The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, January 02, 2009
Five years ago, on January 2, 2004, a new age of privacy was creeping across Canada and this blog was born. The day before, at the stroke of midnight, the Personal Information Protection and Electronic Documents Act (Canada) had come fully into force. The Alberta and British Columbia Personal Information Protection Acts also became effective on the first day of 2004.
Since then, we have seen dramatic changes in privacy throughout the world: Identity theft is on the rise; there have been literally thousands of data breaches exposing the personal information of millions of people; governments are looking for easier access to personal information; video surveillance is more widespread; more personal information is generated digitally and aggregated in private hands.
And in the past year specifically, things have remained interesting on the privacy front. We've seen debate over changes to PIPEDA without anything definitive coming from the mandatory five year review. We've also seen arguments put forward to reform the public sector Privacy Act. Focus has also been drawn to the increasing practice of examining laptops at US border crossings. Litigation between Viacom and Google has raised awareness of log information that's often retained by internet companies. And Google has also been sued by a couple claiming their privacy has been violated by presenting pictures of their house in Google Street View. But in the last year, the one big privacy story that was supposed to have the largest impact on Canadians was the implementation of the National Do Not Call List. Whether it has, in fact, had an impact is the subject of debate.
I'd like to thank the many thousands of readers of the blog for visiting this site and thanks to those who have contacted me with comments, compliments, suggestions and links to interesting news. It's been a pleasure to write and I plan to keep it going as long as there's interesting privacy news to report.
Birthday cake graphic used under a creative commons license from K. Pierce.
Saturday, January 12, 2008
Yesterday, I gave a presentation with S/Sgt Al Langille of the RCMP at the Canadian Bar Association - Nova Scotia's annual professional development conference on ID theft and privacy laws. If you're interested, the presentation is here:
Thursday, November 22, 2007
Michael Geist, insightful and thoughtful as always, has some interesting comments on the proposed new identity theft legislation introduced yesterday. Check it out: Michael Geist - Canada's Identity Theft Bill: What It Says and What's Missing.
The full text of Bill C-27 has been posted on the Parlimentary website: C-27 - An Act to amend the Criminal Code (identity theft and related misconduct).
Here's the bill's summary
This enactment amends the Criminal Code to create a new offence of identity theft, of trafficking in identity information and of unlawful possession or trafficking in certain government-issued identity documents, to clarify and expand certain offences related to identity theft and identity fraud, to exempt certain persons from liability for certain forgery offences, and to allow for an order that the offender make restitution to a victim of identity theft or identity fraud for the expenses associated with rehabilitating their identity.
Wednesday, November 21, 2007
The Canadian federal government is planning to table legislation in Parliament today to add additional offenses to the criminal code to deal with activities that are precursors to identity theft.
I was interviewed earlier today by CTV Newsnet on the topic (on Google Video):
Here is the media release:
Government of Canada Introduces Legislation to Tackle Identity Theft
GOVERNMENT OF CANADA INTRODUCES LEGISLATION TO TACKLE IDENTITY THEFT
OTTAWA, November 21, 2007 – Minister of Justice and Attorney General of Canada, the Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, today introduced legislation to help combat identity theft, which has been identified as a fast-growing problem throughout North America.
“This Government is following through on its commitment to give police the tools they need to better protect Canadians by stopping identity theft activity before the damage is done,” said Minister Nicholson. “I have tabled legislation that will make it an offence to obtain, possess or traffic in other people's identity information if it is to be used to commit a crime.”
The misuse of another person's identity information, generally referred to as identity fraud, is covered by current offences in the Criminal Code , such as personation and forgery. But the preparatory steps of collecting, possessing and trafficking in identity information are generally not captured by existing offences. The proposed legislation would create three new offences directly targeting aspects of the identity theft problem, all subject to five-year maximum sentences:
- obtaining or possessing identity information with intent to use it to commit certain crimes;
- trafficking in identity information with knowledge of or recklessness as to its intended use in the commission of certain crime; and
- unlawfully possessing and trafficking in government-issued identity documents.
Additional Criminal Code amendments would create new offences of fraudulently redirecting or causing redirection of a person's mail, possessing a counterfeit Canada Post mail key and possessing instruments for copying credit card information, in addition to the existing offence of possessing instruments for forging credit cards.
Moreover, a new power would also be added permitting the court to order, as part of a sentence, that an offender be required to pay restitution to a victim of identity theft or identity fraud where the victim has incurred expenses related to rehabilitating their identity, such as the cost of replacement cards and documents and costs in relation to correcting their credit history.
“Our Government understands that new and rapidly evolving technologies have made identity theft a widespread criminal activity that often involves organized crime,” added Minister Nicholson. “This is an issue that is harming Canada 's families, seniors and businesses. We are therefore taking action to tackle this serious problem.”
This legislative proposal is one in a new series of tackling community crime bills the Government of Canada will be introducing in this new session of Parliament. This series is in addition to the comprehensive Tackling Violent Crime Act that aims to better protect youth from sexual predators, protect society from dangerous offenders, get serious with drug impaired drivers and toughen sentencing and bail for those who commit serious gun crimes.
In addition to its plan to protect Canadians against identity theft, the Government of Canada has:
- introduced a National Anti-Drug Strategy, including legislation that would provide mandatory jail time for serious drug crimes;
- tabled legislation to strengthen the Youth Criminal Justice Act ; and announced a comprehensive review of this Act in 2008;
- invested in crime prevention community projects across Canada that target youth;
- passed legislation to increase penalties for those convicted of street racing; and
- passed legislation to end conditional sentences for serious crimes such as personal injury offences.
An online version of the legislation will be available at www.parl.gc.ca.
Here is additional coverage from CTV:
CTV.ca Tory legislation to target identity theft
Tory legislation to target identity theft
Updated Wed. Nov. 21 2007 11:58 AM ET
CTV.ca News Staff
The federal Conservatives will introduce legislation today aimed at charging people accused of identity theft even before stolen information is used to commit a crime.
Currently, the law makes it illegal to misuse someone's personal information to create false identification or for other fraudulent purposes.
However, it is not against the law to collect, possess or traffic another person's identity information.
The Tories want to amend the Criminal Code to make it an offence to possess someone's personal identifying information with the intent of selling it or using it to commit fraud.
"I think there's always a challenge in proving intent but we have a number of offences in our Criminal Code where intent is an important portion of proving the charge," David Fraser, a lawyer that specializes in privacy issues, told CTV.ca.
"You can do that by looking at the totality of the circumstances -- you don't necessarily have to look directly into the head of the accused."
In 2006, almost 8,000 victims reported losses of $16 million to PhoneBusters, the Canadian Anti-fraud Call Centre.
"There are probably even more who don't report it... (and) there isn't mandatory reporting from the banks or the credit bureaus who might be the first to hear about it," said Fraser.
He said the Tory initiative will give law enforcement an additional tool to help them deal with identity theft offences.
However, Fraser said attention should also be given to ensuring that businesses properly secure personal information in the first place.
"That's one of the places where information often gets into the hands of identity thieves," he said.
"Another part of it might be simply to make it a little more challenging in order for credit granters to extend credit to individuals."
Consumers can also take practical steps to protect their information by regularly checking bank statements and shredding personal documents, said Fraser.
The identity theft legislation is the latest in a flurry of anti-crime initiatives the Tories have announced this week.
