The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Thursday, February 08, 2007

Recruiting software company sets up data centre in Canada to address Patriot Act concerns 

This is the first public announcement of the establishment of a data centre in Canada in response to privacy concerns about data being hosted in the United States:

Cytiva Responds to Canadian Privacy Concerns With New Canadian Data Centre: Financial News - Yahoo! Finance

Wednesday February 7, 9:00 am ET

New Data Centre Helps Canadian Employers Comply With Privacy Laws and Addresses Concerns About the United States Patriot Act

VANCOUVER, BC--(MARKET WIRE)--Feb 7, 2007 -- Cytiva Software Inc. (CDNX:CRX.V - News), a leading provider of on-demand recruiting software solutions, announced today the establishment of a new data centre located in Burnaby, BC. This new data centre provides Canadian clients of Cytiva's SonicRecruit recruiting software with assurance that their candidate and employee data will remain in Canada. This is important news for Canadian companies trying to comply with privacy laws. A growing number are concerned about their employee data being subject to a United States Patriot Act that lessens requirements for government seizure of personal data in U.S. territories.

Because of the Personal Information Protection and Electronic Documents Act (PIPEDA), and other provincial privacy laws, Canadian companies that use software from U.S. companies to manage their recruiting and other human resource processes face a complicated landscape in trying to protect employee data. When employee data is transferred outside of Canada to U.S. servers that run on-demand human resources software, the issue becomes even more complicated. This data may become subject to the United States Patriot Act, which supersedes PIPEDA inside the U.S.

Canadian privacy laws are some of the most stringent in the world and have been evolving rapidly over the last ten years. All this has compelled many Canadian companies to require that their customer and employee data stay in Canada.

"Some vendors walk away from Canadian business, while others try and deal with the issue through contractual language regarding privacy," said Jason Moreau, president and CEO of Cytiva Software. "But Cytiva recognizes how important an issue this is to Canadian companies, so we have taken the extra step of establishing a data centre on Canadian soil."

The Burnaby BC data centre provides state-of-the-art security, network access, climate control and power backup.

Cytiva announces the establishment of the Canadian data centre a few months after implementing a host-based Intrusion Protection System (IPS) which goes beyond mere firewalls or detection systems and provides the highest level of data protection available.

"With the Intrusion Protection System and the option of local hosting for our Canadian clients, Cytiva sets the standard for privacy and data protection for on-demand recruiting software," says Moreau. "We believe that all companies should expect this level of protection."

About Cytiva Software Inc.

Cytiva Software Inc. (CDNX:CRX.V - News) provides innovative recruiting software and services to mid-sized and Fortune 500 companies. More than an application, its flagship talent acquisition product, SonicRecruit, allows corporations to screen applicants, automate their recruiting departments, customize their corporate career sites and hire great people. This premier applicant tracking system improves recruiting effectiveness, speeding up the hiring process and reducing cost per hire. For more information, visit http://www.sonicrecruit.com

The TSX has not reviewed and does not accept responsibility for the accuracy or adequacy of this news release, which has been prepared by management.

Distributed by Filing Services Canada and retransmitted by Market Wire


Call for a privacy law in Thailand 

The Managing Director of Oracle ASEAN is calling on the Thai government to pass a strong privacy law so that Thailand will not be left behind in the BPO boom:

Bangkok Post : We need data privacy act to attract BPO:

"Thailand needs to quickly pass the Data Privacy Act if it is to avoid being left out of the world's IT and business process outsourcing (BPO) boom, according to Natasak Rodjanapiches, managing director of Oracle ASEAN.

Other requirements include a need for strong security standards, interoperability standards as well as the legal and privacy frameworks that are needed for a knowledge-based industry to flourish.

'Nobody will feel secure outsourcing to Thailand if the legal and privacy framework is still so uncertain. The interim government has an opportunity to do something good for the industry now by passing this law quickly,' he said. ..."


Saturday, January 20, 2007

Australia's Attorney General presses India on privacy 

Individual countries tend to leave each other alone in the area of law reform, privacy and data protection. So it is rather unusual that the Attorney General of Australia is pushing India's government to strengthen privacy in the outsourcing sector. Currently, NASSCOM (the Indian outsourcing advocacy group) is working on voluntary guidelines for data protection, which the Indian government says may be replaced with legislation if they are not robust enough. See: Australia's Attorney General presses India on privacy data .:. NewKerala.Com, India News Channel.


Sunday, January 14, 2007

UK intelligence outsources terror alert service to US direct marketing company

People who want to stay on top of the UK terror alert level can sign up to receive periodic e-mail updates from MI5. Sorta but not quite, since MI5 has outsourced managing the e-mail service to an American company. See: MI5 terror alert blunder sends private data to US mailshot firm | the Daily Mail.

This is not a disaster, but clearly the UK intel folks didn't think about the perception of doing things this way.

What's the lesson here? When you are dealing with personal information, think about every facet of how the service is being offered and how it may be perceived.

Update (20070117): According to Spy Blog, MI5 is now handling its email subscriptions in-house.


Wednesday, November 15, 2006

Patriot Act blocking statute now the law in Nova Scotia 

The Governor-in-Council for Nova Scotia today proclaimed into force the new Personal Information International Disclosure Protection Act.

For more background, see

Here's the official release from the government of Nova Scotia:

News Release: Department of Justice

November 15, 2006 13:07


Legislation to ensure that Nova Scotians' personal information is not disclosed under the U.S. Patriot Act was proclaimed today, Nov. 15.

The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.

"This legislation will help ensure that Nova Scotians' personal information will be protected," said Justice Minister Murray Scott. "The act outlines the responsibilities of public bodies, municipalities and service providers and the consequences if these responsibilities are not fulfilled."

The act provides protection regarding storage, disclosure and access to personal information outside of Canada or in the custody or under the control of a public body or municipality.

The legislation comes into effect for government, school boards, universities, district health authorities and other public bodies today and on Nov. 15, 2007 for municipalities.

Under the act, the minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. It also requires that service providers storing information only collect and use personal information necessary for their work for a public body or municipality.

The act also addresses whistleblower protection for employees of external service providers to ensure they are protected if they report an offense under the act. Whistleblower protection for Nova Scotia government staff already exists under the Civil Service Act.

Penalties under the act include up to $2,000 per government employee for malicious disclosure by employees of public bodies and municipalities. The act also creates offences for service providers, with penalties of up to $2,000 for employees and $500,000 for companies.

Offences relate to the improper storage, collection, use, or disclosure, failure to notify the minister of Justice of foreign disclosure demands, and improper discipline or termination of employees.

Information sessions have been held in Truro and Halifax over the past month to educate partners and stakeholders about the provisions of the act.


FOR BROADCAST USE:

New provincial legislation which will ensure that Nova Scotians' personal information is not at risk from activities under the U-S Patriot Act has been proclaimed today (November 15th).

The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.

The act provides protection regarding storage, disclosure and access to personal information in the custody or under the control of a public body.


Saturday, July 15, 2006

Nova Scotia passes USA Patriot Act blocking statute 

In one of the shortest sittings that I can recall, the Legislature of Nova Scotia has passed the Personal Information International Disclosure Protection Act, also known as Bill 19.

Nova Scotia Legislature - House Business - Status of Bills

Bill No. 19 An Act to Protect the Personal Information of Nova Scotians from Disclosure Outside Canada

Hon. Murray K. Scott Minister of Justice

First Reading June 30, 2006

Second Reading (Second Reading Debates) July 6, 2006

Law Amendments Committee July 10, 2006; July 11, 2006

Committee of the Whole House July 13, 2006

Third Reading July 14, 2006

Royal Assent July 14, 2006

I do not believe it has been proclaimed into force, so stay tuned for that part. (See update below.)

The Personal Information International Disclosure Protection Act is a response to the USA Patriot Act, specifically designed to prevent the export of personal information in the custody or control of public bodies in Nova Scotia to any other country. Though the prohibition is generic, it is clearly meant to prevent personal information from being the subject of a demand under the USA Patriot Act. It is also subject to the individual's consent, meaning that the prohibition does not apply if the individual data subject has identified the information and has specifically consented to the export of his or her information.

The Act is binding on all public bodies, their employees and specifically their service providers.

The Act requires that all public bodies ensure that all personal information in its custody or control is kept in Canada and is accessed only in Canada, unless the head of that public body has determined that storage or access outside of Canada is necessary for the public body's operations. If the head so determines, he or she has to notify the Minister of Justice for the province within ninety days of the end of the year.

