The Information and Privacy Commissioner of Ontario has released written guidance on the "circle of care" under that province's Personal Health Information Protection Act, entitled Circle of Care: Sharing Personal Health Information for Health-Care Purposes.

Here's the news release:

Privacy Commissioner Cavoukian and seven health organizations team up to eliminate confusion over key element of health privacy law

TORONTO, Sept. 2 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, today released a new publication that includes specific practical examples to help clarify any confusion over when health information custodians can assume a patient's implied consent to collect, use or disclose personal health information.

The brochure, Circle of Care: Sharing Personal Health Information for Health-Care Purposes, was developed with the collaboration of seven health organizations. "This brochure cuts through the confusion surrounding the term circle of care," said the Commissioner. "We are using seven relevant examples from across the broader continuum of the health sector to provide such clarification."

"There had been some confusion in the health sector as to the meaning and scope of the circle of care concept," explained Commissioner Cavoukian. "In part, this may have been because the term does not appear in the Personal Health Information Protection Act, 2004. It is, however, commonly used in the health-care community to describe the provisions in the Act that permit health-care providers to assume a patient's implied consent to collect and use personal health information - and to share that information with other health-care providers - in order to provide health care to that patient, unless the patient expressly indicates otherwise."

The Act is based on the premise that privacy can be protected, without needless delays in the health system.

"Overall, the Act is working very well, but clarity needed to be brought to bear on the circle of care concept," said Commissioner Cavoukian.

The seven examples in the brochure address this. As a fictional 61-year-old patient is followed through much of the health-care system, the examples provide specific guidance relating to when a health provider can assume implied consent.

The seven health organizations that worked with the IPC include (in alphabetical order): the College of Physicians and Surgeons, the Ontario Association of Community Care Access Centres, the Ontario Association of Non-Profit Homes and Services for Seniors, the Ontario Hospital Association, the Ontario Long Term Care Association, the Ontario Medical Association and the Ontario Ministry of Health and Long-Term Care.

Here is a condensed version of one of the examples used in the brochure:

A patient is sent by his family doctor to a laboratory for blood and urine testing. A geriatrician, a specialist whom the patient has been referred to by his family doctor, would like to obtain the results of those tests. He would also like to obtain a list of the patient's current prescriptions from the pharmacy where he fills all his prescriptions.

Can the laboratory and pharmacy disclose this personal health information and can the geriatrician collect information based on assumed implied consent?

Yes. The laboratory, pharmacy and geriatrician may assume implied consent. The personal health information was received by the laboratory and pharmacy - and will be received by the geriatrician - for the purpose of providing health care to this patient.

"Personal health information may be shared within the circle of care - among health-care providers who are providing health care to a specific patient - but not outside that circle," stressed Commissioner Cavoukian. "Any sharing of personal health information with other health-care providers for purposes other than the provision of health care - or the sharing of personal health information with persons or organizations that are not health-care providers, such as insurers and employers - requires the express consent of the patient."

To see a copy of the brochure, visit http://www.ipc.on.ca/.

Labels: health information, ontario, phipa, privacy

ITBusiness has an interesting article on the collaboration between the Ontario Privacy Commissioner and Facebook, including a video interview with the commissioner: Your privacy, your responsibility says Ontario Privacy Commissioner.

Labels: facebook, ontario, privacy, social networking

This just crossed the wires and is likely of interest to those who followed the earlier discussions about using privacy legislation as an excuse for inaction.

CNW Group OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Ontario and B.C. Privacy Commissioners issue joint message: personal health information can be disclosed in emergencies and other urgent circumstances

Ontario and B.C. Privacy Commissioners issue joint message: personal health information can be disclosed in emergencies and other urgent circumstances

TORONTO, May 9 /CNW/ - In light of recent events, such as the tragic suicide of Nadia Kajouji, a student at Carlton University, and the Virginia Tech massacre of 2007, the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, and the Information and Privacy Commissioner of British Columbia, David Loukidelis, are reaching out to educational institutions, students, parents, mental health counsellors and healthcare workers in both provinces: personal health information may, in fact, be disclosed in emergencies and other urgent circumstances. The two Commissioners want to ensure that people realize that privacy laws are not to blame because they do permit disclosure.

The Commissioners want to send the clear message that privacy laws do not prevent counsellors or healthcare providers from contacting a person's family if there are real concerns that they may seriously hurt themselves. "When there is a significant risk of serious bodily harm, such as suicide, privacy laws in Ontario clearly permit the disclosure of personal information without consent, regardless of age. In such situations, schools may contact parents or others if there are reasonable grounds to believe that it is necessary to do so," says Commissioner Cavoukian. Commissioner Loukidelis adds that, "If there are compelling circumstances affecting health or safety, or if an individual is ill, B.C.'s privacy laws allow disclosure to next of kin and others, including school officials and health care providers. Individual cases can be fuzzy, but if someone uses common sense and in good faith discloses information, my office is not going to come down on them. Privacy is important, but preserving life is more important."

In Ontario, the Personal Health Information Protection Act (PHIPA) allows health care providers, such as mental health counsellors, to disclose personal health information when necessary to eliminate or reduce a significant risk of serious bodily harm. This would include disclosure to a physician or parent if there are reasonable grounds to believe it is necessary to do so. In fact, PHIPA specifically allows for this kind of disclosure in emergency or urgent situations. Commissioner Cavoukian clarified this in a Fact Sheet she issued in 2005 entitled, Disclosure of Information Permitted in Emergency or other Urgent Circumstances, available at http://www.ipc.on.ca/.

In British Columbia, Commissioner Loukidelis underscored, the public sector Freedom of Information and Protection of Privacy Act allows universities, schools, hospitals and other public institutions to disclose personal information where someone's health or safety is at risk. He also noted that the private sector Personal Information Protection Act contains similar authority to disclose personal information for health and safety reasons.

Both Commissioners are today announcing their joint project to issue a new publication aimed at clarifying the role that privacy laws play when workers are trying to decide whether they can disclose personal health information. Commissioner Cavoukian said of the joint project, "Our goal is to ensure that educational institutions understand the legislative framework in advance of problems occurring. We are looking forward to working further with the educational community - stay tuned."

Commissioners Cavoukian and Loukidelis are urging those responsible for the health and safety of others to educate themselves about how the privacy laws covering them apply to their work and familiarize themselves with the provisions allowing them to disclose personal health information in emergency situations. Commissioner Loukidelis says, "I know that frontline decisions have to be made quickly and sometimes the facts may not be as clear as you'd like. But there's no doubt that privacy laws support disclosures to protect health and safety." Commissioner Cavoukian agrees that privacy laws are not at fault. "To infer that privacy laws were responsible for someone's death is to completely misunderstand the role that privacy laws are designed to play. The tragedy here lies if you take a default position of non-disclosure and inaction," says Commissioner Cavoukian. She also adds that, "However, Commissioner Loukidelis and I both recognize that the decision to notify someone's family without their consent can be extremely difficult, requiring very sound judgment. We are also clear that notification cannot be done on a routine basis and that students need to feel reassured that their privacy will be protected when they seek counselling or other health care services."

Labels: bc, breach notification, health information, ontario, privacy

If you handle personal information and only read one privacy law article, this one should be it:

Far too often, bureaucrats, cops and others use poorly understood privacy laws as a justification for inaction. Maybe it's just that they don't fully understand the myriad rules and the multiplicity of exceptions.

Privacy laws are complicated and are not well understood, even by people whose day-to-day operations are affected by them. But they are generally sensible and coherent. And -- believe it or not -- they are laced with common sense.

I've had the opportunity to look at every privacy law in Canada and I don't think I've seen one that does not have a public interest override. A public body, in the public sector context, can disclose personal information without consent if it is in the public interest to do so. There are often other exceptions from the general rule that requires consent.

Some may recall the aftermath of the south Asian tsunami where the federal government said they couldn't name victims or survivors because of the Privacy Act. The Privacy Commissioner and others were pretty quick to point out s. 8 of the Privacy Act, which allows the government to disclose personal information where it is in the public interest:

8(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed

...

(m) for any purpose where, in the opinion of the head of the institution,

(i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or

(ii) disclosure would clearly benefit the individual to whom the information relates.

