The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar

Archives

Links

Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by groups.yahoo.com

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Wednesday, October 28, 2009

Amendments to PIPA tabled, including breach notification and regulation of export of personal information 

Yesterday (October 27, 2009), the Alberta Government introduced Bill 54, the Personal Information Protection Amendment Act, 2009. The Bill includes notification requirements for export of personal information to a service provider outside of Canada and breach notification. The principal export provision is:
Notification respecting service provider outside Canada

13.1(1) Subject to the regulations, an organization that uses a service provider outside Canada to collect personal information about an individual for or on behalf of the organization with the consent of the individual must notify the individual in accordance with subsection (3).

(2) Subject to the regulations, an organization that, directly or indirectly, transfers to a service provider outside Canada personal information about an individual that was collected with the individual’s consent must notify the individual in accordance with subsection (3).

(3) An organization referred to in subsection (1) or (2) must, before or at the time of collecting or transferring the information, notify the individual in writing or orally of

(a) the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and

(b) the name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.

(4) The notice required under this section is in addition to any notice required under section 13.

Permitted "as required by law" disclosures are now limited to required by Canadian or Alberta law. The breach notification provisions require notice to the Commissioner and the Commissioner may order that individuals be notified. I'm sure we'll be hearing more about this. Here's an extract from yesterday's Hansard:

ISYSweb 8 Search Results for Bill 54

Bill 54

Personal Information Protection Amendment Act, 2009

Mr. Denis: Thank you very much, Mr. Speaker. I rise to introduce Bill 54, the Personal Information Protection Amendment Act, 2009. Mr. Speaker, this bill is a direct result of the hard work of the SelectSpecialPersonalInformation Protection ActReviewCommittee, an all-party special committee of the Legislature that in 2006 undertook a complete review of the act and tabled a report to the Legislature in November 2007 outlining recommendations for amendments. This bill incorporates a number of their proposed amendments.The main proposals for change include emerging issues such as notifying the commissioner or individuals about security breaches that place personal information at risk and informing individuals when services involving personal information are occurring outside of Canada. Mr. Speaker, as required for any new legislation in a rapidly evolving area, this bill also does some updating and finetuning of the existing provisions of this act.

Thank you very much, Mr. Speaker.

[Motion carried; Bill 54 read a first time]

The Speaker: The hon. Government House Leader.

Mr. Hancock: Thank you, Mr. Speaker. I move that Bill 54 be moved onto the Order Paper under Government Bills and Orders.

[Motion carried]

Labels: , , ,

Monday, April 21, 2008

PIPA review released in BC 

The Special Committee of the BC Legislature reviewing the Personal Information Protection Act has recently released its report:

April 17, 2008: Special Committee Recommends Changes to Streamline B.C.’s Private-Sector Privacy Law Media Releases Special Committee to Review the Personal Information Protection Act 4th Session 38th Parliament Committees

SPECIAL COMMITTEE RECOMMENDS CHANGES TO STREAMLINE B.C.’S PRIVATE-SECTOR PRIVACY LAW

VICTORIA – The Special Committee to Review the Personal Information Protection Act submitted its Report to the Legislature this afternoon. The all-party committee was appointed in 2007 by the Legislative Assembly to review the act that regulates the collection, use and disclosure of personal information by private-sector organizations in the province. During the past year, the committee received 39 submissions.

The key findings from the consultations are that the act seems to be working well overall for private-sector organizations operating in British Columbia, while the public is not as aware of the purpose, rules and scope of the act. The act also aligns with the federal and Alberta private-sector privacy laws.

The report, titled Streamlining British Columbia’s Private Sector Privacy Law, was unanimously adopted by all committee members. The report contains 31 recommendations, including:

  • Making private-sector organizations accountable for personal information they transfer for processing outside Canada
  • Requiring organizations to notify affected individuals of privacy breaches in certain circumstances
  • Banning the use of blanket consent forms by provincially regulated financial institutions
  • Revising consent exceptions to better address business practices in the insurance industry
  • Permitting disclosure of personal contact information for health research
  • Retaining the minimal fee for access to personal information
  • Streamlining the complaints process in the province’s privacy laws
  • Strengthening the Information and Privacy Commissioner’s oversight powers

“Keeping personal information private is vitally important,” said committee chair Ron Cantelon, MLA. “We want to enhance safeguards, but at the same time, balance that goal against imposing unnecessary regulations on business, particularly small businesses.”

The members of the Special Committee to Review the Personal Information Protection Act are:

Ron Cantelon, MLA Nanaimo-Parksville

Harry Lali, MLA Yale-Lillooet

Leonard Krog, MLA Nanaimo

Mary Polak, MLA Langley

John Rustad, MLA Prince George-Omineca

Information about the committee’s work can be found on its website at http://www.leg.bc.ca/cmt/pipa/index.asp, or by contacting the committee chair, Ron Cantelon, MLA, or any committee member.

Labels: , , , ,

Tuesday, April 01, 2008

BC Commissioner's submissions on PIPA Review 

The British Columbia Information and Privacy Commissioner has submitted a report to the Special Committee of the British Columbia Legislature to Review the Personal Information Protection Act (BC). The Commissioner has found that the Act was a balanced and effective law that did not require major changes.

Labels: , ,

Privacy commissioner raps home improvement retailer for collecting drivers licenses on product returns 

The Information and Privacy Commissioner of Alberta has ruled that Home Depot violated the Personal Information Protection Act (Alberta) when it collected and recorded a customer drivers license information in connection with a product return. The company's policy was that returns for purchases that were made with a debit card, even with a receipt, are treated as a "no receipt" return and the information is collected. The Commissioner noted that the information would be placed in a database maintained by the American parent company in the United States, which is a disclosure of personal information.

The article on Canada.com quotes a Home Depot spokesperson who says this is no longer the policy as customers thought it to be an invasion of privacy. See: Privacy commissioner raps Home Depot.

Labels: , , ,

Monday, March 31, 2008

What's new from Alberta 

There have been some interesting releases from the Information and Privacy Commissioner of Alberta's office:

OIPC

Order P2007-014

Posted: Mar/19/2008

Adjudicator rules personal information released in contravention of Personal Information Protection ActAn Adjudicator with the Office of the Information and Privacy Commissioner has ruled that the Alberta Teachers’ Association contravened the Personal Information Protection Act (PIPA), when it published an article containing the personal information of former members.

The Complainants filed the complaint when the ATA published their names in a newsletter stating that they no longer were required to adhere to the ATA’s Code of Professional Conduct.

The ATA argued while it had published personal information, it had done so for “journalistic purposes” and that PIPA did not apply.

The Adjudicator determined that PIPA did apply and that the information was disclosed contrary to sections 7 and 19 of PIPA.

Order F2007-026

Posted: Mar/18/2008

Adjudicator finds Alberta Energy and Utilities Board did not disclose personal information in contravention of the FOIP Act

Order F2007-019

Posted: Mar/11/2008

Information and Privacy Commissioner, Frank Work, has ruled that the parents of a student had no legal standing in a complaint over the seizure of their son’s cell phone. The Commissioner says he was not presented with any evidence under section 84 of the Freedom of Information and Protection of Privacy Act (FOIP) that the parents were authorized to act on behalf of their son, nor is there any evidence that the son is even aware of a complaint being made on his behalf.The parents complained to the Commissioner their son’s cell phone had been seized by school administrators who had accessed photographs contained on the phone.

During an inquiry into the matter, the Commissioner found the evidence did not establish that the parents had standing to make a complaint. The Commissioner also found there was little evidence that the son’s personal information had been collected or used by the school.

Investigation Report P2008-IR-002

Posted: Mar/06/2008

Commissioner releases investigation report on DeVry Institute of Technology, related to discovery of identity theft.

News Release P2008-IR-002

Posted: Mar/06/2008

Commissioner releases investigation report related to discovery of identity theft

News Release: New Video Surveillance Guidelines

Posted: Mar/06/2008

New guidelines set out how companies should evaluate the use of video surveillance that respects privacy rights and complies with the law.

Order F2008-007

Posted: Mar/06/2008

Adjudicator upholds decision not to release Crown Prosecutor records

Order P2008-001

Posted: Mar/06/2008

Adjudicator rules company tried to find applicant's personal information

Labels: , , , ,

Thursday, March 06, 2008

Privacy Commissioners Release New Video Surveillance Guidelines 

The Privacy Commissioners of Canada, British Columbia and Alberta today have released Guidelines for Overt Video Surveillance in the Private Sector to help businesses consider privacy matters when deciding whether to and how to implement overt video surveillance. (I wonder whether they'll also produce guidelines on covert surveillance?)

From the media release:

Privacy Commissioners Release New Video Surveillance Guidelines

Privacy Commissioners Release New Video Surveillance Guidelines

OTTAWA, March 6, 2008 — Private-sector organizations considering video surveillance systems must take specific steps to minimize the impact on people’s privacy, say video surveillance guidelines released today.

The new guidelines set out how companies should evaluate the use of video surveillance and ensure any surveillance they undertake is conducted in a way that respects privacy rights and complies with the law.

These guidelines have been endorsed by Jennifer Stoddart, the Privacy Commissioner of Canada, Frank Work, the Information and Privacy Commissioner of Alberta, and David Loukidelis, the Information and Privacy Commissioner for British Columbia.

“We have seen a dramatic increase in the use of surveillance cameras by private-sector organizations. Many of our day-to-day activities are now captured by these cameras,” says Commissioner Stoddart.

“There are some legitimate reasons to conduct video surveillance, but privacy laws in Canada impose restrictions and obligations when, where and how businesses can conduct this kind of surveillance,” says Commissioner Loukidelis.

“These guidelines make it clear that businesses must carefully evaluate why they are installing video surveillance equipment, and what they will do with the information that is collected,” says Commissioner Work.

The Commissioners say it is disturbing to hear stories about video surveillance operators deliberately pointing cameras to ogle women, as well as surveillance images of people caught in unflattering situations finding their way onto video sharing sites like YouTube and Vimeo.

The new guidelines are aimed at businesses subject to the Personal Information Protection and Electronic Documents Act, or PIPEDA. They are also targeted at businesses subject to the provincial Personal Information Protection Acts in Alberta and British Columbia.

The overarching principle for video surveillance – which stems from the key legal test under the federal and provincial laws – is that it should be used only for purposes that a reasonable person would consider appropriate in the circumstances.

The guidelines state that, in order to limit the impact on privacy, cameras should be positioned to avoid capturing the images of people not being targeted (e.g., someone walking outside a store). As well, cameras should not be used in areas where people have a heightened expectation of privacy, such as washrooms, and through building windows.

The guidelines also say:

  • People should be notified about the use of cameras before they enter the premises.
  • Individuals whose images are captured on videotape should, upon request, be given access to this recorded personal information.
  • Organizations must ensure that video surveillance equipment and videotapes are secured and used for authorized purposes only.
  • Individuals who operate video surveillance systems should understand the privacy issues related to surveillance and their obligations under the law.
  • Video surveillance recordings should be retained only as long as necessary and destroyed securely.

The complete guidelines for private-sector organizations are available at www.privcom.gc.ca, www.oipc.ab.ca and www.oipc.bc.ca. The Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner for British Columbia have previously published guidelines for the use of video surveillance in public places by police and law enforcement authorities.

All three privacy commissioners are statutorily mandated to oversee compliance with the Acts and are advocates and guardians of privacy and the protection of personal information rights of Canadians.

Labels: , , , , , ,

Wednesday, February 20, 2008

Alberta Commissioner forbids license scanning 

In a long awaited decision, the Information and Privacy Commissioner of Alberta has ordered a nightclub to cease scanning drivers licenses. The practice is an unreasonable collection of personal information and is not justified under the Personal Information Protection Act.

From the decision, the Commissioner didn't see the connection between the collection of drivers license information and the supposed purposes for collecting it:

[para 31] From my review of the evidence and the parties’ submissions, I find that, at best, the Organization offers conjecture that collecting driver’s license information of patrons may act as a deterrent to violent behaviour. The Organization did not submit any evidence to establish that collecting the Complainant’s driver’s license information, or that of other patrons, is in any way a deterrent to violent behavior. In addition, it did not provide any evidence regarding the causes of violence in bars or statistics relating to the incidence of violence in bars before and after the implementation of a driver’s license collection program. I draw the inference that the Organization is unable to produce any evidence to draw a correlation between violence, patron safety, and collecting driver’s license information. As a result, the Organization has failed to establish any reasonable relationship between collecting driver’s license information and any of its stated purposes for scanning driver’s licenses. I am therefore unable to conclude that the Organization has a reasonable purpose within the meaning of section 11 when it scans patrons’ driver’s licenses.

[para 32] For these reasons, I find that the Organization did not comply with the requirements of either section 11(1) or (2) when it scanned the driver’s license information of the Complainant, as its collection of personal information is not reasonable related to its purpose....

On the topic of whether putting up a poster results in informed consent:

[para 53] The Complainant’s evidence is that his driver’s license was scanned before he could raise an objection. He had assumed that the Organization’s employee would check his birth date, but she instead scanned the information on the license into a database. The Organization does not challenge the Complainant’s version of events, but points to a poster it has now posted for patrons explaining why it collects driver’s licenses and what it does with them. It argues that this poster satisfies the requirements of section 13(1).

[para 54] As noted above, the poster explains that its collection practice is intended “to encourage our patrons to behave responsibly and deter those who are seeking to ruin your experience with us, from entering the venue.” The poster is not clear about the purposes of the Organization in collecting the information and does not warn patrons that information will be retained for a period of 7 – 10 days or longer by the Organization.

[para 55] I find that the poster is misleading and does not provide sufficient information for patrons to provide informed consent to the Organization’s collection of personal information. In addition, the Organization provided no evidence that the poster was in place when it scanned the Complainant’s driver’s license. In fact, paragraph 8 of the Organization’s affidavit establishes only that the notice was posted on August 24, 2006, the date of the affidavit.

[para 56] I find that the Complainant did not consent to the scanning of the information on the face of his driver’s license, other than to permit the Organization employee to confirm his date of birth. I also find that the Organization did not provide adequate notice to the Complainant of its collection of his personal information. As none of the provisions of 14 apply, and because an individual cannot consent to the unreasonable collection of personal information, I find that the Organization was required to provide notice of its collection and did not. As a result, I find that the Organization contravened section 13 of the Act when it collected the Complainant’s personal information.

The Calgary Sun reports that the owner of the bar is considering appealing and is "furious" about the decision: The Calgary Sun - Bar owner furious after licence checks halted.

Labels: , , , ,

Saturday, January 12, 2008

Alberta Commissioner considers reference checks under PIPA 

From Alberta:

Commissioner rules reference check was in compliance with Personal Information Protection Act

January 8, 2008

Commissioner rules reference check was in compliance with Personal Information Protection ActInformation and Privacy Commissioner, Frank Work, has determined that information collected in an employment reference check was in compliance with the Personal Information Protection Act (PIPA).

An individual had complained that a former employer had disclosed information not related to her job to a prospective employer in contravention of PIPA and that the prospective employer had collected the information in contravention of the Act. The individual also complained that the former employer had not responded to her request for her personal information.

Following an inquiry into the matter, the Commissioner determined that the information collected in the reference check was personal employee information as defined in PIPA and that no unrelated personal information about the individual was collected. The Commissioner found no evidence that personal information, aside from work related information, had been disclosed or collected.

The Commissioner did find, however, that the former employer did not properly respond to the Complainant’s request for her personal information and has ordered the former employer to respond to that request.To obtain a copy of Orders P2006-006 and P2006-007, visit our website, http://www.oipc.ab.ca/.

Labels: , , ,

Wednesday, January 02, 2008

Happy birthday to the Canadian Privacy Law Blog 

Today marks the fourth anniversary of the Canadian Privacy Law Blog. Four years ago, on January 2, 2004, I put fingers to keyboard and joined the interesting conversation that was beginning to take shape on the internet among veteran bloggers and I'm glad I did. (Welcome to the Canadian Privacy Law blog.) According to Blogger, this will be my 2740th post to the blog.

Forgive me if I get a bit melancholic and wistful as I look back on the past four years, but it has been a very eventful one for me and for the world of privacy. And both are related, I think. (I mean the changes in the world of privacy have influenced me, not the other way around.)

The day before my first posting, the Personal Information Protection and Electronic Documents Act ("PIPEDA") came fully into force for all commercial activities in Canada. That day, the Personal Information Protection Acts of British Columbia and Alberta came into force, but were not declared to be "substantially similar" to PIPEDA until ten months later (Alberta and British Columbia privacy laws declared to be substantially similar.) Also on the legislative front, Ontario passed the Personal Health Information Protection Act and it became law in May, 2004 (Ontario's Personal Health Information Protection Act receives royal assent.) Perhaps as importantly, it was declared substantially similar on November 28, 2005. (PHIPA declared substantially similar.)

Much attention has been paid to the continuing erosion of privacy rights in the United States and Canada. In 2004, the Information and Privacy Commissioner of British Columbia brought the USA Patriot Act under scrutiny. (U.S. Patriot Act worries Privacy Commissioner and BC Information and Privacy Commissioner releases his report: Patriot Act contravenes BC privacy laws.) In response, British Columbia, Alberta and Nova Scotia have passed laws or amendments to existing laws to closely regulate the export of personal information outside of Canada. In the US, the USA Patriot Act has been subject to many judicial challenges with some success.

Perhaps the area that has been most visible to laypeople is the growing trend of requiring companies to report data breaches. California led the way and now more than thirty US states have such requirements. We haven't seen it in Canada (except in PHIPA in Ontario) but advocates are calling for such a requirement in Canada's privacy laws of general application. Coming clean has led to the public disclosure of a number of huge breaches, including Cardsystems, TJX/Winners, Department of Veterans Affairs and the UK Revenue and Customs Service. Whether we see a change in Canadian law has yet to be seen. Despite the huge publicity given to these breaches, business built on personal information -- such as Facebook -- thrive.

On the professional front, I've been very fortunate to have been invited to speak on the topic of privacy on more occasions than I can estimate. Highlights have been speaking at the Canadian Bar Association general meeting in Winnipeg in 2005, Canadian IT Law Association for the past few years and innumerable professional organizations. The blog has also led to innumerable media interviews and some amazing awards (I'd like to thank the academy. And my blog ... and An honour to even be considered.)

Perhaps more satisfying is that I've been fortunate to have met (in some cases, in the flesh) and to have been inspired by some great fellow legal bloggers. This list includes Connie Crosby, Rob Hyndman, David Canton, Michael Geist, Michael Fitzgibbon and the amazing Slawyers.

To my readers, thank you very much for taking the time to drop by. I hope it has been informative and useful. Please pass along any suggestions or your thoughts, either in the comments to my posts or via e-mail at david.fraser@mcinnescooper.com.

Birthday cake graphic used under a creative commons license from K. Pierce.

Labels: , , , , , , , , ,

Wednesday, December 19, 2007

Alberta faults Ticketmaster for requiring consent to secondary purposes 

The Alberta Information and Privacy Commissioner has found that Ticketmaster violated that province's privacy law by requiring that purchasers consent to use of their information by concert promoters. From the Commissioner:

OIPC

Office of the Information and

Privacy Commissioner of Alberta

December 19, 2007

Ticketmaster investigated under Personal Information Protection Act

The Office of the Information and Privacy Commissioner has found that Ticketmaster Canada Ltd (Ticketmaster) contravened the Personal Information Protection Act (PIPA) by requiring on-line customers to consent to the use of personal information for the event provider’s marketing purposes, as a condition of a ticket sales transaction. The investigation also determined Ticketmaster’s on-line opt-out process did not allow customers to make an informed decision about consent nor did it offer customers a reasonable opportunity to decline or object to the use of their personal information for event providers’ marketing purposes. Ticketmaster’s on-line privacy policy was also found to be complex and ambiguous.

The Complainant went on Ticketmaster’s website, www.ticketmaster.ca to purchase tickets for an event. During the on-line transaction, the Complainant was unable to proceed with his on-line ticket purchase unless he consented to Ticketmaster’s “Use of Personal Information” privacy statement. The Complainant was particularly concerned with the contents of this privacy statement, which authorized Ticketmaster to share his email address with event providers for the event providers’ marketing purposes.

Ticketmaster agreed to implement the Investigator’s recommendations, which included launching, across Canada, a new on-line and telephone opt-in mechanism for event providers’ marketing communications. This mechanism offers on-line and telephone customers the opportunity to opt-in to receiving marketing materials from event providers by checking a box during the on-line ticket purchase process. In conjunction with the new on- line opt-in mechanism, Ticketmaster posted its revised on-line privacy policy with an easily navigable table of contents linking to appropriate section of the policy. To obtain a copy of Investigation Report P2007-IR-007, please visit our website at: www.oipc.ab.ca

CBC has some coverage of the story here: CBC.ca Arts - Ticketmaster's online sales violated Alberta privacy law.

Labels: , ,

Wednesday, September 26, 2007

Inadequate security safeguards led to TJX breach, Commissioners say 

The federal Privacy Commissioner and the Information and Privacy Commissioner of Canada have released their reports on the TJX/Winners breach (Report of Findings (September 25, 2007) Privacy Commissioner of Canada and Investigation Report P2007-IR-006). The moral of the story: don't collect information you don't need, don't keep it any longer than you need and properly secure the information you have.

Here's the media release:

News Release: Inadequate security safeguards led to TJX breach, Commissioners say (September 25, 2007) - Privacy Commissioner of Canada

Inadequate security safeguards led to TJX breach, Commissioners say

September 25, 2007 –The risk of a breach of sensitive personal information held by TJX Companies Inc., the US parent company of Winners and HomeSense stores in Canada, was foreseeable, but the company failed to put in place adequate security safeguards, an investigation by the Privacy Commissioners of Canada and Alberta has found.

“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it – putting the privacy of millions of its customers at risk,” says Privacy Commissioner of Canada Jennifer Stoddart.

“Criminal groups actively target credit card numbers and other personal information,” says Commissioner Stoddart. “A database of millions of credit card numbers is a potential goldmine for fraudsters and it needs to be protected with solid security measures.

“The TJX breach is a dramatic example of how keeping large amounts of sensitive information – particularly information that is not required for business purposes – for a long time can be a serious liability.”

The joint investigation by the two Commissioners was launched after TJX disclosed in January that its computer system had been breached. This breach involved millions of credit and debit card numbers as well as other personal information, such as driver’s license numbers collected when customers returned merchandise without receipts.

“This case is a wake-up call for all retailers. They must collect only the personal information necessary for a transaction,” says Frank Work, the Information and Privacy Commissioner of Alberta.

“One positive outcome of this extremely unfortunate breach is that TJX worked cooperatively with us to develop a new process for dealing with unreceipted returns which strikes an appropriate balance between privacy rights and a retailer’s need to take steps to prevent fraud.”

TJX believes the intruder may have initially gained to customer information via the wireless local area networks at two of its US stores. Customer information was stolen from mid-2005 through December 2006, a TJX investigation found. Some stolen information involved transactions dating back to 2002.

Stolen information included credit card account data as well as data collected when customers returned merchandise without a receipt (drivers’ license numbers, names and addresses).

The investigation concluded TJX did not comply with the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and Alberta’s Personal Information Protection Act (PIPA). The investigation found:

  • TJX did not properly manage the risk of an intrusion against the amount of customer data that it collected.
  • The company failed to act quickly in converting from a weak encryption standard to a stronger standard. The conversion process took two years to complete, during which time the breach occurred.
  • TJX did not meet its duty to monitor its computer systems vigorously. An adequate monitoring system should have alerted the company of an intrusion prior to December 2006.
  • The company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address the growing problem of credit card data theft.

The investigation also found the company did not have a reasonable purpose to collect driver’s license and other identification numbers when unreceipted merchandise was returned. TJX stated it asked for this information as part of a fraud prevention process to identify people frequently returning merchandise. It retained the driver’s license numbers – an extremely valuable piece of information for identity thieves – indefinitely.

In response to these concerns, TJX proposed a new process to address fraudulent returns. Store staff will continue to ask for identification, however, information such as a driver’s license number will instantly be converted into a unique identifying number when it is keyed into the point-of-sale system. This will allow the company to track unreceipted merchandise returns without keeping original driver’s license numbers in its system.

The Commissioners called on TJX to take a number of steps to improve its security measures and privacy practices and are pleased the company has agreed to follow these recommendations.

Commissioner Stoddart says the Winners/HomeSense breach illustrates the need to get security right in the first place to avoid the potentially huge costs of mopping up after a security breach. “Organizations need to ensure they have multiple layers of security and that they keep up with advances in security technologies. The cost of failing to do this can be enormous – not only to a company, but to its customers,” she says, adding that a data breach can also have a major impact on credit card companies, banks, law enforcement agencies and regulatory bodies.

A summary of the findings in the case is available on the Commissioners’ websites.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

The Information and Privacy Commissioner of Alberta has a mandate to promote a society where personal privacy is respected and public bodies are open and accountable.

Labels: , , , , ,

Monday, August 13, 2007

BC auto body shops object to auto insurer's credit-card policy 

Auto body repair shops in British Columbia are complaining to the province's privacy commissioner about the public auto insurer requiring that the shops hand over customer credit card information in the course of routine audits.

I wonder whether there's anything in the customer's policy allowing ICBC to collect this information?

Check it out:

Auto body shops take aim at ICBC's credit-card policy

Neal Hall, Vancouver Sun

Published: Monday, August 13, 2007

An association representing auto body shops and automotive glass repair companies has filed a complaint with B.C.'s information and privacy commissioner about having to hand over customer credit card numbers to the Insurance Corp. of B.C.

The United Auto Trades Association of B.C. says disclosure of a customer's personal and financial information during ICBC audits should not be done without a customer's written consent.

The complaint, obtained by The Vancouver Sun, says the disclosure without written consent is "clearly unlawful."

"It's of concern to us," said Gerry Preddy, vice-president of the association. "We've had examples of files being lost [by ICBC]."

The association, in its complaint, cites the federal Personal Information Protection Act, which states: "An organization must not, as a condition of supplying a product or service, require an individual's consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service."

ICBC demands such information during audits of auto body and glass repair shops that participate in ICBC's Glass Express Program to make sure shops are charging the vehicle insurance deductible amount.

"When a customer makes a claim, they are required to pay a deductible," explained ICBC spokeswoman Kate Best, "so repair shops provide ICBC with credit card information to confirm the payment of the deductible."

ICBC's position is that audits of repair shops are reasonable to verify payments, she said.

"The matter is currently before the information and privacy commissioner and ICBC will await the ruling," Best said.

The association says while membership in the glass express program is voluntary -- about 700 businesses and 60 per cent of glass repair shops participate in the program -- shops would suffer a drastic loss in business if they withdrew or refused to hand over the financial information of customers during ICBC audits.

The association made a final submission to the privacy commissioner on July 30, pointing out a recent B.C. Court of Appeal decision "confirmed that the collection and disclosure must be authorized by law."

The appeal court, in its ruling involving Royal City Jewellers & Loans Ltd., struck down a New Westminster bylaw allowing police to collect financial and personal information about people selling or pawning items to second-hand stores and pawn shops. The shops still collect the information but take the position they won't hand it over to police without a court order or search warrant.

Royal City Jewellers launched the court challenge, stating it was an invasion of privacy for law-abiding customers.

Labels: , , ,

Thursday, May 03, 2007

Parliamentary review of PIPEDA: Report 

The Parliamentary Committee on Access to Information, Privacy and Ethics has just released its report following the five year PIEDA review:

ETHI (39-1) — Fourth Report: STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) — Standing Committee on ACCESS TO INFORMATION, PRIVACY AND ETHICS - Committees of the House of Commons

The Standing Committee onACCESS TO INFORMATION, PRIVACY AND ETHICS

has the honour to present its

Fourth Report

Pursuant to its mandate under Standing Order 108(2), the Committee has studied a Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) and agreed to the following report:

The HTML version of this report will be available soon. In the meantime, the Committee is pleased to make available the report entitled STATUTORY REVIEW OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) (.PDF, 262 KB) in printable format.

Here are the recommendations:

47

Recommendation 1

The Committee recommends that a definition of “business contact information” be added to PIPEDA, and that the definition and relevant restrictive provision found in the Alberta Personal Information Protection Act be considered for this purpose.

Recommendation 2

The Committee recommends that PIPEDA be amended to include a definition of “work product” that is explicitly recognized as not constituting personal information for the purposes of the Act. In formulating this definition, reference should be added to the definition of “work product information” in the British Columbia Personal Information Protection Act, the definition proposed to this Committee by IMS Canada, and the approach taken to professional information in Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector.

Recommendation 3

The Committee recommends that a definition of “destruction” that would provide guidance to organizations on how to properly destroy both paper records and electronic media be added to PIPEDA.

Recommendation 4

The Committee recommends that PIPEDA be amended to clarify the form and adequacy of consent required by it, distinguishing between express, implied and deemed/opt-out consent. Reference should be made in this regard to the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 5

The Committee recommends that the Quebec, Alberta and British Columbia private sector data protection legislation be considered for the purposes of developing and incorporating into PIPEDA an amendment to address the unique context experienced by federally regulated employers and employees.

Recommendation 6

The Committee recommends that PIPEDA be amended to replace the “investigative bodies” designation process with a definition of “investigation” similar to that found in the Alberta and British Columbia Personal Information Protection Acts thereby allowing for the collection, use and disclosure of personal information without consent for that purpose .

Recommendation 7

The Committee recommends that PIPEDA be amended to include a provision permitting organizations to collect, use and disclose personal information without consent, for the purposes of a business transaction. This amendment should be modeled on the Alberta Personal Information Protection Act in conjunction with enhancements recommended by the Privacy Commissioner of Canada.

Recommendation 8

The Committee recommends that an amendment to PIPEDA be considered to address the issue of principal-agent relationships. Reference to section 12(2) of the British Columbia Personal Information Protection Act should be made with respect to such an amendment.

Recommendation 9

The Committee recommends that PIPEDA be amended to create an exception to the consent requirement for information legally available to a party to a legal proceeding, in a manner similar to the provisions of the Alberta and British Columbia Personal Information Protection Acts.

Recommendation 10

The Committee recommends that the government consult with the Privacy Commissioner of Canada with respect to determining whether there is a need for further amendments to PIPEDA to address the issue of witness statements and the rights of persons whose personal information is contained therein.

Recommendation 11

The Committee recommends that PIPEDA be amended to add other individual, family or public interest exemptions in order to harmonize its approach with that taken by the Quebec, Alberta and British Columbia private sector data protection Acts.

Recommendation 12

The Committee recommends that consideration be given to clarifying what is meant by “lawful authority” in section 7(3)(c.1) of PIPEDA and that the opening paragraph of section 7(3) be amended to read as follows: “For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […]”

Recommendation 13

The Committee recommends that the term “government institution” in sections 7(3)(c.1) and (d) be clarified in PIPEDA to specify whether it is intended to encompass municipal, provincial, territorial, federal and non-Canadian entities.

Recommendation 14

The Committee recommends the removal of section 7(1)(e) from PIPEDA.

Recommendation 15

The Committee recommends that the government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amendments to PIPEDA in this regard.

Recommendation 16

The Committee recommends that no amendments be made to PIPEDA with respect to transborder flows of personal information.

Recommendation 17

The Committee recommends that the government consult with members of the health care sector, as well as the Privacy Commissioner of Canada, to determine the extent to which elements contained in the PIPEDA Awareness Raising Tools document may be set out in legislative form.

Recommendation 18

The Committee recommends that the Federal Privacy Commissioner not be granted order-making powers at this time.

Recommendation 19

The Committee recommends that no amendment be made to section 20(2) of PIPEDA with respect to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest.

Recommendation 20

The Committee recommends that the Federal Privacy Commissioner be granted the authority under PIPEDA to share personal information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as international data protection authorities.

Recommendation 21

The Committee recommends that any extra-jurisdictional information sharing, particularly to the United States, be adequately protected from disclosure to a foreign court or other government authority for purposes other than those for which it was shared.

Recommendation 22

The Committee recommends that PIPEDA be amended to permit the Privacy Commissioner to apply to the Federal Court for an expedited review of a claim of solicitor-client privilege in respect of the denial of access to personal information (section 9(3)(a)) where the Commissioner has sought, and been denied, production of the information in the course of an investigation.

Recommendation 23

The Committee recommends that PIPEDA be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the Privacy Commissioner.

Recommendation 24

The Committee recommends that upon being notified of a breach of an organization’s personal information holdings, the Privacy Commissioner shall make a determination as to whether or not affected individuals and others should be notified and if so, in what manner.

Recommendation 25

The Committee recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a “without consent” power to notify credit bureaus in order to help protect consumers from identity theft and fraud.

Labels: , , , , , , , , ,

Wednesday, May 02, 2007

Alberta order on consent and withdrawal thereof 

A new and interesting Order from Alberta:
Order P2007-003

Two Complainants brought complaints under the Personal Information Protection Act with respect to the collection, use and disclosure of their personal information by International Stereo Ltd., (now operating as Urban Audio Video Inc.) (the “Retailer”). The information had been collected by the Retailer and then conveyed to Wells Fargo Financial Corporation of Canada, so as to permit the latter organization to conduct credit checks for determining whether it would grant credit for buying the Retailer’s merchandise. Although the Complainants signed applications containing clauses consenting to use of personal information for credit checks, they said they had been assured their personal information would not be used in this way. They also said they had been led to believe the cards for which they applied would allow them to get 10% discounts on purchases. As well, one of them complained that his request to withdraw his application had been refused.

The Adjudicator found that the Retailer collected, used and disclosed the Complainants’ personal information in violation of section 7 of the Act (collection, use and disclosure without consent), that it failed to provide adequate notification of the purpose for collection in contravention of section 13, and that it failed to cease collecting, using or disclosing the personal information after consent had been withdrawn, in violation of section 9(4).

Labels: , , , ,

Tuesday, April 10, 2007

Investigator: Employer did not violate PIPA by investigating whether staffer was looking for another job 

An interesting investigation report from the Information and Privacy Commissioner of Alberta, in which the investigator found that an employer did not violate PIPA by seeking information about whether a current employee had sought employment with another company:
OIPC

April 10, 2007

EPCOR Utilities Inc. found in compliance with Personal Information Protection Act

The Office of the Information and Privacy Commissioner has found that EPCOR Utilities Inc. (EPCOR) complied with the Personal Information Protection Act (PIPA) when it collected, used and disclosed personal employee information without consent. EPCOR’s collection, use and disclosure of the employee’s personal information was also found to be reasonable for purposes of an investigation.

The complainant, an EPCOR employee at the time, took a leave of absence from EPCOR. Shortly thereafter, EPCOR received unsolicited information suggesting the complainant was about to begin work for another company. EPCOR contacted the other company to verify the complainant’s alleged employment there. The complainant complained that EPCOR collected, used and disclosed his personal information without consent.

The Investigator found that EPCOR had collected, used and disclosed the complainant’s personal information to investigate a possible contravention of the complainant’s employment agreement. As such, consent was not required.

Further, the Investigator found that the information qualified as personal employee information under PIPA: the information was reasonably required to manage the complainant’s employment relationship with EPCOR, and consisted only of information related to that employment relationship. The complainant was notified at the time of hire that his personal information could be collected, used or disclosed for investigation purposes. As such, EPCOR did not require consent to collect, use and disclose the complainant’s personal employee information in these circumstances.

For more information about investigation report P2007-IR-004, please visit our website at: http://www.oipc.ab.ca/

Labels: , , ,

Thursday, March 22, 2007

Alberta Commissioner upholds cameras in locker rooms at health club 

This is likely to spur some interesting discussion:

OIPC

A complaint was made against the Organization which operates the “Talisman Centre for Sport and Wellness”. The Complainant stated that the Organization had placed overt security cameras in the Talisman Centre’s men’s locker rooms. The Complainant was concerned about a loss of privacy and that patrons of the Centre would be unable to change without being viewed by the cameras. The Organization stated that the security cameras were installed in 1997 in response to over 900 incidents of theft and property damage during the years 1994-97. The security cameras were installed after all other means to prevent criminal activity had failed. The cameras’ field of vision was restricted to the lockers and had no zoom, panoramic or audio capabilities. The cameras were not actively monitored and a protocol was in place which restricted the viewing of images to instances where there was an incident or reported criminal activity with a case number assigned by the Calgary Police Service. Viewing of the images occurs only in the presence of two senior staff members or by one such member and a police constable. If images are not reviewed they are automatically overwritten in approximately 21 days. After installation of the cameras there was a sharp reduction in criminal activity. As of the date of the Organization’s submission to the Commissioner only 19 images had ever been viewed. The Commissioner found that due to the history of theft, the attempt to use other measures prior to using security cameras as a last resort, and the fact that the images recorded were only accessed in the event of a criminal incident, that the Organization’s collection of personal information was for purposes that were reasonable, as required by section 11(1) of the Personal Information Protection Act (“PIPA”). However, the Organization’s signage was not in compliance with section 13(1) of PIPA. The Commissioner ordered the Organization to change the signage.

Click to view more information Order P2006-008

Labels: , , ,

Wednesday, February 28, 2007

Alberta Commissioner Order about journalistic collection and disclosure of personal information 

The Information and Privacy Commissioner of Alberta just released a new Order in which the he determined he did not have jurisidction because the personal information in question was collected and disclosed for journalistic purposes, which is excluded from the purview of the Personal Information Protection Act.

Order P2005-004

Summary: The Complainant alleged that the Organization had disclosed the Complainant's personal information when it published a newspaper article. The Organization argued that the disclosure of personal information in the form of a newspaper article was for journalistic purposes only as provided for by section 4(3)(c) of the Personal Information Protection Act. As such the Act did not apply to the personal information in question. The Commissioner decided the personal information disclosed were materials written for publication in the media and therefore collected and disclosed for journalistic purposes only in accordance with section 4(3)(c). The Commissioner, having determined that he had no jurisdiction in the matter, further stated that he had no authority to determine the remaining issue of the inquiry, regarding the allocation of a complainant's burden of proof.

Labels: , ,

Monday, February 12, 2007

Alberta Commissioner's office faults EAP provider 

Released today from the Information and Privacy Commissioner of Alberta:

Employee Assistance Provider found in contravention of Personal Information Protection Act

The Office of the Information and Privacy Commissioner has found that Wilson Banwell Human Solutions Inc. (Wilson Banwell) contravened the Personal Information Protection Act (PIPA) by disclosing more personal information than was necessary to a complainant's employer. The investigation also determined Wilson Banwell contravened PIPA by disclosing the complainant's personal information to a union for purposes that were not reasonable, and to an extent that was not reasonable.

After failing to pass a drug and alcohol test, the complainant was referred to Wilson Banwell, an Employee Assistance Provider (EAP), for a "return to work assessment." He signed a consent authorizing release of "assessment / treatment summaries" to his employer to facilitate his return to work. The complainant believed Wilson Banwell would limit its report to recommendations arising from the assessment. However, the Wilson Banwell psychologist sent a three-page report to both the complainant's employer and union. The report provided a summary of the clinical interview the psychologist conducted with the complainant, including details of a previous visit the complainant had made to Wilson Banwell on his own initiative, and some personal information of the complainant's wife.

The Investigator recommended Wilson Banwell:

  • revise its "Release of Information" form to clarify exactly what information will be disclosed to a client's employer for return to work purposes, and
  • remind all staff of Wilson Banwell's policies respecting written consent, and the requirement to disclose only the least amount of information necessary for reasonable purposes.

Wilson Banwell agreed to implement these recommendations.

For more information about investigation report P2007-IR-001, please visit our website at: http://www.oipc.ab.ca/

I expect the result would have been the same if the complaint was brought under PIPEDA, except the parties wouldn't have been named.

Labels: , , ,

Thursday, January 25, 2007

Alberta Commissioner on Freedom of Expression and disclosure of personal information 

The Information and Privacy Commissioner of Alberta released a very interesting order today, considering whether the right to freedom of expression in the Charter overrides the restriction on disclosure of personal information without consent. In this case, a shopper at Safeway was allegedly caught shoplifting. The "shopper" was an employee of another grocery chain and a representative of Safeway reported the incident to her employer, and she was fired. She then complained that Safeway had disclosed her information without her consent, in breach of the Personal Information Protection Act. At an inquiry under that Act, Safeway argued that the restriction on disclosure was unconstitutional. In the order, the Commissioner disagreed.

Order P2005-006

Summary: The Complainant, an employee of another food retail chain, entered a store of Canada Safeway Limited (the “Organization”) while wearing her employee uniform. The Complainant gathered several goods, paying for some and not for others. When the Complainant left the store, security for the Organization stopped the Complainant and accused the Complainant of theft. The unpaid items were returned and the police were notified. Upon review of the incident, no charges were laid.

The Organization, without the consent of the Complainant, advised the Complainant’s employer about the incident. As a result the Complainant was dismissed. The Complainant initiated a complaint with the Office of the Information and Privacy Commissioner, and the matter proceeded to a written inquiry. The Organization argued that it did not require consent to disclose personal information of the Complainant under section 7(1)(d) (consent to disclose) of the Personal Information Protection Act, (the “Act”) as the section is contrary to section 2(b) (freedom of expression) of the Canadian Charter of Rights and Freedoms (the “Charter”). The Organization also argued that if it is found that section 7(1)(d) of the Act is not contrary to the Charter, then section 20(b) (disclosure pursuant to a statute of Canada that authorizes or requires disclosure) of the Act and section 20(m) (disclosure reasonable for investigation or legal proceeding) of the Act apply and permit the disclosure of the Complainant’s personal information.

The Commissioner found that section 7(1)(d) of the Act did not contravene section 2(b) of the Charter; that sections 20(b) and 20(m) of the Act did not authorize the Organization to disclose the Complainant’s personal information without consent; and that the Organization disclosed the Complainant’s personal information contrary to section 7(1)(d) of the Act.

Labels: , ,

Sunday, December 03, 2006

PIPEDA Case Summary #351: Use of personal information collected by Global Positioning System considered 

On Thursday, the Office of the Privacy Commissioner of Canada posted a very interesting and detailed finding on the use of GPS tracking of company vehicles. The finding is lengthy and worth a read: Commissioner's Findings - PIPEDA Case Summary #351: Use of personal information collected by Global Positioning System considered (November 9, 2006).