The Act also contains a requirement that the Minister of Justice be notified forthwith of any "foreign demand for disclosure" or of any request that may be such a demand. The notice has to include the following:

as known or suspected,
(a) the nature of the foreign demand for disclosure;

(b) who made the foreign demand for disclosure;

(c) when the foreign demand for disclosure was received; and

(d) what information was sought by or disclosed in response to the foreign demand for disclosure.

It is an offence to disclose any personal information except in compliance with the Act and it contains specific penalties for public bodies, employees and service providers. Public sector employees may be subject to a fine of up to $2000 and imprisonment for six months. Corporate service providers may be subject to a fine of up to $500,000.

Interestingly, the Act grandfathers in contracts already entered into with service providers, but public bodies are expected to use all reasonable efforts to come into compliance with the new disclosure rules as soon as reasonably possible.

Nova Scotia is now the third Canadian province to enact such legislation, after British Columbia and Alberta.

Probably the most unmanageable portion of the Act deals with temporary exports. These are permitted (for example, in an employee's BlackBerry or on their laptop), but only with the permission of the head of the public body. This will be very difficult to administer because virtually every public sector employee's cell phone, laptop or briefcase contains information that is considered to be "personal information" under the statute. Every public sector employee who goes to a conference with her laptop will need the permission of the minister or university president or crown corporation president. However, given the rash of laptop thefts as of late, it may be a good thing to make public bodies think much more carefully about how information is carried around.

Interestingly, the Act is not an amendment to the Freedom of Information and Protection of Privacy Act which generally governs the collection, use and disclosure of personal information by public bodies. It is a stand-alone statute, unlike the way this was done in Alberta and BC.

For some background, see:

Update (20060717): The Bill has received Royal Assent, but it has not yet been proclaimed into force. (I've added the bold bit in the table above.)


Tuesday, July 11, 2006

Nova Scotia USA Patriot Act response is back on! 

After a brief recess for an election, the Nova Scotia House of Assembly is back with a new session but a boatload of bills that fell off the order paper. Among them is (newly renumbered) Bill 19, the Personal Information International Disclosure Protection Act, which I blogged about earlier.

The Bill was reintroduced on June 30 and received second reading on July 6, 2006. It is now headed to committee for consideration, with what appears to be the approval of all three parties.

Here is the Minister of Justice making the motion for second reading and the response from the opposition parties:

Hansard - July 6, 2006, p. 314

MR. SPEAKER: The honourable Minister of Justice.

HON. MURRAY SCOTT: Mr. Speaker, this legislation will strengthen protections against the disclosure of Nova Scotians' personal information, under the U.S. Patriot Act. The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure. We know that the U.S. security legislation has caused concerns about the American Government's ability to access personal information of Nova Scotians, held outside of Canada. This legislation clearly outlines responsibilities of public bodies, municipalities and technology service providers and the consequences if these responsibilities are not fulfilled.

Under the bill, the Minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. The bill also requires that service providers storing information only collect and use personal information for the purposes of their work, for a public body or a municipality. In order for these measures to be successful, staff must be sure they will be protected if they come forward to report wrongdoing, under this bill. To that end, the bill will also provide whistle-blower protection for employees of external service providers to ensure they are protected if they report an offence under the bill. Whistle-blower protection for Nova Scotia Government staff already exists under the Civil Service Act.

Mr. Speaker, penalties under the Act include a fine of up to $2,000, or six months of imprisonment for malicious disclosure by employees of public bodies and municipalities. The Act also creates offences for service providers with penalties of up to $2,000 for employees and $500,000 for companies. Under this bill, these penalties will become part of any new contract. At the same time, we are working to strengthen our existing contracts with current service providers.

Mr. Speaker, this is a serious issue and this bill will help ensure that the privacy of Nova Scotians' information continues to be protected. With those few comments, I move second reading of Bill No. 19. Thank you.

MR. SPEAKER: The honourable member for Cole Harbour-Eastern Passage.

MR. KEVIN DEVEAUX: Mr. Speaker, Bill No. 19 is a bill that the NDP has been pressuring the government to pass for, I guess, two years. This is a bill that two years ago when the NDP discovered, I think it happened in British Columbia originally where the Privacy Commissioner - where they actually have a Privacy Commissioner, I may note, for the record - noticed that under the Patriot Act in the United States, an American investigating body, FBI, CIA, National Security Agency, what have you, under the Patriot Act, if there are records held by an American corporation or its subsidiary, in another country, that those organizations can go in and access those records; it may even be without a subpoena, but there's probably very little judicial review, but under the Patriot Act they have access to that information.

So, for example, in Nova Scotia, if our government contracts out the maintenance of the data for people who are on social assistance, or motor vehicle records, that information is handed over to an American corporation to manage that data, that maybe even a subsidiary of that company in this province or in Canada, the American authorities would have access to that. That is a concern, one that British Columbia addressed a while back and it's one that I know that this province, for two years we've asked this government to do this, it's one that we have introduced legislation on and it's one that we're now glad to see the government also understands, finally, that what the NDP was asking for is something we need to do.

It is abhorrent that even for two years we allowed this province to farm out information that could easily be accessed under the Patriot Act. Now even more, we've heard recently how the American authorities have been poring over telephone records, have been monitoring telephone calls. In this age in which - if you want to call it Neo-McCarthyism, in many ways - it's very important that we have an opportunity to ensure that the information in the private information and data of Nova Scotians is protected.

Now, someone raised this with me when the bill was first introduced back in the Spring, before the election, Mr. Speaker. At that time, we had an opportunity - it was asked, well, what's a $2,000 fine going to do? They're probably right. To be frank, the fines in this legislation are not punitive, are not a form that is going to look at these findings and say to themselves wow, do we pay a $2,000 fine and give them information to the FBI or do we say under this act we can't?

The real punitive measure in this is that the contract can be cancelled immediately if there's a violation, that is important. I suspect if we're talking about a long-term contract of maintaining data, I would suggest to you that it would result in that company having to think long and hard about having that contract ripped up and voided. That's the kind of punitive measure we can put in. I would also suggest to the government, for the record, that if they want to avoid this from happening it can easily be done by ensuring that the maintenance of that information remains in house within the government and isn't contracted out. When you contract it out then the opportunity arises.

Mr. Speaker, these are things that can be done, I'm glad to see this legislation coming forward, I'm glad to see the Tory government finally agreeing with us. I will note for the record that the minister's comments that there is a whistle-blower protection in the Civil Service Act is not correct. I would suggest to you that the regulations that were passed about a year ago, a year and a half ago in regard to whistle-blower, do not provide any protection for civil servants. Frankly, they only require them to basically have to report their problems higher up and God knows what will happen after that happens. I would suggest to you that this legislation is the first step, it's a good step, the NDP has asked for this for two years, we're glad to see this legislation coming forward, we're glad to see it go to the Law Amendments Committee and we're hopeful we can get it passed in this session. Thank you.

MR. SPEAKER: The honourable member for Cape Breton South.

MR. MANNING MACDONALD: Mr. Speaker, on behalf of our Leader and our Justice Critic, I stand in my place this evening and say that we too will be supporting Bill No. 19 as it moves through the House. I want to commend the minister for bringing this bill forward this evening. I believe that it's an important protection for Nova Scotians and I think all Parties in this House realize that this is a bill, as the NDP House Leader states, that may be able to be improved on over time. Certainly it's a first step to have it here and hopefully it will meet with a smooth passage throughout the Law Amendments Committee and on to third reading. Thank you.

MR. SPEAKER: If I recognize the honourable minister it will be to close the debate.

The honourable Minister of Justice.

HON. MURRAY SCOTT: Mr. Speaker, I'd like to thank the Leader of the Opposition and also the House Leader for the Liberal Party for their support of this government bill. We can stand in the House and we can all take credit for good things that have happened here. This is an initiative of government and over the next coming weeks there's going to be a pattern formed here that this government is intent on increasing the penalties and supporting the laws in this province, bringing new legislation such as this, that will make our province as safe as we possibly can, and that's what Nova Scotians want.

Mr. Speaker, this is a good bill that goes a long way to doing that and with that I move to close debate on second reading of Bill No. 19.

MR. SPEAKER: The motion is for second reading of Bill No. 19. Would all those in favour of the motion please say Aye. Contrary minded, Nay.

The motion is carried.

Ordered that this bill be referred to the Committee on Law Amendments.

(See: Nova Scotia introduces amendments to thwart USA Patriot Act, Bill 16: The Personal Information International Disclosure Protection Act (Nova Scotia), Nova Scotia's Personal Information International Disclosure Protection Act to die on the order paper.)