On Tuesday, the Harper government introduced new legislation proposing mandatory sentencing for individuals convicted of serious drug-related crimes.
Federal Justice Minister Robert Nicholson said the new bill is designed to impose tough sentences on Canadians profiting from organized crime and violence.
If passed, Bill C-2 will impose the first mandatory sentences under the Controlled Drugs and Substances Act for people convicted of drug-related crimes.
On Monday, the Tories proposed changes to the Youth Criminal Justice Act.
The key proponents of their proposal are:
- Tougher sentences
- Allowing for pre-trial detention
- Allow courts to consider deterrence and denunciation as objectives of youth sentences
Saturday, November 10, 2007
In case you haven't been consulted enough ...
The Government of Canada issued its response to the PIPEDA review report from the Standing Commitee on Access to Information, Privacy and Ethics, agreeing in parts and disagreeing in others with the committee's recommendations. So the government is now seeking public input on the topics that were relatively well canvassed before the parliaentary commitee.
If you have additional thoughts, you have until January 15 to make them known to Industry Canada.
DEPARTMENT OF INDUSTRY
IMPLEMENTATION OF THE GOVERNMENT RESPONSE TO THE FOURTH REPORT OF THE STANDING COMMITTEE ON ACCESS TO INFORMATION, PRIVACY AND ETHICS ON THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT
Deadline for submission of views: January 15, 2008
On October 17, 2007, the Government of Canada tabled in Parliament its response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA). In support of the Minister of Industry's responsibility for PIPEDA, Industry Canada is seeking the views of Canadians on a number of issues related to the response, including proposals for legislative amendments to PIPEDA.
PIPEDA, which came into force on January 1, 2001, sets rules for the collection, use and disclosure of personal information in the course of commercial activity in Canada. In a modern, information-based economy, an effective and efficient model for the protection of personal information is vitally important to ensure that the privacy of Canadian consumers remains protected. The ETHI Report contains 25 recommendations for how PIPEDA could be fine-tuned to ensure that the Act continues to achieve this objective. The government response expresses agreement with a majority of the Committee's recommendations and reflects the view held by a number of stakeholders that PIPEDA is working well and is not in need of dramatic change at this time. However, a small number of specific amendments may be warranted, and this consultation process provides Canadians with the opportunity to present further information, advice and views regarding the implementation of key proposals for legislative change.
In particular, Industry Canada is seeking views on the implementation of a data breach notification provision in PIPEDA (ETHI recommendations 23, 24 and 25). Such a provision is an important component of a comprehensive strategy to address the growing problem of identity theft. The Government proposes that the Privacy Commissioner be notified of any major breach of personal information, and that affected individuals and organizations be notified when there is a high risk of significant harm resulting from the breach. Ultimately, a requirement for data breach notification should encourage organizations to implement more effective security measures for the protection of personal information, while enabling consumers to better protect themselves from identity theft when a breach does occur. Industry Canada is seeking input in developing the parameters of a data breach notification provision, including, but not limited to, questions of timing, manner of notification, penalties for failure to notify, the need for a "without consent" power to notify credit bureaus, and appropriate "thresholds" for when organizations should be required to notify.
Industry Canada is also seeking further views on the issue of "work product" information (ETHI recommendation 2). The question of whether information created by individuals in their employment or professional capacity should be explicitly excluded from the definition of personal information has been a matter of significant debate. Industry Canada would therefore appreciate a wider range of views on whether an amendment to PIPEDA is needed, and, if so, how this should be implemented.
Furthermore, in order to ensure that PIPEDA is consistent with the needs of Canadian law enforcement agencies, the Government intends to clarify the meaning of lawful authority in PIPEDA as recommended by the Committee (ETHI recommendation 12). Industry Canada is seeking views and specific advice on how the concept of lawful authority could be better defined.
The Committee also recommended a number of issues for further consideration and/or consultation, including witness statements (ETHI recommendation 10), consent by minors (ETHI recommendation 15), and an assessment of the extent to which elements contained in the PIPEDA Awareness Raising Tools (PARTS) document may be set out in legislative form (ETHI recommendation 17). Industry Canada welcomes submissions on these matters.
Finally, Industry Canada is considering alternatives to the current process for the designation of investigative bodies (ETHI recommendation 6) and would appreciate any further views on this issue.
Submissions on the above, or on any other issues related to the government response that you may wish to raise, can be sent by email to PIPEDAconsultation@ic.gc.ca, by fax to 613-941-1164, or by mail to Richard Simpson, Director General, Industry Canada, Electronic Commerce Branch, 300 Slater Street, Ottawa, Ontario K1A 0C8.
The Government's response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics is available electronically on the World Wide Web at the following address: http://ic.gc.ca/specialreports.
For printed copies, please contact Publishing and Depository Services, Public Works and Government Services Canada, Ottawa, Ontario K1A 0S5; 1-800-635-7943 (Canada and U.S. toll-free telephone), 613-941-5995 (telephone), 1-800-465-7735 (TTY), 1-800-565-7757 (Canada and U.S. toll-free fax), 613-954-5779 (fax), email@example.com (email), www. publications.gc.ca.
Monday, October 22, 2007
An interesting study of identity thieves has been released by the Center for Identity Management and Information Protection, which suggests that less than one fifth of criminals get their data from the internet. In most cases it they get their data by re-routing mail, dumpster diving and intercepting mail.
I would read the report itself, but they want your personal information before allowing access. Hmmm....
Study IDs identity thieves on Yahoo! News
Study IDs identity thieves
By WILLIAM KATES, Associated Press Writer
Mon Oct 22, 11:19 AM ET Identity thieves are typically young, work solo and rely on the Internet for fewer than one-fifth of their crimes, according to a new study of Secret Service cases.
The Center for Identity Management and Information Protection also found that "insider" employees were the offenders in just one-third of the cases. Employees who stole identity information often worked in the retail industry, the report found.
"There are some common perceptions we have that identity theft involves a person sitting at a computer hacking into corporate or individual computers. ... Certainly it is happening, but it is a crime that is happening in a multitude of ways, some of it as simple as stealing mail out of a mailbox," said Gary Gordon, a professor of economic crime programs who founded and heads the center at Utica College.
The Department of Justice-funded study, which was to be released Monday at a news conference in Washington, D.C., differs from previous studies because it focused on identity thieves and their methods, rather than victims, said Michael Stenger, Assistant Director of Investigations for the Secret Service, which agreed to open its case files to the center.
Researchers reviewed 517 cases closed by the Secret Service between 2000 and 2006. Two-thirds of the cases were concentrated in the Northeast and South and there were 933 defendants. The Federal Trade Commission has said about 3 million Americans have their identities stolen annually.
The study found that 42.5 percent of offenders were between the ages of 25 and 34. Another 18 percent were between the ages of 18 and 24. Two-thirds of the identity thieves were male.
Nearly a quarter of the offenders were born outside the United States.
Eighty percent of the cases involved an offender working solo or with a single partner, the report found.
While identity thieves used a wide combination of methods, fewer than 20 percent of the crimes involved the Internet. The most frequently used non-technological method was the rerouting of mail through change of address cards. Other prevalent non-technological methods were mail theft and dumpster diving.
Of the 933 offenders, 609 said they initiated their crime by stealing fragments of personal identifying information, as opposed to stealing entire documents, such as bank cards or driver's licenses.