(I wrote about it on this blog at the time: Editorial urges that naming Canadian tsunami victims is in the public interest & Fallout from naming/not naming Canadian victims)

I was recently reminded of this in a discussion about the failure of the police in Merritt BC to identify a suspect on the lam after a family was found murdered. Police blamed privacy laws. (RCMP grilled for delay in alerting town over suspect) The National Post Editorial Board called them out on the misstep:

The Post editorial board on the Allan Schoenborn case: The RCMP's high-profile failure - Full Comment

...Two days later, Ms. Clarke returned from errands to find her children murdered, and their father vanished along with his dog. The RCMP, confronted with a gruesome spectacle that may have resulted from their failed efforts to get Schoenborn under lock and key, took nearly a full day to announce to the public in Merritt that he was the prime suspect in the killings. Their excuse? "Due to privacy concerns," said RCMP Staff Sergeant Scott Tod, "we had to make sure that we had information that this was the suspect before we released his name."

"Privacy" is a popular item these days in the lexicon of justice, as it is used by the Mounties. No act of ineptitude in communicating with the public can possibly escape its reassuring cover, even though every privacy law or code written down anywhere in the last 50 years contains public-interest exemptions.

Most recently, a University in Ontario has been called to account for not notifying the parents of a mentally ill student who subsequently committed suicide. Privacy laws were pointed to as preventing such action. Anne Cavoukian and her counterparts have reminded universities that these laws are easy scapegoats, but without exception contain provisions that allow privacy rights to be overridden in certain circumstances.

Universities grapple with providing health services, protecting privacy

...University officials say they followed procedures and couldn't tell Kajouji's parents about her mental health because of the province's privacy law. They also indicated universities that don't respect the privacy of their students' health information risk driving students away from the very services designed to help them.

Ontario's privacy commissioner, Ann Cavoukian, and several of her counterparts in other provinces, say universities need to have a clearer understanding of what privacy laws allow and they cautioned that too often privacy laws are the automatic target of blame when controversy arises.

Cavoukian's office provided a fact sheet several years ago to universities explaining the law allows them to disclose personal health information in "compelling circumstances" and if they believe on reasonable grounds it would eliminate or reduce the risk of bodily harm.

Determining whether a situation warrants disclosure is a judgment call, Cavoukian said in an interview, though the law affords protection to the decision-maker as long as he or she acted in good faith.

"If you are a health-care practitioner or a university professional and you have information relating to a student that is considering suicide and you fear for that person and want to reduce the risk of suicide, absolutely you are allowed to release that information," she said. "It's not an easy decision but it is one that is permitted under our privacy laws and I'm sick and tired of people saying that it's the privacy laws that prevented the counsellors from contacting the girl's parents. That's incorrect," she said.

... Suzanne Blanchard, vice-president for student support services, said in an e-mail message the university has specific procedures to deal with students who are in "imminent danger of doing harm to themselves or others."

"Carleton University has reviewed its actions in the aftermath of Nadia's tragic death. We believe that we followed all proper procedures and provided all the support services we could for Nadia," she said. "Carleton University is always diligent in its compliance with Ontario's privacy laws and we believe that we acted, and continue to act, in accordance with those laws."

Cavoukian said some universities take their obligations under the privacy law seriously, but there is still a lot of confusion. She plans to convene a meeting with the Council of Ontario Universities in an attempt to clarify any lingering questions.

Saskatchewan's privacy commissioner agreed there is a "significant need for more education" about the flexibility that is built into privacy laws.

"Sometimes you have people who don't want to do the wrong thing and so therefore you get a kind of paralysis and they don't share information even when the law allows them to and it's appropriate to do so," said Gary Dickson.

Dickson said Kajouji's death, while tragic, provides incentive for universities to ensure they are prepared to deal with students' mental health issues and with situations where informing the parents is up for debate. "Decisions will have to be made and then there have to be people with the appropriate training and judgment who can then make that discretionary decision," he said.

Frank Work, Alberta's privacy commissioner, said it has to be kept in mind Kajouji was an adult and the university may have felt her situation was under control. All the law asks is that a standard of reasonableness be applied, said Work.

"I think it's true in just about every privacy law, the standard is always reasonableness, not perfection," he said.

People will disagree on whether Carleton made the right decision, but one thing the privacy commissioners all agree on is the decision needs to be given due consideration.

"The worst case scenario is if it's just neglect. They saw the bus coming and they didn't yell: 'Get out of the way.' We don't know here. Hopefully in this case they made a judgment call," said Work.

Ontario's commissioner similarly said university officials have to take the time to make the difficult determination and should not rely on privacy laws as the default reason for not disclosing personal information.

"I would urge people to resist the knee-jerk reaction of automatically blaming privacy laws," Cavoukian said.

Here is the moral of this story: Whenever common sense or humanity seem to bump up against privacy laws, take a close look at the law and its exceptions. You will probably find that the drafters have designed the laws to accommodate common sense and humanity.

Labels: health information, ontario, privacy, public sector

I reported last month that the Information and Privacy Commissioner has issued a report on the proposal to dramatically increase video surveillance on public transit in Toronto. (Canadian Privacy Law Blog: Ontario Commissioner releases detailed report on TTC surveillance cameras)

InterGovWorld.com has an extensive article on the Commissioner's suggestion that reversible faceblurring technology may make the system more palatable. I spoke with the author, Rosie Lombardi, at length on the topic who has done a good job of summing up my take on the topic:

More privacy-boosting technology begets more video surveillance

... A point that's often overlooked is that privacy legislation is ultimately about feelings, says David TS Fraser, a privacy lawyer at Halifax-based law firm McInnes Cooper. "Although the legislation is written in a way that talks about personally identifiable information and identity theft, it's ultimately designed to protect people's sensibilities about unwanted intrusions," he says.

PET technology may not be enough to address those sensibilities unless the rules governing the use of surveillance are stated. "While the technology may do a good job of limiting the actual intrusions, I'm not sure it does much to address people's feelings about being watched. Unless the policies and procedures around surveillance are clearly communicated, it won't diminish that visceral feeling of unease about being spied upon."

Fear of the unknown is at the core. "If you see a cop at a corner, you can tell from his uniform who he is, what he's looking at, and if you've aroused his suspicions," he says. "But a camera is completely faceless. You don't know who's watching and how the information captured is used - will it wind up on late-night television?"

He notes a significant number of videos in these shows displaying people caught in embarrassing situations come out of Britain, where an extensive network of cameras in public places is rousing a public backlash. Cavoukian noted in her report that U.K. camera operators have caught entertaining themselves by zooming in on attractive women. "If you're going to outsource surveillance to a bunch of badly-paid guys locked in dark rooms, they're going to see more bums than bombs," agrees Fraser.

He concedes that automating the enforcement of policies and procedures around surveillance with PET technology rather than relying on fallible human operators to refrain from misusing the information offers some comfort. But he warns this may have the unintended effect of increasing video surveillance. "Unfortunately, this stuff makes it more acceptable to put video cameras all over the place, and by making it better and safer with less intrusive technology, it may ironically lead to more surveillance."

Labels: media-mention, ontario, privacy, surveillance, vanity, video surveillance

The Ontario Information and Privacy Commissioner is investigating after old medical records were found in a dumpster behind a coffee shop by a retiree. The affected patients will have to be notified as the information is subject to PHIPA, which contains Canada's only mandatory breach notification. See: TheSpec.com - Local - St. Joe's patient files found in dumpster.

Labels: breach notification, health information, incident, ontario, phipa, privacy

Last week's New York Times had an editorial on Safeguarding Private Medical Data:

... These are good steps, but a larger solution is needed. There should be a federal law imposing strict privacy safeguards on all government and private entities handling medical data. Congress should pass a bill like the Trust Act, introduced by Representative Edward Markey, a Democrat of Massachusetts, imposing mandatory encryption requirements and deadlines for notifying patients when their privacy is breached. As the N.I.H. has shown, medical privacy is too important to be left up to the medical profession.

In today's edition, Ontario's Information and Privacy Commissioner responds:

Ontario’s Example on Privacy - New York Times

To the Editor:

Re: Editorial: Safeguarding Private Medical Data (March 26, 2008)

I couldn’t agree with you more. In Ontario, we take privacy very seriously, especially when it comes to medical data.

Four years ago, we passed the Personal Health Information Protection Act, or Phipa, and haven’t looked back. This law provides solid privacy protection for health data but doesn’t act as a barrier to the delivery of health services. It doesn’t interfere with health care but ensures that it comes wrapped in a layer of privacy.

As privacy commissioner of Ontario, I can investigate complaints and issue orders if Phipa is breached. One order I issued requires that any identifiable health data must be encrypted if removed from a health care facility on a laptop or any other medium.

Medical privacy is far too important to be left to chance, or to the well intentioned. Strong legislated safeguards are needed.

Take a look at Phipa, which could serve as an excellent model.

Ann Cavoukian

Toronto, March 27, 2008

Labels: health information, laptop, ontario, phipa, privacy

The Toronto Sun is reporting that information about children who participated in a city-funded summer program was found in an open trash bin in a Toronto apartment building. The Sun also notes that a resident of the building was recently charged for child pornography offenses, but the two do not appear to be related.

TorontoSun.com - Toronto And GTA- Kids' data exposed

Documents containing detailed information on children who participated in a city-funded summer program were carelessly left out in the open at a public housing apartment building where a man was recently charged with possession of child pornography.

George Pappas, director of the Glamorgan Resident's Association, was running one of his weekly social events for the residents when he and another member of his group found approximately 200 pages near the top of a garbage can in the rec room.

The papers contained the birth dates, health card numbers, contact details and other personal information on children from 6 and 7 Glamorgan Ave. and other nearby Toronto Community Housing buildings who participated in the summer program. ...

Labels: health information, incident, ontario, privacy

The Information and Privacy Commissioner of Ontario has released an extensive report on the use of video surveillance by the Toronto Transit Commission. The report can be found here: Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report - Privacy Investigation Report MC07-68.

From the media release:

TTC’s surveillance cameras comply with privacy Act, but additional steps needed to enhance privacy protection, says Privacy Commissioner Ann Cavoukian

TORONTO – Ontario Information and Privacy Commissioner Ann Cavoukian ruled today that the Toronto Transit System’s expansion of its video surveillance system, for the purposes of public safety and security, is in compliance with Ontario’s Municipal Freedom of Information and Protection of Privacy Act – but she is calling on the TTC to undertake a number of specific steps to enhance privacy protection.

The Commissioner’s office conducted a four-month special investigation that went beyond the scope of the usual privacy investigation conducted in that it included:

• A detailed review of the literature and analysis from various parts of the world on the effectiveness of video surveillance;
• An examination of the role that privacy-enhancing technologies can play in mitigating the privacy-invasive nature of video surveillance cameras; and
• A detailed investigation into a privacy complaint by U.K-based Privacy International about the expansion of the TTC’s video surveillance system.

“Video surveillance presents a difficult subject matter for privacy officials to grapple with impartially because, on its face, it is inherently privacy-invasive due to the potential for data capture – despite that fact, there are legitimate uses for video surveillance … that render it in compliance with our privacy laws,” said the Commissioner. “Mass transit systems like the TTC, that are required to move large volumes of people, in confined spaces, on a daily basis, give rise to unique safety and security issues for the general public and operators of the system.”

“The challenge we thus face is to rein in, as tightly as possible, any potential for the unauthorized deployment of the system. We have attempted to do this by ensuring that strong controls are in place with respect to its governance (policy/procedures), oversight (independent audit, reportable to my office) and, the most promising long-term measure, the introduction of innovative privacy-enhancing technologies to effectively eliminate unauthorized access or use of any personal information obtained.”

While the expectation of privacy in public places is not the same as in private places, it does not disappear. People have the right, the Commissioner stresses in her report, to expect the following when it comes to video surveillance:

• That their personal information will only be collected for legitimate, limited and specific purposes;
• That the collection will be limited to the minimum necessary for the specified purposes; and
• That their personal information will only be used and disclosed for the specified purposes.

“These general principles,” said Commissioner Cavoukian, “should apply to all video surveillance systems. Where developments such as video surveillance in mass transit systems, like the TTC, can be shown to be needed for public safety, you must also ensure that threats to privacy are kept to an absolute minimum.”

Among the 13 recommendations the Commissioner is making to the TTC are the following:

• That the TTC reduce its retention period for video surveillance images from a maximum of seven days to a maximum of 72 hours (the same standard as the Toronto Police), unless required for an investigation;
• That the TTC’s video surveillance policy should specifically state that the annual audit must be thorough, comprehensive, and must test all program areas of the TTC employing video surveillance to ensure compliance with the policy and the written procedures. The initial audit should be conducted by an independent third party using Generally Accepted Privacy Principles, and should include an assessment of the extent to which the TTC has complied with the recommendations made in this special report;
• That the TTC should select a location to evaluate the privacy-enhancing video surveillance technology developed by University of Toronto researchers, K. Martin and K. Plataniotis; and
• That, prior to providing the police with direct remote access to the video surveillance images, the TTC should amend the draft memorandum of understanding (MOU) with the Toronto Police to require that the logs of disclosures be subjected to regular audits, conducted on behalf of the TTC. A copy of the revised draft MOU should be provided to the Commissioner prior to signing.

EMERGING PRIVACY-ENHANCING TECHNOLOGY

The Commissioner devotes part of her 50-page special report, and a specific recommendation, to the area of emerging privacy-enhancing video surveillance technology.

“In light of the growth of surveillance technologies, not to mention the proliferation of biometrics and sensoring devices, the future of privacy may well lie in ensuring that the necessary protections are built right into their design,” said the Commissioner. “Privacy by design may be our ultimate protection in the future, promising a positive sum paradigm instead of the unlikely obliteration of a given technology.”

As an example of the research being conducted into privacy-enhancing technologies, the Commissioner cites the work of researchers Karl Martin and Kostas Plataniotis at the University of Toronto, who used cryptographic techniques to develop a secure object-based coding approach. While the background image captured by a surveillance camera can be viewed, the sections where individuals are caught in the image would automatically be encrypted by the software. Designated staff could monitor the footage for unauthorized activity, but would not be able to identify anyone. Only a limited number of designated officials with the correct encryption key could view the full image.

The Commissioner is recommending that the TTC select a location to evaluate the video surveillance technology developed by Martin and Plataniotis.

A copy of the special report is available on the IPC’s website, www.ipc.on.ca.

Labels: ontario, privacy, public sector, retention, surveillance, video surveillance

In an apparently unprecedented move, the Information and Privacy Commissioner for Ontario, Ann Cavoukian, has issued a cease and desist order and an order to destroy personal information related to the collection of personal information from people who sell second hand goods to resellers. This follows a battles in the Ontario courts, where the Commissioner's position was ultimately upheld by the Court of Appeal (See: Canadian Privacy Law Blog: Oshawa second-hand store bylaw invades privacy). For more info from the Commissioner's office, see: Privacy Commissioner Ann Cavoukian issues seminal Order to cease collecting detailed personal information from individuals selling used goods, and to destroy all existing records.

I think this is a very important move on the part of the Commissioner.

We are seeing a growing trend in Canada that forces some serious thought about privacy. Private businesses are increasingly being conscripted to collect information on behalf of law enforcement or for law enforcement purposes. For example, money laundering legislation, no-fly lists operated by airlines, "lawful access" and databases of used goods sellers. Meanwhile, the Privacy Commissioners and privacy advocates are taking a stronger stand against this. We've seen various statements and submissions to legislative committees, unanimous declarations against the no-fly list and now the exercise of dramatic coersive powers. It will be very interesting to see how this all plays out.

Labels: air travel, law enforcement, lawful access, ontario, privacy, public sector, surveillance

Earlier this week, the Ontario Court of Appeal, in Cash Converters Canada Inc. v. Oshawa (City) (July 4, 2007) (an appeal from Cash Converters Canada Inc. v. Oshawa (City), 2006 CanLII 3469 (ON S.C.)), overturned a City of Oshawa Bylaw that required sellers of second hand goods to collect detailed personal information about those who sell second hand goods to the stores. The bylaw was inconsistent with the Municipal Freedom of Information and Protection of Privacy Act.

Here's what the Toronto Star had to say about it:

TheStar.com - News - Oshawa second-hand store bylaw invades privacy: Court

Tracey Tyler

LEGAL AFFAIRS REPORTER

The Ontario Court of Appeal has struck down sections of a controversial Oshawa bylaw that require second-hand dealers to collect detailed personal information from people who sell them goods and transmit the data to police.

The bylaw conflicts with provincial privacy legislation, which requires the collection and retention of personal information to be strictly controlled, the court ruled Wedneday, The 3-0 decision could influence challenges to similar bylaws in other parts of the country, including Alberta and British Columbia.

“This decision comes at a time when cities are gaining broader law-making powers,” said David Sterns, a lawyer representing the Oshawa franchise of Cash Converters Canada Inc., a second-hand store that challenged the bylaw.

“The court has sent a strong signal that all forms of information gathering and surveillance by municipalities are subject to the public’s overriding right to privacy.”

Under the Oshawa bylaw, passed by the city in 2004 as part of a new licensing system for second-hand dealers, stores were required to record the name, address, sex, date of birth, phone number and height of their vendors, who also had to produce three pieces of identification, such as a driver’s licence, birth certificate or passport.

“This information is then transmitted and stored in a police data base and available for use and transmissions by the police without any restriction and without any judicial oversight,” said Justice Kathryn Feldman said, writing on behalf of Associate Chief Justice Dennis O’Connor and Justice Paul Rouleau.

Store owners were required to send reports to police at least daily, in some cases at the time of purchase. The city argued the bylaw was meant to protect consumers from purchasing stolen goods.

But the municipality offered no evidence of a growing problem involving the sale of stolen goods to second-hand dealers, said Feldman.

Nor is there evidence that unscrupulous people are more likely to be deterred by the electronic collection and transmission of personal information, she said.

In 2003, Cash Converters purchased more than 28,000 used items from people in 2003. About 30 of those were seized by police in connection with criminal investigations.

It’s unknown whether any were confirmed as stolen, the court said.

The bylaw did not apply to pawn shops, which are provincially regulated.

See, also, James Daw's column: TheStar.com - columnists - New ruling stands up for privacy.

Labels: alberta, bc, british columbia, law enforcement, ontario, privacy, public sector, retention, surveillance

Ontario's new Adoption Information Disclosure Act is being challenged in the courts and it looks like those arguing in favour of privacy are facing an uphill battle:

TheStar.com - News - Adoptees challenge disclosure legislation

"I'm not ready to buy those three words: right to privacy," said Justice Edward Belobaba, who noted earlier that the lawyers mounting the constitutional challenge on behalf of three adoptees and a birth parent "have the tougher job."

Labels: ontario, privacy

Yesterday, Anne Cavoukian released the 2006 annual report for the Office of the Information and Privacy Commissioner of Ontario. It's a pretty slick report and chock full of interesting info.

Labels: ontario, privacy

The Information and Privacy Commissioner of Ontario yesterday released order HO-004 under the Personal Health Information Protection Act following the theft of a laptop containing confidential personal health information on 2,900 patients at the Sick Kids hospital in Toronto.

The order requires the hospital

• to develop or revise and implement policies and procedures the ensure that records of personal health information are safeguarded
• to develop a corporate policy that prohibits the removal of identifiable personal health information in from the premises. If identifiable personal health information must be removed in electronic form, it must be encrypted;
• to develop an encryption policy for mobile computing devices, a policy relating to the use of virtual private networks, a privacy breach policy, and to educate staff regarding the policies how to secure the information contained on mobile computing devices.

While the order directly relates to a hospital, it would applyl to all health information custodians in the province of Ontario and will likely serve as guidance to all health care providers in the country.

For more info, see TheStar.com - News - Sick Kids ordered to encrypt all electronic patient files.

Labels: breach notification, health information, laptop, ontario, phipa, privacy

The Winter 2007 edition of the Ontario Information and Privacy Commissioner's Perspectives was just released. It includes a look at some of the major projects relating to privacy or freedom of information that her office has been working on.

The newsletter also contains reviews of recent significant orders issued under the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, or the Personal Health Information Protection Act, information about recent IPC publications, upcoming presentations and more.

Labels: health information, ontario, phipa, privacy

Thanks to John Gregory for passing this along ...

Bill 152 has now passed in the Ontario Legislature and is heading for royal assent. This Bill contains a number of amendments to a range of statutes, but most interestingly provides for the creation of regulations for notifications if information is disclosed contrary to the Freedom of Information and Protection of Privacy Act (and its equivalent that applies to municipalities):

9. Subsection 60 (1) of the Act is amended by adding the following clauses:

(b.1) requiring the head of an institution to assist persons with disabilities in making requests for access under subsection 24 (1) or 48 (1);

. . . . .

(d.1) providing for procedures to be followed by an institution if personal information is disclosed in contravention of this Act;

. . . . .

(f.1) respecting the disposal of personal information under subsection 40 (4), including providing for different procedures for the disposal of personal information based on the sensitivity of the personal information;

It'll be interesting to see what the regs look like.

Labels: breach notification, ontario, privacy, public sector

The Ontario Superior Court of Justice has just released an interesting case considering relief from the implied undertaking rule and the potential of a tort of invasion of privacy in Ontario. (The implied undertaking rule generally prohibits the use of any information obtained in litigation for a purpose other than the instant litigation.)

Shred-Tech Corp. v. Viveen, 2006 CanLII 41004 (ON S.C.) is a case in which Shred-Tech is suing former employees for violating a non-competition covenant. The plaintiff Shred-Tech hired a private investigator to look into the situation and the PI's report was part of the rationale for initiating the lawsuit. When the PI's report was disclosed to the defendants as part of pre-trial discovery, the defendants discovered that the PI had obtained the defendants' calling records from Bell Canada and had covertly videotaped on the defendants' new business premises.

In the motion before the Court, the defendants sought an order for relief from the implied undertaking rule so they could use the materials to launch complaints under the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5; and the Private Investigators and Security Guards Act, R.S.O. 1990, c.P. 25.

The Court granted the order requested and made the following observations (the observations about the tort of invasion of privacy must be considered to be obiter dicta, but will likely be quoted as further support of the existence of the tort in Ontario):

The distinguishing feature of this motion is the reference to privacy rights, a relatively new development in our law. Public concern as to the manner of collecting personal information, and the use made of it resulted in legislative response. The Personal Information Protection and Electronic Documents Act came into existence in 2000 and is presently under review, no doubt due to the now recognized importance of privacy rights. A regulatory body was established to handle complaints regarding contraventions. There is, of course, other legislation that may be relevant to the nature of the complaint regarding the investigator’s conduct.

[27] In Ferency v. MCI Medical Clinics 2004 CanLII 12555 (ON S.C.), (2004), 70 O.R. (3d) 277 (Ont. S.C.J.), the defendant retained a private investigator to conduct video surveillance of the plaintiff. At trial, the defendant sought to use the video evidence for impeachment purposes. The plaintiff’s opposition to admission of the evidence relied on the Personal Information Protection and Electronic Documents Act. Dawson J. rejected the plaintiff’s submissions and raised the question of the statute’s application in the circumstances of that case. He also determined, by applying the principles of agency, it was the defendant who, in effect, collected the information for personal use in the defence of the plaintiff’s allegations.

[28] Ferency, as noted, dealt with the issue of admissibility of evidence at trial. Of particular importance was that the surveillance occurred in public. Dawson J. found the plaintiff had given “implied consent” saying at para. 31:

The complainant has effectively, by commencing this action and through her pleadings, put the degree of injury to her hand and its effect on her life into issue. One who takes such a step surely cannot be heard to say that they do not consent to the gathering of information as to the nature and extent of their injury or the veracity of their claim by the person they have chosen to sue. Consent is not a defined term under the Act, and there is no indication in the Act that consent cannot be implied.

[29] In the case at bar, however, the defendant’s present evidence to suggest information was obtained in circumstances that do not support a finding of consent, implied or otherwise, particularly with reference to their Bell Canada records.

[30] There is some debate as to whether there now exists a tort of invasion of privacy. I am of the view recognition of such a tort in law is the logical result of the acknowledgment of privacy rights. There must be a remedy available for the breach of any right. In this regard, I am in agreement with the comment by Stinson J. in Somwar v. McDonald’s Restaurant of Canada Ltd., [2006] O.J. No. 64 (Ont. S.C.J.) where, at para. 29, he said:

With advancements in technology, personal data of an individual can now be collected, accessed (properly and improperly), and disseminated more easily than ever before. There is a resulting increased concern in our society about the risk of unauthorized access to an individual’s personal information. The traditional torts such as nuisance, trespass, and harassment may not provide adequate protection against infringement of an individual’s privacy interests. Protection of those privacy interests by providing a common law remedy for their violation would be consistent with the Charter values and an ‘incremental revision’ and logical extension of the existing jurisprudence.

[31] The investigation appears to have resulted from the concerns of the plaintiff regarding the conduct of the defendants in establishing a competing business. The allegations raised by the defendants regarding the manner of the investigative process are serious. Evidence is provided in support of these allegations. The evidence is not challenged. Indeed, by their failure to defend the counterclaim and respond to this motion, Sintrack and Mrowiec are deemed to admit the validity of the allegations. The defendants’ Bell Canada records, for example, were obtained by the investigator without the consent of the defendants or court order. The obvious question is how such occurred and, indeed, whether an illegal act is involved.

[32] The evidence presented by the defendant is sufficient to establish, at least, the basis of their claim. This triable issue will be determined in due course.

[33] In this case, it would be unjust to restrict the enforcement of privacy rights to the lawsuit. If the rights were violated, damages may be awarded but such, in my view, ought not be the exclusive remedy. Regulatory bodies, established for this very purpose, must be permitted to investigate the complaint and have made available to it the best evidence. Preventing a regulatory investigation, by restricting the evidence that may be considered would, in effect, condone what may be an illegal act. Such is clearly not the intent of the deemed undertaking rule.

[34] The defendants have established entitlement to the relief claimed on this motion regarding Sintrack and Mrowiec. The intended complaint is not for an improper purpose but, rather, for a legitimate inquiry by a regulatory body. While connected to the issues raised in the lawsuit, the complaint goes further in terms of the challenged conduct.

[35] There is no evidence, at present, implicating the plaintiff or its corporate officials in the investigative process. Indeed, in their defence to the counterclaim, they deny any involvement. It is to be noted, as well, the plaintiff made disclosure of the investigative report and other information as required in the discovery process.

[36] Counsel for the defendants relies on the concept of agency in arguing in favour of allowing the complaint to proceed regarding the plaintiff, Glass and Roberto. The principles of agency may be relevant in a consideration of admissibility of evidence, such as in Ferency, or with respect to the tort claim. To subject others to a regulatory investigation necessitates a foundation for the claimed relief. Agency, in my view, is insufficient for this purpose.

[37] Counsel for the defendants also suggested a lack of evidence ought not be a determining factor, referring to the comments of Granger J. in 755568 Ontario Ltd. v. Linchris Homes Ltd., supra, at p. 651 where he said:

The plaintiff in its motion, which is not supported by any affidavit material setting out its motive, seeks leave to send the transcripts of the examinations for discovery to the police in order that an investigation can be carried out, and presumably charges laid, if there are reasonable and probable grounds to believe that an offence has been committed. In my view I need not, nor should I, determine if there are reasonable and probable grounds to believe the defendants have committed a criminal offence. The sole issue is whether the request of the plaintiff is a bona fide request or made for a collateral purpose.

[38] With respect, I do not read this passage as saying evidence is not required. Granger J. refers to a “bona fide request” which, in my view, necessitates some evidence. Otherwise, an innocent party could be subjected to regulatory or other investigation. Such would be prejudicial in terms of the lawsuit and, as well, improper.

[39] In this respect, the motion as it pertains to Shred-Tech, Glass and Roberto is premature. Examinations for discovery have not yet taken place. It may be that evidence will become available and, therefore, the defendants ought then be permitted to seek relief. At this point, however, without an evidentiary foundation, the motion must be dismissed as against these parties.

[40] On behalf of the plaintiff, counsel submits prejudice will result even by allowing the complaint to proceed with respect to the investigators. No affidavit or other evidence was presented in support of this position. Judicial notice, as referred to in Ribeiro, would acknowledge the possibility of some involvement in the complaint process, such as a witness. It is to be noted, however, it was the plaintiff who retained the investigators.

[41] I do not see any significant prejudice to the plaintiff in this regard. Any prejudice is far outweighed by the injustice to the defendants if the complaint could not proceed. The defendants have an absolute right to present their complaint to the regulatory bodies. The documents and other information is the best evidence and such is of critical importance in a regulatory inquiry.

[42] I am also of the view there is a public interest in allowing the complaint to proceed against the investigators. A potential breach of a privacy right is an important matter for the complainant and for the public. If the complaint is found to be legitimate, prevention of future abuse of the rights of others is an important consideration.

Labels: ontario, privacy, surveillance, tort, video surveillance

The Federal Court of Appeal yesterday released its decision in Blood Tribe Department of Health v. Canada (Privacy Commissioner). This is the important decision in which the Federal Court had held that the Privacy Commissioner had jurisdiction to review documents that are claimed to be privileged to determine if the privilege was properly claimed in a request for access (FCT case).

The Court of Appeal held (and forgive the bad OCR of a faxed copy of the decision -- a cleaned up version will appear shortly):

(e) How to Deal with a Claim of Solicitor-Client Privilege under PIPEDA

[31] Section 15 of PIPEDA permits the Commissioner to apply to the Federal Court in relation to any matter referred to in section 14 which in turn encompasses solicitor-client privilege pursuant to subsection 9(3) of that Act (supra, at paragraph 4).

[32] The Intervener, the Law Society of Alberta, directed the panel to the Supreme Court of Canada of R v, McClure, 2001 SCC 14 [McClure]. That case outlined useful principles to be applied regarding a review of solicitor-client privilege by civil and criminal courts. McClure faced sexual charges from twelve former students, including one 'J.C.' who had also commenced a civil action. In the criminal action, McClure sought production of JC's civil litigation file in order to determine the nature of his allegations and to test his motivation in fabricating or exaggerating incidents of abuse. Major J. outlhed a three stage procedural test to protect the solicitor-client privilege. In the first two stages, the party seeking privileged material must establish that there i s no other compellable source for the privileged information as well as an evidentiary basis upon which to conclude that the information would be legally useful. In the third stage, the judge must then examine the documents and will not release them unless satisfied that they would likely give rise to an issue of relevance pertinent to the ,ultimate disposition of the case.

[33] In my analysis, the Commissioner's ability to conduct her investigation is not fettered by a rule that protects privileged communication. In circumstances where a broad claim of solicitor client privilege is used as a shield to thwart on investigation, judges of the Federal Court are equal to the task of developing procedures that adequately minimize the potential invasion of the privilege (see also Goodis v. Ontario (Ministry of Correctional Services}, 2006 SCC 3 1 at paragraph 2 1).

V. Conclusion

[34] In summay, the Judge erred in adopting a purposive and liberal interpretation of paragraphs 12(l)(a) and (c) of PIPEDA and in adopting AIA principles in a PIPEDA review. The appeal should be allowed, the order of the Judge dated March 8, 2005 should be set aside and the Commissioner's order for production of rccords dated October 22, 2003 should be vacated. Costs to the appellant in this appeal. No costs were sought by the intervener, the Law Society of Alberta.

Labels: alberta, health information, litigation, ontario, pipeda review, privacy

As alluded to earlier this week, the Information and Privacy Commissioner of Ontario has released her whitepaper, 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age. It's interesting reading but probably will not be comprehensible to lay readers. Here's the media release and links for more info:

IPC - Commissioner Ann Cavoukian unveils plan for privacy-embedded Internet identity

TORONTO – Consumers today are being spammed, phished, pharmed, hacked and otherwise defrauded out of their personal information in alarming numbers, in large part because there are few reliable ways for them to distinguish the “good guys” from the “bad” online.

Dr. Ann Cavoukian, Information and Privacy Commissioner of Ontario, today announced her support for a global online identity system framework by outlining seven far-reaching “privacy-embedded” laws, which would help consumers verify the identity of legitimate organizations before making online transactions.

These laws were inspired by the 7 Laws of Identity formulated through a global dialogue among security and privacy experts, headed by Kim Cameron, Chief Identity Architect at Microsoft. The 7 Laws of Identity propose the creation of a revolutionary “identity layer” for the Internet, providing a broad conceptual framework for a universal, interoperable identity system.

Dr. Cavoukian’s 7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age incorporates additional key insights from the privacy arena. An extension of the original 7 Laws, they encourage privacy-enhanced features to be embedded into the design of the IT architecture and be made available early in the emerging universal identity system.

The Internet was built without a way to know who and what individuals are connecting to. This limits what people can do and exposes computer users to potential fraud. If the IT industry and government do nothing, the result will be rapidly proliferating episodes of theft and deception that will cumulatively erode public trust. That confidence is already eroding as a result of spam, phishing and identity theft, which leaves online consumers vulnerable to the misuse of their personal information and minimizes the future potential of e-commerce. The Privacy-Embedded Laws of Identity support the global initiative to empower consumers to manage their own digital identities and personal information in a much more secure, verifiable and private manner.

“Just as the Internet saw explosive growth as it sprang from the connection of different proprietary networks, an ‘Identity Big Bang’ is expected to happen once an open, non-proprietary and universal method to connect identity systems and ensure user privacy is developed in accordance with privacy principles,” said Dr. Cavoukian. “Microsoft started a global privacy momentum. Already, there is a long and growing list of companies and individuals who now endorse the7 Laws of Identity and are working towards developing identity systems that conform to them.”

“We are honoured to work with Dr. Cavoukian on this project, who along with us and other IT companies are endorsing global privacy laws and fair information practices,” said Peter Cullen, Chief Privacy Strategist, Microsoft. “Best business practices that ensure both security and identity are what is needed to help keep the Internet’s integrity intact. These 7 Laws, with specific articulation of privacy protections, are a big step in that direction.”

Other privacy-enhanced laws will help to minimize the risk that one’s online identities and activities will be linked together, said Dr. Cavoukian. “We already expect this in the real world when we present a library card, for example, to check out a book, and present our passport to cross a national border. We don’t expect these to be linked together. Nor is the access card we use to enter our office the same as the transit pass we use to board a bus. In the physical world, different transactions require different identity credentials, but they need not be linked together. It should be no different in the online environment.”

The next generation of intelligent and interactive web services (“Web 2.0”) will require more, not fewer, verifiable identity credentials, and much greater mutual trust to succeed.

Identity systems that are consistent with the Privacy-Embedded Laws of Identity will help consumers verify the identity of legitimate organizations before they decide to continue with an online transaction.

These Privacy-Embedded Laws offer individuals:

• easier and more direct user control over their personal information when online;
• enhanced user ability to minimize the amount of identifying data revealed online;
• enhanced user ability to minimize the linkage between different identities and actions;
• enhanced user ability to detect fraudulent messages and websites, thereby minimizing the incidence of phishing and pharming.

Corresponding Privacy-Embedded Principles

Take, for example, Law #1, Personal Control and Consent, which emphasizes that individuals should be in full local control of their own identity information, and exercise informed consent over how their identity information is collected and used by others. One privacy benefit of applying this principle is that identity credentials could be stored locally and securely on a user’s own computer rather than in a centralized online database.

Another example: Law #2, Minimal Disclosure for Limited Use: Data Minimization, speaks to building technical identity systems that minimize the amount of identity information used and disclosed in a given online transaction. In the privacy world, a cardinal rule is that the identification provided should be proportional to the sensitivity of the transaction and its purpose. Why should a credit card number ever be used to verify one’s age? Put another way, why isn’t there a credential that allows people to prove they’re over 65 without revealing all of their other identity information? If someone can prove she is a bona fide university student to gain preferential access to online resources at other educational institutions, then why is her name needed? These privacy-enhanced solutions are all possible under the Privacy-Embedded Laws of Identity.

“We call upon software developers, the privacy community and public policymakers to consider the Privacy-Embedded Laws of Identity closely, to discuss them publicly, and take them to heart,” Dr. Cavoukian declared. “In joining with us to promote privacy-enhanced identity solutions at a critical time in the development of the Internet and e-commerce, both privacy and identity/security will more likely be strongly protected.”

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.

Additional Resources:

7 Laws of Identity: The Case for Privacy-Embedded Laws of Identity in the Digital Age

Kim Cameron’s Identity Weblog

The LAWS OF IDENTITY The key to this site: an introduction to Digital Identity – the missing layer of the Internet.

The IDENTITY METASYSTEM A proposal for building an identity layer for the Internet

Labels: cardsystems, health information, identity theft, ontario, phipa, privacy

Anne Cavoukian, the Information and Privacy Commissioner of Ontario, always has interesting things to say. The Canadian Press is running an article foreshadowing a press conference to take place in Toronto on Wednesday:

CANOE -- CNEWS - Tech News: Internet Privacy commish calls for Net ID system

TORONTO (CP) — Ontario Privacy Commissioner Ann Cavoukian warns online fraud is threatening to cripple e-commerce on the Internet.

She says because of the growth of online fraud, the identity infrastructure of the Internet is no longer sustainable.

Cavoukian will hold a news conference in Toronto on Wednesday to outline what could, and should, be done to foster the development of a universal identity system....

I think I need to be convinced that a university identity system is needed and how it will work without becoming incredibly intrusive. But I'll keep an open mind until Wednesday.

Labels: ontario, privacy

Thanks to the Canadian Information Technology Law Association's blog (http://www.it-can.ca/blog/?p=70) for ferreting out this interesting case from Ontario.

In Re S.C., 2006 ONCJ 343 (CanLII), a Justice of the Peace denied a police officer's application for a search warrant related to a specific individual. The police had obtained the individual's name and address from Bell, his internet service provider, who had provided it in response to a request "pursuant to PIPEDA". Oddly, the demand for information faxed to Bell strongly suggested that the ISP was required to provide the information because of PIPEDA.

The Justice of the Peace considered the consent exception contained in s. 7(3)(c.1)(iii) of PIPEDA, which reads:

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

. . .

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority (emphasis added) to obtain the information and indicated that . . .

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

The Justice of the Peace considered (the correct, in my view) application of that section:

[9] However, s. 7(3) stipulates that the information can be provided without consent only if the body seeking the information has "identified its lawful authority to obtain the information" and has indicated that the disclosure is requested (in this case) for law enforcement purposes. The Act does not set out that the existence of a criminal investigation is, in and of itself, “lawful authority” within the meaning of the Act nor, therefore, does a “Letter of Request for Account Information Pursuant to a Child Sexual Exploitation Investigation” establish such authority. Accordingly, there must still be some “legal authority” to obtain the information; in the view of this Court s. 7(3)(c.1)(ii) by itself does not establish what that “lawful authority” is. The section provides authority for disclosing information. It does not establish the authority for obtaining and possessing the information.

[10] The Information to Obtain does not otherwise reflect that the Informant established to Bell Canada the lawful authority, within the meaning of the Act, by which the investigators were seeking to obtain the requested information. Accordingly, Bell Canada did not have a basis upon which to disclose the information.

[11] In the absence of express authority within the legislation, the Charter right not to have one’s reasonable expectation of privacy interfered with, except through prior judicial authorization with all the protections that affords, must govern. Accordingly, it is the view of this Court that the Informant is not lawfully in possession of the information that was provided by Bell Canada. Therefore, that information must be set aside in the overall consideration of this application to obtain a search warrant.

[12] The balance of the information contained in the Information to Obtain does not, however, establish a reasonable nexus between the matters being investigated and the individual and residence identified as the targets for the warrant to search.

[13] Therefore, the request for a search warrant is denied.

In short, just because someone has a badge or official looking letterhead doesn't mean they have "lawful authority". The appropriate response to a request such as this is "come back with a warrant".

Labels: lawful authority, ontario, privacy

The Information and Privacy Commissioner of Ontario and the Bank of Montreal have just released a brochure related to safety, security and privacy in using mobile devices. Here's the media release:

IPC - Guard the information you take out of the office, urges Privacy Commissioner Ann Cavoukian:

NEWS RELEASE : September 7, 2006

Guard the information you take out of the office, urges Privacy Commissioner Ann Cavoukian

In a number of recent cases, thousands of people have found themselves facing the potential threat of identity theft simply because someone took a laptop – packed with people’s personal information – home with them or on a business trip, and the laptop was later lost or stolen.

Ontario’s Information and Privacy Commissioner, Ann Cavoukian, and BMO Financial Group (BMO) have met this challenge head on by partnering together to create a joint brochure, Reduce Your Roaming Risks – A Portable Privacy Primer, which outlines specific steps that everyone can take to minimize the chance that the information contained on one’s laptop or personal digital assistant (PDA) will be accessed by unauthorized parties.

“With today’s technology, people have the flexibility to connect to their organization’s network from virtually anywhere in the world,” said Commissioner Cavoukian. “But working away from the bricks and mortar office means that you are also working outside of the traditional security layers. You need to re-assess the privacy and security risks associated with working remotely or while travelling.”

“It is critical that you take the steps needed to safeguard all confidential information, whether it be your own, that of your employer, or, most importantly, that of the people who entrusted their personal information to your custody and care, in the belief that it was in safe hands,” said the Commissioner.

“As a financial services provider, it is fundamentally important that we continue to earn the trust and confidence of our customers that their personal information is safe and secure,” said Dina Palozzi, Chief Privacy Officer, BMO Financial Group. “We were pleased to work with Commissioner Cavoukian on the development of the brochure. It’s a timely and relevant tool that all workplaces should make available to any employees who share a responsibility for safeguarding important customer or company information.”

Among the recommendations that the Commissioner and BMO make in the brochure:

• Always use strong password protection, preferably in conjunction with data encryption;
• Do not remove any client information from your organization’s network or premises without proper authorization from your supervisor;
• Remove all confidential information, or any devices containing confidential information, from plain sight in your vehicle. Lock your valuables in the trunk before you start the trip, not in the parking lot of your destination;
• In public places, do not discuss any confidential information on your cell phone; and
• Only conduct confidential business on business or personal computers. Do not use public computers or networks, or conduct business in public places.

Laptops, PDAs, Cell Phones:

Laptops, PDAs and, more recently, cell phones, are considered to be the “golden eggs” by identity thieves. Here are some of the precautions the brochure recommends be taken to minimize the risks:

• Ensure that all of your devices require passwords for access: power-on passwords, screensaver passwords, account passwords. Strong passwords consist of at least eight characters, upper and lower case, numerals and special characters. The password should not be a word that can be found in any dictionary;
• Enable the automatic lock feature of your device after five minutes of idle time;
• Encrypt your data according to your company’s policies. This is essential if you transport personal and/or confidential customer data – it should never be left in “plain view;”
• When no longer needed, remove all confidential data from your devices using a strong “digital wipe” utility program. Do not simply rely on the “delete” function.

  Confidential and Financial Information:

  If you handle confidential information online or perform financial transactions, then your laptop (and sometimes your PDA) should, at a minimum, have a personal firewall, anti-virus and anti-spyware protection. In addition, install the latest updates and security patches for your mobile devices, including your cell phone.

  When connecting to public wireless networks or HotSpots in airports, hotels, coffee shops, etc., bear in mind that these networks are inherently unsafe. Remember the following:

  • Watch out for shoulder surfing – someone “casually” observing the work on your laptop; Never connect to two separate networks simultaneously (such as Wi-Fi and Bluetooth);
  • Do not conduct confidential business unless you use an encrypted link to the host network (such as a Virtual Private Network – VPN).

  The brochure also contains advice on what to do if you lose confidential data, as well as providing a quick reference checklist.

Labels: air travel, airlines, identity theft, laptop, ontario, privacy

I blogged yesterday about the controversy surrounding an indirect CIA investee company providing services to Canadian health providers (Canadian Privacy Law Blog: Privacy groups slam use of CIA-backed software to index Canadian health files). The Information and Privacy Commissioner of Ontario just issued an investigation report ((PHIPA Report HI06-45) and the following media release in response:

CNW Group:

Electronic health information strongly protected in Ontario: Commissioner Cavoukian

TORONTO, Aug. 28 /CNW/ - An investment in Initiate Systems Inc., a company providing software to an electronic health record application in Ontario, does not provide the CIA or anyone else with access to personal health information, says Dr. Ann Cavoukian, Ontario's Information and Privacy Commissioner.

In March 2006, In-Q-Tel, the venture capital arm of the CIA, invested in Initiate Systems Inc., whose software is being used in provincial electronic health record applications across Canada under an agreement with Canada Health Infoway, a federally funded, non-profit corporation that leads electronic health initiatives in Canada.

Prior to In-Q-Tel's investment, Initiate Systems' software was selected for use in one application in Ontario - the Enterprise Master Patient Index (EMPI). Although the EMPI contains health card numbers and other identifying information, it does not include diagnoses, prognoses, or other clinical information typically shared between health care providers and their patients. In Ontario, the Personal Health Information Protection Act establishes rules for the collection, use and disclosure of personal health information and designates the Office of the Information and Privacy Commissioner/Ontario as the body responsible for overseeing compliance with the legislation.

On August 11, 2006, privacy advocates expressed concerns that In-Q-Tel's investment in Initiate Systems may give the CIA access to provincial medical records. Commissioner Cavoukian immediately launched a privacy investigation into the allegations to determine if any personal health information was being disclosed in contravention of Ontario's health privacy legislation.

Among the Commissioner's findings in her investigation report:

• Cancer Care Ontario, which operates the EMPI on behalf of the Ministry of Health and Long-Term Care, allows Initiate Systems Inc. extremely narrow, on-site access to personal health information, under tightly controlled and limited conditions, and only as necessary to enable Initiate Systems Inc. to provide the services that it is contractually obligated to provide;
• No health information from the EMPI flows outside of Ontario;
• In-Q-Tel's investment in Initiate Systems Inc. does not allow In-Q- Tel to access any health information contained in the Ontario EMPI.

"Cancer Care Ontario, an organization that my office has worked with on privacy issues since the implementation of the Personal Health Information Protection Act nearly two years ago, has an extensive array of privacy safeguards in place," said Commissioner Cavoukian.

In addition to written privacy, confidentiality and security provisions in the Master Software License and Services Agreement with Initiate Systems Inc., other safeguards include:

• Initiate Systems does not have any remote access to EMPI data and performs all technical support for the EMPI in Ontario, with comprehensive security measures in place;
• Access to the EMPI by Initiate Systems' staff must be authorized and verified by CCO and may only occur on its Ontario premises; and
• Initiate Systems is prohibited from disclosing EMPI data to any party without the prior written consent of CCO, which has neither been sought nor granted.

Looking further ahead, Commissioner Cavoukian makes three recommendations in her investigation report, which is posted on the IPC's website: www.ipc.on.ca.

RECOMMENDATIONS

1. The Commissioner should be consulted concerning any proposed amendments or changes to the confidentiality or privacy obligations contained in the agreement between CCO and Initiate Systems.

2. The MOHLTC or any other person who operates the EMPI in the future should advise the Commissioner if there is a breach of the confidentiality or privacy obligations of the agreement by Initiate Systems, and the steps taken to mitigate the breach, the measures taken to prevent subsequent breaches, and the manner and nature of the notification provided to individuals whose personal health information is contained in the EMPI.

3. The MOHLTC or any other person who operates the EMPI in the future using the Initiate Software should advise the Commissioner when changes will be made to the source code for the Initiate Software, as well as the nature and rationale for these changes.

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.

For further information: Media Contact: Bob Spence, Communications Co-ordinator, Direct line: (416) 326-3939, Toll-free: 800-387-0073, Cell phone: (416) 873-9746, bob.spence@ipc.on.ca

Labels: breach notification, cardsystems, health information, ontario, phipa, privacy

The Information and Privacy Commissioner of Ontario has issued her second order under the province's new Personal Health Information Protection Act.

The complaint concerns a pretty deplorable situation that took place at the Ottawa Hospital. The complainant was admitted to the hospital and advised that shd did not want her estranged husband and his girlfriend (both were employees of the hospital) to know of her admission or of her situation. Subsequent discussion with her husband demonstrated that he knew about her admission and the patient complained.

An investigation revealed that the girlfriend had accessed the complainant's electronic health record a number of times and disclosed it to the estranged husband. The Commissioner was less than impressed, as demonstrated by the postscript to the executive summary:

POSTSCRIPT

This was a truly regrettable situation in which a patient who was admitted to a hospital, made a specific request to prohibit her estranged husband and his girlfriend, a nurse at the hospital, from having any information regarding her hospitalization, only to learn that the exact opposite had occurred.

Despite having alerted the hospital to the possibility of harm, the harm nonetheless occurred. While the hospital had policies in place to safeguard health information, they were not followed completely, nor were they sufficient to prevent a breach of this nature from occurring. In addition, the fact that the nurse chose to disregard not only the hospital’s policies but her ethical obligations as a registered nurse, and continued to surreptitiously access a patient’s electronic health record, disregarding three warnings alerting her to the seriousness of her unauthorized access, is especially troubling. Protections against such blatant disregard for a patient’s privacy by an employee of a hospital must be built into the policies and practices of a health institution.

This speaks broadly to the culture of privacy that must be created in healthcare institutions across the province. Unless policies are inter-woven into the fabric of a hospital’s day-today operations, they will not work. Hospitals must ensure that they not only educate their staff about the Act and information policies and practices implemented by the hospital, but must also ensure that privacy becomes embedded into their institutional culture.

As one of the largest academic health sciences centres in Canada, the Ottawa Hospital had properly developed a number of policies and procedures; but yet, they were insufficient to prevent members of its staff from deliberately undermining them.

See Health Order HO-002 released July 31, 2006. (Executive Summary)

Labels: health information, ontario, phipa, privacy

The Information and Privacy Commissioner of Ontario has written to David Canton at eLegal Canton in response to (and support of) his recent column on the practice of printing full credit and debit card numbers on point of sale receipts. Check out his blog for his summary and the text of the letter: eLegal Canton: Privacy commissioner responds to debit/credit card article.

Labels: ontario, privacy

Anne Cavoukian has tabled her annual report for 2005 in the Ontario Provincial Parliament. I haven't had a chance to review it in detail, but it appears to be full of interesting information.

Here is the media release:

IPC - Government spending must be open to the public: Commissioner Cavoukian says greater transparency needed:

NEWS RELEASE : June 27, 2006

Government spending must be open to the public: Commissioner Cavoukian says greater transparency needed

While considerable gains have been made, government organizations nonetheless continue to use the Freedom of Information and Protection of Privacy Act as a shield to block the release of consultants’ contracts and the financial arrangements made with suppliers of goods and services, said Information and Privacy Commissioner Ann Cavoukian.

Since early 2005, the IPC has overturned 11 decisions made by provincial or municipal organizations that refused to disclose this type of information. The requesters seeking the information had to appeal those decisions to my office to obtain the desired records, said Commissioner Cavoukian. Other requesters may have just given up, not bothering to file an appeal. “This is a complete waste of the time and resources of all parties involved,” said the Commissioner, who is urging municipal and provincial government organizations in Ontario to make a concerted effort towards ensuring that the public has full access to government spending records.

In her 2005 annual report, which she released today, Commissioner Cavoukian is asking every government office planning to hire a consultant, contractor, or service provider to immediately make it clear to them that the information they submit will most likely be made available to the public. “The default position should be that financial and all other pertinent information related to a contract will be made publicly available,” said Commissioner Cavoukian. Only in exceptional circumstances will withholding the financial terms of government contracts be justified on the basis of prejudice to one’s competitive position or privacy.

“The right of citizens to access government-held information is essential in order to hold elected and appointed officials accountable to the people they serve,” said the Commissioner. “This is particularly true for details of government expenditures and the public’s right to scrutinize how tax dollars are being spent. When government organizations use the services of individuals or companies in the private sector, the public should not lose its right to access this information.”

The need for transparency and accountability for government spending goes beyond contractual arrangements. In Order MO-1947, the Commissioner ordered the disclosure of information relating to lawsuits settled by the City of Toronto with third parties, including the number of lawsuits, dates settled and dollar amounts. The Commissioner again emphasized the importance of the disclosure of this type of information based on the taxpayers’ right to know and the need to hold both politicians and bureaucrats accountable for their actions.

In her wide-ranging 84-page annual report, Commissioner Cavoukian identifies and addresses seven other key issues. Among these, the Commissioner:

• dispells some of the common misconceptions about radio frequency identification (RFID) and addresses when privacy issues need to be considered. “ Users of RFID technologies and information systems should address the privacy and security issues early in the design stage, with a particular emphasis on data minimization,” said the Commissioner. “This means that wherever possible, efforts should be made to minimize the identifiability, observability and linkability of RFID data.” (Further to this issue, the Commissioner released new RFID Privacy Guidelines just last week. Here is a direct link to the Guidelines on the IPC’s website: www.ipc.on.ca/docs/rfidgdlines.pdf.);
• outlines a highly successful collaboration between the Ontario College of Pharmacists, the Ontario Pharmacists’ Association and the IPC. Within days of a controversy erupting in the media over the screening of womenattempting to access the emergency contraceptive pill, commonly known as Plan B, the Ontario College of Pharmacists, after working with the Commissioner and the Association, issued new guidelines for pharmacists operating in Ontario;
• examines the issue of the secure destructionof personal information, emphasizing that such information “must be permanently destroyed or erased in an irreversible manner that ensures the record cannot be reconstructed in any way, as reflected in the IPC Fact Sheet issued on secure destruction;”
• advises that the IPC is closely watching the steps being taken towards the development of an interoperable electronic health record (EHR) system in Ontario. “Governance is a key issue in the implementation of an interoperable E HR,” said Commissioner Cavoukian. “One of the questions that needs to be addressed is how will accountability for patient privacy and information security be established in the context of a record that may eventually be shared throughout the entire health care system;”
• stresses that privacy should not be used as a shield to minimize disclosure of essential information in emergency situations. “While access and privacy laws underline the importance of protecting the privacy of individuals, they also recognize that, in certain circumstances, privacy should not be an impediment to the sharing of vital – and, in some cases, life-saving – information, even in the absence of consent,” says the Commissioner;
• addresses the issue of fingerprints, photos and other personal information of people who were charged with a crime, but never convicted, being kept by police. “Many people assume that when charges are dropped, stayed, withdrawn, or a finding of ‘not guilty’ is made, the name of the accused person is automatically cleared,” said the Commissioner. “However, while these and other non-conviction dispositions may leave a person without a criminal record, police services in Ontario retain most police records in perpetuity, even where a person is found not guilty by the courts. A fair expungement process must take into account both the legitimate interest of law enforcement and the fundamental rights of innocent citizens;” and
• emphasizes the importance of building a culture of openness and transparency in all provincial and municipal government organizations. “Leadership on openness and transparency must come from the top,” said the Commissioner. “Public servants are more apt to disclose information without claiming inapplicable exemptions if they feel that their decisions will be supported by both the politicians and senior executives who lead their ministry, agency, board, commission or local government.”

The annual report also includes a detailed review of the impact of the Personal Health Information Protection Act (PHIPA) – Ontario’s first new privacy law in nearly 14 years – during its first full year.

Provincial ministries were praised by the Commissioner for a dramatic improvement in their 30-day-response compliance rate. Overall, ministries achieved an 80.1 per cent compliance rate – a significant increase from 68.7 per cent in 2004 and the highest provincial compliance rate in 17 years.

Elsewhere, the annual report includes statistical analysis of requests for information filed across Ontario in 2005 under FOI and PHIPA (34,957, the highest number ever), appeals to the IPC regarding some of the decisions government organizations made in response to FOI requests, and privacy complaints filed to the IPC under the provincial and municipal Freedom of Information and Protection of Privacy Acts, or under PHIPA.

Key IPC orders and privacy investigations are profiled, decisions rendered by the courts regarding Ontario access cases are cited, IPC educational efforts outlined, and information about the 25 publications the IPC issued in 2005 provided.

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act, as well as the Personal Health Information Protection Act, and helping to educate the public about access and privacy issues.

Labels: health information, ontario, phipa, privacy, rfid

Ontario's Information and Privacy Commissioner has just produced a set of guidelines for implementing RFID technology to better protect privacy in its implementation. The guidelines are here and are being released along with a companion Practical Tips for Implementing RFID Privacy Guidelines. Earlier this month, the Commissioner released Worried about RFIDs? in video and paper form.

The Commissioner's press release is here:

Commissioner Cavoukian issues RFID Guidelines aimed at protecting privacy

TORONTO, June 19 /CNW/ - Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, today released privacy Guidelines for the growing field of radio frequency identification (RFID).

These Guidelines flow from her earlier work in 2003 when the Commissioner first identified the potential privacy concerns raised by RFID technology. Following a history of ground-breaking work on building privacy into the design of emerging technologies, these Guidelines are a natural progression of this pragmatic approach.

"I have always found it beneficial to assist those working on emerging technologies, and to be proactive whenever possible - to develop effective guidelines and codes before any problems arise," said Commissioner Cavoukian. "These made-in-Canada Guidelines provide guidance and solutions regarding item-level consumer RFID applications and uses."

EPCglobal Canada, an industry association that sets standards for electronic product codes, has been collaborating with the IPC in the development of these Guidelines, and will be seeking Board approval by its member companies to signify the association's endorsement of the Guidelines.

"This technology offers exciting benefits to consumers and businesses alike. As the trusted source for driving adoption of EPC/RFID technology for increased visibility within the supply chain, privacy is as important as anything else we are doing," said Art Smith, President and CEO, EPCglobal Canada. "We promote an environment that encourages ongoing innovation while respecting privacy issues."

RFID tags contain microchips and tiny radio antennas that can be attached to products. They transmit a unique identifying number to an electronic reader, which in turn links to a computer database where information about the item is stored. RFID tags may be read from a distance quickly and easily, making them valuable for managing inventory but pose potential risks to privacy if linked to personal identifiers. RFID tags are the next generation technology from barcodes.

Although RFID technology deployed in the supply chain management process poses little threat to privacy, item-level use of RFID tags in the retail sector, when linked to personally identifiable information, can facilitate the tracking and surveillance of individuals. The goal of these Guidelines is to alleviate concerns about the potential threat to privacy posed by this technology and to enhance openness and transparency about item-level use of RFID systems by retailers.

The Guidelines address key privacy issues regarding the use of RFID technology at an item-level in the retail sector, said Commissioner Cavoukian.

The Guidelines are based on three overarching principles, including:

• Focus on RFID information systems, not technologies: The problem does not lie with RFID technologies themselves, but rather, the way in which they are deployed that can have privacy implications. The Guidelines should be applied to RFID information systems as a whole, rather than to any single technology component or function;
• Build in privacy and security from the outset - at the design stage: Just as privacy concerns must be identified in a broad and systemic manner, so, too, must the technological solutions be addressed systemically. A thorough privacy impact assessment is critical. Users of RFID technologies and information systems should address the privacy and security issues early in the design stages, with a particular emphasis on data minimization. This means that wherever possible, efforts should be made to minimize the identifiability, observability and linkability of RFID data; and
• Maximize individual participation and consent: Use of RFID information systems should be as open and transparent as possible, and afford individuals with as much opportunity as possible to participate and make informed decisions.

A companion piece to the Guidelines - Practical Tips for Implementing RFID Privacy Guidelines, is also being released by the Commissioner to help organizations put the Guidelines into practice.

The Guidelines and Practical Tips for Implementing RFID Privacy Guidelines are available on the IPC's website (www.ipc.on.ca).

Labels: information breaches, ontario, privacy, rfid, surveillance