Friday, May 12, 2006

Nova Scotia's Personal Information International Disclosure Protection Act to die on the order paper 

Monday, May 08, 2006

Bill 16: The Personal Information International Disclosure Protection Act (Nova Scotia) 

Bill 16, the proposed Personal Information International Disclosure Protection Act (Nova Scotia) was introduced in the Nova Scotia legislature last week, but the full text hasn't appeared yet on the legislature's website. For those who are too impatient to wait, here is a pdf copy of Bill 16: http://www.privacylawyer.ca/Bill_16_PIIDPA.pdf. I tried to OCR it for posting the text, but the quality of the fax isn't that great.

Update (20060508): The text of the bill is now online at the official Nova Scotia government legislature site here.


Saturday, May 06, 2006

Nova Scotia introduces amendments to thwart USA Patriot Act 

Yesterday, on the second day of the spring sitting of the provincial legislature, Nova Scotia's Justice Minister, Murray Scott, tabled Bill No. 16, entitled An Act to Protect the Personal Information of Nova Scotians from Disclosure Outside Canada (the full text is not yet available online). It will amend the Freedom of Information and Protection of Privacy Act to address the perceived threat to privacy posed by the USA Patriot Act if the processing or storage of personal information is outsourced by Nova Scotia public bodies to companies operating in the US (or US companies operating in Canada).

The appearance of the bill was foreshadowed by consultations among public bodies and IT service providers (see: The Canadian Privacy Law Blog: Nova Scotia consultations on Patriot Act amendments to FOIPOP).

Here's the press release from the Nova Scotia government:

News Release: Department of Justice:

"New Legislation to Protect Privacy

Department of Justice

May 5, 2006 11:15

New provincial legislation will better ensure that Nova Scotians' personal information is not disclosed under the U.S. Patriot Act.

The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.

"We know that American security legislation has led to concerns about the ability to access personal information of Nova Scotians held outside Canada," said Murray Scott, Minister of Justice. "This legislation clearly outlines the responsibilities of public bodies, municipalities and technology service providers, and the consequences if they are not fulfilled."

The act provides protection regarding storage, disclosure and access to personal information outside of Canada in the custody or under the control of a public body or municipality.

Under the act, the minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians. It also requires that service providers storing information only collect and use personal information necessary for their work for a public body or municipality.

The act also addresses "whistleblower" protection for employees of external service providers to ensure they are protected if they report an offense under the act. Whistleblower protection for Nova Scotia government staff already exists under the Civil Service Act.

"In order for these measures to be successful, staff must be sure they will be protected if they come forward to report wrongdoing under this act," said Mr. Scott.

Penalties under the act include up to $2,000 per government employee for malicious disclosure by employees of public bodies and municipalities. The act also creates offences for service providers, with penalties of up to $2,000 for employees and $500,000 for companies.

Offences relate to the improper storage, collection, use, or disclosure, failure to notify the minister of Justice of foreign disclosure demands, and improper discipline or termination of employees.

"We are putting in place serious and significant penalties to protect the privacy of Nova Scotians," said Mr. Scott.

The minister also announced that the Wills Act is being amended. Updates will bring it more in line with other Canadian jurisdictions. The amendments respond to recommendations of the Law Reform Commission and will make it easier for people to ensure their final wishes are fulfilled by clarifying the effect divorces have on wills and the distribution of property in Nova Scotia under wills made outside the province. It will also permit handwritten wills.

The province is also introducing a number of housekeeping amendments under the Justice Administration Act.


FOR BROADCAST USE:

Justice Minister Murray Scott has introduced new provincial legislation that will help ensure Nova Scotians' personal information is not at risk from activities under the U.S. Patriot Act.

The new Personal Information International Disclosure Protection Act outlines a series of requirements and penalties that protect personal information from inappropriate disclosure.

The act provides protection regarding storage, disclosure and access to personal information in the custody or under the control of a public body or municipality.

-30-

I'll definitely have more to say about this once I've had a chance to review Bill 16 in some detail.


Thursday, April 06, 2006

Canadian federal strategy for trans-border information flows (including the USA PATRIOT ACT) 

The Government of Canada, through the Treasury Board Secretariat, has released its long-awaited Report on Assessment of Privacy Concerns Related to USA PATRIOT Act, including a multipart federal strategy: Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows

I haven't had a chance to review it yet, but here's the executive summary. Hopefully, I'll have something more substantive to say shortly:

Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows - Part 2 of 10

Executive Summary

The Government of Canada takes the issue of privacy very seriously, including concerns about possible privacy risks posed by foreign legislation, such as the USA PATRIOT Act.*

These laws point to the need for current privacy best practices to become more uniform throughout the federal government and for additional measures to build upon and complement the existing safeguards.

For over a quarter century, Canada has been a world leader in privacy. It has introduced ground‑breaking legislation and policies designed to respect the personal information of its citizens.

Recent trends and events, however, have raised new concerns about whether the personal information of Canadians is adequately protected by governments and companies when it travels outside of Canada’s borders.

Transborder data flows and contracting

The emergence of new information technologies, such as the Internet, allows information to be transferred quickly and easily across borders. This includes personal information and other sensitive information. The transfer of such information across borders is known as “transborder data flows.”

Transborder data flows are becoming more common as companies and governments take advantage of outsourcing, a practice in which a supplier is hired under contract to manage certain activities, often because the institution does not have adequate internal resources to improve efficiency and levels of service. Federal government institutions are among the organizations that contract out or outsource some programs and services.

Information under foreign laws

It is not uncommon for an organization in Canada to outsource the management of personal information about Canadians to a company in the U.S. or elsewhere. Information stored or accessible outside of Canada can be subjected not only to Canadian laws but also to laws in the other country.

One such law is the USA PATRIOT Act. The Act permits U.S. law enforcement officials to seek a court order allowing them to access the personal records of any person for the purpose of an anti‑terrorism investigation, without that person’s knowledge.

In theory, it means U.S. officials could access information about Canadians if that information is physically within the U.S. or accessible electronically.

British Columbia court case sparks national debate

In 2004, a court case in British Columbia (B.C.) sparked a national debate on the potential impact of the USA PATRIOT Act on the privacy of Canadians.

The British Columbia Government and Service Employees’ Union sought an order to stop the provincial government from hiring the Canadian affiliate of a U.S. company to administer the province’s medical records, claiming that the contract would make the records vulnerable under the USA PATRIOT Act.

The union lost the court case and is appealing. The province, meanwhile, proceeded with the contract using the U.S.-based firm but added new privacy measures.

In addition to the court case, the Information and Privacy Commissioner for B.C. conducted a review. The Commissioner for B.C. concluded that the issue was larger than the USA PATRIOT Act, that transborder data flows could make Canadians’ information accessible under other foreign laws, and that the matter should be addressed by both the public and private sectors.

The Privacy Commissioner of Canada agreed with the results of the B.C. review, and together with the B.C. Commissioner, called for actions to be taken by the federal government to enhance protection of Canadians’ personal information that can flow across borders.

The federal government’s strategy

The Government of Canada responded to the USA PATRIOT Act concerns and other transborder data issues with a federal strategy. It is confident that the right to privacy related to key federal personal and sensitive information can be both respected and achieved.

The strategy was created with the following factors in mind.

Shared responsibility: The federal government is not alone. Other governments, the private sector, and Canadians themselves all have a role to play in the protection of privacy.

Balanced approach: Privacy needs to be weighed against other important considerations. Among these are the following: the need to ensure that contracting protects privacy and results in improved service to Canadians; international trade agreements that allow for fair and equitable treatment of foreign companies and play a major role in the health of Canada’s economy; and the need to protect the public safety and national security.

Build on existing measures: The latest measures are an extension of privacy safeguards put into place long before the USA PATRIOT Act was enacted. They complement previous statutes such as the Privacy Act, enacted in 1983 to impose obligations on federal government institutions to respect the privacy rights of Canadians. The Personal Information Protection and Electronic Documents Act (PIPEDA), which took full effect in January 2004, protects personal information held by the private sector. In addition, the Government of Canada was the first national government in the world to introduce a mandatory Privacy Impact Assessment Policy. The Policy requires government departments to build in privacy protection when changing or creating programs and services that collect personal information.

Informational privacy can also find constitutional protection under section 8 of the Canadian Charter of Rights and Freedoms.

The federal strategy consists of the following steps.

  1. Awareness: The government made all of its 160 institutions that are subject to the federal Privacy Act aware of the privacy issues raised by the USA PATRIOT Act.
  2. Risk identification and mitigation: Institutions reviewed their contracting and outsourcing arrangements to identify any risks under the USA PATRIOT Act, assess the seriousness of those risks, take corrective actions as needed, and report to the Treasury Board of Canada Secretariat (the Secretariat).

