is solely interested in cultivating "best-of-breed" technologies of use to the intelligence community.

"Our job is to help create this connectivity between innovations and government agencies."

Anne-Marie Hayden, a spokeswoman for Privacy Commissioner Jennifer Stoddart, said the watchdog is discussing the issue with Canada Health Infoway.

"At this time, there's nothing that leads us to believe that Canadians' personal health information is at risk," Hayden said. "However, we are monitoring this issue very closely."

Labels: , , , ,

Wednesday, May 17, 2006

Canadian privacy leaders speak out about privacy and digital rights management 

Some of the biggest names in privacy in Canada have joined together to lobby the new Conservative government about potential privacy effects of legislative changes enshrining digital rights management in Canadian copyright law. The new group ( has sent a letter and a background paper to Culture minister Maxime Bernier asking that privacy issues be carefully considered before embarking on changes to copyright laws that could have a significant privacy impact upon Canadians. The privacy commissioners of Canada, Ontario and British Columbia have also each sent separate letters to the Minister on the topic.

In short, the group is seeking assurances from the government that:

  • any proposed copyright reforms will prioritize privacy protection by including a full privacy consultation and a full privacy impact assessment with the introduction of any copyright reform bill;
  • any proposed anti-circumvention provisions will create no negative privacy impact; and
  • any proposed copyright reforms will include pro-active privacy protections that, for example, enshrine the rights of Canadians to access and enjoy copyright works anonymously and in private.

Labels: , ,

Wednesday, May 10, 2006

Incident: BC Cancer agency sends mammogram results to wrong women 

Thanks to a regular Vancouver correspondent for passing this along ...

The British Columbia CTV news is reporting that the BC Cancer Agency accidentally sent 977 sets of mammogram results to the wrong addresses. It was caused by "operator error" in using a letter stuffing machine. The agency sent letters to the 977, informing them of the error. This story only came to the media's attention because CTV's health correspondent was one of the unlucky recipients.

The only coverage I can find is from the CTV's news broadcast: video here (scroll to 15:14). There's nothing on the Cancer Agency website.

Labels: , , ,

Sunday, May 07, 2006

Canadian immigration authorities begin "low key" biometrics trial 

Canadian immigration authorities are starting a "low key" biometrics trial in a number of centres, including a handful of border crossings in British Columbia and Ontario.

The fact of the trial is interesting enough, but the polling and spin plan referred to in the following article is also very interesting:

Print Story - network

Biometric screening program planned

The controversial technology would be used on immigrants and refugees

Peter O'Neil

Vancouver Sun

Saturday, May 06, 2006

OTTAWA -- The Conservative government, concerned about negative media coverage and public concerns over privacy issues, is taking a "low-key" approach to its plans to launch a six-month trial later this year of controversial biometrics screening technology at key entry points for immigrants and refugees, according to internal documents.

The $3.5-million trial program will take place at two Canada-U.S. border stations in B.C., Vancouver International Airport, a refugee processing centre in Etobicoke, Ont., and visa offices in Seattle and Hong Kong.


The trial marks one of the government's first moves into the controversial use of biometrics -- the use of physical characteristics such as DNA or face, iris or fingerprint scans -- to confirm identity documents.

Privacy Commissioner Jennifer Stoddart has raised questions about biometrics in the context of broader post 9/11 concerns about how the personal information of Canadians can be distributed, often without their knowledge, to governments, corporations and even U.S. security agencies through the powerful and intrusive Patriot Act.

Polls show that numerous Canadians don't trust the technology, fear who may have access to it, and view their physical characteristics as "extremely personal," said Florence Nguyen, a media spokeswoman at Stoddart's office.

"They're very concerned."

CIC officials consulted Stoddart's office on the trial program, which was first funded by the former Liberal government in 2003. Nguyen said privacy officials proposed changes to improve privacy protection, and will await results on the trial program before passing final judgment.

A March 15, 2006 slide presentation to Solberg described the trial as a "sensitive issue."

It noted that an internal poll found that more than 70 per cent of Canadians support biometrics for use in passports and at borders, but that the polling also indicates "mixed opinions" and added that "security still surpasses privacy concerns but is weakening."

The presentation, noting that media coverage of biometrics has been "negative" due to privacy concerns, argues against strongly publicizing the initiative.

"Communications strategy takes this into consideration, proposing a low-key approach and news release upon launch of the trial," states the plan, obtained by Ottawa researcher Ken Rubin through the Access to Information Act.