A summary of the summary is in the following media release:

News Release: Privacy Commissioner urges caution before installing GPS in company vehicles (November 30, 2006):

News Release

Privacy Commissioner urges caution before installing GPS in company vehicles

Ottawa, November 30, 2006 – Employers need to carefully consider the privacy rights of their workers before installing Global Positioning Systems (GPS) into their vehicle fleets, according to the Privacy Commissioner of Canada, Jennifer Stoddart.

The Office of the Privacy Commissioner of Canada (OPC) today released a summary of its findings into a case involving the workplace use of GPS, which can track the location of a vehicle in real time. The Commissioner discussed her Office’s findings at a workplace privacy seminar hosted by Ryerson University.

“This is an important issue for employers and employees across Canada. We’re seeing more and more organizations installing GPS in their cars and trucks and it’s unclear whether they are adequately addressing privacy issues,” Ms. Stoddart said.

In the case investigated by the OPC, several workers complained that their employer, a telecommunications company, is using GPS to improperly collect their personal information – specifically their daily movements while on the job.

The company is using GPS in its installation and repair, and construction vehicles to locate, dispatch and route employees to job sites. Some workers worried, however, that GPS is also being used to monitor work performance and that information gleaned from this technology will be used to justify disciplinary action.

The OPC investigation accepted most of the company’s arguments for using GPS. It agreed, for example, that using GPS to dispatch vehicles is likely to lead to better service for the company’s customers and also could help locate missing vehicles.

However, the OPC expressed concern about using GPS as an employee surveillance tool. While using GPS to track a vehicle is not overly privacy invasive, routinely evaluating worker performance based on assumptions drawn from GPS information impinges on individual privacy.

The use of GPS as an employee surveillance tool may be acceptable in certain situations, which are defined and communicated to employees beforehand, according to the OPC findings. However, a company should not routinely use GPS to monitor its workforce.

In this case, the OPC asked the company to clearly explain to its employees how GPS would be used to check up on them, and also to develop a policy outlining an appropriate process of warnings and progressive monitoring. The policy subsequently prepared by the company spelled out situations in which the company will use GPS data to monitor employees. These include an investigation into a complaint – about speeding, for example – from a member of the public; an investigation into concerns raised within the company; or to address productivity problems. The company also made a commitment to train its managers about the appropriate use of the technology.

“Systematically using GPS to check up on workers and try to determine how well they are doing their jobs would be going too far,” said Ms. Stoddart. “Employers do not have carte blanche to use GPS to constantly monitor their workforce.”

The OPC finding also cautions employers about “function creep” – collecting information for one purpose, and then using it for some other unrelated purpose in violation of basic fair information practices.

“Managing workplace privacy is a balancing act. On the one hand, employers have the right to know what workers are up to on company time. On the other, employees have a right to privacy,” the Commissioner said.

“Workers do not check their privacy rights at the factory or office door. Workplace privacy is an important part of the basic autonomy rights of individuals in our society,” she said. “Employers must find ways to weed out the bad employees without shattering the dignity and privacy rights of the good employees – who make up the vast majority of the workforce.”

The OPC is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.

The summary of the findings in the GPS investigation is available on the OPC Web site:

PIPEDA Case summary #351: Use of personal information collected by Global Positioning System considered

Once again, I am left at a bit of a loss when it comes to using PIPEDA in the workplace. Unlike PIPA in Alberta and BC, PIPEDA has no deemed consent for reasonable collection, use and disclosure in the workplace. To "make do", the practice seems to have been to use s. 5(3) of the Act to say that as long as it's reasonable, you have implied consent (particularly if there is notice). But logically you can't have consent by implication if it is clearly negated by an employee complaint. Hopefully this will become moot if the Parliamentary Committee recommends fixing up that portion of PIPEDA and something is done about it.

Labels: , , , ,

Saturday, December 02, 2006

More on warrants for ISP records 

Back in October, I blogged about the CIPPIC and Online Rights privacy pledge (Canadian Privacy Law Blog: The ISP Privacy Pledge). In that post, I referred to a posting by Mark Goldberg called "Online rights is wrong."

More recently, Mark has posted 7 reasons why warrants aren't needed. This one has resulted in a bit of a debate between David Butt and Mark Goldberg, on one side, and Rob Hyndman on the other side.

The seven reasons are listed, as is additional information offered by David in the course of the debate with Rob Hyndman:

Internet child abuse investigators routinely need bare bones subscriber information (name and address) from ISPs to conduct their investigations. A question commonly asked by ISPs and privacy advocates is, why shouldn’t the police use a search warrant to get that bare bones subscriber information? There are seven really good answers to this question.
  1. Bare bones subscriber information is not the kind of private information that requires a search warrant. The highest court in Canada, the Supreme Court, has clearly said so. [R. v. Plant, [1993] 3 SCR 281]
  2. Every other business in Canada must supply this kind of bare bones customer information to the police upon request. There is no principled reason why ISPs should be exempted from the rules that apply to every other business. [This engages the moral calculus of social, not legal obligation. Simply put, fighting child abuse is more important than "protecting" the confidentiality of basic subscriber information that is widely recognized as not engaging core privacy values. In other words, I [David] challenge any business to state publicly that they would rather hamper child abuse investigations than voluntarily surrender upon request non-intimate basic customer information for which a search warrant is not necessary.]
  3. PIPEDA has a specific section in it whose purpose is to authorize the granting of this bare bones subscriber information to police. ISPs therefore have specific statutory authority to rely upon. [PIPEDA s.7(3)(c.1)(ii) Based on the comfort provided by this section, the letter of authority endorsed by CAIP is a commendable step taken by the industry to address internet based child abuse.]
  4. Police services are always understaffed and over worked. The demand for policing services always exceeds the available supply. Therefore, adding unnecessary burdens on police by requiring them to go to the trouble of getting legally unnecessary warrants prevents police officers from devoting their limited time to more important work. The result is that the whole community suffers unnecessarily.
  5. Search warrant requirements under Canadian law are onerous. A typical search warrant, even for bare bones subscriber information, may often run to more than 40 pages in length. This will require several hours of work by an officer, sometimes many officers. It will involve at least two visits to a judge. Given the limited availability of judges, the entire process may take days. All of this effort is legally unnecessary and therefore a complete waste of public funds.
  6. Bare bones subscriber information is necessary to identify the location of the suspect so that the case can be conducted by the local police service. If a search warrant were necessary for every such bare bones request, the police service in the city where the ISP head office is located would be obliged to do a great deal of onerous search warrant work simply to pass the file on to another jurisdiction when the bare bones subscriber information comes back. This places not only an unnecessary but a disproportionate burden on police services in those cities that host ISP head offices.
  7. Other democratic countries, that fully respect privacy rights, require businesses to supply this type of bare bones subscriber information to the police upon request. Internationally, the practice is routine.

With respect, I don't think it is legally correct to say that subscriber information can be provided by an ISP in response to a "letter of authority". And I am not going to get into the political debate that starts with the premise that if you follow the Charter, you are supporting child exploitation.

The first point relies entirely on R. v. Plant, a 1993 and pre-PIPEDA decision from the Supreme Court of Canada. It did not deal with subscriber information from an ISP or other telco, but electricity consumption records from a publicly owned power generation company. At the time, this information was provided to cops on a routine basis. In fact, the police had a direct computer connection to the hydro company's system. In addition, at the time, the electricity consumption records of every customer was available to anyone who asked. The majority of the Court concluded that there was no reasonable expectation of privacy in this information and a warrant was not required. It is also notable that the current Chief Justice wrote a very strong dissent arguing that there was a reasonable expectation of privacy in this information.

In my personal opinion, R. v. Plant is readily distinguishable. Plant deals with electricity consumption at a particular address, not specifically identifying information that is now being discussed from ISPs. Since PIPEDA and the PIPAs, it would be very difficult to say that there is no expectation of privacy in your name and address in ISP billing records. Just look at BMG Canada Inc. v. John Doe (F.C.), [2004] 3 F.C. 241, 2004 FC 488 (CanLII) where the Court noted:

[37]In respect of the internet specifically, Wilkins J. in Irwin Toy Ltd. v. Doe (2000), 12 C.P.C. (5th) 103 (Ont. Sup. Ct.) stated, at paragraphs 10-11:
Implicit in the passage of information through the internet by utilization of an alias or pseudonym is the mutual understanding that, to some degree, the identity of the source will be concealed. Some internet service providers inform the users of their services that they will safeguard their privacy and/or conceal their identity and, apparently, they even go so far as to have their privacy policies reviewed and audited for compliance. Generally speaking, it is understood that a person's internet protocol address will not be disclosed. Apparently, some internet service providers require their customers to agree that they will not transmit messages that are defamatory or libellous in exchange for the internet service to take reasonable measures to protect the privacy of the originator of the information.