Most of the offenses were committed by non-employees who victimized strangers. Employee insiders were the offenders in just one-third of the 517 cases. When an employee did commit identity theft, the offenders were employed in a retail business in two out of every five instances, the report said. Stores, gas stations, car dealerships, casinos, restaurants, hotels, doctors and hospitals were all considered retail operations in the study.
In about a fifth of the cases, the employee worked in the financial services industry.
"This is important research," said Ann Wallace, executive director of the Identity Theft Assistance Center, a national nonprofit group that helps victims and law enforcement agencies fight identity theft crimes.
Wallace had not read the study but said she was familiar with its findings, which were "consistent with what we hear from victims."
"We have to know more about the crime in order to fight it. This will help law enforcement understand the problem and it will help consumers better understand the risk."
On the Net:
Center for Identity Management and Information Protection: http://www.cimip.org
Identity Theft Assistance Center: http://www.identitytheftassistance.org
Wednesday, October 03, 2007
Speaking Notes for the Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, Minister of Justice and Attorney General of Canada for the Announcement of Intent to Introduce Legislation Dealing with Identity Theft
October 2, 2007
Check against delivery
Good afternoon, ladies and gentlemen.
I am pleased to be here with my colleague Minister Blackburn to announce another step in our Government’s plan toward safer communities.
Our Government was elected to build a strong, safer, better Canada. We said we would tackle crime, and we remain committed to that goal – targeting crimes that affect Canadians most.
Identity theft has been identified as one of the fastest growing problems in North America, and one that easily crosses borders. Every day, the issue of identity theft affects or threatens more Canadian families, seniors and businesses.
Identity theft is costly to banks, retailers and consumers alike. The Canadian Council of Better Business Bureaus estimates that identity theft may cost Canadian consumers, banks and credit card firms, stores and other businesses more than $2 billion annually.
Technology has made it possible for individuals, governments and companies to collect and store huge quantities of personal information more efficiently. Consequently, technology has also made it easier, quicker and more lucrative for organized criminals to access and steal that information.
Identity theft has an impact on the daily lives of Canadians. It can affect our families, our businesses, our homes, our health and our bank accounts. And that is quite apart from the enormous emotional impact it has on its victims.
As it stands now, the misuse of another person’s identity information is covered by current offences in the Criminal Code, such as identity fraud, personation and forgery. But the preliminary steps of collecting, possessing and trafficking identity information are generally not captured by existing offences.
This is why today, along with my colleague the Minister of Labour and Minister of the Economic Development Agency of Canada for the Regions of Quebec , I am here to announce our Government’s intention to introduce legislation to amend the Criminal Code in the area of identity theft when Parliament resumes.
This new legislation will have one goal: to protect Canadians from identity theft by giving police the tools they need to stop this activity before the damage is done .
For any government, there is no greater duty than the protection of its citizens.
Our Government remains unwavering in its determination to keep Canadians safe. This new legislation is but one part of our tackling-community-crime agenda.
Thank you. Now my colleague Minister Blackburn will now say a few words…
Canada's New Government to Tackle Identity Theft
MONTREAL, October 2, 2007 – Minister of Justice and Attorney General of Canada, the Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, together with the Honourable Jean-Pierre Blackburn, Minister of Labour and Minister of the Economic Development Agency of Canada for the Regions of Quebec, today announced that Canada's New Government has developed a strategy to help combat identity theft, which is a serious criminal activity that has become more lucrative than ever before.
“ Canada's New Government understands that new and rapidly-evolving technologies have made identity theft a widespread criminal activity, especially involving organized crime. This growing issue is harming Canada's families, seniors and businesses, and we are committed to addressing it,” said Minister Nicholson. “By introducing Criminal Code amendments, our government will be giving police the tools to better protect Canadians by stopping identity theft activity before the damage is done .”
When Parliament resumes, Canada's New Government will introduce new legislation proposing Criminal Code amendments that will permit police to intervene at an earlier stage of criminal operations, before identity fraud or other crimes which actually cause financial or other harms are attempted or committed.
The Criminal Code currently covers offences involving the misuse of another person's identity information (such as personation and forgery), which are generally referred to as identity fraud. But the preparatory steps of collecting, possessing and trafficking in identity information are generally not captured by existing offences.
“Canadians are entitled to have their identities and personal information protected to the highest degree possible,” said Minister Blackburn. “That is why our Government will move quickly when Parliament returns to introduce legislation that targets identity theft.”
Canadians are concerned about becoming victims of identity theft, which has been identified as one of the fastest growing problems in North America and one that easily crosses borders. In 2006, almost 8000 victims reported losses of $16 million to PhoneBusters, the Canadian Anti-fraud Call Centre. Many more cases are thought to go unreported. The Canadian Council of Better Business Bureaus has estimated that identity theft may cost Canadian consumers, banks and credit card firms, stores and other businesses more than $2 billion annually.
Backgrounder: Identity Theft
Distinction between Identity Theft and Identity Fraud
While the term “identity theft” has no universal definition, it typically refers to the preliminary steps of collecting, possessing, and trafficking in identity information for the purpose of eventual use in crimes such as personation, fraud or misuse of debit card or credit card data. Identity theft can be contrasted with “identity fraud”, i.e., the subsequent actual deceptive use of the identity information of another person in connection with various crimes. Identity theft therefore takes place in advance of and in preparation for identity fraud, and constitutes the criminal use of information.
New Model of Crime
Canadian and U.S. law enforcement agencies have seen a growing trend in both countries towards greater use of identity theft as a means of furthering or facilitating other types of crime, from fraud to organized criminal activity to terrorism.
Also, instead of one person committing an offence, there may be a complex operation involving a number of different people. No one person may be individually responsible for committing an offence, but each may contribute a small part to the larger criminal operation. New legislation on identity theft will give police and prosecutors additional tools to address such complex criminal activities.
Scale of the problem
One incident of identity fraud may have many victims, from the person whose identity is stolen and whose credit rating and reputation may be damaged, to the commercial and financial institutions that may cover losses resulting from use of stolen information, to the Canadian taxpayer, who may be harmed when false identities are used to obtain government documents or benefits.
It is difficult to determine an accurate number of victims of identity theft or identity fraud because they are not always reported, and when they are, they may be reported to a number of different authorities or organizations. However, a November 2006 Ipsos-Reid survey indicated that 73 per cent of Canadians are concerned about becoming victims of identity theft, and 28 per cent say they or someone they know has already been a victim of identity theft.
Useful Tips on Identity Theft for Canadians
Office of the Privacy Commissioner of Canada: http://www.privcom.gc.ca/keyIssues/ki-qc/mc-ki-idt_e.asp
Royal Canadian Mounted Police: http://www.rcmp-grc.gc.ca/scams/identity_theft_e.htm
Canada 's Office of Consumer Affairs: http://consumer.ic.gc.ca/epic/site/oca-bc.nsf/en/h_ca02226e.html
The Privacy Commissioner of Canada thinks the initiative is lacking:
News Release: Privacy Commissioner Welcomes Government Action on Identity Theft (October 2, 2007) - Privacy Commissioner of Canada
Privacy Commissioner Welcomes Government Action on Identity Theft Ottawa, October 2, 2007 – The federal government’s plan to amend the Criminal Code to better address identity theft is a welcome first step towards stopping the explosion of a costly and emotionally devastating fraud, says Jennifer Stoddart, the Privacy Commissioner of Canada.
“Canadians have reason to fear being the victim of identity theft,” says Commissioner Stoddart. “The financial repercussions of losing their personal information can be crippling, and can affect victims for years to follow. The problem of identity theft highlights the value of personal information and the need to protect it.”
“Today’s announcement is encouraging. It promises to provide law enforcement officers with the tools to pursue identity thieves or fraudsters before Canadians suffer actual financial harm,” says the Commissioner, who will be closely reviewing details of the government’s plan in the coming days.
While this is a welcome step, the Commissioner still believes that the federal government must develop a broad-based strategy for tackling this type of fraud.
A comprehensive strategy should also include, for example:
- Measures to halt the dramatic proliferation of spam, which ID thieves often use to trick people into revealing personal information. Canada is the only G-8 country without anti-spam legislation.
- A plan to address “pretexting” – where a fraudster tries to obtain personal information about an individual, such as financial or telephone records, by posing as that person or someone else authorized to have the information.
- Reform of the badly out-of-date Privacy Act to ensure that personal information collected by federal departments and agencies is adequately protected.
- More extensive public education campaigns aimed at helping Canadians better protect their personal information.
Past efforts to combat identity theft and fraud using personal information have been hampered by a lack of coordination among various government departments and agencies, the provinces, law enforcement agencies and private-sector organizations.
As the Commissioner told the Standing Committee on Access to Information, Privacy and Ethics in May 2007: “We need better information about identity theft. One reason for the lack of information is the lack of a centre of responsibility. Everyone is interested in preventing identity theft, but no one has overall responsibility for doing anything about it,” said the Commissioner.
The Privacy Commissioner’s submission to the committee is available at http://www.privcom.gc.ca/parl/2007/sub_070508_e.asp.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Monday, September 03, 2007
I just heard about a new website, www.yourprivacy.co.uk, from its creators. The site, based in the UK, provides over sixty articles related to privacy. They say they'll be adding ten articles a month to the site. They also have an rss feed to keep up on what they're publishing.
Protecting Your Privacy and Anonymity at yourprivacy.co.uk
- Biometric Finger Print Scanning
- Disposing of Personal Information
- Disposing of Personal Information
- Financial Security and Privacy
- ID Cards
- Telephone Monitoring at Work
- Loyalty Cards
- Your Privacy on Your Mobile Phone
- Your Privacy on the Telephone
- Your Privacy Rights at Work
Saturday, September 01, 2007
I've blogged a few times before about the growing practice of bars and nightclubs scanning patrons' ID (see: Canadian Privacy Law Blog: New technologies for scanning IDs, Canadian Privacy Law Blog: Calgary student challenges nightclub over scanning ID, Canadian Privacy Law Blog: Article: Swiping driver's licenses - instant marketing lists?).
It appears to also be a concern for the Privacy Commissioner in Australia.
ID scanners may breach privacy laws - Queensland - brisbanetimes.com.au
The Australian Privacy Commissioner Karen Curtis yesterday warned publicans to "seriously consider their obligations" under the Privacy Act.
"If pubs and clubs that scan people's ID fail to heed their obligations under the Privacy Act, they run the risk of breaching their customers' privacy and having a privacy complaint lodged against them," Ms Curtis said.
At least 12 licensed venues in and around Brisbane use the technology to combat what they see as a rise in alcohol-fuelled violence.
"People are understandably concerned that having their ID scanned could lead to identity theft or that their details will be used by the pubs or clubs for unrelated purposes, such as direct marketing," she said.
Ms Curtis said her office received its first complaint about the devices in 2001 - but more than 100 phone calls and numerous written complaints had been made in recent months.
Companies should take a close look at their duties under the Privacy Act, she said, which include allowing customers to interact anonymously where possible and only scanning an ID if a business can prove it is totally necessary.....
Monday, August 27, 2007
CAPAPA supports Canadian’s Right to Know “Privacy IS Your Business”(Calgary, Alberta)
August 26, 2007 – CAPAPA (Canadian Association of Professional Access and Privacy Administrators) is pleased to support international Privacy Awareness Week, August 26th to September 1st, 2007. Privacy Awareness Week, a campaign first initiated by Privacy Victoria (Australia) in 2001, has for the first time gone international.
As Canada’s leading association serving privacy and access professionals, CAPAPA is spearheading the campaign to promote privacy awareness in Canada. “Identity theft and information security breaches are happening more often than ever,” says CAPAPA National Chair Sharon Polsky. “To reverse that trend, Canadians must recognize the importance of protecting their personal information — at home, in the workplace, and in the consumer marketplace.”
Privacy Awareness Week provides an opportunity for individuals to raise questions about privacy legislation and its impact on how individuals conduct their business and personal lives. Privacy Awareness Week spotlights the need for Canadians to recognize their rights and obligations to maintain the privacy of their personal information. The theme for Privacy Awareness Week 2007 is ‘Privacy is your business'.
Know your Rights and Obligations
Canadian organizations, governments, and government agencies are bound by a variety of wide-reaching privacy laws. Ms. Polsky notes that, “As consumers, each of us is responsible to understand what our rights and responsibilities are under those laws.”
CAPAPA is a key source for helping Canadians recognize their privacy rights and responsibilities, and is the privacy advocate’s source for issues such as the passenger name record exchange, emerging RFID CHIP technology, and CAPAPA's Submission to the Senate on proposed changes to Canada’s Election Act.
More information on these and other Canadian privacy issues is at http://www.capapa.org./ For more information on how you can promote Privacy Awareness Week 2007, visit http://www.capapa.org/ or contact CAPAPA at: firstname.lastname@example.org.
Thursday, August 23, 2007
A plaintiff seeking compensation for having personal information compromised has to face the hurdle of needing to prove damages. Under a conventional cause of action for negligence, harm is an essential element. If there is no harm, there's no negligence. No negligence, no cash. Just a risk of harm or an increased risk of harm is not enough.
This was recently affirmed by a US federal appeals court, which denied a class action brought following the release of personal information of customers of Old National Bancorp. See Wired's coverage:
Threat Level - Wired Blogs
Tens of thousands of Old National Bancorp customers whose personal and financial information was hijacked by a computer hacker cannot recover damages from the Indiana banking institution who lost the data in 2005, a federal appeals court ruled Thursday.
In dismissing a proposed class action against Old National Bancorp, the 7th U.S. Circuit Court of Appeals said damages were unavailable to victims of data theft if those victims did not suffer economically.
The three-judge panel of the circuit, mirroring decisions of federal courts in Ohio, Minnesota, Arizona and Michigan, ruled (.pdf): "Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy."
The plaintiffs did not allege direct financial loss and did not claim they had been the victim of identity theft. They alleged they suffered "substantial potential economic damages" and demanded compensation for emotional harm out of fear they would suffer economic damages by those who stole their information.
The bank's customers also demanded a "monitoring procedure to insure prompt notice to plaintiffs of any attempt to use their confidential personal information stolen from the defendants."
The appeals court also ruled that the law in Indiana, where the bank is located, did not protect the customers either.
"Had the Indiana Legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent," the court wrote.
The court added that the plaintiffs "have not come forward with a single case or statute, from any jurisdiction, authorizing the kind of action they now ask this federal court, sitting in diversity, to recognize as a valid theory of recovery under Indiana law."
The court noted that the investigation into the security breach was under seal. But the judges added that "the scope and manner of access suggests that the intrusion was sophisticated, intentional and malicious."
Sunday, August 19, 2007
Many businesses deal with personal information that they would not consider "sensitive" personal information. Names, addresses, delivery instructions, maybe payment information. Other than credit card data (which isn't retained, right?), most is seen to be routine, mundane transactional data.
But businesses need to constantly ask themselves what is the worst that can happen if personal information is disclosed? Or if any of their usual practices could somehow cause their customers harm of any kind. Privacy goes well beyond preventing fraud and identity theft. Personal information is powerful and what might be perfectly mundane to most may cause particular individuals real problems.
There's a story out of Texas that provides a great illustration of what can go wrong and how businesses should be thinking about their practices. A Texas resident is suing 1-800-FLOWERS for a million bucks because they sent him a card thanking him for his patronage. Nothing offensive there, right? But the thank you card was read by his soon-to-be ex-wife and it showed that the plaintiff had sent a dozen long-stemmed roses to someone else. What had been an amicable separation went sideways and she has significantly upped her demands. (See: Married Man Sues Florist for Revealing Affair: Man Sues for $1 Million After Wife Discovers He Bought Flowers for His Girlfriend.)
You may think he is a cheating weasel who deserves everything he gets. But, assuming the article is correct, was it really his florist's job to drop a dime on him? Simply put, no it isn't.
Some time ago, a cellular phone carrier in Ontario provided a customer's billing records to his wife because she said she was doing the monthly bills and couldn't understand some of the charges. He was having an affair and the bills told the tale. (National Post, 27 September 2003.)
I've heard of a clinic in Nova Scotia that called to ask a question about scheduling a patient's vasectomy and, when the patient wasn't home, asked his wife. No harm done in that case, but what if the spouse didn't know about the man's plans? What if it wasn't his wife who answered, but a friend, housekeeper, etc?
A while ago, the Alberta Privacy Commissioner "named and shamed" a pharmacist for disclosing a patient's prescriptions to the patient's spouse. The question related to tax records, but it did disclose psychiatric prescriptions.
What does all of this mean? Many of these disclosures are made in good faith with no intention to harm anyone. On the contrary, most are made to be helpful. But for some customers/patients, these disclosures can have disastrous consequences. Every business that collects, uses or discloses personal information has to be mindful of this.
I've blogged before about Facebook. I like the service and I especially like the privacy controls they've built into the system. Users control how much information they make available, either to strangers or friends. Most users who give any thought to privacy lock down what information is made available to the world at large and only let chosen "friends" have access to the piles of pesonal information that most users put online.
The distinction in Facebook is always between "friends" and others. But the user's only defence is carefully choosing who is let into that select group.
Unfortunately, more than four in ten users will let anyone (including a frog) be their friend. Sophos did a recent study, setting up a fake profile of a frog and sent out 200 friend requests. More than forty percent of the requests were accepted, allowing those who created the frog profile to see their personal information. (See: Sophos Facebook ID probe shows 41% of users happy to reveal all to potential identity thieves.)
"So what?" you might ask. Many Facebook users' profiles contain:
If I know your address, your full name, your employer and your date of birth, that's enough to fill out a credit card application in your name. (Not that I would!)
Promiscuous, undiscriminating Facebook users beware!
Friday, August 03, 2007
The Federal Privacy Commissioner has just released privacy breach guidelines, which are similar to guidelines produced by the Ontario and British Columbia commissioners. Here is the press release, with links to the guidelines:
News Release: Privacy Commissioner releases privacy breach guidelines (August 1, 2007) - Privacy Commissioner of Canada
Privacy Commissioner releases privacy breach guidelines
Ottawa, August 1, 2007 – New guidelines will help organizations take the right steps after a privacy breach, including notifying people at risk of harm after their information has been stolen, lost or mistakenly disclosed, says the Privacy Commissioner of Canada, Jennifer Stoddart.
The guidelines outline some of the key steps in responding to a breach, such as containing the breach, evaluating the risks associated with it, notifying the people affected and preventing future breaches.
“It’s clear that most businesses take seriously their responsibilities under Canada’s private-sector privacy law. I want to thank the industry groups, civil societies groups and privacy commissioners' offices that helped my office in developing these,” Commissioner Stoddart says.
The Office of the Privacy Commissioner (OPC) has become increasingly concerned about privacy breaches and breach notification following some major data breaches in recent months. Earlier this year, Commissioner Stoddart urged the federal government to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to make it mandatory for businesses to notify people when their personal information has been breached.
“Our new voluntary guidelines do not take away from the need for breach notification legislation,” the Commissioner says. “I would once again urge the Minister of Industry and his cabinet colleagues to help better protect Canadians by making breach notification a legal requirement for businesses.” The guidelines call on businesses to notify people that their personal information has been compromised in cases where the breach raises a risk of harm. For example, there may be a risk of identity theft or fraud in cases where sensitive personal information has been lost or stolen.
Organizations are also encouraged to inform the appropriate privacy commissioner(s) of a privacy breach. (In British Columbia, Alberta and Quebec, provincially regulated businesses should speak to their provincial privacy commissioners. In Ontario, breaches involving personal health information must be reported to the provincial commissioner.)
The OPC is currently investigating two high-profile privacy breach cases involving large amounts of personal information.
In one case, the Canadian Imperial Bank of Commerce reported to the OPC the disappearance of a hard drive containing the personal information and financial data of close to half a million clients of its subsidiary, Talvest Mutual Funds.
The other investigation, being conducted jointly with the Information and Privacy Commissioner of Alberta, is looking at a breach at TJX Companies Inc., which affected thousands of Canadians who shopped at TJX’s Winners and HomeSense stores.
The new guidelines as well as a privacy breach checklist and a list of organizations which participated in the consultation process to develop the guidelines are available on the OPC website, http://www.privcom.gc.ca/.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Tuesday, July 31, 2007
This is very interesting ....
Worker: Postal Service sold private data on Yahoo! News
By GENE JOHNSON, Associated Press Writer
Mon Jul 30, 11:08 PM ET
A Postal Service employee sued the agency Monday, accusing it of selling the personal information of its workers to credit card and other companies without consent.
Lance McDermott, a mechanic for mail-processing equipment, said in the complaint in U.S. District Court that he has been inundated with credit card, cell phone and life insurance offers in the past two years.
In some instances, it appears the agency provided the companies with eight-digit employee identification numbers, used for sensitive tasks such as accessing health care records, the complaint said.
McDermott said he was deluged with offers from Visa, Sprint Nextel Corp. and other companies.
The lawsuit seeks class-action status on behalf of other Postal Service workers, the return of any money the agency may have made by violating the federal Privacy Act, and other damages.
An agency spokesman in Seattle said he could not immediately comment.
"His major concern is that he doesn't want to take the risk that his personal information is going to be released to a third party and be subject to identity theft," McDermott's lawyer, Steve Berman, said. "And he doesn't think his employer should be benefiting from his personal information without his permission."
Berman said he does not know how much the companies may have paid the Postal Service for access to its "master file" of employee information. Nearly 800,000 people work for the agency, he said.
McDermott's complaint cited the Postal Service's April 2005 "Guidelines for Privacy" handbook, which included a section on direct marketing to workers: "Growing revenue is a critical strategy for the Postal Service," it said, and for that reason, the agency would allow companies to bid for the right to mail promotional offers to Postal Service workers. The offers arrive "cobranded" with the Postal Service's logo.
While employees could choose not to have their information forwarded to other companies, the policy still violated the Privacy Act by releasing data to companies without explicit permission from the employees, the complaint said.
With few exceptions, the law forbids federal agencies from releasing personal information of employees without consent.
Representatives of Visa and Sprint Nextel did not immediately return calls seeking comment.
Tuesday, July 10, 2007
You may recall some time ago when pretexting made the headlines in Canada after a MacLean's reporter purchased the Privacy Commissioner's phone records (Canadian Privacy Law Blog: That's a little cheeky: MacLean's Magazine buys Privacy Commissioner's cellphone records off the 'net). Today the Commissioner released a finding into the incident, accompanied by a big media release:
Here's the release:
Data broker exploits human error, weak safeguards to access phone records
OTTAWA, July 10 /CNW Telbec/ - Recent experience has shown Canadian companies must take precautions to ensure personal information and customer data is not vulnerable to data thieves and pretexters. Strong identification and authentication procedures are essential in blocking unauthorized attempts to access the personal information of Canadians.
An investigation by the Office of the Privacy Commissioner of Canada (OPC) has found that human error and weaknesses in the policies and procedures of three telecommunications companies allowed a data broker to gain unauthorized access to personal phone records.
The investigation was prompted by an article in Maclean's alleging the magazine had been able to purchase the telephone records of Privacy Commissioner Jennifer Stoddart and a senior Maclean's editor from US-based data broker Locatecell.com.
The investigation found that Locatecell.com used "social engineering" to trick phone company customer service representatives into divulging confidential information, either in the specific instances alleged and/or subsequent test cases. Social engineering involves manipulating people into divulging personal information, for example, by pretexting, or pretending to be someone authorized to obtain the information.
The OPC looked at improper disclosures of personal information to pretexters seeking to gain unauthorized access to phone records of individuals without their knowledge or consent. The three companies investigated were Bell Canada, Telus Mobility and Fido.
"In each case, we found that customer service representatives had not followed the companies' established authentication procedures. We also found that training of customer service representatives was not comprehensive enough to protect customers' personal information from illegal access by pretexters," says Assistant Commissioner Raymond D'Aoust. "As a result, the three companies failed to meet the requirements of the Protection of Personal Information and Electronic Documents Act (PIPEDA)."
All three companies revised their customer authentication procedures shortly after the disclosures took place. The OPC reviewed those changes and recommended further steps to address weaknesses in their policies and procedures to prevent unauthorized individuals from gaining access to customers' personal information. All three companies have since taken additional steps to further mitigate the risks resulting from pretexting and unauthorized access to personal records. The Office of the Privacy Commissioner is generally satisfied that all three companies have put in place an adequate set of measures to address the problems.
Nonetheless, the Assistant Commissioner says the companies should have been better prepared to deal with social engineering in the first place. The issue of data brokers using social engineering to obtain call records in the United States had been in the news some time before these incidents occurred.
"It's particularly troubling that not enough was done to let call centre employees know about this kind of threat," says Assistant Commissioner D'Aoust.
"Given the prevalence of identity theft, it is absolutely crucial that all companies adopt strong authentication processes to help ensure that they are providing information to someone who is actually authorized to have that information. It is equally vital that companies ensure that their employees are following these processes and are aware of the threats to personal information that pretexting poses."
The OPC has developed Guidelines for Identification and Authentication on its web site.
A summary of findings in the three cases is also available on the web site.
New laws in the US have recently made it an offence to use pretexting to obtain individuals' phone records in an effort to curb the activities of US information brokers, including Locatecell.com. However, this does not mean the problem has gone away either in the US, or elsewhere, particularly in other countries, including Canada, where no similar legislation yet exists.
In an appearance before a Parliamentary committee last month, Commissioner Stoddart called on the federal government to work collaboratively with the provinces and international partners to adopt a range of legislative and policy solutions to address this problem.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Monday, July 09, 2007
Federal Computer Week recently ran an article on a new report from the GAO that found that few large privacy breaches lead to fraud. The report is here: Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown (Government Accountability Office); and the FCW.com article is here:
FCW.com News - Few breaches lead to identity theft, GAO finds
Although data breaches in the public and private sectors are frequent, few incidents of identity theft have occurred as a result of the loss or unauthorized exposure of personal information, the Government Accountability Office said.
Fortunately for potential victims, only three of the 24 biggest breaches that GAO reviewed led to detected incidents of fraud on existing accounts and one incident of the unauthorized creation of a new account, according to GAO’s analysis of available data and interviews with researchers, law enforcement officials and industry representatives.
Retailers and a credit card processor were responsible for the data breaches that led to identity theft. GAO said it uncovered no clear evidence of fraud in 18 incidents, and insufficient data was available to make a determination in two incidents. However, it is difficult to know for certain the magnitude of identity theft, GAO said.
“The extent to which data breaches result in identity theft is not well-known, in large part because it can be difficult to determine the source of the data used to commit identity theft,” wrote David Wood, a director of GAO’s Financial Markets and Community Investment team, in a report posted today.
Perpetrators might hold stolen data for more than a year before using it to commit identity theft, law enforcement officials told GAO.
The data breaches GAO examined represent a fraction of the incidents in which public and private organizations have exposed or lost personal information. From 2005 through 2006, the news media have reported more than 570 data breaches. The House Oversight and Government Reform Committee identified more than 788 data breaches at 17 agencies from January 2003 through July 2006, and banks have reported several hundred incidents to their federal regulators in the past two years.
GAO studied breaches that were reported before July 2005. None involved federal agencies.
Encryption and hardware requirements for access control and certain data-reading equipment can prevent or restrict unauthorized access to data if it falls into the wrong hands.
Requirements to notify affected individuals could serve as incentives for organizations to improve data security practices so they can minimize legal liability and avoid the public relations issues that could result from a publicized breach. But that approach could also result in organizations spending money to develop incident response plans for identifying and notifying affected individuals.
A requirement that is too broad could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard all notices, GAO said.
The agency instead recommended the use of a risk-based notification standard to identify the incidents in which the potential for harm exists and the appropriate actions to take. Consumers who are notified that their data was compromised could then take steps to protect themselves from possible identity theft, such as monitoring their bank or credit card statements for suspicious activity.
“Should Congress choose to enact a federal breach-notification requirement, use of the risk-based approaches that the federal banking regulators and the President’s Identity Theft Task Force advocate could avoid undue burden on organizations and unnecessary and counterproductive notifications to consumers,” Wood wrote in the report.
In April, the task force recommended a national notification standard for public and private organizations similar to its risk-based guidance for federal agencies. It involves notifying consumers who face a significant risk of identity theft, but it avoids excessive notification.
In addition, the Office of Management and Budget has issued guidance to help federal agencies respond to data breaches. No federal law requires that companies or other organizations notify affected individuals of data breaches, although federal banking regulators have provided guidance to the financial institutions they supervise and 36 states have enacted breach-notification laws.
Friday, June 01, 2007
Choicepoint, the poster child of security breaches, reportedly has settled with the Attorneys General of 44 states. The settlement is nominal cash-wise ($500,000) and includes requirements for tougher security measures:
ChoicePoint Settles Data Security Case - New York Times
June 1, 2007
ChoicePoint Settles Data Security Case
ChoicePoint has settled with 44 states over a data breach that potentially gave criminals access to personal information from more than 145,000 consumers.
The company agreed to adopt stronger security measures and pay $500,000 to the states, Richard Blumenthal, the attorney general of Connecticut, said yesterday.
ChoicePoint, which sells information about consumers to employers, marketers and others, said in 2005 that criminals posing as legitimate businesses had gained access to consumer data, including Social Security numbers and credit histories.
The company, based in Alpharetta, Ga., was one of several to announce large-scale security breaches in 2005, raising identity theft as an issue for many legislators and regulators.
ChoicePoint characterized the settlement as “fair and reasonable.”
In January 2006, ChoicePoint settled a case with the Federal Trade Commission involving the security breach.
Thursday, May 31, 2007
Hot on the heels of the Ontario report yesterday, the Federal Privacy Commissioner has released her annual report on PIPEDA. It really should be a must read for anyone interested in PIPEDA, as it discusses many of the notable cases of the last year and some of the issues in the Office of the Privacy Commissioner of Canada. For example, the average resolution time from initial complaint to final finding has moved to sixteen months, five more months than in 2005.
Here's the media release with links to the report.
News Release: Privacy Commissioner calls for stronger data protection: Tabling of Privacy Commissioner of Canada's 2006 Annual Report on the Personal Information Protection and Electronic Documents Act (May 31, 2007)
Privacy Commissioner calls for stronger data protection: Tabling of Privacy Commissioner of Canada's 2006 Annual Report on the Personal Information Protection and Electronic Documents Act
Ottawa, May 31, 2007 — There has never been a greater need to take data protection seriously as new data breaches reinforce concerns about both security issues and trans-border data flows, according to the Privacy Commissioner of Canada, Jennifer Stoddart. Her 2006 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.
High-profile data breaches among a few well-known banking and retail organizations during 2006 reinforce the very serious nature of privacy breaches and the need to better protect personal information held by private sector companies.
Despite these cases, complaints against some of the major sectors covered by PIPEDA since 2001 (financial institutions, insurance companies and the transportation sector) have declined slightly. This is in contrast, however, to those industries which have been subject to PIPEDA only since 2004, such as the retail and accommodation sectors. These sectors have been the subject of substantially more complaints than in previous years. Overall, there were 424 complaints in 2006, compared with 400 in 2005.
“We are pleased to see fewer complaints related to sectors more familiar with PIPEDA; I believe it stems from a stronger understanding of the Act. It would appear that compliance is improving with time and we look forward to seeing this trend continue,” says Commissioner Stoddart.
“Sectors with less experience with PIPEDA have more work to do. As they gain a better understanding of what the law requires, we expect to see a decrease in complaints involving them,” she says.
“Research we are releasing today shows a majority of businesses covered by the Act appreciate their role in protecting consumer information, although there are still too many firms that need to take their role more seriously.”
That research, a survey of Canadian businesses on a number of issues relating to privacy, was conducted by Ekos Research Associates earlier this year. The results raise important questions about whether some businesses are doing enough to fulfill their PIPEDA obligations.
The survey found:
- While the majority of businesses that collect personal customer information have fully implemented PIPEDA provisions (67 per cent), there are a small but not insignificant number that are only in the process of implementing (16 per cent) and others that are not in the process of doing so (15 per cent).
- Only a third of all businesses report having staff that has been trained about their responsibilities under Canada’s privacy laws.
- Less than one in five has sought clarification of their role, although this is also much higher among larger businesses.
“Almost half of the businesses studied tend to rate their company’s awareness of its responsibilities under the privacy laws favourably. However, a similar number report either low or moderate awareness. PIPEDA and its provincial counterparts regulate commercial activity in Canada. All businesses that handle personal information need a good understanding of what the law requires,” says Commissioner Stoddart. “Businesses must realize the importance of living up to the law’s privacy protection principles and the consequences of failing to do so.
“I am particularly concerned to see that only a third of businesses have provided privacy training for staff. Good training is absolutely essential to prevent privacy breaches.”
Going forward, these companies will need to take steps to ensure greater compliance with the Act. Canadians expect private sector organizations to safeguard their personal information, particularly given the proliferation of identity theft.
In the fall of 2007, the Office of the Privacy Commissioner will be hosting the who’s who of the privacy world at the 29th International Conference of Data Protection and Privacy Commissioners in Montreal. Details are available at http://www.privacyconference2007.gc.ca/.
To view the reports:
- Annual Report to Parliament 2006 – Report on the Personal Information Protection and Electronic Documents Act (Adobe format)
- Backgrounder: Findings of a 2007 poll commissioned by the Office of the Privacy Commissioner of Canada
- 2007 EKOS Research Associates survey: Canadian Businesses and Privacy-Related Issues
Thursday, May 24, 2007
From CSO Online:
Why Your Company Needs a Chief Privacy Officer - Security Feed - News - CSO Magazine
May 23, 2007
In this era of data breaches and identity theft, chief privacy officers working hand-in-hand with security groups play a crucial if little-known role in protecting identifiable personal information.
The position of privacy executive is a relatively new one, dating back less than ten years, says Chris Zoladz, vice president of information protection and privacy with Marriott International. He pegs this role at about the stage where the security profession was 10 to 15 years ago. Although many organizations might believe the privacy function is covered by security groups, Zoladz told security professionals at The International Information Systems Security Certification Consortium’s (ISC2) 2007 SecureAmericas conference, held near Washington, D.C. last week, why the privacy function is separate but complementary.
"There are a lot of similarities between the professions, [such as] the focus on business value," he told the audience. The CPO is more focused on what data in an organization needs to be protected, however, while the security department develops and manages the way to protect it. "The CPO defines the ’what,’ the CISO deals with the ’how,’" he said.
"Good privacy is good business. The stakes in this area are constantly getting higher and higher . . . now we’re reading about [data breaches] in major media outlets," he said. "That’s done a lot for consumer awareness . . . and has raised the consciousness and awareness of our managers. That’s a positive move forward."
Zoladz defined privacy professionals as custodians -- not owners -- of personal information and said they must ensure that data is used in a responsible manner. Offering an example of his company’s Web site, he said because Marriott collects personal information from guests as part of the hotel chain’s reservation process, marketing executives have proposed personalizing the information that appears on the site so it’s customized to each visitor’s preferences. He said he gets involved in these proposals to make sure guests’ information is used properly.
There’s something else CPOs and CISOs have in common: Their career paths usually aren’t well defined, he said -- "Which means there’s a lot of opportunity."
Zoladz is also treasurer of the International Association of Privacy Professionals (IAPP), which has launched the IAPP certification, a three-hour test that is to the privacy profession what the CISSP is to the security profession, he said.
-- By Cara Garretson Network World (US)
Wednesday, May 23, 2007
MPR: wavLength: Private medical records of Colorado residents exposed on Internet Private medical records of Colorado residents exposed on Internet
Posted at 10:03 PM on May 22, 2007 by Jon Gordon
On Friday's Future Tense, you'll hear this story:As medical records are created and transmitted electronically more and more, the chance of private information falling into the wrong hands is growing. Sometimes records are stolen by hackers, other times just improperly secured. Compromised records can lead to a range of problems, from loss of employment to identity theft to plain old embarrassment.
Future Tense has discovered that detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible Internet site for an uncertain period of time through at least last Friday, May 18. The data included patient records from at least 10 Colorado clinics and hospitals, and one hospital in Peoria, Illinois. It's unclear how many people may have seen the records.