Charette's March 15 partly-censored briefing note predicts a strong reaction from media and non-governmental organizations to the trial and says "communications strategy will include the preparation of "media lines" for Solberg and a "broad communications strategy on the field trial."

The third component of the media strategy is also whited out, although Access to Information officials at Citizenship and Immigration Canada refused to disclose in the document which specific section of the legislation was used to justify the exclusions.

There are indications CIC is following through on the plan to lay low about the trial.

CIC published a brief notice of the trial on its website last month announcing the trial, identifying Unisys Canada Inc. as the company that has won the contract to supply the biometrics technology. However, no formal news release was issued, and CIC spokeswoman Sheila Watson said the department can't explain why it issued a notice rather than a press release, and couldn't explain whether the two forms of communication have different distribution networks to the media and other organizations.


Labels: , , , , , , ,

Saturday, April 29, 2006

BC Government proposes rollbacks to USA Patriot Act provisions in FIPPA 

The British Columbia Government has introduced amendments to the Freedom of Information and Protection of Privacy Act, the province's public sector privacy and access law, to roll back some of the more recent amendments made in response to fears about the USA Patriot Act. (BILL 30 -- 2006: MISCELLANEOUS STATUTES AMENDMENT ACT (No. 2), 2006). The Information and Privacy Commissioner is generally in agreemenet with the cross-border amendments and has issued a statement published on his website:

Bill 30 (Miscellaneous Statues Amendment Act, 2006)––Amendments to the Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Personal Information Protection Act (“PIPA”)––OIPC File No. F05-26470

Further to my letter of April 27, 2006, I have now had an opportunity to consider the other amendments that the above Bill would make to FIPPA and to PIPA. I support these amendments.

In the case of amendments to FIPPA in relation to location of personal information outside of Canada or access to it from outside Canada, I support these amendments as reasonable. I note that they are narrowly tailored and would permit location of personal information outside Canada or access from outside Canada only where a public body official is temporarily travelling outside Canada or for “installing, implementing, maintaining, repairing, trouble shooting or upgrading an electronic system or equipment that includes an electronic system” or “for data recovery that is being undertaken following failure of an electronic system”.

The BC Government Employees Union, which started the USA Patriot Act and oursourcing fuss some time ago, is not at all happy. Here's their statement:

BCGEU: Liberal efforts to weaken privacy protection, .....:FOR IMMEDIATE RELEASE

APRIL 28, 2006

Liberal efforts to weaken privacy protection, limit freedom of information buried in omnibus legislation

The B.C. Government and Service Employees’ Union is adding its name to the list of groups opposed to sweeping changes in privacy protections and access to information contained in the Freedom of Information and Protection of Privacy Act (FIPPA) which the Campbell government tried to bury in an omnibus piece of legislation introduced Thursday in the Legislature.

“These are very troubling measures that are ill advised and just plain dangerous,” warns BCGEU president George Heyman. “It’s a real setback for open and transparent government.”

Heyman says the proposed amendments roll back provisions to protect personal privacy implemented in 2004 to address concerns around the USA Patriot Act, based on recommendations by B.C.’s privacy commissioner. That Act—which was just renewed by the Bush government—gives U.S. security agencies like the FBI sweeping powers to obtain information from companies and individuals in that country.

“Victoria is putting British Columbians’ highly sensitive personal information at risk by weakening current protections—thereby increasing the risk of loss and theft, or exposure to the intrusive powers of the USA Patriot Act.”

Changes to section 33 of FIPPA will severely compromise current privacy protections by giving the green light to public bodies to release British Columbians’ personal information outside B.C. and Canada to a shopping list of officials and interests—including employees of private U.S. companies like Maximus and EDS hired by the government—to administer our personal medical and financial records.

“Given the recent high profile failures of this government to protect sensitive personal information, this is a development that will alarm British Columbians,” says Heyman.

Meanwhile, other changes to sections 17 and 21 of FIPPA will enable Victoria to expand the heavy veil of secrecy around privatization projects and private-public partnerships by giving government sweeping powers to withhold information from the public. “These amendments establish that the interests of private companies will take precedent over British Columbians’ right to know,” Heyman says.

He also cautions that proposed Liberal amendments include provisions that will compound the lengthy delays already faced by British Columbians filing access to information requests with government and public bodies, by allowing the government to manipulate response deadlines.

Labels: , , , , , ,

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs