The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Thursday, November 05, 2009
Wednesday, November 04, 2009
The Minister of Health for Nova Scotia has today introduced the Personal Health Information Act in the legislature. I'll have a link to the text of the bill tomorrow, but in the meantime you can read the release:
Personal Health Information Legislation Introduced News Releases Government of Nova Scotia
Personal Health Information Legislation Introduced
Department of Health
November 4, 2009 2:46 PM
Nova Scotian's personal health information would be better managed under proposed legislation introduced today, Nov. 4.
The Personal Health Information Act would provide consistent provincial rules for the management of personal information in health care.
"Patient privacy is a fundamental principle in delivering health care. At the same time, it is important that health care professionals can share information in ways that can improve care," said Health Minister Maureen MacDonald. "This legislation balances these important objectives."
The proposed legislation sets out rules for how health information is collected, used, disclosed, retained and destroyed by the health-care sector in Nova Scotia. It better supports a system that uses electronic as well as paper health records and helps provide a more seamless flow of information.
Specific rules include provisions for privacy breach notification audit reports to track who has had access to electronic health records, and requests for people to access to their health information.
Nova Scotia does not have clear health information legislation. It is governed by a mix of federal and provincial laws, health profession codes, and organizational policies and procedures. Nova Scotia joins eight other provinces who have comprehensive legislation to manage personal health information.
I understand that the legislature session ends shortly, so the Bill will not be debated until the new year. It's also reported that the Department plans to have the Bill come into force in January 2011.
Thursday, October 15, 2009
The Minister of Justice has responded to the Standing Committee on Access to Information, Privacy and Ethics' reports on reform to the Privacy Act and the Access to Information Act with a robust "thanks, but no thanks".
House of Commons Committees - ETHI (40-2) - Reports and Government Responses Report 11 - The Access to Information Act: First Steps Towards Renewal (Adopted by the Committee on June 15, 2009; Presented to the House on June 18, 2009)Government Response: 11th Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Access to Information Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)Report 10 - The Privacy Act: First Steps Towards Renewal (Adopted by the Committee on June 8, 2009; Presented to the House on June 12, 2009)Government Response: Tenth Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Privacy Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)
Thanks to Michael Geist for the pointer.
Some media coverage from the Canadian Press:
The Canadian Press: Harper government refuses to expand information, privacy laws
Harper government refuses to expand information, privacy laws
By Joan Bryden (CP) – 2 hours ago
OTTAWA — The Harper government has quietly nixed recommendations to expand and modernize Canada's access-to-information and privacy laws.
Justice Minister Rob Nicholson's rejection of reforms to the 26-year-old laws sparked accusations Thursday that the Tories have reneged on campaign promises to bring openness and transparency to the federal government.
"The access system now does not work," said Michel Drapeau, a lawyer and a leading expert on accessing government documents.
"They appear to like it this way."
Nicholson's rejection was also greeted with disappointment by privacy experts, who warned that Canada's outdated Privacy Act does not cover modern technologies, such as surveillance cameras and DNA samples collected from suspects.
Nor does it give the privacy commissioner any recourse to the courts when the government inappropriately discloses personal information, no matter how serious the breach.
"We're very disappointed, actually," said Chantal Bernier, assistant privacy commissioner.
"While we agree with the minister that privacy is well protected in Canada, we feel we can do better."
A Commons committee had recommended, among other things, that the information commissioner be given more power to force the government to disclose information in a timely manner.
Drapeau said only 10 to 20 per cent of access requests receive a response within 30 days, as intended under the law. The rest routinely take up to two years with some dragging on as long as four years.
Suzanne Legault, interim information commissioner, said Drapeau's view of the access system is overly pessimistic. She said 57 per cent of requests get a response within 30 days.
Still, she acknowledged there's an "urgent need" to modernize legislation to remedy some "very long delays" in responding to access requests.
Legault pointed out that the act was drafted in the days when bureaucrats kept paper records "in a neat file folder." Now, they are inundated with digital information, such as streams of emails with attachments, that is harder to manage and takes longer to sift through.
"We really live in a world of digital information and the system hasn't adjusted," Legault said.
The Commons committee had also wanted the privacy law expanded to cover new technologies. And it wanted to beef up provisions governing the disclosure of personal information by the Canadian government to foreign states - one of the most urgent needs in the wake of the Maher Arar case, according to Bernier.
Based on information provided by Canadian security authorities, Arar was detained in the U.S. and deported to Syria, where he was tortured.
In responses to the committee tabled quietly last week, Nicholson rejected the proposed reforms as too cumbersome, unnecessary or ill-considered.
He said giving the information commissioner more powers would shift the nature of the job "from an ombudsman model towards a quasi-judicial model," which would be inconsistent with other independent parliamentary watchdogs.
He rejected the notion that information requesters should have direct recourse to the Federal Court if access is refused, arguing that such a reform "would increase the caseload burden on the Federal Court."
On the privacy recommendations, Nicholson ruled out legislative restrictions on the disclosure of personal information to foreign states, arguing that law enforcement and security agencies "require a flexible approach" to information sharing.
"They must be able to share their intelligence within Canada and well as with their foreign partners," he wrote.
Moreover, Nicholson argued that efforts to combat international child abductions, forced marriages and worldwide health threats would be "seriously hampered" by restrictions on information sharing.
Nicholson maintained both the Access to Information Act and the Privacy Act are strong pieces of legislation. And he suggested "administrative alternatives, such as enhanced guidance and training" could be "equally effective" in improving both the access and privacy regimes.
Copyright © 2009 The Canadian Press. All rights reserved.
Labels: health information
Thursday, September 10, 2009
The federal, provincial and territorial Privacy Commissioners meeting together in St. John's have issued a statement calling for "caution" on the expansion of investigative powers proposed by the conservative government.
They issued the following media release, referring to resolutions available on the federal Commissioner's website:
Privacy commissioners urge caution on expanded surveillance plan
ST. JOHN'S, Sept. 10 /CNW Telbec/ - Parliament should take a cautious approach to legislative proposals to create an expanded surveillance regime that would have serious repercussions for privacy rights, say Canada's privacy guardians.
Privacy commissioners and ombudspersons from across the country issued a joint resolution today urging Parliamentarians to ensure there is a clear and demonstrable need to expand the investigative powers available to law enforcement and national security agencies to acquire digital evidence.
The federal government has introduced two bills aimed at ensuring that all wireless, Internet and other telecommunications companies allow for surveillance of communications, and comply with government agency demands for subscriber data - even without judicial authorization.
"Canadians put a high value on the privacy, confidentiality and security of their personal communications and our courts have also accorded a high expectation of privacy to such communications," says Jennifer Stoddart, the Privacy Commissioner of Canada.
"The current proposal will give police authorities unprecedented access to Canadians' personal information," the Commissioner says.
The resolution is the product of the semi-annual meeting of Canada's privacy commissioners and ombudspersons from federal, provincial and territorial jurisdictions across Canada, being held in St. John's.
The commissioners unanimously expressed concern about the privacy implications related to Bill C-46, the Investigative Powers for the 21st Century Act and Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act. Both bills were introduced in June.
"We feel that the existing legal regime governing interception of communications - set out in the Criminal Code and carefully constructed by government and Parliament over the decades - does protect the rights of Canadians very well," says Ed Ring, the Information and Privacy Commissioner for Newfoundland and Labrador and host of the meeting.
"The government has not yet provided compelling evidence to demonstrate the need for new powers that would threaten that careful balance between individual privacy and the legitimate needs of law enforcement and national security agencies."
The resolution states that, should Parliament determine that an expanded surveillance regime is essential, it must ensure any legislative proposals:
- Are minimally intrusive;
- Impose limits on the use of new powers;
- Require that draft regulations be reviewed publicly before coming into force;
- Include effective oversight;
- Provide for regular public reporting on the use of powers; and
- Include a five-year Parliamentary review.
At the meeting in St. John's, the commissioners and ombudspersons also passed a resolution about the need to protect personal information contained in online personal health records.
The resolution emphasizes the importance of empowering patients to control how their own health information is used and shared. For example, it calls for developers of personal health records to allow patients to gain access to their own health information, set rules about who else has access, and to receive alerts in the event of a breach.
"Personal health records have the potential to deliver significant benefits for patients and their health care providers. However, given the highly sensitive personal information involved, developers need to ensure they build in the highest privacy standards," says Commissioner Ring.
Both resolutions are available on the Privacy Commissioner of Canada's website, http://www.priv.gc.ca/.
The resolutions are here:
Wednesday, September 02, 2009
The Information and Privacy Commissioner of Ontario has released written guidance on the "circle of care" under that province's Personal Health Information Protection Act, entitled Circle of Care: Sharing Personal Health Information for Health-Care Purposes.