Here are the results reported to the Secretariat:

Most of the federal institutions, 83 per cent, had their contracting classified as “no risk” (77 institutions) or “low risk” (57 institutions) under the USA PATRIOT Act or other foreign legislation. Of the remaining institutions, many with mandates that include international activities, contracting risks were rated as “low to medium” (19 institutions) and “medium to high” (7 institutions). It should be noted that, if an institution identified only one contract as high risk, the institution was classified in the high risk category. That said, in all cases where risks were identified, institutions have taken, or are planning, remedial actions to mitigate risks.

  3. Guidance on privacy in contracting: For many years, federal institutions have had privacy and security safeguards in place to protect personal and other sensitive information that is handled or accessible under contract. Risk management strategies are also in place to cope with emerging privacy issues and, where necessary, institutions have outlined further measures to mitigate risk.

Existing Best Practices include the following: Prior to initiating a contract, inspections of private sector facilities may be carried out by government security experts to ensure that adequate protection is available for information handled or stored off government premises by a contractor; the requirement that core information stays at home—in other words, part or all of the work must be completed within the department or within Canada; the return of records or approved destruction of all records at the end of a contract; the inclusion of contractual clauses to address confidentiality; and the signing of non-disclosure agreements.

Guidance document: The government has recently issued a policy guidance document for federal institutions that provides a privacy checklist and upfront advice on considering privacy prior to initiating contracts. It also includes specific considerations for maximizing privacy protection that can be used to develop clauses to include in requests for proposals (RFP) and contracts.

  4. Follow up: The government will be taking additional steps to further mitigate risk.

Highlights of ongoing measures and those planned for within the next year:

  • Follow-up assessment of federal contracting activities, ongoing contract advice, and implementation of risk management strategies for contracting where information may potentially be at risk under the USA PATRIOT Act or other foreign laws.
  • Ensuring that key government policies are in step with privacy issues and reflect the new global reality.
  • The exploration of technology and data architecture solutions to protect information flows, including the use of encryption technology and electronic audit trails.
  • Continued monitoring of new technologies, trends, and events to address their possible effects on privacy.
  • The development of additional guidelines to cover government-to-government information sharing (within Canada and abroad), auditing of contracts, and technical solutions to protect privacy.
  • Increased awareness and training related to transborder data flows and existing federal safeguards.

Highlights of planned measures between one to two years:

  • A scheduled 2006 review of the PIPEDA and determination if the federal Privacy Act should also be reviewed.
  • The development of a privacy management framework to establish high standards of privacy protection throughout the federal government.
  • Addressing privacy and transborder data flows for the recently announced Security and Prosperity Partnership (SPP) between Canada, Mexico, and the U.S.

The federal government will also continue to share best practices in protecting transborder data flows with provincial and territorial governments as well as the private sector and foreign governments.


BC to weaken USA PATRIOT Act amendments to FIPPA? 

According to the Georgia Straight, the Campbell government of British Columbia may be poised to loosen the amendments that the government made to the Freedom of Information and Protection of Privacy Act over USA Patriot Act concerns. Complaints from public servants that the new law is inflexible are apparently responsible. See: Straight.com Vancouver | Victoria Secrets | Will privacy law be eased?.


Tuesday, March 21, 2006

Nova Scotia consultations on Patriot Act amendments to FOIPOP 

The Nova Scotia Department of Justice is hosting an information gathering and consultation session about potential amendments to the Nova Scotia Freedom of Information and Protection of Privacy Act to address concerns raised by the USA Patriot Act. The session is open to companies that operate in the ICT sector in Nova Scotia and provide services to public bodies.

Passed by the United States Congress in the wake of the terrorist attacks of September 11, 2001, the USA Patriot Act significantly expands law enforcement and intelligence access to personal information. The Act requires companies to provide certain information to law enforcement upon request – in some cases without a warrant or court order – and prohibits the company from telling anyone that the information was requested.

Though this is a US law, these powers would apply to information about Canadians that is being processed in the United States and likely applies to information about Canadians being processed by US companies in Canada.

The British Columbia government has amended its public sector privacy law and the government of Nova Scotia is contemplating doing the same. Amendments to Nova Scotia’s privacy law would affect companies that provide services to Nova Scotia public bodies, including the government, municipalities, hospitals, universities and colleges.

All affected companies are invited to an information session with the Nova Scotia Department of Justice on Friday, March 31, 2006 at 2:00 p.m. in the Commonwealth B Room at the Westin Hotel in Halifax. To expedite arrangements for seating and refreshments, please RSVP by e-mailing Ms. Dominika Thompson at thompsdd@gov.ns.ca, or by phoning 424-5585 before Tuesday, March 28, 2006.

Note: Updated 20060323 to clarify the intended audience and invitees of the session.


Saturday, February 25, 2006

Alberta Commissioner concludes inquiry into outsourcing 

The Information and Privacy Commissioner of Alberta has released his report into the impact of outsourcing of public sector services on the privacy of Albertans. The report, entitled Public Sector Outsourcing and Risks to Privacy, follows in the footsteps of a similar report issued by the BC Commissioner last year.

Here is the press release and the backgrounder issued by the Commissioner:

Information and Privacy Commissioner releases report into Security Risks associated with Outsourcing

Alberta's Information and Privacy Commissioner has released a report into Public Sector Outsourcing and security concerns associated with the practice, and has developed recommendations for public bodies to follow. In his report, the Commissioner makes it clear it is the responsibility of the Public Body to ensure due diligence in awarding outsourcing contracts.

The report and survey of outsourcing practices was done in partnership with the Ministry of Government Services.

Frank Work wants to ensure that proper security measures are in place to protect information handled by companies in charge of outsourcing agreements. In recent years outsourcing of information and communications technology (ICT) has become common practice for many public bodies, and includes payroll administration, health care insurance and other information technology based services.

Work says Public Bodies in Alberta are doing a reasonably good job of protecting information, but a networked and security conscious world presents a number of issues and challenges.

Work says the report was prompted by concerns raised in other jurisdictions. "The Patriot Act in the United States raised many concerns about the information held by outsource providers and the protection of that information, and I wanted to make sure that outsourcing agreements in Alberta provide protection to individuals. Issues around the Patriot Act are just one type of risk that needs to be addressed in outsourcing agreements".

One of the key recommendations in the report includes ensuring that a public body has a template or check list in place to ensure that an outsource provider has proper contractual and administrative mechanisms in place for the protection of information.

The report also recommends that Public Bodies should consider a provider's physical location as a factor. "We should keep as much information as possible in Alberta. If there is no provider in Alberta the next logical step is to keep the information in Canada. If we keep personal information within our borders, it is easier to ensure it doesn't fall into the wrong hands", concluded the Commissioner.

- 30 -

All recommendations in the report are included in the attached background document. For a copy of the report, visit our web site at: www.oipc.ab.ca

Backgrounder

February 24, 2006

Background Information - Outsourcing Report Office of the Information and Privacy Commissioner

The Office of the Information and Privacy Commissioner has issued a report on Public Sector Outsourcing and the security risks involved in outsourcing. In this report, the Commissioner has developed recommendations to protect information held by outsource providers:

It is important that the Government make a strong and unequivocal assertion of the value it places on the privacy and security of the personal information of Albertans. This does not need to extend to a complete ban on foreign disclosures.

  1. Amend applicable legislation (i.e. Freedom of Information and Protection of Privacy Act) to clearly define responsibility for outsourcing personal information. The onus for due diligence in outsourcing should be clearly placed on the outsourcing organization (i.e. the public body).
  2. Amend section 40(1)(g) of the Freedom of Information and Protection of Privacy Act and section 35(1)(i) of the Health Information Act to make it clear that personal information can only be disclosed pursuant to an order of a Canadian court having jurisdiction.
  3. Increase the penalties for breach of the FOIP Act and the HIA.
  4. Ensure that the offence provisions of the FOIP Act and the HIA can be reasonably sustained, that is, the standard is not so high as to preclude a reasonable chance of conviction. The current standard is "willful".
  5. Consider the advisability of making similar amendments to the Health Information Act.

Contractual

First, there should be a checklist or template of matters to be considered in making the decision to outsource. This could be done via a privacy impact assessment. Secondly, develop a model outsourcing contract and a checklist of contractual provisions to be considered in outsourcing arrangements. Such contract or checklist should address at least the matters referred to in sections 2.3 and 4.1 and should include provisions dealing with:

  1. A prohibition on assignment or subcontracting of the outsourcing contract without written consent.
  2. A requirement for notification by the outsourcer in the event of notice of creditor's remedies or Court applications for bankruptcy or protection from creditors.
  3. A requirement of notice on any demand for access to or disclosure of personal information received by the outsourcer.
  4. A requirement of notice of any loss of or unauthorized access to personal information by the outsourcer or its employees.
  5. Right to audit, not only for compliance with the contract but compliance with any legislation stipulated to be applicable to the contract.
  6. In addition to the right to audit, the outsourcer may be required to have in place a system which monitors or audits the outsourcers' use and disclosure of the personal information. The outsourcing entity may require access to those logs on certain conditions.
  7. Stipulate consequences for breach. In addition to right of termination and damages, provision should be made for: return of personal information and any copies of it; assistance in recovering lost or otherwise disclosed personal information.

Policy/Operational

Retain, as a first principle, that personal information only be outsourced within Alberta first, Canada second, and anywhere else third, depending on the specific circumstances. This policy may only be deviated from where the requirements of program delivery, such as cost, service, security, cannot reasonably be met within Alberta or Canada. The outsourcing organization should bear responsibility for making this decision and for the consequences of having made it. Whether to make such policy into law poses a dilemma, as discussed. As stated, the decision to outsource is based on a large number of factors. The decision to outsource outside of Canada requires reconsideration of these factors in light of the fact that the public body is that much more removed from the outsourcer:

  • Different laws;
  • Different customs (are laws pertaining to fraud, theft of information and so on regarded or enforced differently?)
  • Different workforces (are the outsourcer's employees more transient, less reliable, more difficult to hold accountable, etc.?)

The gains realized from outsourcing have to be weighed against the risks presented by the nature (sensitivity, value) and the volume of the information outsourced.

  1. Require preparation of a privacy impact assessment (which would include issues of security) for all outsourcing arrangements involving "significant" amounts of personal information. We debated recommending that this be put into law. Legislated provisions can be inflexible. For example, it would not make sense to prepare a privacy impact assessment every time a single sample of genetic material is sent to another country for analysis.
  2. Require outsourcing organizations to keep a master list (inventory) of outsourcing agreements. This could be accomplished by requiring privacy impact assessments. This list should be accessible to the Chief information/Chief Privacy Officer for the public body. The purpose of the list is to: know what personal information is outsourced where and to who; enable timely action in the event that the outsourcee becomes insolvent; and to enable agreements to be updated when they end to include state of the art privacy and security provisions.
  3. Someone in the public body must be specifically responsible for each outsourcing agreement. This person should know the outsourcer and the contract. There should be regular contact, check ups, and queries. Scheduled or spot audits may be advisable.
  • With respect to foreign outsourcers, consider having a trusted agent in the jurisdiction to monitor social/legal developments respecting the outsourcer.

The entire report is available on our Web site: www.oipc.ab.ca.


    Wednesday, January 11, 2006

    Nova Scotia Auditor General concerned about effect of USA Patriot Act on citizen privacy 

    The Nova Scotia Auditor General released his report for 2005 in December. The fourth chapter is entitled Electronic Information Security and Privacy Protection.

    In his report, he reviews the privacy and information security practices of a number of departments, including Justice and Community Services. He also touches upon the USA Patriot Act and its possible impact on the personal information of Nova Scotians. Data processing and information storage services for the province are provided by wholly-owned subsidiaries of American companies, which are undoubtedly subject to American laws. The province has carried out a study of the situation, but refused to provide it to the Auditor General, citing solicitor-client and cabinet privilege. In an interview by the Canadian Press, the provincial Minister of Justice hinted that Nova Scotia will be introducing a law in the spring sitting of the Legislature to mirror that passed by British Columbia to better protect personal information from being disclosed to foreign law enforcement.

    Read the CP article here: N.S. auditor concerned citizens information could be leaked to U.S. agencies - Yahoo! News.

    Technorati tags: privacy :: Patriot Act :: Nova Scotia :: privacy law.


    Wednesday, October 12, 2005

    The Impact of U.S. Law on Canadian IT Businesses 

    Canadian information technology companies are players on a global stage. Few large information technology projects are restricted to only one country and any venture into electronic commerce invariably crosses borders. No ambitious Canadian IT company is content to narrow its sights to the domestic market. Lawyers advising these businesses have always had to maintain an awareness of legal developments elsewhere but the last few years have brought with them a range of new laws that affect their southward-looking clients. No area of law has seen as much change as that touching upon the protection of personal information.

    The one law that has received the greatest publicity and, perhaps, the greatest scrutiny, is the USA Patriot Act, which was passed by the Congress within two months of the terrorist attacks of September 11, 2001. This law does not single out the technology industry but a number of its provisions have had a particular impact on cross-border services, regardless of the direction in which those services flow. Section 505 of the USA Patriot Act short-circuits ordinary search warrant requirements and allows the Federal Bureau of Investigation to have access to records such as financial records, credit reports, ISP logs and transactional records for intelligence, counter-intelligence and anti-terrorism purposes by use of a “national security letter”. The recipient of a national security letter is required to hand over the information requested and is specifically precluded from informing the individual concerned that the US government has sought access to the information. When information on Canadians is within the jurisdiction of the United States, privacy advocates fear that this information will be too-readily made available to law enforcement, who are able to dispense with the usual “probable cause” requirements. Information in the custody of a US company (or a subsidiary) in Canada may be within the Act’s jurisdiction.

    In May of 2004, the Information and Privacy Commissioner of British Columbia initiated a public consultation on whether these provisions of the USA Patriot Act would infringe upon the privacy of British Columbians following an announcement by the BC Government that it would outsource the processing of medicare claims to a Canadian subsidiary of a US company. The request for submissions resulted in more than five hundred contributions from individuals and organizations throughout Canada.

    As was pointed out in a number of submissions to the BC Commissioner, personal information has always been available for law enforcement, intelligence and anti-terrorism investigations, regardless of where the information actually resides. The principal effect of the BC Commissioner’s report was to shine a spotlight on the cross-border sharing of personal information and to raise awareness – some might say paranoia – about Canadian personal information being stored in the United States. The attention to the issue spawned significant changes to the BC public sector privacy law and put government outsourcing under the microscope. Many outsourcing customers, government included, are now including language to prohibit the transfer of personal information outside of Canada, and in some cases outside the home province of the customer.

    Legal changes in California’s privacy laws are spilling over to other states and are having an impact upon Canadian technology companies. California’s trail-blazing consumer privacy law, which has been followed in a number of US states, requires that organizations notify affected individuals whose personal information may have been compromised or accidentally disclosed. The California law is intended to operate extra-territorially. These laws not only place the company in the uncomfortable position of having to notify customers, but also provide penalties for failing to do so. The California law in particular has prompted the recent deluge of public disclosures of privacy and security breaches in the United States and has also increased consumer expectations on both sides of the border. Similar provisions have found their way into Ontario’s relatively new Personal Health Information Protection Act and the concept of mandatory notification will undoubtedly be considered as part of the five year review of the Personal Information Protection and Electronic Documents Act.

    In an era in which privacy and security are perceived to be clashing on a regular basis and in which identity theft is characterized as one of the fastest-growing crimes, it should not be surprising that technology lawyers have to grapple with privacy on a more regular basis as both a customer-relations issue and as a significant regulatory concern. At least a baseline knowledge of the legal regimes on both sides of the border is necessary to get a sense of the big picture for advising clients.


    This article originally appeared in the Oct 7, 2005, issue of The Lawyers Weekly


    Monday, April 04, 2005

    BC Court dismisses union's privacy arguments in case over outsourcing 

    Professor Michael Geist, in his blog, is reporting on the BC union's loss in the courts in the battle against the provincial government's outsourcing of medicare processing services. The court opined on the adequacy of privacy protection in the outsourcing arrangement: B.C. Government and Services Employees' Union v. British Columbia (Minister of Health Services), 2005 BCSC 446.

    www.MichaelGeist.ca - B.C. Court Dismisses Privacy Claim Over Data Outsourcing :

    "The British Columbia Supreme Court has dismissed a claim by a B.C. union challenging the outsourcing of the management of health information to a U.S. company. The court emphasized the importance of privacy protection, but concluded that 'the contractual provisions, the corporate structure, and the legislative provisions provide more than reasonable security with respect to records in British Columbia.' It also noted that 'all reasonable steps to ensure the confidentiality of the information which Maximus will receive in order to discharge its contractual obligations. Privacy is not absolute.' Case name is BC Govt Serv. Empl. Union v. British Columbia (Minister of Health Services).

    A very interesting decision since it may set the standard for the privacy issues and protections to consider when creating a data outsourcing to the United States. The case is part of an ongoing battle dating back to last summer over the Patriot Act and the protection of Canadian personal information. As I argued with Milana Homsi, the real issue is not the outsourcing of data to the U.S. Rather, it is the ability of U.S. courts to assert jurisdiction over Canadian organizations with even a small U.S. presence, which, notwithstanding PIPEDA, effectively limits the privacy protection enjoyed in Canada."


    Friday, March 18, 2005

    BC outsourcing fight not over yet 

    The BC union that kicked off the Canadian debate over privacy, outsourcing and the USA Patriot Act has taken their arguments to court, according to ITBusiness. The article doesn't really say what the legal basis of their attempt to derail the government's outsourcing plans is, particularly after the government amended the public sector privacy law:

    ITBusiness.ca:

    "The British Columbia Government and Service Employees' Union on Wednesday ended the third and final day of a Supreme Court case to block the outsourcing of its Medical Services Plan database management to a U.S. firm.

    Union lawyers told the court that privatization of the Medical Services Plan (MSP) would violate the Canada Health Act and potentially jeopardize the privacy of patient data. The province has already signed a $324-million with Reston, Virginia-based Maximus Inc., which will deliver its services through two new Canadian subsidiaries, Maximus BC Health Inc. and Maximus BC Health Benefit Operations Inc. The BCGEU has asked for an injunction that would prevent the partnership from moving ahead until the broader issues in the case can be resolved. The Supreme Court had not made a decision at press time...."


    Friday, February 04, 2005

    Canadian Privacy and the USA Patriot Act 

    Interesting how this has only now appeared on the US radar screens. When this was only about the British Columbia and Alberta governments, the only coverage was Canadian. Now that there is some small reaction out of Ottawa, it shows up in the US media ...

    UPI Intelligence Watch - (United Press International):

    "Washington, DC, Feb. 4 (UPI) -- Because of security concerns related to the Patriot Act, the Canadian government will revise the wording of future federal contracts. Ottawa will attempt to blunt U.S. ability, granted under the act to tap into personal information about Canadians. The Canadian government is particularly concerned that the FBI might attempt to view sensitive Canadian data the government supplies to American firms doing business with federal departments in Ottawa. Ottawa has requested that all government agencies and departments conduct a "comprehensive assessment of risks" to Canadian information they release to U.S. companies when fulfilling work under contract. The Patriot Act gave the FBI broader access to the records of U.S. firms. Under its provisions, the FBI can apply to a U.S. court to force a business to allow access to its records, including information about Canadians, to assist with investigations involving prevention of terrorism or espionage. Canadian Privacy Commissioner Jennifer Stoddart says that if a Canadian federal entity hires an American company to process personal information about Canadians, then U.S. laws apply to the data if the work is being done in the United States. The federal Treasury Board is in charge of a working group that is drafting special clauses to be used in future business proposal requests and contracts. According to a federal notice recently circulated to departments, the group is consulting with Stoddart's office on clauses "that we believe to be fundamental" to include in future request proposals and contracts. Treasury Board spokesman Robert Makichuk said the changes would "further enhance and clarify existing protection" for such things as establishing custody and control of data, ensuring confidentiality of information and setting conditions related to use and disclosure."


    Wired News: Canadians Fight for Privacy 

    Wired News is carrying a story about the USA Patriot Act and the Canadian reaction to it. It isn't really news to those in the Canadian privacy community, but full points to Wired for bringing the issue to a wider community: Wired News: Canadians Fight for Privacy


    Sunday, January 30, 2005

    Canada moves to counter privacy threat posed by U.S. Patriot Act 

    According to the Canadian Press, the Federal Government is in the final stages of taking contractual steps to limit the access of American authorities to personal information of Canadians. It is worth noting that this appears to apply only to future contracts and that the government is content to include blocking clauses in agreements with contractors, rather than amending the Privacy Act, as has been done in British Columbia:

    Yahoo! News - Canada moves to counter privacy threat posed by U.S. Patriot Act:

    "OTTAWA (CP) - The government will revamp the wording of future federal contracts with the aim of countering U.S. powers, granted under anti-terrorism laws, to tap into personal information about Canadians.

    The move is intended to prevent the U.S. Federal Bureau of Investigation from seeing sensitive Canadian data the government supplies to American firms doing business with federal departments in Ottawa.

    The government has also asked all agencies and departments to conduct a 'comprehensive assessment of risks' to Canadian information they release to U.S. companies carrying out work under contract.

    The U.S.A. Patriot Act, passed following the Sept. 11, 2001 terrorist attacks, gave the FBI broader access to records held by firms in the United States.

    The FBI can apply to a U.S. court to have a company disclose records, including information about Canadians, to assist with investigations involving prevention of terrorism or espionage.

    Privacy Commissioner Jennifer Stoddart says that if a federal institution hires a U.S. company to process personal information about Canadians, then American laws apply to the data if the work is being done south of the border.

    The federal Treasury Board leads a working group that is now busy finalizing special clauses to be used in future business proposal requests and contracts.

    The group is consulting with Stoddart's office on clauses 'that we believe to be fundamental' to include in future request proposals and contracts, says a federal notice recently circulated to departments...."


    Saturday, December 18, 2004

    Federal Government secrets may be vulnerable to Patriot Act 

    Today's Vancouver Sun has a lengthy article that reports officials in the federal government are concerned about the security and privacy of information that is handled by American contractors or subsidiaries of US companies. The article is interesting, but does not suggest what the federal government is considering doing in response:

    U.S. law 'threatens Canada's secrets'

    OTTAWA -- Highly sensitive personal, military and national security information held by the Canadian government is accessible to U.S. authorities under the Patriot Act, according to a document obtained Friday.

    A team of Canadian government lawyers studied the vulnerability of top-secret data after a controversy broke out in B.C. earlier this year over whether British Columbians' personal medical records were being put at risk due to the provincial government's plan to contract out services to a U.S.-owned firm.

    The federal lawyers agreed with B.C. privacy commissioner David Loukidelis that the Patriot Act, enacted after the 2001 terrorist attacks in New York, gives the U.S. government enormous ability to probe into the databases of American companies that do business with Canadian governments.

    "Their preliminary findings indicate that the Federal Bureau of Investigation could require an American corporation under the U.S. Patriot Act to disclose information under its control, including information held by its Canadian subsidiaries," wrote Mark Seely, an official with Public Works and Government Services Canada, in a July 22, 2004 e-mail to more than two dozen Public Works officials....


    Thursday, December 16, 2004

    Alberta Commissioner to conduct his own "PATRIOT ACT" outsourcing inquiry 

    The Alberta Information and Privacy Commissioner, Frank Work, announced that his office will be working jointly with the Government of Alberta to examine the implications of public sector outsourcing for the personal information of Albertans. The news release can be found here.


    Outsourcing of Canadian student loans process to US results in complaint to the Privacy Commissioner 

    This is the first week that I've thought it would be easier to blog about who isn't complaining to the Office of the Privacy Commissioner ...

    A Vancouver man is taking his complaint about foreign outsourcing of student loans to the Privacy Commissioner, according to the Georgia Straight:

    Straight.com: Student-Debt Activist Seeks Privacy Probe:

    "A Vancouver man has asked the federal privacy commissioner to investigate the outsourcing of Canada student loans to a U.S.-owned company. Mark O'Meara, founder of the www.canadastudentdebt.ca/ Web site, claimed that as a result of a recent corporate takeover, Nebraska-based Nelnet has access to all federal student debtors' personal information and financial data.

    On December 6, Nelnet announced that its wholly owned Canadian subsidiary had completed its purchase of a CIBC subsidiary, Edulinx Canada Corp., which administers the Canada Student Loans Program on behalf of the federal government. According to Human Resources and Skills Development Canada, more than 1.8 million students have borrowed approximately $15.6 billion through the Canada Student Loans Program since 1993.

    In an e-mail to the Straight, O'Meara stated that the federal privacy commissioner should examine whether student-loan data is now subject to the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism). Under Section 215 of the act, the FBI is permitted to obtain secret court orders to obtain "any tangible things".

    On October 29, provincial Information and Privacy Commissioner David Loukidelis released a report concluding that there is a "reasonable possibility" of unauthorized disclosure of personal information under the USA PATRIOT Act. He issued numerous recommendations to mitigate this risk.

    O'Meara claimed that the federal privacy commissioner's office never responded to his e-mail asking for an investigation. Federal Privacy Commissioner Jennifer Stoddart also did not respond to the Straight's request for an interview by deadline.

    Nelnet's Nebraska-based spokesperson, Ben Kiser, told the Straight that nothing will change for students and borrowers as a result of the change in ownership. "Edulinx will remain a Canadian firm with operations in Canada," he said. "That means all processing, call-centre, data-storage, records-storage, and other student-loan functions will continue to take place exclusively in Canada."

    Last August, however, the American Civil Liberties Union filed a submission to Loukidelis claiming that the FBI could obtain personal records stored by a subsidiary of a U.S. corporation operating in another country. In one instance, a U.S. grand jury subpoenaed a foreign-bank employee while he was on U.S. soil. In a separate submission filed by the B.C. Government and Service Employees' Union, ACLU lawyer Jameel Jaffer claimed that the USA PATRIOT Act could enable the FBI to obtain entire databases of personal records without notifying anyone."


    Wednesday, December 01, 2004

    Round two of labour-sponsored privacy campaign against BC government to begin 

    Labour groups are once again attacking the government of British Columbia for outsourcing public services that involve personal information. This second campaign comes after its high-profile attempt to derail the outsourcing of the province's medicare administration (See BCGEU's privacy campaign). While that campaign did not dissuade the Campbell government from its plans (BC announces medical privatization plan), it did lead to a significant inquiry by the province's Information and Privacy Commissioner. Now under attack is the province's plan to outsource bill collection:

    B.C. opens private bank and credit data to U.S. scrutiny: "B.C. opens private bank and credit data to U.S. scrutiny

    New privatization deal means U.S. authorities will have access to bank account and credit card numbers, property records, income and driver's licence information on B.C. residents

    Vancouver - The B.C. Government and Services Employees' Union (BCGEU/NUPGE) plans to launch a new campaign this week warning residents that the Liberal government of B.C. Premier Gordon Campbell is making highly personal data vulnerable to American scrutiny through outsourcing and privatization.

    The latest information to be placed in the hands of private American companies involves a wide range of information on most B.C. residents, including bank account and credit card numbers, property records, income and driver's licence information.

    The province announced a $572-million ($483-million US) deal Friday with Electronic Data Systems (EDS) of Plano, Texas, to take over much of its bill collection activity. The 10-year deal comes with barely six months remaining in the Liberals' current mandate.

    The province argues that privacy provisions contained in the contract will safeguard personal information but the union says the government is misleading citizens because it is already known that the contract will not withstand the overriding and intrusive powers available to American authorities under the U.S. Patriot Act.

    The Patriot Act was passed by Congress and signed into law by President George Bush following the Sept. 11, 2001 terrorist attacks on New York and Washington.

    The deal is even worse than a recent 10-year, $324-million contract signed with U.S.-based Maximus Inc. to privatize the processing of the medical claims of B.C. residents.

    Privacy commissioner ignored

    Once again, the province has ignored concerns raised by its own information and privacy commissioner, putting private sector ideological interests ahead of those of its own people, the BCGEU says.

    Essentially, the latest contract means that intensely personal information on most British Columbians will be exposed to potential scrutiny by the FBI and other U.S. government agencies, the union warns.

    "It’s another example of the Liberals bullying ahead without heeding the warnings of privacy commissioner David Loukidelis issues raised by the privatizing of records management," says BCGEU president George Heyman.

    Loukidelis said the U.S. Patriot Act creates a real risk that personal information, once placed in the hands of private companies with U.S. links, will be open to scrutiny by the FBI and other American agencies. He recommended a series of measures to protect the privacy of British Columbians.

    Heyman says Premier Campbell has failed to take the necessary range of measures recommended by the commissioner.

    Patriot Act applies

    "The fact is that the Patriot Act applies. EDS is an American company, and all the records in its possession are exposed," Heyman says.

    "The Campbell government is clearly misleading the public and betraying the promise they made to British Columbians that real protections would be in place before any contracts were signed."

    A long list of personal data at risk, Heyman warns.

    "It includes everything from credit card and bank account numbers, personal property and asset details, individual and family income, and drivers license, vehicle and insurance information. It’s pretty serious stuff that British Columbians wouldn’t want to share with the Bush government," he says.

    Meanwhile, the BCGEU leader said full details on his union's latest campaign to warn residents will be announced this week. The union is also continuing efforts to mount a legal challenge to the government.

    The union says privacy guarantees written into the contract by EDS and the province will be overridden by the all-intrusive federal powers of the U.S. Privacy Act.

    NUPGE


    Tuesday, November 09, 2004

    The Privacy Lawyer: Privacy Policies And The Patriot Act  

    Parry Aftab's November 8, 2004 column in Information Week is an interesting one. She discusses the challenges now faced by organizations if they are served with a Patriot Act "National Security Letter" to hand over customer information. Because the validity of these instruments is in question, an organization can be stuck between a rock and a hard place if they are legally restricted from handing over the info or if they have promised not to in their privacy policies, subject to a lawful request.

    The Privacy Lawyer: Privacy Policies And The Patriot Act: "...In the meantime, businesses are well advised to review all governmental requests and their reaction to such requests. Once again, if your privacy policy (especially those of telecommunications or Internet-related providers) provides that you will not share personal information about subscribers except through valid legal process (for which they will receive notice, except to the extent prohibited by law) or otherwise in accordance with your privacy policy, the law prohibiting your informing them of any inquiry is key. If the decision is not overturned, you may not be able to rely on the Patriot Act to protect you if you don't inform your subscribers of a governmental inquiry. Make sure your counsel understands the laws and your policies and can guide you when government or anyone else comes knocking."

    All organizations that are presented with an official looking document need to consult counsel because the document may be flawed or it may be based on unconstitutional legislation. Simply believing it is valid might not cut it.

    Libraries should read the related posting in the LibraryLawBlog.


    Saturday, November 06, 2004

    BC announces medical privatization plan 

    Over the protests of public sector unions and privacy advocates, the government of British Columbia has formally announced that it is outsourcing the processing of medicare claims to a US-based company, Maximus. The prospect of this happening led the BC Government and Service Employees Union to file a complaint with the province's Information and Privacy Commissioner, prompting the Commissioner's investigation into the impact of outsourcing and the USA Patriot Act on the privacy of British Columbians (see BC Privacy Watchdog Seeks US Government, FBI Input in Patriot Act). For more info on the recent outsourcing announcement, see:

    CNEWS - Politics: B.C. announces medical privatization plan:

    "...Maximus, Inc., a U.S.-based firm, has been given a 10-year contract worth $324 million, the government announced Thursday. The company also has a five-year renewal option...."


    Monday, November 01, 2004

    BC Privacy Commissioner's report leads to questions in Australia 

    The recent report by the BC Privacy Commissioner on privacy and outsourcing to US-controlled companies has led to questions in Australia:

    Australian IT - US law raises privacy worries :

    "THE South Australian Government has promised to review the access of US outsourcer Electronic Data Systems to information on citizens in the wake of a Canadian government report finding a 'reasonable possibility' of unauthorised disclosure by US outsourcers to US government agencies.

    A spokesman for Administrative Services Minister Michael Wright, who oversees the EDS whole-of-government outsourcing contract, said the Government was 'taking the issue seriously'.... "

    As alluded to above, much Australian government data processing is done by EDS. A related story, from Yahoo News, includes a statement from EDS that there has been no disclosure of Australian personal information to US authorities under the USA PATRIOT Act:

    EDS denies breaching Privacy Act

    "... The company's managing director Chris Mitchell says EDS is a corporate citizen and it complies with the Privacy Act of Australia.

    "The US Government would have to talk to the Australian Government about superseding the laws of the land, that's all I can say," he said.

    Mr Mitchell says the data for the Federal Government's accounts are dealt with in Australia and some other clients' data is processed offshore, but only with their agreement...."


    Sunday, October 31, 2004

    Release: President of the Treasury Board responds to BC cross-border privacy report 

    The following was released by the President of the Treasury Board, Reg Alcock, on Friday, October 29, 2004:

    Statement by Reg Alcock, President of the Treasury Board, in response to the report issued by the Information and Privacy Commissioner for British Columbia:

    "For immediate release
    October 29, 2004

    Ottawa - Reg Alcock, President of the Treasury Board issued the following statement today in response to the report issued by the Information and Privacy Commissioner for British Columbia on Privacy and the USA Patriot Act:

    "The Government of Canada is currently reviewing the report released today by the Information and Privacy Commissioner for British Columbia on Privacy and the USA Patriot Act. We are committed to doing everything we can to protect the privacy of Canadians with respect to key federal personal and sensitive information holdings. The Government will continue to work closely with the federal Privacy Commissioner, provincial governments and the private sector to protect the security and privacy of Canadians and the interests of Canadian businesses.