In keeping with the protocol or etiquette developed in the usage of the internet, some degree of privacy or confidentiality with respect to the identity of the internet protocol address of the originator of a message has significant safety value and is in keeping with what should be perceived as being good public policy. As far as I am aware, there is no duty or obligation upon the internet service provider to voluntarily disclose the identity of an internet protocol address, or to provide that information upon request.

[38]Parliament has also recognized the need to protect privacy by enacting PIPEDA, which has as one of its primary purposes the protection of an individual's right to control the collection, use and disclosure of personal information by private organizations (section 3).

The context of this case is a civil lawsuit, but the sentiments would apply in the criminal context as well. The Ontario courts have more recently dealt the exact issue we are discussing here (including the use of a so-called "letter of authority") in Re S.C., 2006 ONCJ 343 (CanLII). In this case, Justice of the Peace Conacher was being asked to issue a search warrant on the basis of information provided by an ISP to the police pursuant to a letter of authority. The Court considered both the expectation of privacy and section 7(3)(c.1)(iii) of PIPEDA, referred to by David Butt. This section reads:

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province; [emphasis added]

In the result, the Court in Re S.C. concluded that an ongoing criminal investigation is not "lawful authority" under PIPEDA that would permit the ISP to disclose the name and address of a subscriber without consent or a warrant:

[9] However, s. 7(3) stipulates that the information can be provided without consent only if the body seeking the information has "identified its lawful authority to obtain the information" and has indicated that the disclosure is requested (in this case) for law enforcement purposes. The Act does not set out that the existence of a criminal investigation is, in and of itself, “lawful authority” within the meaning of the Act nor, therefore, does a “Letter of Request for Account Information Pursuant to a Child Sexual Exploitation Investigation” establish such authority. Accordingly, there must still be some “legal authority” to obtain the information; in the view of this Court s. 7(3)(c.1)(ii) by itself does not establish what that “lawful authority” is. The section provides authority for disclosing information. It does not establish the authority for obtaining and possessing the information.

[10] The Information to Obtain does not otherwise reflect that the Informant established to Bell Canada the lawful authority, within the meaning of the Act, by which the investigators were seeking to obtain the requested information. Accordingly, Bell Canada did not have a basis upon which to disclose the information.

[11] In the absence of express authority within the legislation, the Charter right not to have one’s reasonable expectation of privacy interfered with, except through prior judicial authorization with all the protections that affords, must govern. Accordingly, it is the view of this Court that the Informant is not lawfully in possession of the information that was provided by Bell Canada. Therefore, that information must be set aside in the overall consideration of this application to obtain a search warrant.

With respect to the other points raised, the current Criminal Code allows for searches and obtaining personal information if there are exigent circumstances that require the information immediately. Whether the bar should be further reduced (or can be further reduced in light of the Charter), I leave to others to debate.

Labels: , , , ,

Tuesday, September 26, 2006

Alberta Commissioner faults MD Management for laptop theft 

The Office of the Information and Privacy Commissioner of Alberta has released its investigation report into the missing laptop case (for some background, see: Canadian Privacy Law Blog: Alberta commissioner launches investigation into stolen laptop). In the wake of the theft of a laptop from an employee of MD Management (a subsidiary of the Canadian Medical Association), the Commissioner's office concluded that the organization violated the Personal Information Protection Act by not adequately securing the information of 8,000 customers. See the report here: Investigation Report P2006-IR-005.

Labels: , , ,

Monday, August 21, 2006

Alberta Commissioner issues first PIPA order 

Sorry, no summary: I'm on vacation. Stay tuned, I will try to write one later ....

http://www.oipc.ab.ca/ims/client/upload/P2005-001.pdf

Posted from the top of the CN Tower. (The elevators went offline for a few hours and you can only look down for so long!)

Labels: , ,

Monday, July 17, 2006

Can you record telephone calls without consent? 

During the last week, the Supreme Court of California overturned a lower court and held that it is unlawful to record phone conversations of Californians, even if one party to the call is in a jurisdiction that permits such recording. (See: State Supreme Court Says Out-of-State Firms Can't Secretly Record Californians' Calls - Los Angeles Times.)

If often get e-mail from readers of this blog and the most common question is whether you can record phone calls (to which you are a party) without the other party's knowledge or consent. The answer to this question is a bit complicated, particularly because of rulings like that of the California Supreme Court.

What follows is a general discussion of the laws in Canada that need to be consulted to determine if recording is lawful. Circumstances vary widely and this is not a full review of all the laws that may be relevant, so this should not be considered to be legal advice. I also note this is not about recording for law enforcement purposes, where different rules will apply.

For calls originating and terminating in Canada, the first place to look (but not the last!) is the Criminal Code of Canada. Part VI of the Code is entitled "Invasion of Privacy" and addresses the issue of the interception of private communications. In short, it makes it illegal to intercept a private communications unless authorized by the Code (e.g. with a warrant or as part of maintaining the communications system) or unless the consent of one of the parties is obtained. The same holds true for radio-based communications, under both the Code and the Radiocommunications Act, which also prohibits divulging a radio-based communication without the consent of a party to that communication.

For private actors (as opposed to agents of the state), we have to also look at general privacy legislation, including the Personal Information Protection and Electronic Documents Act (Canada) aka PIPEDA, the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia) and an Act Respecting the Protection of Personal Information in the Private Sector (Quebec). None of these statues apply to purely personal endeavours. For example, PIPEDA says:

[3](2) This Part does not apply to ...
(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or

(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

Alberta's PIPA similarly reads:

[3](3) This Act does not apply to the following:
(a) the collection, use or disclosure of personal information if the collection, use or disclosure, as the case may be, is for personal or domestic purposes of the individual and for no other purpose;

(b) the collection, use or disclosure of personal information if the collection, use or disclosure, as the case may be, is for artistic or literary purposes and for no other purpose;

However, if the recording is for commercial purposes, such as the recording of customer service calls, the knowledge and consent of the individual is required. (Some consent exceptions may apply, but should not be relied upon unless you have specific legal advice.)

But that's not the end of the inquiry. Before you hit "record", you also have to consider whether the recording may be an invasion of privacy under the common law or those statutes which have created an express tort of invasion of privacy. For example, Newfoundland's Privacy Act creates a private right of action for an unreasonable invasion of privacy, but specifically excludes listening to or recording a conversation by a lawful party to a phone conversation. (Though the recording is not an invasion of privacy per se, the specific use of that call might be an invasion of privacy.)

So what is the conclusion? A lawful party to a call that starts and ends in Canada can record that call if they are doing so for a personal or journalistic reason and not a commercial purpose. If recording is to be carried out in connection with a commercial activity, check out "Focus on Privacy - Call Monitoring".

Labels: , , , ,

Saturday, July 15, 2006

Alberta legislature to begin PIPA review for the fall 

The Legislature of Alberta is about the begin consultations on the Personal Information Protection Act, which is the province's general private sector and employee privacy law.

Committee seeks public input on review of Personal Information Protection Act (PIPA):

Edmonton- An Alberta Legislative Assembly all-party committee is currently reviewing the Personal Information Protection Act. Following an initial orientation meeting held June 28, the committee will meet again in the Fall to begin a comprehensive review of the Act.

"We want to consult with as many people as we can who are governed by this legislation" said Mrs. Cindy Ady, MLA, Calgary-Shaw and Chair of the Select Special Personal Information Protection Act Review Committee. "We want to ensure that there is an appropriate balance of the right of an individual to have personal information protected and the organization's need to collect, use and disclose personal information."

Ady explained that the committee will actively consult with Albertans throughout the review and encourages those with an interest to download the discussion guide from the website at www.pipareview.ab.ca

"Public input and consultation is important for this review," said Ady. "We are advertising to the public the ways in which they can become involved and will make all relevant documentation available on a committee website."