Here's the news release:
Privacy Commissioner Cavoukian and seven health organizations team up to eliminate confusion over key element of health privacy law
TORONTO, Sept. 2 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, today released a new publication that includes specific practical examples to help clarify any confusion over when health information custodians can assume a patient's implied consent to collect, use or disclose personal health information.
The brochure, Circle of Care: Sharing Personal Health Information for Health-Care Purposes, was developed with the collaboration of seven health organizations. "This brochure cuts through the confusion surrounding the term circle of care," said the Commissioner. "We are using seven relevant examples from across the broader continuum of the health sector to provide such clarification."
"There had been some confusion in the health sector as to the meaning and scope of the circle of care concept," explained Commissioner Cavoukian. "In part, this may have been because the term does not appear in the Personal Health Information Protection Act, 2004. It is, however, commonly used in the health-care community to describe the provisions in the Act that permit health-care providers to assume a patient's implied consent to collect and use personal health information - and to share that information with other health-care providers - in order to provide health care to that patient, unless the patient expressly indicates otherwise."
The Act is based on the premise that privacy can be protected, without needless delays in the health system.
"Overall, the Act is working very well, but clarity needed to be brought to bear on the circle of care concept," said Commissioner Cavoukian.
The seven examples in the brochure address this. As a fictional 61-year-old patient is followed through much of the health-care system, the examples provide specific guidance relating to when a health provider can assume implied consent.
The seven health organizations that worked with the IPC include (in alphabetical order): the College of Physicians and Surgeons, the Ontario Association of Community Care Access Centres, the Ontario Association of Non-Profit Homes and Services for Seniors, the Ontario Hospital Association, the Ontario Long Term Care Association, the Ontario Medical Association and the Ontario Ministry of Health and Long-Term Care.
Here is a condensed version of one of the examples used in the brochure:A patient is sent by his family doctor to a laboratory for blood and urine testing. A geriatrician, a specialist whom the patient has been referred to by his family doctor, would like to obtain the results of those tests. He would also like to obtain a list of the patient's current prescriptions from the pharmacy where he fills all his prescriptions.
Can the laboratory and pharmacy disclose this personal health information and can the geriatrician collect information based on assumed implied consent?
Yes. The laboratory, pharmacy and geriatrician may assume implied consent. The personal health information was received by the laboratory and pharmacy - and will be received by the geriatrician - for the purpose of providing health care to this patient.
"Personal health information may be shared within the circle of care - among health-care providers who are providing health care to a specific patient - but not outside that circle," stressed Commissioner Cavoukian. "Any sharing of personal health information with other health-care providers for purposes other than the provision of health care - or the sharing of personal health information with persons or organizations that are not health-care providers, such as insurers and employers - requires the express consent of the patient."
To see a copy of the brochure, visit http://www.ipc.on.ca/.
Wednesday, July 08, 2009
This is not good and should have been avoidable:
Commissioner urges vigilance in wake of computer virus outbreak at Alberta Health Services
July 8, 2009
The Office of the Information and Privacy Commissioner has been notified by Alberta Health Services that a virus was present on the Alberta Health Services network in Edmonton. The virus impacted the network and Netcare, Alberta’s electronic health record, before it was discovered and removed.
The virus is a new variant of a Trojan horse program called coreflood and is designed to steal data from an infected computer and send it to a server controlled by a hacker. Coreflood captures passwords and data the user of the computer accesses. The virus was active from May 15 to 29 before it was detected and removed.
AHS identified two groups who are potentially at risk. Patients whose health information was accessed in Netcare through an infected computer and employees who accessed personal banking and email accounts from work using an infected computer. AHS is sending letters to the 11,582 patients whose information may have been exposed and has notified all affected employees.
Commissioner Frank Work says this does not necessarily mean Netcare itself has been infected by the virus; rather the virus may have captured patient data accessed through Netcare from an infected computer and sent it to an external party. “While it appears the risk to patients is low, viruses don’t discriminate and this is an important message to everyone about the need to run up to date anti virus software”, says the Commissioner.
The Commissioner’s office is investigating. In the meantime Work is expecting a full forensic report from Alberta Health Services on how this happened and what steps will be taken to prevent future breaches. Work says “AHS responded quickly when the virus was detected and that steps have been taken to notify users and patients with advice on what they should do to protect personal and health information”.
Friday, June 26, 2009
I can just imagine Frank Work's expression of exaperation in uttering the quote attributed to him in the following media release:
Level of security on stolen laptops simply not acceptable, says Commissioner
June 24, 2009
Level of security on stolen laptops simply not acceptable, says Commissioner
Information and Privacy Commissioner Frank Work is perplexed with news that two laptops containing health information stolen from Alberta Health Services (AHS) were not encrypted. “This is shocking for me...I don’t know what we have to do to drive this message home” says the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less. This is highly sensitive information and an issue of public trust. How can the public have faith in public bodies if they can’t provide security for personal information?”
Two laptops with health information of more than 300,000 people were stolen earlier this month. Information on the laptops included names, birth dates, personal health numbers and lab test results for communicable and reportable diseases.
The Commissioner says AHS did have layers of protection on those laptops, but the final layer simply was not there, and while the risk might be low, there is still a risk, “A person with motivation and sufficient skills could still access the information. Risk remains without properly implemented encryption. The measures they had in place are better than nothing, but not good enough.”
Works says, “Encryption technology is readily available, and if you are going to store personal information on a portable device, you had better make sure that encrypting that information is a priority, a part of your business model, and an everyday occurrence, like making sure the door is locked before you leave home.”
The Office of the Information and Privacy Commissioner has launched an investigation into this matter. Work says, “We will be working very closely with AHS to make sure they understand their obligations and to ensure that steps are taken to prevent this from happening again”.
I pity the (next) fool who loses an unencrypted laptop in Alberta.
Wednesday, May 13, 2009
The Information and Privacy Commissioner of Ontario has released her 2008 Annual Report, which makes broad recommendations for changes to the laws in Ontario and calls for the adoption of better practices:
IPC - Office of the Information and Privacy Commissioner/Ontario Commissioner Cavoukian lays out path for increased privacy protection & accountability – doing battle with Victoria University
Commissioner Cavoukian lays out path for increased privacy protection & accountability – doing battle with Victoria University
TORONTO – Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, is urging the provincial government to make specific legislative changes and take additional steps to protect privacy and ensure greater accountability.
In her 2008 Annual Report, released today, the Commissioner cites how her sweeping recommendations from her seminal investigation into a privacy complaint against the video surveillance program of Toronto’s mass transit system have been hailed in the United States as a model that cities around the world can build upon, and in Canada as “a road map for the most privacy-protective approach to CCTV.”
Among the recommendations she is making in her 2008 Annual Report, are:
Amend the law to make it clear that all Ontario universities fall under FIPPA
The Commissioner is calling on the government to fix a potential omission in the Freedom of Information and Protection of Privacy Act related to which organizations are covered under the Act.
Under amendments that came into force in mid-2006, publicly funded universities were brought under the Act. Due to the wording of an amended regulation, the University of Toronto, in response to a freedom of information request received under the Act, argued that Victoria University, an affiliated university, was not covered under the Act.
“An IPC adjudicator determined that, based on the financial and academic relationship between the two, Victoria was part of the University of Toronto for the purposes of FIPPA,” said Commissioner Cavoukian. “The University of Toronto has not accepted our ruling and is now appealing it – having it ‘judicially reviewed.’ They have chosen to fight openness and transparency, expending valuable public resources in the process. We find this completely unacceptable, which is why we are prepared to go to battle on this issue, in our effort to defend public sector accountability. We should add that this is contrary to our normal process of working co-operatively with organizations to mediate appeals and resolve complaints informally. In this case, however, the university, having thrown down the gauntlet, left us no choice but to respond in kind and aggressively defend our Order in the courts.”
There are more than 20 other affiliated universities in Ontario that may have a different relationship with the university they are affiliated with, says Commissioner Cavoukian. “I am calling on the government to ensure that all affiliated universities are covered by the Act. There is no rationale for these publicly funded institutions to fall outside of the law.”
The government needs to set specific fees for requests for patients’ health records under PHIPA
The IPC has received a number of inquiries and formal complaints from the public regarding the fees charged by some health information custodians when patients ask for copies of their own medical records.
Ontario’s Personal Health Information Protection Act (PHIPA) provides that when an individual seeks copies of his or her own personal health information, the fee charged by a health information custodian shall not exceed the amount set out in the regulation under the Act or the amount of reasonable cost recovery, if no amount is provided in the regulation. No such regulation has been passed.
Commissioner Cavoukian, in her August 2008 submission to the Standing Committee on Social Policy, which conducted a statutorily mandated review of PHIPA, again raised the need for a fee regulation. Two months later, in its report to the Speaker of the Assembly, the Standing Committee indicated its agreement with the Commissioner’s recommendation, stating that the determination of what constitutes “reasonable cost recovery” should not be left to the discretion of individual health information custodians and their agents.
“The Minister of Health,” said the Commissioner, “should make the creation of a fee regulation a priority.”
Ontario’s enhanced driver’s licence (EDL) needs a higher level of protection
The Commissioner is calling on the Minister of Transportation to provide better privacy protection for the EDL. “The radio frequency identity (RFID) tag that will be embedded into the card can be read not only by authorized readers, but just as easily by unauthorized readers,” said Commissioner Cavoukian. “Over time, these tags could be used to track or covertly survey one’s activities and movements.”
The electronically opaque protective sleeve that will come with these enhanced licences – which drivers without a passport will need as of June 1 to drive across the U.S. border – “only provides protection when the driver’s licence is actually encased in the sleeve,” said Commissioner Cavoukian. “But individuals who voluntarily sign up for these enhanced driver’s licences will not only be required to produce them at the border, but will still have to do so in other circumstances where a driver’s licence or ID card is presently required, including in many commercial contexts. The reality is that most drivers will abandon the use of the protective sleeve.”
“An on-off device on the RFID tag would provide greatly enhanced protection,” said the Commissioner. “The default position would be off since drivers don’t need the RFID to be ‘on’ when routinely taking their licence in and out of their wallets, unless they are actually crossing the border. I am urging the government to pursue adding a privacy-enhancing on-off device for RFID tags embedded in the EDLs.”
The number of freedom of information requests filed across Ontario in 2008 was the second highest ever – 37, 933, trailing only the 38,584 filed in 2007. Nearly two-thirds of the 2008 requests were filed under the Municipal Freedom of Information and Protection of Privacy Act (24,482), to such organizations as police service boards, municipalities, school boards and health boards. In fact, there were more requests filed to police service boards (13,598) than there were for all organizations under the provincial Act (13,451).
FOI requests may be filed for either personal information or general records (which encompasses all information held by government organizations except personal information). And, the majority of requests each year have been for general records. In 2008 – for the second year in a row – the average cost of obtaining general records under the provincial Act dropped – this time, to $42.74 from $50.54, continuing a reversal of what had been a lengthy trend. The average cost of general records under the municipal Act was $23.54, up only a nickel from the previous year.
Among other key statistics released by the Commissioner:
· Since the IPC began emphasizing in 1999 the importance of quickly responding to FOI requests, in compliance with the response requirements set out in the Acts, the provincial 30-day compliance rate has more than doubled, climbing to 85 per cent from 42 per cent. After achieving a record 30-day compliance rate in 2007 of 84.4 per cent, provincial ministries, agencies and other provincial institutions promptly broke the record in 2008, producing an overall 30-day compliance rate of 85 per cent.
· The Commissioner also reported that her office received 507 complaints in 2008 under Ontario’s three privacy Acts, and 919 appeals from requesters who were not satisfied with the response they received after filing an FOI request with a provincial or local government organization. Overall, the IPC resolved 966 appeals and 534 complaints in 2008. The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, which applies to both public and private sector health information custodians, in addition to educating the public about access and privacy issues.
Wednesday, January 28, 2009
Today's Halifax Chronicle Herald has an opinion piece by Bob Doherty, the former head of privacy and access with the Nova Scotia Department of Justice:
Time for a privacy check-up - Nova Scotia News - TheChronicleHerald.ca
Time for a privacy check-up Laws need to be understandable, consistent
By BOB DOHERTY Wed. Jan 28 - 7:25 AM
With today being International Data Privacy Day, it is useful to see just how far society in Atlantic Canada has come in dealing with the complex issue of privacy since the last, almost unnoticed, celebration of this event locally a year ago.
Positive signs are emerging in the efforts to create more privacy consciousness in the region. Dalhousie University hosted a privacy event yesterday, and there have also been other events over the past 12 months. Most recently, CBC Radio’s Maritime Noon hosted a privacy "phone in" with Kostas Halavrezos and local privacy lawyer David Fraser. All of these events and others point to an increase in privacy consciousness in the past year.
However, as one listened to the calls that were received on the CBC Radio privacy segment, it became apparent there was substantial confusion as to what privacy choices, rights, obligations and remedies exist in a variety of settings. A good part of this confusion would seem to arise from a misunderstanding as to what "privacy" is.
In a nutshell, privacy is about legal choices, rights, obligations and remedies for the collection, use and disclosure of non-public, usually recorded, information about us, as individuals, in certain public and private-sector situations. However, even further than this, there are usually only four categories of personal information about us in which privacy choices, rights and obligations may or may not exist:
•Our secrets: This includes information about our personal or work lives, such as employment record, sexual orientation, personal preferences, digital photos or video recordings, records of library loans, video rentals, etc.
•Our identity: Such things as our social insurance number, health card number, blood type, society membership cards, etc., fall into this category.
•Our health: This includes our medical and psychological history.
•Our finances: Examples are our financial and credit status, bank account information, credit card identification and usage history, etc.
While some of the information in all categories may not be considered particularly sensitive and of little privacy interest to some individuals, for others this information is very personal and its disclosure would be viewed as highly privacy-invasive. Regardless of the sensitivity, there is always the potential for public embarrassment, denial of services or financial loss if the information is disclosed, or disseminated widely or indiscriminately.
However, while all of these categories involve our privacy choices, not all of the situations in these categories are subject to privacy laws.
All of this information we willingly (or reluctantly) give to selected individuals or organizations, either as a matter of trust, social interaction, contract or as required by law. However, there seems to be confusion among the general population on choices, rights, obligations and remedies (if any) in many of these situations where our personal information is involved.
In many cases, as Esther Dyson points out in a September 2008 Scientific American article entitled Reflections on Privacy 2.0, "People often have a better bargaining position than they realize, and are gaining the tools and knowledge to exploit that position."
So, how do we lessen that confusion and achieve that level of knowledge and understanding? For those who have tried to navigate the patchwork landscape of privacy laws in Canada, the answer should be obvious. Current laws need to be made more understandable to the average person and consistent across Canada. Penalties should be clear and significant for egregious privacy breaches, and oversight mechanisms must be provided with broad educational mandates and the budgets to implement them.
At the federal level, this would include passage of the proposed "identity theft" amendments to the Criminal Code, and development of clarity amendments to federal public and private-sector privacy legislation.
In Nova Scotia, this would mean proclamation of the recently passed Privacy Review Officer Act. It would also mean a provincial health information law, along with legislation to deal with privacy in the workplace and electronic surveillance (e.g. video, digital cameras including cellphone cameras, and computers).
If these changes, along with increased privacy education about choices, rights and obligations regarding our personal information in the schools, the workplace and the community are implemented, perhaps at this time next year we will not only have an increased level of privacy consciousness – we will also have a better understanding and the capacity to engage in a more informed debate on the future directions privacy-protection policy and laws should take.
Bob Doherty is a Halifax access and privacy consultant who teaches and works with access and privacy law courses in Nova Scotia and Alberta.
I think that Bob and I may think about privacy a bit differently. I probably wouldn't have used the categories he did. To me, words like "non-public" aren't very helpful and everything may fit into the category of "secrets". It just depends on how much an individual decides to disclose and how they propose to disclose it. Public information can be subject to privacy rights, as is the case in PIPEDA where publicly available information is still subject to legal limitations. But no matter what, the public should be educated about privacy rights and should have a say in shaping privacy laws.
Friday, December 19, 2008
In the past two weeks, the New York Times reported that Microsoft has made a minor concession with European privacy authorities about how long it retains its log files. A committee of European privacy regulators had asked that these logs be kept for only six months. Microsoft's response? Eighteen months.Yahoo used to keep them for thirteen months and just announced it will cut retention to 90 days. Google keeps them for nine.
The privacy implictions of these innocuous log files have been underestimated, particularly when you think about the fulsome picture of your private life that companies like Google may be assembling about you. The information in an ordinary web-server log usually contains the just a tid-bit of information. One "hit" on a website may look like this (but all on one line):127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"
The first bundle of numbers is the IP address of the computer that requested a particular web-page. "Frank" refers to a userid, which is usually not eabled. The next field is the date" Following that, and usually preceded by "GET" is the command your web-browser sent to the server. The next bits are the status code returned by the server and then the size of the entity requested. Next is something called a "referer" (mis-spelled) , followed by details about your browser.
Since many people often share the same IP address (it could be one IP for an entire company or just a group of people in a house using the same internet connection), some have argued it is not personal information and a log-file doesn't contain personal information. The problem is that even if an IP address is not directly connected to one individual, one can do some easy analysis to make the connections. After AOL released supposedly de-identified search logs to researchers, an intrepid reporter was able to track down at least one of the users who had some very personal health-related searches in the logs (see: Users identifiable by AOL search data).
What's additionally troubling from a privacy point of view is that the large inernet companies, like Google, Yahoo and Microsoft, don't just have your search queries. Increasingly, they have a huge trove of data sources in their logs.
Take Google, for example. Google has their famous Google search. They also have GMail, Google Analytics, Google AdSense, Google Documents, Google Toolbar and more. Each time you "hit" one of their sites, you're in their logs. Most internet users hit Google's logs dozens of times a day and on many of those occasions aren't even aware that they're using a Google service. Google has what is probably the most popular and widely used network of online advertising: AdSense. Each time you go to a website that features Google's ads, your computer sends a request to Google's servers and that "hit" goes into their logs, along with the information about what site you were visiting, when you visited and what ad was served. If you click on the ad, even more information is collected and logged. But even if you don't visit a site with Google's ads, there's a very good chance that the webmaster is using Google Analytics to find out about useage of his or her site. (Full disclosure: I use Google Analytics for my site at www.privacylawyer.ca.) I should also note that Yahoo! and MSN also have advertising networks, which collect the same sort of information.What this means is that Google, Yahoo and Microsoft register in their logs a significant portion of your usage of the internet.
And if you have a Google, Yahoo! or MSN account, that hit can be connected to your account details, includig your name.
I don't think it's too far fetched to think of a day when it will become standard for all investigations involving the internet to inlcude a warrant served on Google or Yahoo! or Microsoft for all logs related to a particular user or IP address or both.
Next week, I'll discuss efforts being made by governments and law enforcement to make log rentention mandatory.
Thursday, December 04, 2008
The Federal Privacy Commissioner has today tabled her annual report on the Privacy Act. And she isn't happy with how certain government departments handle personal information:
News Release: Privacy issues given short shrift in passport operations and tribunal Internet postings, Commissioner says (December 4, 2008) - Privacy Commissioner of Canada
Privacy Commissioner’s 2007-2008 Annual Report to Parliament on the Privacy Act outlines audit of Passport Canada; investigative findings regarding online posting of personal information by administrative and quasi-judicial bodies
Ottawa, December 4, 2008 — Privacy concerns are not given enough weight in the day-to-day operations of a number of federal government institutions, the Privacy Commissioner of Canada says.
The Commissioner’s latest Annual Report to Parliament on the Privacy Act, which was tabled today, describes how privacy and security problems in Canada’s passport operations added up to a significant risk for Canadians applying for passports.
The annual report also highlights the Commissioner’s concerns that the online posting of personal information by some federal administrative and quasi-judicial bodies does not strike the right balance between the public interest and privacy rights.
Privacy Commissioner Jennifer Stoddart says her Office’s audit of passport operations raised a broad range of concerns about how personal information was handled.
“Given the high sensitivity of the personal information involved in processing passport applications, better privacy and security measures are needed,” says Commissioner Stoddart. “Unfortunately, the shortcomings we found raised the risk that Canadians’ information could wind up in the wrong hands.”
The audit found that passport applications and supporting documents were kept in clear plastic bags on open shelves; documents containing personal information were sometimes tossed into regular garbage and recycling bins; and some documents that were shredded could be easily put back together. Meanwhile, computer systems allowed too many employees to access passport files. The investigation also concluded there was inadequate privacy training for employees – an issue which is a concern across government institutions.The Commissioner is pleased that Passport Canada and the Department of Foreign Affairs and International Trade have indicated they will act on her recommendations and improve privacy and security safeguards.
The annual report also outlines the Commissioner’s concerns about the online posting of federal administrative and quasi-judicial bodies’ decisions which contain highly sensitive personal information.
The OPC investigated 23 complaints regarding the disclosure of personal information on the Internet by seven bodies created by Parliament to adjudicate disputes. The complaints involved: the Canada Appeals Office on Occupational Health and Safety; the Military Police Complaints Commission; the Pension Appeals Board; the Public Service Commission; the Public Service Staff Relations Board; the RCMP Adjudication Board; and Umpire Benefits decisions.
Decisions of these bodies often include highly personal information such as an individual’s financial status, health and personal history.
“This is private information. Law-abiding citizens fighting for a government benefit should not be forced to expose the intimate details of their lives to everyone with an Internet connection,” says Commissioner Stoddart.
The Commissioner agreed that the “open court” principle is an important part of Canada’s legal system, but noted there is a crucial distinction between the courts and the bodies the OPC investigated: The Privacy Act does not apply to the courts, but it does apply to many administrative tribunals and quasi-judicial bodies.
In order to respect their obligations under the Privacy Act, the Commissioner recommended, among other steps, that the bodies reasonably depersonalize decisions posted online by replacing names with random initials. However, the Commissioner noted that, where there is a genuine and compelling public interest in such a disclosure, these bodies have the legal authority under the Act to exercise discretion in disclosing personal information.
Service Canada and Human Resources Development Canada agreed to fully implement the OPC’s recommendations. Other bodies took important but incomplete steps towards compliance with the Commissioner’s recommendations.
Currently, unlike its private-sector counterpart, the Privacy Act does not empower the Privacy Commissioner to enforce her recommendations through legal actions. The OPC has recommended an overhaul of the legislation to address this and other concerns.
The OPC has also asked Treasury Board Secretariat to develop centralized policy guidance on the online posting of personal information by administrative and quasi-judicial bodies.The annual report outlines key activities undertaken by the OPC during 2007-2008, including audits, investigations and policy work. The report notes that new complaints against government institutions dropped slightly to 759 in 2007-2008 from 839 the previous year.
The report is available on the OPC website.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Tuesday, October 07, 2008
An article in the September 24, 2008 National Post cites a new journal article that concludes that privacy laws are hampering important health research. I haven't read the journal article yet, but plan to. While this argument is not new, I don't agree with the conclusions. I have served on Research Ethics Boards and on a special privacy committees of an REB and I haven't seen that happen.
One researcher is quoted as saying that health research should be exempted from privacy laws, which is, in my view, a very bad idea. Perhaps some tweaking is called for, but a blanket exemption would be a very bad idea and may lead to a backlash against research using identifiable personal information.
Many scientists deprived access to patient data
Tom Blackwell , National Post
Published: Wednesday, September 24, 2008
As Canadians place more and more emphasis on safeguarding personal privacy, the trend is taking an inadvertent toll on medical research, often impeding access to intimate but crucial health information, scientists are warning.
Privacy laws not only make public-health studies more time-consuming and costly, they can also significantly skew research results, argue University of British Columbia epidemiologists in a recent journal article.
"I think it's something that everyone should consider because good research is basically how we make advances in public health," said Anne Harris, lead author of the paper. "We need to be able to trust the results we get."
The paper in the Canadian Journal of Public Health suggests that medical research be exempted in some way from privacy rules.
A leading Ontario scientist echoed the B. C. group's concerns: "A lot of the advances we have had in the past might not happen because of privacy legislation and the way it's interpreted," said Dr. Jack Tu, a cardiac health researcher with a University of Toronto-affiliated institute.
Thursday, July 31, 2008
The Province of Nova Scotia has for some time been consulting with inside stakeholders on the development of health information legislation. It has just launched a consultation, seeking input from interested parties. I haven't had a chance to look at the discussion paper yet, but I understand they've been using Ontario's PHIPA as the model:
Personal Health Information Legislation for Nova Scotia Department of Health Government of Nova Scotia
For the past several years the Department of Health has been working with health sector partners on initiatives related to the protection and use of personal health information. As part of the evolution of standards, policy and law on these issues, .the Department is developing a Personal Health Information Act for the province.
The Department is pleased to present the Discussion Paper Personal Health Information Legislation for Nova Scotia (PDF: 70p). Throughout the Discussion Paper, key issues related to the collection, use, disclosure, retention and destruction of personal health information are discussed, and legislative provisions for a Personal Health Information Act are proposed.
Public and stakeholder input to this legislation is critical to its success. Any feedback on the issues raised in the paper, and on any issues related to the management of personal health information in Nova Scotia can be submitted through the online questionnaire, by e-mail to mailto:firstname.lastname@example.org by regular mail to the Personal Health Information Project, Department of Health, 1690 Hollis Street, P.O. Box 488 , Halifax , Nova Scotia , B3J 2R8
The deadline for comments is November 1, 2008.
- Personal Health Information Legislation for Nova Scotia Discussion Paper (PDF:70p)
- Frequently Asked Questions - Foire aux questions (PDF)
- Questionnaire (MS Word) Questionnaire French (MS Word)
- Personal Health Information Legislation Online Questionnaire
Thursday, July 17, 2008
The Supreme Court of Canada has just handed down its decision in Canada (Privacy Commissioner) v. Blood Tribe Department of Health, which was a question of whether the Privacy Commissioner could review documents to determine whether claims of privilege have been properly applied. The unanimous Court, on appeal from the Federal Court of Appeal, determined that she cannot.
From the headnote:
Privacy — Investigations of complaints — Powers of Privacy Commissioner — Production of documents — Solicitor‑client privilege — Dismissed employee filing complaint with Commissioner and seeking access to her personal employment information — Employer claiming solicitor‑client privilege over some documents — Whether Commissioner can compel production of privileged documents — Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, s. 12.
Following her dismissal, an employee asked to have access to her personal employment information because she suspected that the employer had improperly collected inaccurate information and used it to discredit her before its board. The employer denied the request, and the employee filed a complaint with the Privacy Commissioner seeking access to her personal file. The Commissioner requested the records from the employer in broad terms. All records were provided except for those over which the employer claimed solicitor‑client privilege. The Commissioner then ordered production of the privileged documents pursuant to s. 12 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which confers the powers to compel the production of any records “in the same manner and to the same extent as a superior court of record” and to “receive and accept any evidence and other information . . . whether or not it is or would be admissible in a court of law”. The employer applied for judicial review of the Commissioner’s decision. The reviewing judge determined the Commissioner was empowered to compel production of documents over which solicitor‑client privilege was claimed in order to effectively complete her statutory investigative role. The Federal Court of Appeal set aside the decision of the reviewing judge and vacated the Commissioner’s order for production of records.
Held: The appeal should be dismissed.
Solicitor‑client privilege is fundamental to the proper functioning of our legal system. The complex of rules and procedures is such that, realistically speaking, it cannot be navigated without a lawyer’s expert advice. However, experience shows that people who have a legal problem will often not make a clean breast of the facts to a lawyer without an assurance of confidentiality “as close to absolute as possible”. Without that assurance, access to justice and the quality of justice in this country would be severely compromised. It is in the public interest that the free flow of legal advice be encouraged. 
When the appropriate principles of statutory interpretation are applied to the general language of PIPEDA, the right of the individual or organization that is the target of the complaint to keep solicitor‑client confidences confidential must prevail. The Commissioner is an officer of Parliament vested with administrative functions of great importance, but she does not, for the purpose of reviewing solicitor‑client confidences, occupy the same position of independence and authority as a court. It is well established that general words of a statutory grant of authority to an office holder, including words as broad as those contained in s. 12 of PIPEDA, do not confer a right to access solicitor‑client documents, even for the limited purpose of determining whether the privilege is properly claimed. That role is reserved to the courts. Express words are necessary to permit a statutory official to “pierce” the privilege. Such clear and explicit language does not appear in PIPEDA. [1-2]
An adjudication of a claim of privilege by the Commissioner, who is an administrative investigator not an adjudicator, would be an infringement of the privilege. Client confidence is the underlying basis for the solicitor‑client privilege, and infringement must be assessed through the eyes of the client. To a client, compelled disclosure to an administrative officer, even if not disclosed further, would constitute an infringement of the confidentiality. The objection is all the more serious where, as here, there is a possibility of the privileged information being made public or used against the person entitled to the privilege. Furthermore, in pursuit of its mandate, the administrative officer may become adverse in interest to the party whose documents it wants to access. Not only may it take the resisting party to court but it may decide to share compelled information with prosecutorial authorities without court order or the consent of the party from whom the information was compelled. [20‑21] 
Here, the only reason the Commissioner gave for compelling the production and inspection of the documents in this case is that the employer indicated that such documents existed. She does not claim any necessity arising from the circumstances of this particular inquiry. The Commissioner is therefore demanding routine access to such documents in any case she investigates where solicitor‑client privilege is invoked. In the Commissioner’s view, piercing the privilege would become the norm rather than the exception in the course of her everyday work. Even courts will decline to review solicitor‑client documents to adjudicate the existence of privilege unless evidence or argument establishes the necessity of doing so to fairly decide the issue. 
The Commissioner has not made out a case that routine access to solicitor client confidences is necessary to achieve the ends sought by PIPEDA. There are other less intrusive remedies. Firstly, she may, at any point in her investigation, refer a question of solicitor‑client privilege to the Federal Court under s. 18.3(1) of the Federal Courts Act. Secondly, within the framework of PIPEDA itself, the Commissioner has the right to report an impasse over privilege in her s. 13 report and, with the agreement of the complainant, bring an application to the Federal Court for relief under s. 15. The court is empowered, if it thinks it necessary, to review the contested material and determine whether the solicitor‑client privilege has been properly claimed. This procedure permits verification while preserving the privilege as much as possible.  [33‑34]
Some past coverage of this case on this blog: Canadian Privacy Law Blog: Decision: Blood Tribe (Dept. of Health) v. Canada (Privacy Commissioner), Canadian Privacy Law Blog: Commissioner cannot compel privileged documents: FCA.
Tuesday, July 15, 2008
I received the following question the other day:
In terms of personal data that was captured by a healthcare company while a patient in Canada, and relayed to another city in Canada for analysis, further use, etc., does that patient data have to remain in Canada ? or is it allowed to traverse the US border at any time during its journey across the continent ? My concern is that communication networks don't seem to be restricted to intra-Canada operation or due to congestion or failure, most have to use large data highways that may cross over into the United States.In Canada, there are no restrictions on the export of personal information except for personal information that is subject to the Freedom of Information and Protection of Privacy Acts of Alberta, British Columbia and Nova Scotia, and the equivalent in Quebec. Each of those provinces have enacted laws in response to the USA Patriot Act. The Patriot Act gives American law enforcement with much easier access to information, including personal information. The laws in these provinces don't deal with information in transit, but talk about the storage and access to that information. For example, from Nova Scotia's PIIDPA:
Under PIPEDA, is patient or personal data limited to just traverse within Canada ?
5 (1) A public body shall ensure that personal information in its custody or under its control and a service provider or associate of a service provider shall ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless...While there is no caselaw on this issue, I doubt that any of the privacy regulators of those provinces or the courts would find a contravention of this law if data packets containing personal information were routed through the United States on their way between two points in Canada. The information may be intercepted while in transit, but there users have little control over how this data travels. For example, a traceroute function from my home computer to ubc.ca shows that most of the data travels through the US:
Tracing route to ubc.ca [188.8.131.52] over a maximum of 30 hops:
1 2 ms 1 ms 1 ms [REDACTED]
2 20 ms 9 ms 9 ms [REDACTED]
3 17 ms 12 ms 10 ms [REDACTED]
4 11 ms 8 ms 8 ms hlfx-br1.eastlink.ca [184.108.40.206]
5 18 ms 28 ms 18 ms te-3-1.car2.Boston1.Level3.net [220.127.116.11]
6 22 ms 19 ms 18 ms ae-2-5.bar2.Boston1.Level3.net [18.104.22.168]
7 19 ms 19 ms 22 ms ae-0-11.bar1.Boston1.Level3.net [22.214.171.124]
8 46 ms 54 ms 49 ms ae-5-5.ebr1.Chicago1.Level3.net [126.96.36.199]
9 44 ms 52 ms 39 ms ae-68.ebr3.Chicago1.Level3.net [188.8.131.52]
10 73 ms 72 ms 70 ms ae-3.ebr2.Denver1.Level3.net [184.108.40.206]
11 99 ms 90 ms 90 ms ae-2.ebr2.Seattle1.Level3.net [220.127.116.11]
12 90 ms 89 ms 89 ms ae-22-52.car2.Seattle1.Level3.net [18.104.22.168]
13 90 ms 89 ms 88 ms unknown.Level3.net [22.214.171.124]
14 93 ms 91 ms 102 ms p2-1.pr0.yvrx.hgtn.net [126.96.36.199]
15 93 ms 93 ms 91 ms r1-hgtn.netnation.com [188.8.131.52]
16 102 ms 95 ms 93 ms itservices.ubc.ca [184.108.40.206]
This leads to the question of whether your information is safe from interception during transit through the US. It's really not safe from interception at any point on the internet. At each point above, the signals can be intercepted. There was recent speculation that a collaboration between AT&T the National Security Agency allowed national security organs of the US to vacuum international internet and telco traffic from at least one AT&T facility. (See: EFF's class action against AT&T.) Do they have the tools to single out particular traffic? Probably.
So what to do? If sensitive information is being transferred between two points on the internet, it should be encrypted and sent through a secure "tunnel".
Update: Added reference to Quebec statute. Thanks, commenter.
Friday, July 11, 2008
More commentary on the Viacom v. Google/YouTube case, this time from MIT's Technology review:
Technology Review: Privacy protections disappear with a judge's order
Privacy protections disappear with a judge's order
By Associated Press
NEW YORK (AP) _ Credit card companies know what you've bought. Phone companies know whom you've called. Electronic toll services know where you've gone. Internet search companies know what you've sought.
It might be reassuring, then, that companies have largely pledged to safeguard these repositories of data about you.
But a recent federal court ruling ordering the disclosure of YouTube viewership records underscores the reality that even the most benevolent company can only do so much to guard your digital life: All their protections can vanish with one stroke of a judge's pen.
"Companies have a tremendous amount of very sensitive data on their customers, and while a company itself may treat that responsibly ... if the court orders it be turned over, there's not a lot that the company that holds the data can do," said Jennifer Urban, a law professor at the University of Southern California.
In the past, court orders and subpoenas have generally been targeted at records on specific individuals. With YouTube, it's far more sweeping, covering all users regardless of whether they have anything to do with the copyright infringement that Viacom Inc., in a $1 billion lawsuit, accuses Google Inc.'s popular video-sharing site of enabling.
It's a scenario privacy activists have long warned about.
"What we're seeing is (that) the theoretical is becoming real world," said Lauren Weinstein, a veteran computer scientist. "The more data you've got, the more data that's going to be there as an attractive kind of treasure chest (for) outside parties."
U.S. District Judge Louis L. Stanton dismissed privacy arguments as speculative.
Last week, Stanton authorized full access to the YouTube logs -- which few users even realize exist -- after Viacom and other copyright holders argued that they needed the data to prove that their copyright-protected videos for such programs as Comedy Central's "The Daily Show with Jon Stewart" are more heavily watched than amateur clips.
"This decision makes it absolutely clear that everywhere we go online, we leave tracks, and every piece of information we access online leaves some sort of record," Urban said. "As consumers, we should all be aware of the fact that this sensitive information is being collected about us."
Mark Rasch, a former Justice Department official who is now with FTI Consulting Inc., said the ruling could open the floodgates for additional disclosures.
Though lawyers have known to seek such data for years, Rasch said, judges initially hesitant about authorizing their release may look to Stanton's ruling for affirmation, even though U.S. District Court rulings do not officially set precedence.
The YouTube database includes information on when each video gets played. Attached to each entry is each viewer's unique login ID and the Internet Protocol, or IP, address for that viewer's computer -- identifiers that, while seemingly anonymous, can often be traced to specific individuals, or at least their employers or hometowns.
Elsewhere, search engines such as Google and Yahoo Inc. keep more than a year of records on your search requests, from which one can learn of your diseases, fetishes and innermost thoughts. E-mail services are another source of personal records, as are electronic health repositories and Web-based word processing, spreadsheets and calendars.
One can reassemble your whereabouts based on where you've used credit cards, made cell phone calls or paid tolls or subway fares electronically. One can track your spending habits through loyalty cards that many retail chains offer in exchange for discounts.
Though companies do have legitimate reasons for keeping data -- they can help improve services or protect parties in billing disputes, for instance -- there's disagreement on how long a company truly needs the information.
The shorter the retention, the less tempting it is for lawyers to turn to the keepers of data in lawsuits, privacy activists say.
With some exceptions in banking, health care and other regulated industries, requests are routinely granted.
Service providers regularly comply with subpoenas seeking the identities of users who write negatively about specific companies, at most warning them first so they can challenge the disclosure themselves. The music and movie industries also have been aggressive about tracking individual users suspected of illegally downloading their works.
Law enforcement authorities also turn to the records to help solve crimes.
The U.S. Justice Department had previously subpoenaed the major search engines for lists of search requests made by their users as part of a case involving online pornography. Yahoo, Microsoft Corp.'s MSN and Time Warner Inc.'s AOL all complied with parts of the legal demand, but Google fought it and ultimately got the requirement narrowed.
In the YouTube case, Viacom largely got the data it wanted.
Google has said it would work with Viacom on trying to ensure anonymity, and Viacom has pledged not to use the data to identify individual users to sue. The YouTube logs will also likely be subject to a confidentiality order.
But privacy advocates warn that there's no guarantee that future litigants will be as restrained or that data released to lawyers won't inadvertently become public -- through their inclusion as an attachment in a court filing, for instance.
And retailers, government agencies and others are regularly announcing that personal information, stored without adequate safeguards, is being stolen by hackers or lost with laptops or portable storage drives.
"You just never know," said Steve Jones, an Internet expert at the University of Illinois at Chicago. "There are some circumstances under which what seems to be private information is going to be shared with a third party, and the court says it's OK to do that."
Copyright Technology Review 2008.
Thursday, July 03, 2008
A Quick Overview
This is my fifth Annual Report as Saskatchewan’s first full-time Commissioner.
Some good progress has been achieved in terms of access to information and privacy compliance in a number of areas. In other areas, not enough has been achieved.
My intention is that this Annual Report provide both some perspective on the last four and one-half years and an outline of the challenges ahead for this office. The people of Saskatchewan deserve an access and privacy regime that is both robust and effective.
My commentary in this Annual Report needs to be qualified by the recognition that achieving such a regime captures much more than just the activities of our oversight office. It entails other features such as:
From the perspective of the individual in
- Effective and up-to-date legislation;
Strong network of FOIP Coordinators in all government institutions and local authorities;
- Comprehensive training program for all new public sector employees and contractors;
- System of in-service training for all existing public sector employees; and
- Detailed and practical manual that explains statutory requirements in plain language with checklists, specimen forms, and ‘decision trees’.
Saskatchewan, a robust access and privacy regime would feature:
- Relatively simple process to access one’s own personal information and to correct errors in that information;
- Full and timely response to any access requests;
- Relatively simple process to make a complaint that privacy requirements for a public body have not been met;
- A senior, properly trained and qualified FOIP Coordinator for the relevant public body who can assist the citizen to exercise the rights created by our three access and privacy laws; and
Reviews by our office to be completed in majority of cases within five months.
Two central themes have crystallized since I started in November 2003.
1. One is the largely unfinished state of our access and privacy regime despite the fact that FOIP is 16 years old.
2. The other is the burgeoning demand by Saskatchewan citizens and organizations for assistance from us in coping with what is seen as a fragmented, confusing and underresourced trio of laws.
This includes demand from public sector employees who want to do the right thing and who do wish to ensure their organizations meet access and privacy requirements.
Our last four and one-half years have seen significant increases in almost all areas of service. Formal reviews of access decisions and privacy complaints received by our office for the 2007-2008 fiscal year are 40% higher than the previous fiscal year. Requests to our office for summary advice are up 29%. Visitors to our website are up 20% over the previous year.
This increase in demand for assistance may be at least partly attributable to a lack of tools and resources available to those who need them.
That demand for service also reflects new developments that have dramatically sharpened the focus on personal health information, technical threats to privacy and the demand for transparent and accountable government at all levels.
The OIPC is supported by the Legislative Assembly Office that provides an array of services. We appreciate and rely on those resources.
I am very proud of what our small office has accomplished in the last four and onehalf years. The credit goes to the wonderful team of men and women in this office led by Diane Aldridge, Director of Compliance and Pamela Scott, Manager of Administration.
Sunday, June 29, 2008
Earlier this week, I co-chaired Insight Information's conference on electronic health records here in Halifax. I was very pleased to see a lot of expertise in privacy developing in Atlantic Canada, which is necessary as Nova Scotia, New Brunswick and Newfoundland move towards developing and implementing health privacy laws and as electronic health record projects are driving forward.
I gave a presentation on the mess and uncertainty related to the cross-border movement of personal health information in Canada. The complicated overlap of laws that we see in provinces such as Nova Scotia is compounded when the information is disclosed out of the province.
If you're interested, the presentation is here and can be flipped through below:
Thursday, May 22, 2008
The Information and Privacy Commissioner of Ontario tabled her Annual Report 2007 this past week. Apparently it was a good year:
IPC - Office of the Information and Privacy Commissioner/Ontario Major advances made in Access and Privacy, says Commissioner Ann Cavoukian
Major advances made in Access and Privacy, says Commissioner Ann Cavoukian
Court rulings, key decisions by her office and other developments all helped to make 2007 a year of significant progress in advancing both freedom of information and protection of privacy, Ontario Information and Privacy Commissioner Ann Cavoukian said today, as she released her 2007 Annual Report.
“I have never felt as positive about the future of privacy in Ontario as I do right now,” said the Commissioner. “And there have been some very important advances related to access to government-held information.”
