The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Tuesday, November 17, 2009
The Privacy Commissioner of Canada has tabled her annual report on the public sector privacy law, the Privacy Act: Annual Report to Parliament 2008-2009 - Report on the Privacy Act.
At the same time, she has also tabled additional privacy audits, related to FINTRAC and the Canadian no-fly list.
Here's the media release that accompanied the tabling of the reports:
Audits of major national security programs raise concerns for privacy
Excessive reporting of personal information to FINTRAC and potential information technology risks with Canada’s “no-fly list” are among concerns identified in audits highlighted in the Privacy Commissioner’s annual report on public sector issues.
OTTAWA, November 17, 2009 — The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has more personal information in its database than it needs, uses or has the legislative authority to receive.
This was one of the key findings of the Privacy Commissioner of Canada’s in-depth audit of the independent agency mandated to analyze financial transactions and identify suspected money laundering and terrorist financing in Canada.
A separate audit, also published today, examined the Passenger Protect Program – better-known to Canadians as the no-fly list. It identified several concerns, such as the fact that the Deputy Minister ultimately in charge of who is on the list was not provided with complete information to allow for informed decision-making.
“Since the terrorist attacks of 9/11, we’ve seen a proliferation of new national security programs. We fully appreciate the underlying aim of many security programs – protecting Canadians. However, it is critical – a point reinforced by our new audits – for government officials to integrate privacy protections into all of these programs at the outset,” says Privacy Commissioner Jennifer Stoddart.
The findings of the two audits are highlighted in the Commissioner’s 2008-2009 report to Parliament on Canada’s federal public-sector privacy legislation, the Privacy Act.
Legislative changes passed in 2006 expanded the types of transactions that must be reported to FINTRAC, as well as the number of professionals and organizations that are required to collect information about clients and to report it to FINTRAC. Examples of entities required to report to FINTRAC include financial institutions, life insurance companies, accountants and casinos.
The audit found that FINTRAC needs to do more to ensure that the amount of personal information it acquires is kept to an absolute minimum. A random sample of files examined in the audit turned up several reports that did not clearly demonstrate reasonable grounds to suspect money laundering or terrorist financing. For example:
- A reporting entity filed several reports stating it was “taking a conservative approach in reporting this … because there are no grounds for suspecting that this transaction is related to the commission of a money laundering offence, but there is a lack of evidence to prove that the transaction is legitimate.”
- An individual deposited a government cheque for an amount less than $300 and then withdrew the entire amount. The financial institution filed a suspicious-transaction report, but did not indicate why the transaction was deemed suspicious.
- A financial institution filed a report about an individual who had deposited a cheque from a law firm. The institution was satisfied that the individual had provided legitimate reasons for the source of funds, but decided to notify FINTRAC anyway because of the individual’s ethnic origin and the fact that this person had visited a particular country.
“It is clear that such reports, containing not a shred of evidence of money laundering and terrorist financing, should not be making their way into the FINTRAC database,” says Commissioner Stoddart.
“It is a bedrock privacy principle that you collect only the personal information you need for a specific purpose,” she says. “The federal government needs to have a justifiable need to collect someone’s personal information. Clearly, FINTRAC needs to do more work with organizations to ensure it does not acquire personal information that it has no legislative authority to receive – and that it does not need or use.”
The audit recommended enhanced front-end screening of reports; stronger ongoing monitoring and review to ensure that information holdings are relevant and not excessive, and the permanent deletion of information that FINTRAC did not have the statutory authority to receive.
Under amendments passed in 2006, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires the Privacy Commissioner to review FINTRAC every two years and report the results to Parliament.
Passenger Protect Program Audit
The “no-fly list” is a passenger screening tool introduced in 2007 to prevent people named on a “specified persons list” from boarding domestic and international flights from or to Canadian airports.
The program has sparked privacy concerns, in part because it is secretive in that it uses personal information without the knowledge of the individuals concerned. Moreover, the repercussions for a person named on the list being denied boarding on an aircraft can be profound in terms of privacy and other human rights, such as freedom of association and expression and the right to mobility.
The focus of the audit, however, was to determine whether the program has adequate controls and safeguards in place to protect personal information.
“We were concerned to learn that officials did not always provide the Deputy Minister – who is ultimately responsible for adding to or removing people’s names from the ‘specified persons’ list – all the information needed to make these sorts of decisions,” says Assistant Privacy Commissioner Chantal Bernier.
Other concerns identified during the audit included:
- Transport Canada has not verified that airlines are complying with federal regulations related to the handling and safeguarding of the “specified persons list.” The risk of this information being inappropriately disclosed is particularly high for the small number of air carriers that rely on paper copies of the list.
- There were no requirements that air carriers report to Transport Canada security breaches involving personal information related to the no-fly list.
- Transport Canada did not demonstrate that the application used to transmit information to air carriers met government security standards.
The Passenger Protect Program and the FINTRAC audits, as well as the latest Privacy Act annual report, are available at http://www.priv.gc.ca/.
The annual report also includes details of privacy-related complaints against federal departments and agencies investigated during the 2008-2009 fiscal year. The Office received 748 formal complaints in 2008-2009, down slightly from the previous year. The most common complaints related to access to personal information and to the length of time government departments and agencies were taking to respond to access requests.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
To view the reports:
Friday, June 12, 2009
The Parliamentary Standing Committee on Access to Information, Privacy and Ethics has released its long-awaited report on proposed reforms to the Privacy Act. I appeared before the committee on behalf of the Canadian Bar Association and was pleased to see that many of our recommendations to the Committee are also recommendations made by the Committee to the government.
The report is available here.
Friday, January 02, 2009
Five years ago, on January 2, 2004, a new age of privacy was creeping across Canada and this blog was born. The day before, at the stroke of midnight, the Personal Information Protection and Electronic Documents Act (Canada) had come fully into force. The Alberta and British Columbia Personal Information Protection Acts also became effective on the first day of 2004.
Since then, we have seen dramatic changes in privacy throughout the world: Identity theft is on the rise; there have been literally thousands of data breaches exposing the personal information of millions of people; governments are looking for easier access to personal information; video surveillance is more widespread; more personal information is generated digitally and aggregated in private hands.
And in the past year specifically, things have remained interesting on the privacy front. We've seen debate over changes to PIPEDA without anything definitive coming from the mandatory five year review. We've also seen arguments put forward to reform the public sector Privacy Act. Focus has also been drawn to the increasing practice of examining laptops at US border crossings. Litigation between Viacom and Google has raised awareness of log information that's often retained by internet companies. And Google has also been sued by a couple claiming their privacy has been violated by presenting pictures of their house in Google Street View. But in the last year, the one big privacy story that was supposed to have the largest impact on Canadians was the implementation of the National Do Not Call List. Whether it has, in fact, had an impact is the subject of debate.
I'd like to thank the many thousands of readers of the blog for visiting this site and thanks to those who have contacted me with comments, compliments, suggestions and links to interesting news. It's been a pleasure to write and I plan to keep it going as long as there's interesting privacy news to report.
Birthday cake graphic used under a creative commons license from K. Pierce.
Friday, December 05, 2008
Just posted on Slaw, but likely of interest to readers of this blog:
Slaw: Privacy Commissioner focuses on protection of personal information in accessible tribunal records
by David T. S. Fraser on December 5th, 2008
Yesterday, the Privacy Commissioner of Canada tabled her annual report on the Privacy Act. While she came down hard on a number of federal bodies such as the passport office, one aspect of the report should be of interest to lawyers generally.
The Commissioner reports on a whole range of complaints against tribunals and quasi-judicial bodies for publishing sensitive personal information about parties and non-parties. Decisions and tribunal records have always contained such information, but now that more of these decisions are readily available online, complainants are not happy that searching for their names online will bring up these decisions in the results.
The Commissioner is hampered by the fact that she can’t order them to change their practices and that many of the disclosures are arguably permissible under the Privacy Act. In any event, she has issued a number of recommendations that have been ignored by many of the tribunals at issue:
- Reasonably depersonalize future decisions that will be posted on the Internet through the use of randomly assigned initials in place of individuals’ names; or post only a summary of the decision with no identifying personal information.
- Observe suggested guidelines respecting the exercise of discretion to disclose personal information in any case where an institution proposes to disclose personal information in decisions in electronic form on the Internet.
- Remove decisions that form the basis of the complaints to the OPC from the Internet on a priority basis until they can be reasonably depersonalized through the use of randomly assigned initials and re-posted in compliance with the Privacy Act.
- Restrict the indexing by name of past decisions by global search engines through the use of an appropriate “web robot exclusion protocol;” or remove from or reasonably depersonalize all past decisions on the Internet through the use of randomly assigned initials, within a reasonable amount of time.
And in case you were thinking this may sound somewhat familiar, the Canadian Judicial Council tackled this issue in its 2005 publication, Use of Personal Information in Judgments and Recommended Protocol (PDF).
Thursday, December 04, 2008
The Federal Privacy Commissioner has today tabled her annual report on the Privacy Act. And she isn't happy with how certain government departments handle personal information:
News Release: Privacy issues given short shrift in passport operations and tribunal Internet postings, Commissioner says (December 4, 2008) - Privacy Commissioner of Canada
Privacy Commissioner’s 2007-2008 Annual Report to Parliament on the Privacy Act outlines audit of Passport Canada; investigative findings regarding online posting of personal information by administrative and quasi-judicial bodies
Ottawa, December 4, 2008 — Privacy concerns are not given enough weight in the day-to-day operations of a number of federal government institutions, the Privacy Commissioner of Canada says.
The Commissioner’s latest Annual Report to Parliament on the Privacy Act, which was tabled today, describes how privacy and security problems in Canada’s passport operations added up to a significant risk for Canadians applying for passports.
The annual report also highlights the Commissioner’s concerns that the online posting of personal information by some federal administrative and quasi-judicial bodies does not strike the right balance between the public interest and privacy rights.
Privacy Commissioner Jennifer Stoddart says her Office’s audit of passport operations raised a broad range of concerns about how personal information was handled.
“Given the high sensitivity of the personal information involved in processing passport applications, better privacy and security measures are needed,” says Commissioner Stoddart. “Unfortunately, the shortcomings we found raised the risk that Canadians’ information could wind up in the wrong hands.”
The audit found that passport applications and supporting documents were kept in clear plastic bags on open shelves; documents containing personal information were sometimes tossed into regular garbage and recycling bins; and some documents that were shredded could be easily put back together. Meanwhile, computer systems allowed too many employees to access passport files. The investigation also concluded there was inadequate privacy training for employees – an issue which is a concern across government institutions.
The Commissioner is pleased that Passport Canada and the Department of Foreign Affairs and International Trade have indicated they will act on her recommendations and improve privacy and security safeguards.
The annual report also outlines the Commissioner’s concerns about the online posting of federal administrative and quasi-judicial bodies’ decisions which contain highly sensitive personal information.
The OPC investigated 23 complaints regarding the disclosure of personal information on the Internet by seven bodies created by Parliament to adjudicate disputes. The complaints involved: the Canada Appeals Office on Occupational Health and Safety; the Military Police Complaints Commission; the Pension Appeals Board; the Public Service Commission; the Public Service Staff Relations Board; the RCMP Adjudication Board; and Umpire Benefits decisions.
Decisions of these bodies often include highly personal information such as an individual’s financial status, health and personal history.
“This is private information. Law-abiding citizens fighting for a government benefit should not be forced to expose the intimate details of their lives to everyone with an Internet connection,” says Commissioner Stoddart.
The Commissioner agreed that the “open court” principle is an important part of Canada’s legal system, but noted there is a crucial distinction between the courts and the bodies the OPC investigated: The Privacy Act does not apply to the courts, but it does apply to many administrative tribunals and quasi-judicial bodies.
In order to respect their obligations under the Privacy Act, the Commissioner recommended, among other steps, that the bodies reasonably depersonalize decisions posted online by replacing names with random initials. However, the Commissioner noted that, where there is a genuine and compelling public interest in such a disclosure, these bodies have the legal authority under the Act to exercise discretion in disclosing personal information.
Service Canada and Human Resources Development Canada agreed to fully implement the OPC’s recommendations. Other bodies took important but incomplete steps towards compliance with the Commissioner’s recommendations.
Currently, unlike its private-sector counterpart, the Privacy Act does not empower the Privacy Commissioner to enforce her recommendations through legal actions. The OPC has recommended an overhaul of the legislation to address this and other concerns.
The OPC has also asked Treasury Board Secretariat to develop centralized policy guidance on the online posting of personal information by administrative and quasi-judicial bodies.
The annual report outlines key activities undertaken by the OPC during 2007-2008, including audits, investigations and policy work. The report notes that new complaints against government institutions dropped slightly to 759 in 2007-2008 from 839 the previous year.
The report is available on the OPC website.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Wednesday, December 03, 2008
The Commissioner is going to be tabling her annual report on the Privacy Act before parliament tomorrow:
CNW Group / OFFICE OF THE PRIVACY COMMISSIONER OF CANADA
Media Advisory - Privacy Commissioner's 2007-2008 Annual Report to be tabled
OTTAWA, Dec. 3 /CNW Telbec/ - The Privacy Commissioner of Canada's 2007-2008 Annual Report to Parliament on the Privacy Act is expected to be tabled in Parliament on Thursday, December 4, 2008.
The report will highlight:
- Findings of an audit of Canada's passport operations;
- Investigative finding related to complaints about several federal administrative tribunals and quasi-judicial bodies posting decisions containing highly sensitive personal information to the Internet;
- The Commissioner's call for improved privacy training in the federal government; and
- Other investigations, audits and policy work undertaken by the Office of the Privacy Commissioner.
After the report is tabled, copies will be available to the media through the Parliamentary Press Gallery and on the Privacy Commissioner's website at www.privcom.gc.ca.
This may be a legitimate complaint, but a futile one under the Privacy Act:
TheStar.com Canada: Privacy commissioner urged to probe Tory eavesdropping
Dec 03, 2008 03:18 PM
OTTAWA — A public interest researcher has filed a formal complaint with Privacy Commissioner Jennifer Stoddart, charging top prime ministerial aides, a parliamentary secretary and an MP with "serious breaches" of the privacy laws.
Ken Rubin is asking Stoddart to investigate the eavesdropping, recording and distribution of a New Democratic conference call by a Conservative MP last weekend about a proposed alternative coalition government.
The office of Prime Minister Stephen Harper claimed that the MP was "invited" to participate by email, but the NDP suggested Conservative MP John Duncan mistakenly received an email intended for their MP Linda Duncan, and should not have participated in the call, let alone tape it.
The party has asked the RCMP to investigate whether an offence under the Criminal Code occurred.
Rubin contends that even if criminal law wasn't broken, there were serious breaches of privacy by a government that has claimed it would fight identity theft with tougher criminal code provisions.
In a letter sent to Stoddart today, Rubin writes that provisions in privacy legislation "mean you cannot collect or share personal information or conversations of others that you are not a legitimate party to."
He alleges several breaches, all related to the "wrongful" and wide distribution to the media of the contents of the conference call "by a government entity (who receives significant taxpayers' monies)."
He suggests it is a case of potential "identity theft" when a person (in this case one elected MP) "allegedly assumes the identity of another elected MP with the same last name, whether there was a mix up in the communications sent or not."
Rubin described himself as "both a privacy and access to information advocate with no partisan axe to grind."
He urged an investigation by Stoddart, the Ethics Commissioner, and a Parliamentary committee, reminding Stoddart of her advocacy for stronger protections against identity theft.
"No public official should be seen to be or partake in any such activity."
"These privacy breaches are all the more ominous when they are carried out by the central state and with the Prime Minister's Office in the lead. This is the very institution whose elected head and parliamentary secretary (Pierre Poilievre, who commented on the call) are supposed to be leaders in upholding Canadians' privacy protections."
Rubin acknowledged the PMO is not "directly covered under either privacy or access legislation."
But he reminded Stoddart that Ontario ministers have had to resign in the past when they misused personal data derived from government institutions.
"Someone in this case needs to be held accountable and to offer Parliament and the appropriate parliamentary committee an explanation."
"It is disturbing too to see that on one hand, the government denies public access to much of its key operations, including the PMO. But it then feels it can gain intelligence on the operations of others by using deceptive means."
Dimitri Soudas, a spokesman for the Prime Minister's Office, said "no comment" in response to a request from the Star.
Meantime, Rubin's complaint may reach a dead end.
Valerie Lawton, a spokesperson for Stoddart, said in an email: "The Privacy Act does not cover political parties or members of Parliament."
The privacy commissioner also does not have jurisdiction over either political parties or MPs.
Monday, August 18, 2008
News Release: Commissioner welcomes legal community’s call for privacy law reform (August 18, 2008) - Privacy Commissioner of Canada
Quebec City, August 18, 2008 — A Canadian Bar Association (CBA) resolution once again highlights the urgent need for reform of Canada’s federal public sector privacy legislation, says the Privacy Commissioner of Canada, Jennifer Stoddart.
“With this resolution, lawyers from across the country are urging the government to strengthen privacy protection for Canadians. Canada’s federal sector privacy legislation, the Privacy Act, is unbelievably inadequate,” says Commissioner Stoddart. “I hope the federal government will heed the CBA’s call for modernization of the Act. This is the latest in a string of appeals from privacy experts about the need to update legislation which has been far outpaced by technological and societal changes.”
The CBA, which is holding its 2008 Legal Conference in Quebec City, passed the resolution calling for comprehensive revision of the Privacy Act on the weekend.
In particular, it proposes changes to the legislation to ensure that:
- Federal government departments only collect personal information when demonstrably necessary for clear and articulated state goals;
- Once collected, personal information is rigorously protected with stringent safeguards and accountability requirements, including a breach notification requirement; and
- Personal information is not shared within or beyond Canada’s borders unless those safeguards and requirements can be guaranteed.
The Office of the Privacy Commissioner of Canada (OPC) has long been advocating for reform of the Privacy Act, which is a quarter-century old and has never been substantially updated.
Last spring, the House of Commons Standing Committee on Access to Information, Privacy and Ethics began a study of the Privacy Act and possible amendments. The OPC reform proposals to the committee are posted at http://www.privcom.gc.ca/keyIssues/ki-qc/mc-ki-pa_e.asp. The OPC looks forward to the Committee’s recommendations.
The CBA resolution is available at www.cba.org/cba/resolutions/pdf/08-06-a-pdf.pdf.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
Thursday, February 14, 2008
The Privacy Commissioner of Canada has completed a review of the exempt databanks maintained by the RCMP and has concluded that many of the records should not be there in the first place. She calls it "disturbing":
News Release: Large number of files mistakenly held in RCMP exempt data banks "disturbing," says Privacy Commissioner (February 13, 2008) - Privacy Commissioner of Canada
Commissioner tables first special report to Parliament; raises serious concerns about data banks containing documents Canadians can’t access
February 13, 2008 — An audit has found that many of the national security and criminal operational intelligence files sheltered from public access in the RCMP’s exempt data banks did not belong there, says the Privacy Commissioner of Canada in a special report to Parliament.
"These data banks have been crowded with tens of thousands of files that should not have been there," says Commissioner Jennifer Stoddart.
"Government transparency and accountability are fundamental concepts in democratic countries like Canada. Being named in a national security exempt bank file could have a harmful impact, particularly in a post 9-11 environment. For example, it could potentially affect someone trying to obtain an employment security clearance, or impede an individual’s ability to cross the border."
Exempt data banks serve to withhold the most sensitive national security and criminal intelligence information. Government departments and agencies which control these records will consistently refuse to confirm or deny the existence of information in response to an individual’s request for access.
Canadians should be able to see their personal information – except under limited circumstances, such as where the disclosure could threaten national security, international affairs or lawful investigations.
"The large number of documents held in these exempt banks when their inclusion was unwarranted is disturbing – particularly given the RCMP was advised of compliance problems 20 years ago and made a commitment to properly manage such banks," says Commissioner Stoddart.
"More than half of the files examined as part of our audit should not have been there."
The Privacy Commissioner announced during her appearance before the Maher Arar inquiry – where the sharing of personal information by police became a central issue – that her Office would audit exempt data banks held by federal government departments and agencies.
The audit findings are detailed in a special report tabled today in Parliament. This is the first time the Privacy Commissioner has used her powers under the Privacy Act to issue a special report.
RCMP’s Exempt Banks
The RCMP has two exempt banks: Criminal Operational Intelligence Records and National Security Investigations Records.
Of the files the Office of the Privacy Commissioner (OPC) tested, more than half of the national security files and over 60 per cent of criminal operational intelligence files did not warrant exempt bank status. Exempt banks are designed to hold only the most sensitive of such information. These files did not meet the threshold for inclusion in an exempt bank as set out in the Privacy Act and/or the RCMP’s own policy.
These findings are of particular concern given that, with few exceptions, the audit was conducted on files already examined by the RCMP as part of a recent internal review.
To illustrate, one seven-year-old file in the national security exempt bank detailed a resident’s tip that a man had gone into a rooming house and drugs might be involved. Police investigated, but found the man had simply dropped his daughter off at a nearby school and stepped out of his car to smoke.
RCMP Internal Review
While the OPC audit was proceeding, the RCMP conducted its own internal review, which has so far resulted in the removal of more than 45,000 records from the criminal operational intelligence exempt data bank. This review found varying rates of compliance:
- Almost 99 per cent of criminal intelligence exempt data bank holdings – more than 2,700 documents – at RCMP headquarters should not have been there.
- At B Division in Newfoundland and Labrador, roughly two-thirds of documents – close to 37,000 records – were incorrectly kept in the criminal intelligence exempt bank.
- An internal review of the national security exempt data bank holdings at 13 divisions resulted in the removal of more than 1,400 files – more than 40 per cent of the files examined.
Notwithstanding the large number of records removed from the exempt data bank holdings as a result of the internal review, the OPC audit concluded both banks remain overpopulated.
"The problems are largely due to a general lack of awareness within the force of exempt bank policy and the absence of ongoing monitoring," says Commissioner Stoddart.
Past History of the RCMP Exempt Bank
In the late 1980s, the RCMP’s criminal operational intelligence exempt bank order was rescinded for non-compliance following another OPC review.
"That exempt bank order was reinstated with an understanding that the RCMP would adhere to guidelines for managing exempt bank holdings. Unfortunately, the RCMP has not met this commitment," the Commissioner says.
"While there is a clear need for exempt data banks to ensure highly sensitive information related to security and intelligence work is protected, privacy concerns must also be considered. Greater care must be taken to ensure that personal information is concealed in an exempt data bank only when absolutely necessary."
The Privacy Commissioner is satisfied that the RCMP is taking the audit observations and recommendations seriously and will take action to ensure its exempt banks comply with the Privacy Act and RCMP policy.
The OPC will examine how the RCMP has followed through on its plans to improve how the exempt banks are managed within the next two years.
The special report and a backgrounder are available at http://www.privcom.gc.ca/.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.
From the Globe & Mail:
globeandmail.com: No need for RCMP to keep files secret, privacy czar says
OMAR EL AKKAD
February 14, 2008
OTTAWA -- More than half the files in the RCMP's secret data banks should not be there, the federal Privacy Commissioner said yesterday in a report that is likely to renew calls for an overhaul of the national police force.
An audit by the commissioner's office found that tens of thousands of files in the RCMP's two "exempt" banks - which are designed to hold the most sensitive national security and criminal intelligence information - should not be secret, and many should have been removed years ago.
"These finds are particularly concerning given that, with few exceptions, the audit was conducted on randomly selected files already examined by the RCMP as part of an internal review," Privacy Commissioner Jennifer Stoddart said in a news release accompanying the report.
Ms. Stoddart said the large number of files kept secret was not only unjustifiable, but illegal.
In one case, a man on a Canada-U.S. bus tour, exasperated with a delay by the tour guide, joked that he should hijack the bus, Ms. Stoddart said. The bus driver told U.S. customs officials, and the RCMP were called. Even though it was deemed that the incident was clearly not a serious hijacking attempt, a file was kept in one of the secret banks for more than five years.
Ms. Stoddart said Canadians should be concerned about the large number of unnecessarily secret files because they can have a serious impact on someone looking to cross the border or obtain security clearance for a job.
Because the files are part of the secret data banks, she said, the RCMP will neither confirm nor deny they exist when individuals ask the police force if they have any files on them.
Ms. Stoddart said her findings were especially surprising because a previous audit 20 years ago also discovered serious compliance problems with the data banks - problems the RCMP undertook to fix at the time.
The RCMP made the same pledge again yesterday. "We will be implementing every one of this report's recommendations," Chief Superintendent Dan Killam said in a news release. He said that the force will re-examine files retained in banks known as Criminal Operational Intelligence Records and National Security Investigation Records.
"The end result will be a new accountability structure that will see responsibility for these banks shared between operational areas of the force and experts from our Access to Information and Privacy Branch," Mr. Killam said. "Based on our reading of Ms. Stoddart's report, we believe this increased oversight of the exempt banks is what she and other Canadians want."
Ms. Stoddart's report, which marks the first time the commissioner has used her powers under the Privacy Act to issue a special report to Parliament, is more bad news for a police force already under intense public scrutiny.
Liberal MP Ujjal Dosanjh said the new findings are a clear indication that the government should adopt the recommendations of a federal task force last year that proposed a new civilian board of management for the force.
"It is absolutely shocking that the RCMP would show such reckless disregard for information about individuals of which 99 per cent did not deserve to be there in the first place," Mr. Dosanjh said. "That should send shivers down every Canadian's spine."
Ms. Stoddart said she believes the large number of unnecessarily secret files are the product of negligence rather than malice.
"I think it just fell by the wayside."
Friday, December 28, 2007
Privacy resolutions from the Privacy Commissioner of Canada:
News Release: Do you resolve to protect your privacy in 2008? (December 27, 2007) - Privacy Commissioner of Canada
Do you resolve to protect your privacy in 2008?
OTTAWA, December 27, 2007 – Threats to the privacy rights of Canadians will intensify in 2008 unless organizations resolve to do more to protect personal information, warns Privacy Commissioner of Canada Jennifer Stoddart.
“Heightened national security concerns, the growing business appetite for personal information and technological advances are all potent – and growing – threats to privacy rights,” says Commissioner Stoddart.
“The coming year will be another challenging one for privacy in Canada.”
With that prediction in mind, Commissioner Stoddart today released her 2008 list of top 10 suggested New Year’s resolutions for businesses, individuals and government.
Resolutions for businesses in Canada:
1. Protect personal information with strong security.
More than 162 million records were compromised by theft or loss in 2007, triple the number of data losses for the previous year, according to a USA Today analysis of breaches in the US, Canada and other countries. This alarming trend can be reversed if businesses begin to recognize the value of personal information. The disastrous breach involving Winner’s and HomeSense stores is an example of what can go wrong if businesses don’t invest in the latest security.
2. Use encryption to protect personal information on mobile devices such as laptops.
We are seeing too many headlines about personal information at risk because a laptop has been lost or stolen. Organizations must ensure personal information on a mobile device is encrypted – protecting information stored on a laptop with a password is simply not enough.
3. Ensure credit card processing equipment masks complete card numbers on receipts.
Complete credit card numbers should not be printed on receipts for electronically processed transactions. Businesses were supposed to switch to electronic processing equipment that masks card numbers – for example, by printing Xes – by the end of 2007. Printing complete card numbers exposes customers to the risk of identity theft. (Some very small businesses may still be manually taking imprints of cards because it is not economically feasible for them to purchase electronic equipment. They should still take all steps necessary to protect the information they collect.)
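Resolution 3 is the one item on this list that can be checked mechanically: a receipt printer either truncates the card number or it does not. The following is an added example, not code from the Commissioner's office or from any payment vendor, showing the masking rule the release describes (replace all but the last four digits with Xes) alongside a simple audit that scans sample receipt lines for card numbers that were printed in full. The receipt lines and the card numbers in them are constructed for the example (the card numbers are the widely used Luhn-valid test values, not real accounts), and the regular expression, the 12-to-19 digit range and the Luhn filter are assumptions chosen to keep a 12-digit reference number from being flagged as a card.

```python
import re

# Plausible card number: 12 to 19 digits, optionally separated by spaces or dashes.
# Assumed pattern for the example; tune it to the card brands a merchant accepts.
PAN_RE = re.compile(r"\b(?:\d[ -]?){11,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum; used only to reduce false positives when scanning receipts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan, keep_last=4):
    """Return the card number with every digit but the last `keep_last` replaced by X."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "X" * (len(digits) - keep_last) + digits[-keep_last:]


def find_unmasked_pans(line):
    """Return the digit strings of any Luhn-valid card numbers printed in full on a line."""
    found = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_receipt_line(line):
    """Rewrite a receipt line so that any full card number appears in masked form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, line)


def audit_receipt(lines):
    """Return the 0-based indices of receipt lines that still print a full card number."""
    return [i for i, line in enumerate(lines) if find_unmasked_pans(line)]


# Constructed sample receipt: one correctly masked line, two unmasked test card numbers,
# and a 12-digit reference number that is not a card and must not be flagged.
RECEIPT_LINES = [
    "VISA  XXXXXXXXXXXX1111  APPROVED",
    "VISA  4111 1111 1111 1111  APPROVED",
    "MC    5500000000000004  AUTH 123456",
    "TOTAL 42.17  REF 000000000001",
]

if __name__ == "__main__":
    for i in audit_receipt(RECEIPT_LINES):
        print("unmasked card number on line", i, "->", mask_receipt_line(RECEIPT_LINES[i]))
```

Running the audit over the sample flags lines 1 and 2 only; the reference number on the last line has the right length but fails the Luhn check, which is why the filter is there. In practice the same scan can be run over a printer's spool or a terminal's receipt log to confirm that a device actually masks before it is put in front of customers.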
Resolutions for Canadians:
4. Think twice before posting personal information on social networking sites.
Many Facebook and Myspace users think of these sites as private, when, in reality, the information they post can often be seen by just about anyone. Before posting something, ask questions such as: How would I feel defending this comment or photo during a job interview five years from now? Am I harming someone else or invading someone’s privacy by posting this comment, photo or video? We like this simple rule of thumb: If Grandma shouldn't know, it shouldn't be posted.
5. Ask questions when someone asks for personal information.
It’s a good idea to understand why information such as your phone number or postal code, or driver’s licence is being requested and how it will be used. If you are concerned about receiving junk mail or telemarketing calls, decline to provide the information. Canada’s privacy laws offer you a choice about providing personal information that is not necessary for a transaction.
6. Take steps to protect your personal information.
Invest in a good shredder or burn all documents that include your name, address, SIN, financial information or other sensitive personal information. Papers containing personal information don’t belong in the recycling bin.
Resolutions for the federal government:
7. Overhaul the no-fly list to ensure strong privacy protections for Canadians.
The no-fly list involves the secretive use of personal information in a way that has very serious impact on privacy and other human rights. Innocent Canadians face the very real risk they will be stopped from flying because they’ve been incorrectly listed or share the name of someone on the list.
8. Move forward with proposed reforms to Canada’s privacy laws.
The federal government is currently holding consultations on important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). These proposed changes include mandatory breach notification, a step that would encourage businesses to take security more seriously and protect Canadians against identity theft.
We also urge the federal government to open a review of the Privacy Act, which will be celebrating its 25th anniversary in 2008. Canadians should be offered the same level of legal protection under the Privacy Act as they have, as consumers, under PIPEDA.
9. Ensure that identity theft legislation is swiftly passed.
The government has introduced Criminal Code amendments to help police stop identity thieves or fraudsters before Canadians suffer actual financial harm. The changes include explicit penalties for collecting, possessing and trafficking in personal information.
10. Develop anti-spam legislation.
Canada remains the only G-8 country without anti-spam legislation, raising the danger that we will become a harbour for spammers. Halting the proliferation of spam is another important measure necessary to address identity theft.
Saturday, November 10, 2007
Karen Selick, a lawyer from Belleville, has an opinion piece in a recent National Post going on a tirade against privacy laws. I can certainly see her point. But the problem is not the privacy laws themselves, but the general cluelessness of the people who cite them to avoid doing something they can and likely should do.
The examples raised by Ms. Selick are general bureaucratic nonsense, but I do agree that privacy laws are increasingly and incorrectly cited by people who should know better:
The CRA vs. Canadian men
Wednesday, November 07, 2007
It appears that the Canada Revenue Agency (CRA) has recently established a policy of ripping off divorced or separated men on the flimsiest of pretexts. Within the past month, two of my legal clients have had their spousal support deductions disallowed, despite having filed copies of the documents (court order or separation agreement) proving that they have to pay.
They've both received letters from CRA bureaucrats saying they must provide signed receipts from their estranged wives. Fat chance. The wives have no obligation to provide receipts. Many women in these circumstances would withhold receipts either as a bargaining tactic to exact some other concession, or from sheer malice.
I phoned the CRA and spoke to a "pre-assessment review officer." She told me that it was within an officer's discretion to accept other evidence of support having been paid, without insisting that a man approach a hostile wife for receipts, and that she herself would have accepted the copy of the wife's tax return. I suspected that her apparent reasonableness may have arisen because she was talking to an irate lawyer, so I pressed on, asking why the CRA would not, on its own initiative, simply compare the two tax returns and allow the husband's deduction so long as the wife had reported the same amount of income.
Oh no, she said, that would violate the privacy laws. If they allowed the man's deduction so easily, that would be tantamount to spilling some confidential information that the wife had provided on her return.
My mind boggled. The CRA would choose to overtax a man by thousands of dollars rather than have him infer, from the fact that his deduction was allowed, that his wife had complied with the Income Tax Act and reported the money he already knew he had given her.
Could anyone really believe that this is what the Privacy Act requires? What nonsense. Men wouldn't necessarily assume that the CRA had cross-checked their wives' returns. They'd just assume the deduction was allowed because they're legally entitled to it.
The Privacy Act and its private sector counterpart, the Personal Information Protection and Electronic Documents Act (PIPEDA), now loom up unexpectedly and absurdly in many situations, I've observed. Few people know what they really require, so they've become a bogeyman, lurking ominously in the background, waiting to trip up some insufficiently vigilant flunky. It's like being a kid again, worrying that Santa's always watching and will know if you'd been bad or good. When in doubt, don't stick your neck out by saying anything about anything, no matter how absurd and inconvenient the consequences may be to anyone else.
Here's another example: Last year, I spent nine hours at a hospital emergency ward with a relative, who ultimately died there following a stroke. Days later, I wrote a letter praising the three doctors and one nurse who had attended her for their diligence and compassion. I didn't know their names but asked the hospital to pass my letter on to them. Astonishingly, the hospital replied that doing so would violate the privacy laws, unless the deceased's executor consented. Huh? I was there. I watched them doing their jobs. They discussed things with me. I observed their competence and kindness. I wanted them to know that. How on Earth could it violate anybody's "privacy" for the hospital to pass along my letter?
Aah, PIPEDA -- I've pondered this farce before. Every divorce lawyer in the country collects and uses personal information about their clients' spouses. We couldn't do our jobs otherwise. Theoretically, PIPEDA says we're supposed to seek the opposing party's consent to collecting and using information about their incomes, their adultery, their alcoholism, their bankruptcies, etc. Never yet has another lawyer contacted a client of mine seeking consent, so I assume my colleagues are as mystified as I am over how we're supposed to comply. Legislation like this, applied in the ridiculous way in which it is so often applied, undermines respect for the law. And the law could sure stand a little respect these days.
The only thing I'd add is that the last paragraph is likely incorrect. The dispute between the spouses is not a "commercial activity", so PIPEDA would not apply to it, even when a lawyer is involved. No PIPEDA, no consent required.
Thursday, October 18, 2007
The Privacy Commissioner of Canada has tabled her annual report on the Privacy Act in parliament today. The Commissioner notes that the Privacy Act became law when the Commodore 64 was new on the shelves and is getting long in the tooth.
Canadians continue to think personal information not well protected: Tabling of Privacy Commissioner of Canada’s Annual Report on the Privacy Act
October 17, 2007
Ottawa, October 17, 2007 — Canadians overwhelmingly feel their personal information is less well protected than it was a decade ago, and they are right to be worried, says the Privacy Commissioner of Canada, Jennifer Stoddart.
Commissioner Stoddart’s 2006-2007 Annual Report on the Privacy Act was tabled today in Parliament. At the same time, the Privacy Commissioner’s Office released new research confirming that Canadians are unsure of how their personal information is protected, and by whom.
Increasingly, Canadians’ personal information is being exchanged with law enforcement and security agencies in other countries. The government has claimed that this transborder flow of information will improve transportation safety and enhance our national security. “We are particularly concerned about the number of travel-related security programs that have been put in place,” says Commissioner Stoddart. “Parliament may not be sufficiently informed about how these programs work and their individual and collective impact on the privacy rights of Canadians.”
The increased collection of personal information under these programs increases the risk that Canadians will be the victims of inappropriate data matching, intrusive data mining, or the unintended consequences of the disclosure of personal information. This increases the risk of surveillance, rendition and unwarranted attention from law and security enforcement both at home and abroad.
These concerns could be addressed, in part, by a review and modernization of the Privacy Act. As the Annual Report notes, “Parliament passed Canada’s public sector privacy law back in 1982 – the same year the Commodore 64 computer hit the market. At the time, both were considered pioneering.”
The Privacy Act, unfortunately, is not equipped to deal with the pressures imposed by tremendous technological change. In fact, Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act, provides more protection for Canadians.
As the results of an audit of the government’s Privacy Impact Assessment (PIA) Policy confirm, government departments are not doing enough to protect Canadians’ personal information as they plan new programs or redesign existing programs.
“While we did not identify cases of pervasive non-compliance, many institutions are not fully meeting their commitments under the policy and, by extension, the intent or spirit of the Privacy Act,” says Commissioner Stoddart.
Under the PIA policy, federal institutions are required to assess the potential privacy risks of programs before they are implemented. These institutions must also identify the measures in place to protect personal information as it is collected, stored, used, disclosed and ultimately destroyed.
The Office of the Privacy Commissioner audit found that some institutions made serious efforts to apply the PIA policy but many are lagging behind. PIAs are sometimes completed well after the program has been implemented and, in some cases, not done even when potential privacy issues are evident.
“Privacy protection should be a key consideration in the initial framing of a program or service,” says Commissioner Stoddart. “Current PIA reports offer little assurance to Canadians who want to understand how a government service or program will affect their privacy.”
Canadians not only want to be reassured that their personal information is being protected; they also want to be informed when it is disclosed inappropriately.
Research conducted for the OPC shows that a majority of Canadians (seven in ten) expect to be informed if a security breach leads to the disclosure of information – whether that information is sensitive or not.
That research, a survey of 2,001 Canadians conducted by EKOS Research Associates earlier this year but released for the first time today, also found that:
- Seven in ten Canadians feel their personal information is less protected than it was ten years ago.
- A bare majority of Canadians agree that they have enough information to know how new technologies might affect their personal privacy.
- About seven in ten Canadians believe that they are doing a relatively good job of protecting their own personal information.
- Despite this, almost half of Canadians (46 per cent) carry a Social Insurance Number (SIN) card in their wallet, although this number is a key piece of information used by identity thieves.
“These survey results underline that we – my Office, privacy advocates, regulators and consumer protection authorities – have to work harder to reassure Canadians that their privacy rights are protected,” says Commissioner Stoddart. “We also have to give them the information and tools so they can better protect their own information.”
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.
To view the reports:
- Annual Report to Parliament 2006-2007 – Report on the Privacy Act (Adobe format)
- Backgrounder: Findings of a 2007 poll commissioned by the Office of the Privacy Commissioner of Canada
- 2007 EKOS Research Associates survey: Canadians and the Privacy Landscape
- Assessing the Privacy Impacts of Programs, Plans, and Policies (Adobe Format)
Wednesday, January 17, 2007
I was interviewed today for Global National's most recent report on privacy problems at the Canada Revenue Agency (our IRS, for my American readers). Since earlier reports on misdirected tax information, many more people have come out to report they have also been the unwitting recipients of information about other taxpayers. See: Taxman moves to protect privacy and also note the many comments in which others relate receiving others' personal information.
I think you can get the video of the feature here: http://video.canada.com/VideoContent.aspx?13750&vc=1&popup=1, but it seems hit and miss to me.
Monday, January 08, 2007
The Canada Revenue Agency continues to be in the news as of late.
The Canadian Press has found that the CRA official leading the investigation into the disclosure of information about high profile taxpayers, including MP and former hockey star Ken Dryden, once faced the wrath of George Radwanski:
CRA commissioner probing Dryden tax leak once dismissed privacy breach finding
Monday, January 08, 2007
TORONTO (CP) - The senior public servant leading a probe into the leak of Ken Dryden's confidential tax information once dismissed a scathing ruling by the federal privacy commission that found Canada Revenue Agency employees had violated the Privacy Act.
Larry Hillier, the agency's assistant commissioner for the Ontario region, launched an "immediate investigation" last month after a published report that employees had violated the Income Tax Act, the Privacy Act and possibly criminal law by leaking Dryden's information.
In an internal e-mail sent to CRA employees, Hillier also warned of possible disciplinary action, including dismissal.
"When one employee breaches confidentiality, as is currently alleged, each and every one of us is impacted," he wrote.
Hillier, however, had a decidedly different response in 2003, when the federal privacy commissioner found CRA employees committed a "serious violation" of the Privacy Act by accessing and disclosing the tax information of former employee Lillian Shneidman while investigating allegations that she had violated a taxpayer's privacy rights.
In an October 2003 letter obtained by The Canadian Press, Hillier defended the actions of his employees, despite the privacy commissioner's findings.
"I offer the following regarding the above-referenced report, which concludes that we inappropriately accessed Ms. Shneidman's tax information," Hillier writes in a letter to then-CRA human resources branch assistant commissioner Dan Tucker.
"It is felt that this particular investigation warranted the accessing of Ms. Shneidman's tax information, as a taxpayer raised serious allegations."
CRA employees who are found guilty of disclosing confidential tax information - a violation of the Income Tax Act - face fines of up to $5,000 or jail time of up to 12 months. Under the Criminal Code of Canada, breach of trust by a public officer is punishable by a maximum prison sentence of five years.
Shneidman, who was fired from the CRA in 2001, had been assured in a July 2003 letter from Tucker that the agency viewed "any breach in privacy as a very serious matter."
The CRA "will ensure that appropriate corrective action will be taken," Tucker wrote.
At least one of the employees involved in the incident has been promoted, said Shneidman - who continues to fight her termination, with cases pending before the Public Service Labour Relations Board and the Federal Court of Appeal.
Former privacy commissioner George Radwanski was unequivocal in his condemnation of the CRA's treatment of Shneidman.
"Accessing that information . . . for the sole purpose of confirming your status as a (CRA) employee was, in my view, totally unnecessary and a gross misuse of taxpayer information," wrote Radwanski, who faces charges of fraud and breach of trust after resigning that same year amid an expense-abuse scandal.
"I consider the use of your (tax) information in this instance to constitute a serious violation of the confidentiality rights afforded you under . . . the Privacy Act."
Thursday, January 04, 2007
A Halifax resident was more than slightly surprised when he went to the Canada Revenue Agency to pick up his requested notice of assessment. While the notice was conspicuously absent from the envelope, he did find a raft of information about ten complete strangers. Apparently, the CRA stuffed the wrong envelopes and handed over confidential and sensitive information to the wrong person.
When the individual who received the information was not satisfied with the CRA's reaction, he called the other taxpayers and went to the media. The story is on the front page of the Halifax Chronicle Herald.
To make matters worse, his own notice of assessment was mailed out, but nobody knows to whom.
CTV is doing a piece for the supper hour news here in Halifax, for which I was interviewed earlier today. They are hoping to get some comment from the unshuffled Minister responsible for CRA.
From today's paper:
More than he wanted to know
Government mistakenly mails other people’s tax papers to Whites Lake man
By JOHN GILLIS Staff Reporter
Andrew Doiron of Whites Lake just wanted to find out his RRSP contribution limit for the year. But what he got was a raft of personal information about 10 strangers from as far away as British Columbia.
The Canada Revenue Agency is now investigating how the confidential tax documents landed in Mr. Doiron’s mailbox and where the information he requested ended up.
"It looks like somebody just picked a handful of paper off a printer and just slipped it in an envelope with my (address) page on top," Mr. Doiron said Wednesday. "But of course they didn’t put my papers in there."
The confusion began Dec. 20 when Mr. Doiron went to the Canada Revenue Agency’s Halifax office in person to ask for a copy of his notice of assessment. He was told he had to call a toll-free number to ask for the document. Staff let him use a phone in the building.
Mr. Doiron was surprised Tuesday when he found an envelope from the agency in his mailbox, and it contained about 35 pages. The documents bore the names, addresses, social insurance numbers, income, marital status and other personal information for 10 other people. His own notice of assessment was not included.
He immediately called a toll-free Canada Revenue Agency number again but said it was tough to persuade the person who answered to let him speak to a supervisor. When he finally did, he said he was asked to mail the documents back to the agency and advised he could claim the price of the postage stamp on his tax return next year.
Mr. Doiron also called as many of the people whose tax information he’d been sent as possible.
One, Sandra Ambersley of Brampton, Ont., told CTV she was very concerned about what might have happened if someone had wanted to use that information.
"I was totally shocked yesterday when I received a call from Halifax, this man saying that he’d received all my personal information," she said Wednesday.
Mr. Doiron noted that on the same online telephone directory he used to find people’s telephone numbers, there was an ad pointing to a Capital One credit card application that required only an address and a social insurance number.
He personally returned all the strangers’ documents to the Halifax office Wednesday.
Mr. Doiron said he felt he did not get a serious response from the agency until after he began contacting the media.
Jack Lee, acting director of the Nova Scotia office, called to apologize and had a copy of the notice of assessment Mr. Doiron requested sent to him. It arrived safely.
The notice had been mailed previously, but not to him.
"Mine’s out there somewhere, floating around," Mr. Doiron said. "I hope somebody threw it away."
Canada Revenue Agency spokesman Roy Jamieson said security is the No. 1 priority for the service, but mistakes happen.
"We’re certainly scrambling to try and piece together what took place," he said. "There’s quite an active and quite an intense investigation going on right now."
He said a call to a toll-free number could be answered at any one of a number of call centres across the country, depending in part on the nature of the request. A requested document could be printed at the appropriate location and mailed from there.
The agency sends about 90 million pieces of mail per year and it’s rare that something gets mixed up, he said.
"To be misdirected in the magnitude of this case, it’s certainly unusual," Mr. Jamieson said.
He said the agency will contact all of the people whose documents were involved and will keep Mr. Doiron abreast of its investigation into the mix-up.
"There’s no question that any kind of breach of security and compromising of an individual’s privacy and confidentiality is our most significant issue in this agency," Mr. Jamieson said.
Mr. Doiron has little confidence that anything will change.
"My gut feeling is, this is government, nothing’s going to happen," he said.
Update: From CTV:
Canada Revenue investigates botched mailout
The Canada Revenue Agency is scrambling to restore public trust and has launched an internal investigation after confidential information on several Canadians was sent to a Halifax-area man.
The documents mistakenly sent to Andy Doiron of White's Lake, N.S., include the social insurance numbers, income, addresses and marital status of 10 Canadians, including some from as far west as Edmonton.
Doiron said he called most of the people to tell them what happened, and returned the documents to Revenue Canada.
With the trust of Canadians potentially on the line and tax time just around the corner, the agency is promising tough action if necessary.
Revenue Canada spokesperson Roy Jamieson called the incident a rare case of misdirected mail, but admitted somebody in the department made a mistake.
"Certainly if we identify breaches of policy process and procedure, there are disciplinary measures that can be taken and I expect they will be looked at quite seriously," he told CTV Atlantic.
Federal Minister of National Revenue Carol Skelton said she was "disturbed" by the security breach.
"The instant that I found out about it we had launched an investigation," she told CTV News in Saskatoon. "I really can't say much more about it than that. The incident is being looked into."
The agency is still trying to determine which one of five locations was responsible for the botched mail out.
David Fraser, a legal expert in security matters, told CTV Halifax that if such information were to fall in the wrong hands, it could easily be used to commit fraud.
"There really does need to be something done in order to make sure the trust is always there. Accidents happen but so often trust is won or lost in the aftermath of how they decide to deal with it," he said.
Sandra Ambersley of Brampton, Ont. was one of the people Doiron called.
"I was totally shocked when I received the call (on Tuesday) from Halifax," Ambersley told CTV Toronto.
"This man (was) telling me that he received all my personal information. As a joke he did say 'I could duplicate you right now.'"
The confusion began when Doiron called the revenue agency on Dec. 20 requesting a copy of his notice of assessment.
On Tuesday, an envelope from the agency arrived in his mailbox, containing over 30 pages of documents with all the information. His own assessment wasn't included.
Doiron said he immediately called the toll-free Canada Revenue Agency number again and he was asked to mail the documents immediately.
With a report from CTV Atlantic reporter Marc Patrone.
Monday, December 18, 2006
Bill C-25, An Act to amend the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and the Income Tax Act and to make a consequential amendment to another Act, is now in force. For the purposes of attacking money laundering and the financing of terrorism, the statute expands the amount of personal financial information collected and the sources of that information. But this amendment also gives the Privacy Commissioner of Canada a unique role: under the statute, the Commissioner is to audit the personal information handling practices of FINTRAC every two years. We'll see how the first such audit goes ....
From the Commissioner's office:
New money laundering law requires Privacy Commissioner to review FINTRAC's compliance with Privacy Act
Ottawa, December 18, 2006 – The Privacy Commissioner of Canada, Jennifer Stoddart, has new oversight responsibilities under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Bill C-25), which just received Royal Assent. Under this new legislation, the Commissioner's Office is now required to regularly review the Financial Transactions and Reports Analysis Centre's (FINTRAC's) compliance with the Privacy Act, the federal public sector privacy law.
Under the Privacy Act, the Privacy Commissioner already has the power to audit the personal information-handling practices of federal departments and agencies. However, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act specifically mandates the Office to review and report to Parliament on FINTRAC's activities every two years. The Commissioner's Office had already planned to conduct an audit of FINTRAC in 2007-08, pursuant to its authority under the Privacy Act.
"We understand the need to address suspected money laundering and terrorist financing activities, but we do have concerns about the potential impact on privacy rights resulting from an increase in the amount of personal information collected and disclosed by FINTRAC," said Ms. Stoddart. "In light of this, I am pleased to see that we will have increased oversight over these activities."
In the recent report of the Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar, Justice O'Connor also generally highlighted the need for increased oversight and review of activities that touch on national security. In Justice O'Connor's report, he recognized that the sharing and disclosure of personal information by government to foreign entities raises concerns.
Providing the Privacy Commissioner with mandated review of FINTRAC's activities is an important step because, as a result of the passage of Bill C-25, the number of organizations required to monitor and to collect information about their clients and customers will increase, the amount of personal information being collected will expand and more transactions will be subject to scrutiny and reporting. FINTRAC will be able to share more information with more organizations. FINTRAC is Canada's financial intelligence unit, a specialized agency created in July 2000 to collect, analyze and disclose financial information and intelligence on suspected money laundering and terrorist activities financing.
Last week, Ms. Stoddart appeared before the Standing Senate Committee on Banking, Trade and Commerce to discuss Bill C-25. Her statement and submission are available on the Office's Web site.
The Office of the Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights in Canada.
Thursday, April 06, 2006
The Government of Canada, through the Treasury Board Secretariat, has released its long-awaited Report on Assessment of Privacy Concerns Related to USA PATRIOT Act, including a multipart federal strategy: Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows.
I haven't had a chance to review it yet, but here's the executive summary. Hopefully, I'll have something more substantive to say shortly:
Privacy Matters: The Federal Strategy to Address Concerns About the USA PATRIOT Act and Transborder Data Flows - Part 2 of 10
The Government of Canada takes the issue of privacy very seriously, including concerns about possible privacy risks posed by foreign legislation, such as the USA PATRIOT Act.*
These laws point to the need for current privacy best practices to become more uniform throughout the federal government and for additional measures to build upon and complement the existing safeguards.
For over a quarter century, Canada has been a world leader in privacy. It has introduced ground‑breaking legislation and policies designed to respect the personal information of its citizens.
Recent trends and events, however, have raised new concerns about whether the personal information of Canadians is adequately protected by governments and companies when it travels outside of Canada’s borders.
Transborder data flows and contracting
The emergence of new information technologies, such as the Internet, allows information to be transferred quickly and easily across borders. This includes personal information and other sensitive information. The transfer of such information across borders is known as “transborder data flows.”
Transborder data flows are becoming more common as companies and governments take advantage of outsourcing, a practice in which a supplier is hired under contract to manage certain activities, often because the institution does not have adequate internal resources to improve efficiency and levels of service. Federal government institutions are among the organizations that contract out or outsource some programs and services.
Information under foreign laws
It is not uncommon for an organization in Canada to outsource the management of personal information about Canadians to a company in the U.S. or elsewhere. Information stored or accessible outside of Canada can be subjected not only to Canadian laws but also to laws in the other country.
One such law is the USA PATRIOT Act. The Act permits U.S. law enforcement officials to seek a court order allowing them to access the personal records of any person for the purpose of an anti‑terrorism investigation, without that person’s knowledge.
In theory, it means U.S. officials could access information about Canadians if that information is physically within the U.S. or accessible electronically.
British Columbia court case sparks national debate
In 2004, a court case in British Columbia (B.C.) sparked a national debate on the potential impact of the USA PATRIOT Act on the privacy of Canadians.
The British Columbia Government and Service Employees’ Union sought an order to stop the provincial government from hiring the Canadian affiliate of a U.S. company to administer the province’s medical records, claiming that the contract would make the records vulnerable under the USA PATRIOT Act.
The union lost the court case and is appealing. The province, meanwhile, proceeded with the contract using the U.S.-based firm but added new privacy measures.
In addition to the court case, the Information and Privacy Commissioner for B.C. conducted a review. The Commissioner for B.C. concluded that the issue was larger than the USA PATRIOT Act, that transborder data flows could make Canadians’ information accessible under other foreign laws, and that the matter should be addressed by both the public and private sectors.
The Privacy Commissioner of Canada agreed with the results of the B.C. review, and together with the B.C. Commissioner, called for actions to be taken by the federal government to enhance protection of Canadians’ personal information that can flow across borders.
The federal government’s strategy
The Government of Canada responded to the USA PATRIOT Act concerns and other transborder data issues with a federal strategy. It is confident that the right to privacy related to key federal personal and sensitive information can be both respected and achieved.
The strategy was created with the following factors in mind.
Shared responsibility: The federal government is not alone. Other governments, the private sector, and Canadians themselves all have a role to play in the protection of privacy.
Balanced approach: Privacy needs to be weighed against other important considerations. Among these are the following: the need to ensure that contracting protects privacy and results in improved service to Canadians; international trade agreements that allow for fair and equitable treatment of foreign companies and play a major role in the health of Canada’s economy; and the need to protect the public safety and national security.
Build on existing measures: The latest measures are an extension of privacy safeguards put into place long before the USA PATRIOT Act was enacted. They complement previous statutes such as the Privacy Act, enacted in 1983 to impose obligations on federal government institutions to respect the privacy rights of Canadians. The Personal Information Protection and Electronic Documents Act (PIPEDA), which took full effect in January 2004, protects personal information held by the private sector. In addition, the Government of Canada was the first national government in the world to introduce a mandatory Privacy Impact Assessment Policy. The Policy requires government departments to build in privacy protection when changing or creating programs and services that collect personal information.
Informational privacy can also find constitutional protection under section 8 of the Canadian Charter of Rights and Freedoms.
The federal strategy consists of the following steps.
- Awareness: The government made all of its 160 institutions that are subject to the federal Privacy Act aware of the privacy issues raised by the USA PATRIOT Act.
- Risk identification and mitigation: Institutions reviewed their contracting and outsourcing arrangements to identify any risks under the USA PATRIOT Act, assess the seriousness of those risks, take corrective actions as needed, and report to the Treasury Board of Canada Secretariat (the Secretariat).
Here are the results reported to the Secretariat:
Most of the federal institutions, 83 per cent, had their contracting classified as “no risk” (77 institutions) or “low risk” (57 institutions) under the USA PATRIOT Act or other foreign legislation. Of the remaining institutions, many with mandates that include international activities, contracting risks were rated as “low to medium” (19 institutions) and “medium to high” (7 institutions). It should be noted that, if an institution identified only one contract as high risk, the institution was classified in the high risk category. That said, in all cases where risks were identified, institutions have taken, or are planning, remedial actions to mitigate risks.
- Guidance on privacy in contracting: For many years, federal institutions have had privacy and security safeguards in place to protect personal and other sensitive information that is handled or accessible under contract. Risk management strategies are also in place to cope with emerging privacy issues and, where necessary, institutions have outlined further measures to mitigate risk.
Existing Best Practices include the following:
- Prior to initiating a contract, inspections of private sector facilities may be carried out by government security experts to ensure that adequate protection is available for information handled or stored off government premises by a contractor;
- the requirement that core information stays at home—in other words, part or all of the work must be completed within the department or within Canada;
- the return of records or approved destruction of all records at the end of a contract;
- the inclusion of contractual clauses to address confidentiality; and
- the signing of non-disclosure agreements.
Guidance document: The government has recently issued a policy guidance document for federal institutions that provides a privacy checklist and upfront advice on considering privacy prior to initiating contracts. It also includes specific considerations for maximizing privacy protection that can be used to develop clauses to include in requests for proposals (RFP) and contracts.
- Follow up: The government will be taking additional steps to further mitigate risk.
Highlights of ongoing measures and those planned for within the next year:
- Follow-up assessment of federal contracting activities, ongoing contract advice, and implementation of risk management strategies for contracting where information may potentially be at risk under the USA PATRIOT Act or other foreign laws.
- Ensuring that key government policies are in step with privacy issues and reflect the new global reality.
- The exploration of technology and data architecture solutions to protect information flows, including the use of encryption technology and electronic audit trails.
- Continued monitoring of new technologies, trends, and events to address their possible effects on privacy.
- The development of additional guidelines to cover government-to-government information sharing (within Canada and abroad), auditing of contracts, and technical solutions to protect privacy.
- Increased awareness and training related to transborder data flows and existing federal safeguards.
Highlights of measures planned for the next one to two years:
- A scheduled 2006 review of PIPEDA and a determination of whether the federal Privacy Act should also be reviewed.
- The development of a privacy management framework to establish high standards of privacy protection throughout the federal government.
- Addressing privacy and transborder data flows for the recently announced Security and Prosperity Partnership (SPP) between Canada, Mexico, and the U.S.
The federal government will also continue to share best practices in protecting transborder data flows with provincial and territorial governments as well as the private sector and foreign governments.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.