Experts say the case likely runs afoul of federal health information privacy laws, even though there is no evidence that the records were misused.
The unsecured computer, which was accessible through a Web browser, was operated by Beacon Medical Services of Aurora, Colorado, which provides billing, coding and other services to emergency physicians at 17 facilities.
Beacon CEO Dennis Beck says he was shocked to learn about the breach and that the company took immediate steps to correct it.
"We've implemented a culture of compliance and data security and it just did not seem consistent with our culture, our practice and our experience," he said.
The medical records resided on an FTP server. FTP stands for File Transfer Protocol. It's a means by which users send and receive computer files over the Internet or private networks. In Beacon's case - and this is typical of the industry - health care providers sent encrypted data to the server for Beacon to access so it could bill patients and insurance companies. The data was unencrypted on Beacon's end, and the FTP server was not supposed to be accessible to the public. But in this case it was. No username or password was required to view the records.
The data included details of patients' visits to emergency rooms -- what ailments they complained of, diagnoses and treatments, and medical histories, along with the patients' names, occupations, addresses, phone numbers, insurance providers, and in some cases, Social Security numbers. Some of the records detailed sensitive cases, from sexually transmitted diseases to severe depression. The site also contained financial information, such as a list of low-income patients who received state aid to help pay their medical bills.
Beacon has employed two firms to help investigate what led to the security hole.
"It appears to us now at this point as if there was some back door that was opened to this server," said Beck. "We don't know when, but we believe it may have been done when a consultant did some work for us several years ago."
The company is trying to determine the exact number of patients affected, but Beck says the number looks to be fewer than 5,000.
Future Tense discovered the Beacon site after a tip from a source who stumbled upon it. We followed up on the tip, staying just long enough to confirm the existence of the records and get an idea what kind of data they contained. We notified several health care providers whose patient data was exposed. Those providers informed Beacon, which promptly shut the server down when it learned of the problem.
Bill Byron is spokesman for Banner Health Corporation, the parent company of McKee Medical Center of Loveland, Colorado, one of the providers whose data was included on the FTP site. Byron said McKee physicians won't transmit any more records to Beacon
until they're satisfied the security problem is fixed.
"We're trying to understand what our obligations are going to be, in terms of disclosing to patients that this has occurred, so that's still in process, to determine what we have to do," he said.
The Colorado medical records incident appears to be a serious violation of federal law governing medical record privacy, according to Janlori Goldman, director of the Health Privacy Project at Georgetown University.
"Large-scale breaches like this are not uncommon," she said. "They may not happen every day but they happen enough that you have to wonder, why aren't people taking greater care with this information?"
About a year ago, for example, a data security breach exposed medical information and Social Security numbers of some 26 million veterans after data was stolen from the home of an employee of the Department of Veterans Affairs.
Tomorrow on Future Tense, we'll explore the potential harm of compromised medical records, and at the federal law designed to protect patients. One critic of current law says patients have very little recourse when their most sensitive medical records become public.
Here is a list of physician groups, clinics and hospitals which had data of various kinds on the exposed site:
-McKee Medical Center of of Loveland, CO
-Big Thompson Emergency Physicians of Longmont, CO
-Presbyterian St. Luke's Hospital of Denver
-North Suburban Medical Center of Thornton, CO
-Carepoint Emergency Physicians of the greater Denver area
-Long's Peak Emergency Physicians
-Longmont United Hospital
-Boulder Community Hospital
-Emergency Medical Specialists PLC
-Memorial Hospital of Colorado Springs
-Proctor Hospital of Peoria, IL
Thursday, May 03, 2007
The Parliamentary Committee on Access to Information, Privacy and Ethics has just released its report following the five year PIEDA review:
ETHI (39-1) — Fourth Report: STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) — Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS - Committees of the House of Commons
The Standing Committee onACCESS TO INFORMATION, PRIVACY AND ETHICS
has the honour to present its
Pursuant to its mandate under Standing Order 108(2), the Committee has studied a Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and agreed to the following report:
The HTML version of this report will be available soon. In the meantime, the Committee is pleased to make available the report entitled STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) (.PDF, 262 KB) in printable format.
Here are the recommendations:
The Committee recommends that a definition of “business contact information” be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose.
The Committee recommends that PIPEDA be amended to include a definition of “work product” that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be added to the definition of “work product information” in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.
The Committee recommends that a definition of “destruction” that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA.
The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts.
The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees.
The Committee recommends that PIPEDA be amended to replace the “investigative bodies” designation process with a definition of “investigation” similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose .
The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modeled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada.
The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment.
The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts.
The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein.
The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts.
The Committee recommends that consideration be given to clarifying what is meant by “lawful authority” in section 7(3)(c.1) of PIPEDA and that the opening paragraph of section 7(3) be amended to read as follows: “For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […]”
The Committee recommends that the term “government institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities.
The Committee recommends the removal of section 7(1)(e) from PIPEDA.
The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard.
The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information.
The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form.
The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time.
The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.
The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities.
The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared.
The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (section 9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation.
The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.
The Committee recommends that upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.
The Committee recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a “without consent” power to notify credit bureaus in order to help protect consumers from identity theft and fraud.
Monday, April 02, 2007
The Canadian Internet Policy and Public Interest Clinic has released a number of very interesting working papers on the topic of identity theft. Check 'em out:
CIPPIC News « CIPPICThanks to Library Boy for the link.
CIPPIC has issued the first batch of a series of working papers on identity theft. The papers released today include Introduction and Background, Techniques of Identity Theft, and Legislative Approaches to Identity Theft (all PDF). Additional papers examining identity theft caselaw, law enforcement, and policy approaches, as well as a Bibliography on identity theft, will be forthcoming. These working papers reflect research conducted during 2006 with funding from the Ontario Research Network for Electronic Commerce (ORNEC).
Thursday, March 15, 2007
Stephane Dion, the leader of the Liberal Party of Canada, pledged in a speech yesterday to require breach notification if he becomes Prime Minister. He also pledged to implement the recommendations of the federal Anti-Spam Task Force:
Liberal.ca :: Speeches:
Protecting Our Homes and Our Rights March 14, 2007
- To protect Canadian seniors, we will act on the recommendations of the Privacy Commissioner to address the problem of identity theft. There were almost 8,000 reports of identity theft in the past year, resulting in more than $16 million being lost, much of it taken from vulnerable seniors. A lifetime of hard work and savings can vanish in an instant. We need tougher laws to prevent this kind of crime.
- One of the main recommendations of the Privacy Commission is that we need to change private-sector privacy laws, so companies are forced to notify customers when their personal information gets leaked. If your social security number gets into the wrong hands, you deserve to find out about it, so you can avoid becoming a victim of identity theft. This kind of change would finally cause businesses to take the security of their customers more seriously.
- Another recommendation is that we need laws implementing the recommendations of the federal Task Force on Spam – recommendations that have so far been ignored by the Conservatives. Spam is the weapon of choice for identity thieves, who use phony e-mails to trick people into revealing personal information. Canada is the only G-8 country without anti-spam legislation, and a Liberal government led by me will change that.
Thanks to Michael Geist for pointing me to Dion's speech.
PS: I'm not sure why the first point is solely for the protection of seniors.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.