Among the positive developments she cites related to privacy protection:
- A key court ruling and subsequent ground-breaking order the Commissioner issued that addressed the same core issue – that the collection of extensive personal information from individuals whose only wish was to sell one or more second-hand items to a used-goods store should not end up in police files.
- In July, the Ontario Court of Appeal struck down a City of Oshawa bylaw that had required used-goods retailers to collect extensive personal information from people who wanted to sell second-hand items to used-goods stores. This personal information was then to be transmitted to, and stored centrally in, a police database – without any restrictions on its use or any judicial oversight.
- Two months later, following an investigation into a privacy complaint received by her office, the Commissioner invoked – for the first time in the 20-year history of her office – the power to order an institution to cease the collection of personal information and to destroy collections of information collected previously. She ordered the City of Ottawa and the Ottawa Police to stop collecting extensive personal information from individuals selling used goods to second-hand stores and to destroy personal information already collected (with limited exceptions).
- A ruling by Justice Edward Belobaba of the Ontario Superior Court of Justice that sections of the Adoption Information Disclosure Act breached the Canadian Charter of Rights and Freedoms. “As the Court noted,” said the Commissioner, “the Charter, ‘… is intended primarily to protect individuals and minorities against the excesses of the majority,’ and, accordingly, in this case, the Charter protected the minority who wished to preserve their privacy. I want to emphasize the significance of one of the statements in that Court decision:
‘People expect, and are entitled to expect, that the government will not share their confidential or personal information without their consent. The protection of privacy is undeniably a fundamental value in Canadian society.’”
“It is of critical importance,” said the Commissioner, “that we never forget the Court’s words, ‘… privacy is undeniably a fundamental value in Canadian society,’ because privacy forms the very underpinning of liberty – the very foundation upon which our freedoms are built.”
- Positive steps were also taken in the development of “transformative technologies” – a new term for privacy-enhancing technologies applied to technologies of surveillance. For example, the Ontario Lottery and Gaming Corporation is evaluating facial biometrics for its “self-exclusion” program, under which some gamblers seek the OLG’s assistance in barring them from gambling in casinos operated by the OLG. Under a contract with the OLG, a University of Toronto team has been researching novel Biometric Encryption (BE) solutions. The system attempts to identify the subjects in the self-exclusion program while protecting the privacy of stored personal information. This information can be accessed only if a correct biometric, i.e. the facial image of a self-excluded person, is presented. In other words, the personal information is in effect “encrypted” with the person’s biometric – extremely privacy protective.
Among the positive developments in 2007 related to freedom of information were several pivotal court rulings. These included:
- A very significant ruling by Ontario’s Divisional Court which upheld two decisions made by the Commissioner’s office on the application of the solicitor-client exemption to legal fees. “This ruling was a strong endorsement of our approach to the disclosure of legal fee information and underscores our consistent message that governments should actively disclose information about the expenditure of public funds,” said the Commissioner.
- Another key ruling, which applied the Canadian Charter of Rights and Freedoms, expanded the circumstances under which the public interest may override certain exemptions to accessing information under the Freedom of Information and Protection of Privacy Act (FIPPA). The Ontario Court of Appeal, in effect, amended FIPPA in a way that the IPC had been advocating since 1994, but did not have the authority to change. Section 23 of FIPPA states that where a “compelling public interest” in disclosure “clearly outweighs” the purpose of certain exemptions from the right of access, those exemptions do not apply. As a result of this decision, the IPC (subject to an appeal the Supreme Court of Canada will hear this fall) now has the ability to decide independently whether records subject to the law enforcement and solicitor-client privilege exemptions should be disclosed in the public interest.
Among the recommendations the Commissioner makes in her Annual Report:
- She is urging Ontario to make a privacy-protective electronic health record a priority.
- She is calling on the Premier and John Wilkinson, the Minister of Research and Innovation, to advance the development of transformative technologies (privacy-enhancing technologies applied to technologies of surveillance), not only in the area of research, but particularly in the commercialization of such research to facilitate its entry into the marketplace.
- She is urging all police services in Ontario to abide by the law and give a broad and generous interpretation to recent amendments to the provincial and municipal freedom of information and protection of privacy Acts that now allow police to disclose – in compassionate circumstances – the personal information of someone who has died to his or her family members.
- Rather than require individual provinces to build their own extensive databases of citizenship information from scratch, she is urging the federal government to make citizenship information available to provinces that want to provide an enhanced drivers’ licence (EDL) that citizens could use as an alternative to a passport, for the purpose of crossing the U.S. border.
FOI REQUESTS SET ANOTHER RECORD
Among the statistical information released by the Commissioner:
- The number of freedom of information requests filed with provincial or municipal government organizations across Ontario in 2007 – 38,584 – set an all-time high, surpassing the previous record of 36,739, set in 2006. Much of this increase is due to a jump in the number of requests filed with municipalities and police services.
- The number of privacy complaint files opened under the two public sector privacy Acts – 213 – was the highest in 11 years. (There were 170 privacy complaints in 2006.)
- And, the number of complaint files opened under the Personal Health Information Protection Act – 338 – set a record. (The old record was 269 in 2006.) Of the 338 complaint files, 227 were privacy complaints and 111 were access or correction complaints.
Commissioner Cavoukian’s 2007 annual report is available on the IPC’s website, www.ipc.on.ca.
The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.
Sunday, May 18, 2008
The Alberta Information and Privacy Commissioner's office, in Investigation Report H2008-IR-001, has confirmed that individuals have the right to have their personal health information masked and its distribution restricted on Alberta Netcare:
Investigation confirms Albertans' right to ask custodians to limit disclosure of health information through Alberta Netcare
May 15, 2008Investigation confirms Albertans' right to ask custodians to limit disclosure of health information through Alberta NetcareInformation and Privacy Commissioner, Frank Work, has confirmed that individuals can ask that disclosure of their health information through Alberta Netcare, Alberta’s electronic health record, be limited. On conclusion of a recent investigation, it was recommended that Alberta Health and Wellness take steps to fully implement the technology that will allow custodians to limit the disclosure of health information through Alberta Netcare and communicate the availability of this option to Netcare users and Albertans.
The case involves a woman who asked her pharmacist to limit the disclosure of her health information through Alberta Netcare, but was told the pharmacist could not refuse to disclose information to AHW. The woman then contacted AHW to request that her information be “masked” in Alberta Netcare, but was directed to make her request to other custodians.
The Health Information Act (HIA) section 58(2) requires custodians to consider the expressed wishes of individuals when deciding how much health information to disclose. AHW has decided to manage expressed wishes in Alberta Netcare by masking information. Masked information is hidden until an authorized user who is providing care to a patient decides to unmask the information.
The investigation found that AHW built masking capabilities into Alberta Netcare as early as 2006, but did not did not formalize the processes required to allow Netcare users to apply masking until April 2008. The investigation also found that AHW had not adequately communicated the availability of masking as a means to manage an individual’s expressed wishes to health care providers nor had they developed the administrative tools required to fully support implementation of masking.
Mr. Work says “While I commend Health and Wellness for building important privacy features like masking into the system, it is not very useful to develop a masking system and not support its implementation or advise end users that it is available to them. In principle, AHW’s approach to masking information in Alberta Netcare is sound but implementation has been weak. The Department acknowledges this gap and has committed to developing an enhanced masking implementation plan for my review and comment before the end of the month. We will continue to work with AHW on this issue.”
Other recommendations that have been accepted by AHW include the recommendation to respond to the complainant’s request that her information be masked and expand Alberta Netcare communications materials to inform and educate patients about how a masking request can be made. The Department has taken immediate steps to implement these recommendations.
The investigation report and its recommendations can be found at http://www.oipc.ab.ca/.
Friday, May 09, 2008
This just crossed the wires and is likely of interest to those who followed the earlier discussions about using privacy legislation as an excuse for inaction.
CNW Group OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Ontario and B.C. Privacy Commissioners issue joint message: personal health information can be disclosed in emergencies and other urgent circumstances
Ontario and B.C. Privacy Commissioners issue joint message: personal health information can be disclosed in emergencies and other urgent circumstances
TORONTO, May 9 /CNW/ - In light of recent events, such as the tragic suicide of Nadia Kajouji, a student at Carlton University, and the Virginia Tech massacre of 2007, the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, and the Information and Privacy Commissioner of British Columbia, David Loukidelis, are reaching out to educational institutions, students, parents, mental health counsellors and healthcare workers in both provinces: personal health information may, in fact, be disclosed in emergencies and other urgent circumstances. The two Commissioners want to ensure that people realize that privacy laws are not to blame because they do permit disclosure.
The Commissioners want to send the clear message that privacy laws do not prevent counsellors or healthcare providers from contacting a person's family if there are real concerns that they may seriously hurt themselves. "When there is a significant risk of serious bodily harm, such as suicide, privacy laws in Ontario clearly permit the disclosure of personal information without consent, regardless of age. In such situations, schools may contact parents or others if there are reasonable grounds to believe that it is necessary to do so," says Commissioner Cavoukian. Commissioner Loukidelis adds that, "If there are compelling circumstances affecting health or safety, or if an individual is ill, B.C.'s privacy laws allow disclosure to next of kin and others, including school officials and health care providers. Individual cases can be fuzzy, but if someone uses common sense and in good faith discloses information, my office is not going to come down on them. Privacy is important, but preserving life is more important."
In Ontario, the Personal Health Information Protection Act (PHIPA) allows health care providers, such as mental health counsellors, to disclose personal health information when necessary to eliminate or reduce a significant risk of serious bodily harm. This would include disclosure to a physician or parent if there are reasonable grounds to believe it is necessary to do so. In fact, PHIPA specifically allows for this kind of disclosure in emergency or urgent situations. Commissioner Cavoukian clarified this in a Fact Sheet she issued in 2005 entitled, Disclosure of Information Permitted in Emergency or other Urgent Circumstances, available at http://www.ipc.on.ca/.
In British Columbia, Commissioner Loukidelis underscored, the public sector Freedom of Information and Protection of Privacy Act allows universities, schools, hospitals and other public institutions to disclose personal information where someone's health or safety is at risk. He also noted that the private sector Personal Information Protection Act contains similar authority to disclose personal information for health and safety reasons.
Both Commissioners are today announcing their joint project to issue a new publication aimed at clarifying the role that privacy laws play when workers are trying to decide whether they can disclose personal health information. Commissioner Cavoukian said of the joint project, "Our goal is to ensure that educational institutions understand the legislative framework in advance of problems occurring. We are looking forward to working further with the educational community - stay tuned."
Commissioners Cavoukian and Loukidelis are urging those responsible for the health and safety of others to educate themselves about how the privacy laws covering them apply to their work and familiarize themselves with the provisions allowing them to disclose personal health information in emergency situations. Commissioner Loukidelis says, "I know that frontline decisions have to be made quickly and sometimes the facts may not be as clear as you'd like. But there's no doubt that privacy laws support disclosures to protect health and safety." Commissioner Cavoukian agrees that privacy laws are not at fault. "To infer that privacy laws were responsible for someone's death is to completely misunderstand the role that privacy laws are designed to play. The tragedy here lies if you take a default position of non-disclosure and inaction," says Commissioner Cavoukian. She also adds that, "However, Commissioner Loukidelis and I both recognize that the decision to notify someone's family without their consent can be extremely difficult, requiring very sound judgment. We are also clear that notification cannot be done on a routine basis and that students need to feel reassured that their privacy will be protected when they seek counselling or other health care services."
Tuesday, April 29, 2008
If you handle personal information and only read one privacy law article, this one should be it:
Far too often, bureaucrats, cops and others use poorly understood privacy laws as a justification for inaction. Maybe it's just that they don't fully understand the myriad rules and the multiplicity of exceptions.
Privacy laws are complicated and are not well understood, even by people whose day-to-day operations are affected by them. But they are generally sensible and coherent. And -- believe it or not -- they are laced with common sense.
I've had the opportunity to look at every privacy law in Canada and I don't think I've seen one that does not have a public interest override. A public body, in the public sector context, can disclose personal information without consent if it is in the public interest to do so. There are often other exceptions from the general rule that requires consent.
Some may recall the aftermath of the south Asian tsunami where the federal government said they couldn't name victims or survivors because of the Privacy Act. The Privacy Commissioner and others were pretty quick to point out s. 8 of the Privacy Act, which allows the government to disclose personal information where it is in the public interest:
8(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed...
(m) for any purpose where, in the opinion of the head of the institution,(i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or
(ii) disclosure would clearly benefit the individual to whom the information relates.
(I wrote about it on this blog at the time: Editorial urges that naming Canadian tsunami victims is in the public interest & Fallout from naming/not naming Canadian victims)
I was recently reminded of this in a discussion about the failure of the police in Merritt BC to identify a suspect on the lam after a family was found murdered. Police blamed privacy laws. (RCMP grilled for delay in alerting town over suspect) The National Post Editorial Board called them out on the misstep:
The Post editorial board on the Allan Schoenborn case: The RCMP's high-profile failure - Full Comment
...Two days later, Ms. Clarke returned from errands to find her children murdered, and their father vanished along with his dog. The RCMP, confronted with a gruesome spectacle that may have resulted from their failed efforts to get Schoenborn under lock and key, took nearly a full day to announce to the public in Merritt that he was the prime suspect in the killings. Their excuse? "Due to privacy concerns," said RCMP Staff Sergeant Scott Tod, "we had to make sure that we had information that this was the suspect before we released his name."
"Privacy" is a popular item these days in the lexicon of justice, as it is used by the Mounties. No act of ineptitude in communicating with the public can possibly escape its reassuring cover, even though every privacy law or code written down anywhere in the last 50 years contains public-interest exemptions.
Most recently, a University in Ontario has been called to account for not notifying the parents of a mentally ill student who subsequently committed suicide. Privacy laws were pointed to as preventing such action. Anne Cavoukian and her counterparts have reminded universities that these laws are easy scapegoats, but without exception contain provisions that allow privacy rights to be overridden in certain circumstances.
Universities grapple with providing health services, protecting privacy
...University officials say they followed procedures and couldn't tell Kajouji's parents about her mental health because of the province's privacy law. They also indicated universities that don't respect the privacy of their students' health information risk driving students away from the very services designed to help them.
Ontario's privacy commissioner, Ann Cavoukian, and several of her counterparts in other provinces, say universities need to have a clearer understanding of what privacy laws allow and they cautioned that too often privacy laws are the automatic target of blame when controversy arises.
Cavoukian's office provided a fact sheet several years ago to universities explaining the law allows them to disclose personal health information in "compelling circumstances" and if they believe on reasonable grounds it would eliminate or reduce the risk of bodily harm.
Determining whether a situation warrants disclosure is a judgment call, Cavoukian said in an interview, though the law affords protection to the decision-maker as long as he or she acted in good faith.
"If you are a health-care practitioner or a university professional and you have information relating to a student that is considering suicide and you fear for that person and want to reduce the risk of suicide, absolutely you are allowed to release that information," she said. "It's not an easy decision but it is one that is permitted under our privacy laws and I'm sick and tired of people saying that it's the privacy laws that prevented the counsellors from contacting the girl's parents. That's incorrect," she said.
... Suzanne Blanchard, vice-president for student support services, said in an e-mail message the university has specific procedures to deal with students who are in "imminent danger of doing harm to themselves or others."
"Carleton University has reviewed its actions in the aftermath of Nadia's tragic death. We believe that we followed all proper procedures and provided all the support services we could for Nadia," she said. "Carleton University is always diligent in its compliance with Ontario's privacy laws and we believe that we acted, and continue to act, in accordance with those laws."
Cavoukian said some universities take their obligations under the privacy law seriously, but there is still a lot of confusion. She plans to convene a meeting with the Council of Ontario Universities in an attempt to clarify any lingering questions.
Saskatchewan's privacy commissioner agreed there is a "significant need for more education" about the flexibility that is built into privacy laws.
"Sometimes you have people who don't want to do the wrong thing and so therefore you get a kind of paralysis and they don't share information even when the law allows them to and it's appropriate to do so," said Gary Dickson.
Dickson said Kajouji's death, while tragic, provides incentive for universities to ensure they are prepared to deal with students' mental health issues and with situations where informing the parents is up for debate. "Decisions will have to be made and then there have to be people with the appropriate training and judgment who can then make that discretionary decision," he said.
Frank Work, Alberta's privacy commissioner, said it has to be kept in mind Kajouji was an adult and the university may have felt her situation was under control. All the law asks is that a standard of reasonableness be applied, said Work.
"I think it's true in just about every privacy law, the standard is always reasonableness, not perfection," he said.
People will disagree on whether Carleton made the right decision, but one thing the privacy commissioners all agree on is the decision needs to be given due consideration.
"The worst case scenario is if it's just neglect. They saw the bus coming and they didn't yell: 'Get out of the way.' We don't know here. Hopefully in this case they made a judgment call," said Work.
Ontario's commissioner similarly said university officials have to take the time to make the difficult determination and should not rely on privacy laws as the default reason for not disclosing personal information.
"I would urge people to resist the knee-jerk reaction of automatically blaming privacy laws," Cavoukian said.
Here is the moral of this story: Whenever common sense or humanity seem to bump up against privacy laws, take a close look at the law and its exceptions. You will probably find that the drafters have designed the laws to accommodate common sense and humanity.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.