    We are also calling on Canadian businesses to continue to respect the privacy rights of Canadians with regards to information the private sector possesses on individual Canadians, as legislated under the Personal Information Protection and Electronic Documents Act.

    The actions taken by the Government in response to potential privacy and contracting risks posed by the USA Patriot Act include: a review by Government departments of their outsourcing arrangements to determine if action is needed; continuing the review of federal privacy laws and policies; and cooperating with the OPC on the planned audit in 2004-2005 of the transfer of personal information between Canada and the United States".


    Friday, October 29, 2004

    BC Information and Privacy Commissioner releases his report: Patriot Act contravenes BC privacy laws 

    The Information and Privacy Commissioner of BC has released his report into the impact of the USA PATRIOT Act on the privacy of British Columbians. His report is available here and a summary is available here.

    See below for media coverage:

    U.S. Patriot Act can eyeball private Canadian records, says B.C. report
    Canadian Press via Yahoo! News Fri, 29 Oct 2004 11:10 AM PDT
    VICTORIA (CP) - The USA Patriot Act has the power to eyeball private information about Canadians despite attempts by governments in Canada to thwart probes by American authorities, says a report released Friday by British Columbia's privacy commissioner.

    Patriot Act contravenes B.C. privacy laws: report
    CBC British Columbia Fri, 29 Oct 2004 11:06 AM PDT
    VICTORIA - B.C. Privacy Commissioner David Loukidelis says the U.S. Patriot Act violates provincial privacy laws – and he wants the province to temporarily ban the transfer of personal information to the U.S.

    Canada Study Sees Risk in U.S. Anti-Terrorism Law
    Reuters via Yahoo! News Fri, 29 Oct 2004 11:31 AM PDT
    A key U.S. anti-terrorism law threatens the privacy of Canadians and rigorous steps are needed to protect private medical and financial information, a government study said on Friday.


    Thursday, October 28, 2004

    BC Privacy Commissioner to release report on USA PATRIOT Act and outsourcing of personal information management 

    According to a press release on the BCGEU website, the Information and Privacy Commissioner of British Columbia will be releasing his long-awaited -- and delayed -- report on the impact of the USA PATRIOT Act on the privacy of British Columbians' personal information. The report will be released at 10:00 am (PST), to be followed by the reaction of the BCGEU. (See BCGEU: News conference to respond to privacy ......)


    Tuesday, October 26, 2004

    Right-to-Privacy Campaign presents 50,000-name petition opposing the privatization of government jobs 

    The British Columbia Government Employees Union, which started the USA PATRIOT ACT and outsourcing firestorm in BC a while ago, has presented a fifty-thousand name petition against privatizing government jobs by outsourcing:

    BCGEU: Right-to-Privacy Campaign presents 50,000-name petition opposing the privatization of government jobs:

    "The BC Government and Service Employees' Union congratulated Right-to-Privacy-Campaign representatives who turned over petitions totaling 51,203 names to the Opposition caucus in Victoria today, opposing the contracting out of Medicare and Pharmacare jobs to private companies.

    ...

    While support for stopping the privatization of Medicare and Pharmacare jobs is welcome, President Heyman cautioned that all personal information in government data banks is at risk.

    "The Campbell Liberals are proceeding with plans to contract out help desk, disaster recovery and many other services to the private sector," Heyman said. "If these contracts proceed, virtually every piece of confidential information handled by the government could be accessed by private multi-national corporations.""


    Friday, October 22, 2004

    BC Unions continue to slam privacy impact of outsourcing of IT services 

    More on the BC outsourcing privacy front: The British Columbia Government Employees' Union continues to attack the outsourcing of IT services, using privacy fears related to the USA PATRIOT ACT:
    Privacy risks for 'hundreds and hundreds' of B.C. contracts

    Gordon Campbell Liberals outsourcing IT contracts to U.S. companies

    Vancouver - The British Columbia government has admitted that "hundreds and hundreds" of provincial contracts will be vulnerable to privacy concerns despite the passage of new controls by the legislature.

    The province is in the process of outsourcing B.C. information technology (IT) contracts to American companies. The U.S. firms are subject to the Patriot Act, a sweeping piece of legislation passed following the Sept. 11, 2001, terrorist attacks on New York and Washington.

    American courts have already ruled that the Patriot Act takes precedence over any privacy protections enacted by foreign governments.

    Critics, led by the B.C. Government and Service Employees' Union (BCGEU/NUPGE), are strongly opposed to outsourcing of IT contracts because of this vulnerability.

    Meanwhile, Joyce Murray, B.C.'s government services minister, acknowledged this week that the strengthened legislation will only apply to contracts signed after Oct. 12, not to "hundreds and hundreds" of already-existing contracts.

    No deadline for compliance

    Contracts signed prior to Oct. 12 will be brought into compliance with the new legislation "as soon as possible," Murray told MLAs in the legislature. However, she did not indicate how long this might take.

    Diane Wood, the BCGEU's secretary-treasurer, says the revelations by the minister make an even stronger case against outsourcing IT contracts. In effect, U.S. companies awarded IT contracts will have no alternative but to break the law, she says.

    “If they comply with the Patriot Act, they break B.C.’s law. If they follow our legislation, they risk prosecution in the United States,” Wood notes.

    She also objects to the province forcing the amendments through the legislature before the B.C. Privacy Commissioner files a report on the Patriot Act and its potential impact on B.C. outsourcing contracts.

    “The only way to ensure that our personal and confidential information is fully protected, is to keep it in our own government where it belongs,” says Wood. NUPGE"


    Saturday, October 09, 2004

    BC Government Employees' Union says amendments won't protect personal information 

    The BCGEU (who started all the fuss about privacy and outsourcing in BC in the first place) has issued a release saying that the amendments to the Freedom of Information and Protection of Privacy Act (BC) do not go far enough to protect the privacy of British Columbians:

    BCGEU: Amendments to privacy laws won't protect our personal data from the FBI:

    "The B.C. Government and Service Employees' Union (BCGEU) is rejecting the government's claim that amendments to B.C. privacy laws will be sufficient protection for British Columbians if their medical and financial records and other personal information are handed over to U.S.-linked companies.

    'The Campbell Liberals can try to build a fortress around our personal data but once it outsources information technology (IT) services to American-linked companies, the FBI can use the USA Patriot Act to knock down any legal, constitutional or electronic walls to get British Columbians' personal information,' said Diane Wood, BCGEU Secretary-Treasurer..."

    See, also, my blog entry on the amendments: BC amends public sector privacy law to block access to information if services are outsourced.

    UPDATE: The Canadian Union of Public Employees, a federal public sector union, has also come out against the proposed amendments:

    B.C. Liberals using FOI amendments to mask privatization agenda, says CUPE Bill 73 pre-empts Privacy Commissioner's report on effects of USA Patriot Act:

    "BURNABY, BC, Oct. 8 /CNW/ - Amendments to the Freedom of Information and Protection of Privacy (FOIPP) Act are mere window dressing for the provincial government's privatization agenda and do nothing to alleviate British Columbians' concerns about the all-powerful USA Patriot Act, says CUPE BC president Barry O'Neill.

    Bill 73, tabled in the legislature yesterday by Management Services Minister Joyce Murray, includes restrictions on public bodies and service providers storing, accessing or disclosing personal information outside Canada.

    But amendments to Canadian law cannot protect the privacy of Canadians when U.S. companies are in possession of Canadians' personal information, says O'Neill...."


    Wednesday, September 29, 2004

    Article: U.S. Patriot Act Raises Canadian Privacy Fears 

    Reuters is carrying a story on its wire service about the effect of the USA Patriot Act on the privacy of Canadians. Yahoo! News - U.S. Patriot Act Raises Canadian Privacy Fears


    Wednesday, September 22, 2004

    BC Privacy Commissioner delays PATRIOT ACT report a second time 

    The Information and Privacy Commissioner of BC says his report on the impact of the USA PATRIOT ACT on the privacy of British Columbians will be delayed a second time:

    Privacy commissioner delays again report into impact of Patriot Act on B.C.:

    "'The sheer volume of the submissions and the complexity of the issues have forced a second extension of the report's release date,' said Mary Carlson, director of policy and compliance for the Office of the Information and Privacy Commission.

    The commission received more than 500 submissions from individuals, governments, other privacy commissioners, businesses, unions, technology associations, non-profit associations, civil liberties groups, health care bodies and seniors' organizations."


    The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.