- 30 -

For further information, contact:

Mrs. Cindy Ady, MLA, Calgary-Shaw
Chair, Select Special Personal Information Act Review Committee
Legislature Office
#131 Legislature Building,
10800 - 97 Avenue
Edmonton, AB T5K 2B6
Phone: (780) 427-1234
Fax: (780) 415-9472

For general information about the Committee:

Karen Sawchuk
Legislative Assembly of Alberta
Committee Clerk, Select Special Personal Information Act Review Committee
pipireview@assembly.ab.ca
Phone: (780) 427-1350

Labels: , ,

Saturday, April 29, 2006

BC Government proposes rollbacks to USA Patriot Act provisions in FIPPA 

The British Columbia Government has introduced amendments to the Freedom of Information and Protection of Privacy Act, the province's public sector privacy and access law, to roll back some of the more recent amendments made in response to fears about the USA Patriot Act. (BILL 30 -- 2006: MISCELLANEOUS STATUTES AMENDMENT ACT (No. 2), 2006). The Information and Privacy Commissioner is generally in agreemenet with the cross-border amendments and has issued a statement published on his website:

Bill 30 (Miscellaneous Statues Amendment Act, 2006)––Amendments to the Freedom of Information and Protection of Privacy Act (“FIPPA”) and the Personal Information Protection Act (“PIPA”)––OIPC File No. F05-26470

Further to my letter of April 27, 2006, I have now had an opportunity to consider the other amendments that the above Bill would make to FIPPA and to PIPA. I support these amendments.

In the case of amendments to FIPPA in relation to location of personal information outside of Canada or access to it from outside Canada, I support these amendments as reasonable. I note that they are narrowly tailored and would permit location of personal information outside Canada or access from outside Canada only where a public body official is temporarily travelling outside Canada or for “installing, implementing, maintaining, repairing, trouble shooting or upgrading an electronic system or equipment that includes an electronic system” or “for data recovery that is being undertaken following failure of an electronic system”.

The BC Government Employees Union, which started the USA Patriot Act and oursourcing fuss some time ago, is not at all happy. Here's their statement:

BCGEU: Liberal efforts to weaken privacy protection, .....:FOR IMMEDIATE RELEASE

APRIL 28, 2006

Liberal efforts to weaken privacy protection, limit freedom of information buried in omnibus legislation

The B.C. Government and Service Employees’ Union is adding its name to the list of groups opposed to sweeping changes in privacy protections and access to information contained in the Freedom of Information and Protection of Privacy Act (FIPPA) which the Campbell government tried to bury in an omnibus piece of legislation introduced Thursday in the Legislature.

“These are very troubling measures that are ill advised and just plain dangerous,” warns BCGEU president George Heyman. “It’s a real setback for open and transparent government.”

Heyman says the proposed amendments roll back provisions to protect personal privacy implemented in 2004 to address concerns around the USA Patriot Act, based on recommendations by B.C.’s privacy commissioner. That Act—which was just renewed by the Bush government—gives U.S. security agencies like the FBI sweeping powers to obtain information from companies and individuals in that country.

“Victoria is putting British Columbians’ highly sensitive personal information at risk by weakening current protections—thereby increasing the risk of loss and theft, or exposure to the intrusive powers of the USA Patriot Act.”

Changes to section 33 of FIPPA will severely compromise current privacy protections by giving the green light to public bodies to release British Columbians’ personal information outside B.C. and Canada to a shopping list of officials and interests—including employees of private U.S. companies like Maximus and EDS hired by the government—to administer our personal medical and financial records.

“Given the recent high profile failures of this government to protect sensitive personal information, this is a development that will alarm British Columbians,” says Heyman.

Meanwhile, other changes to sections 17 and 21 of FIPPA will enable Victoria to expand the heavy veil of secrecy around privatization projects and private-public partnerships by giving government sweeping powers to withhold information from the public. “These amendments establish that the interests of private companies will take precedent over British Columbians’ right to know,” Heyman says.

He also cautions that proposed Liberal amendments include provisions that will compound the lengthy delays already faced by British Columbians filing access to information requests with government and public bodies, by allowing the government to manipulate response deadlines.

Labels: , , , , , ,

Friday, April 28, 2006

Personal information in the hiring process 

The Office of the Information and Privacy Commissioner for BC has released a guide to PIPA and the Hiring Process. For those outside of British Columbia, it's an interesting read and embodies some good practices for dealing with personal information of employment applicants. But be careful: PIPEDA does not have the same consent exceptions that are described in this publication.

Labels: , , ,

Thursday, April 20, 2006

Incident: Alberta Commissioner faults store for inadequate security of personal information after customers' information used fraudulently 

In case you were wondering whether printing credit card numbers on receipts is a risky venture, think about Monarch Beauty Supply in Edmonton, Alberta. The company, like many others, prints this information on receipts. And this company threw them out in a dumpster behind the store.

Edmonton Police received from an anonymous informant copies of that confidential information and began an investigation. The Information and Privacy Commissioner of Alberta also received a complaint from a customer of Monarch Beauty Supply that her credit card had been fraudulently used to buy a laptop. The investigation found that other personal information originating with the company had found its way into the hands of criminals.

The Commissioner found that the company did not adequately safeguard personal information, in violation of PIPA. The Commissioner also noted that there was inadequate training of staff because store managers were not trained in privacy.

Lessons learned:

  1. Do not print credit and debit card numbers on receipts.
  2. Do not dispose of personal information by throwing it out.
  3. Make sure that all staff who handle personal information are trained in their obligations under the law.

Under most of Canada's privacy laws, individuals who have been harmed by a company's violation of the law can seek damages from the company that violated the law. Victims of identity theft can seek compensation for all the damage done because of a company's screw up.

See the Commissioner's report:

Investigation Report P2006-IR-003

Information and Privacy Commissioner's investigation finds Monarch Beauty Supply improperly disposed of over 2600 customer receipts by placing them in a dumpster. The Alberta business failed to protect personal information from identity thieves.

Click to view more information Investigation Report P2006-IR-003

See coverage from the Edmonton Sun: Crook used dumped credit data.

Labels: , , , ,

Friday, April 14, 2006

Courts and PIPEDA: Why the federal law does not apply in British Columbia 

It is always interesting to see how the courts are dealing with privacy laws.

I just came across a somewhat interesting case from British Columbia, in which the Court was asked to determine whether the Personal Information Protection Act could be used to refuse to identify a witness based on the "privacy" of that witness. The answer, not surprisingly, is no:

Shilton v. Fassnacht, 2006 BCSC 431 (CanLII)

[12] The plaintiffs object to disclosure on a number of bases. First, they submit that the opening words of Rule 27(22) give the court a discretion to order non-disclosure. They submit that non-disclosure should be ordered here for reasons of privacy and privilege.

[13] On the privacy issue, the plaintiffs referred to the Personal Information Protection Act, S.B.C. 2003, c. 63. That Act governs the collection, use and disclosure of personal information by organizations. In the Act “organization” is defined as including a person. However, s. 3(4) provides:

3(4) This Act does not limit the information available by law to a party in a proceeding.

[14] Given other definitions in the Act, it is clear that the present lawsuit comes within the meaning of “a proceeding.” Moreover, s. 1 of the Act specifies that “personal information” does not include “contact information.”

[15] In my view, there is nothing in the Personal Information Protection Act that would limit the defendant’s right under Rule 27(22) to obtain the names and contact information of relevant witnesses.

Even more interesting is the way the Court considered the Personal Information Protection and Electronic Documents Act. The Judge concluded that PIPEDA does not apply in British Columbia because of the effect of s. 30(1) of that Act:

[16] It is even clearer that the federal Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 has no application here by virtue of s. 30(1), which provides:
30(1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.

[17] The present lawsuit relates to matters wholly within the province of British Columbia and the federal act has no application.

With the greatest respect to the judge and to the party that made the argument, this is just plain wrong. It is true that PIPEDA does not apply to the provincially-regulated private sector in BC, but it has nothing to do with s. 30(1) in 2006. If you look at all of s. 30, you'll see that s. 30(1) is no longer in effect.

DIVISION 5
TRANSITIONAL PROVISIONS

Application

30. (1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.

Application

(1.1) This Part does not apply to any organization in respect of personal health information that it collects, uses or discloses.

Expiry date

*(2) Subsection (1) ceases to have effect three years after the day on which this section comes into force.

* [Note: Section 30 in force January 1, 2001, see SI/2000-29.]

Expiry date

*(2.1) Subsection (1.1) ceases to have effect one year after the day on which this section comes into force.

* [Note: Section 30 in force January 1, 2001, see SI/2000-29.]

The Act came into force on January 1, 2001, so s. 30(1) ceased to have any effect on January 1, 2004.

The real reason why PIPEDA does not apply to the provincially regulated private sector in British Columbia is because of the effect of s. 26(2):

Orders

(2) The Governor in Council may, by order,

(a) ...

(b) if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province.

The Governor in Council did make such an order (Organizations in the Province of British Columbia Exemption Order ) on October 12, 2004. For this reason, if PIPA (BC) does apply, PIPEDA will not.

Labels: , , , , ,

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs