NDP dragging its heels on our privacy

February 5, 2010

It’s safe to say that the Alberta provincial government is regarded as being right wing. But Manitoba’s? Not at all. So why then is Alberta light years ahead of Manitoba at protecting workers’ privacy?

Read more>>

The above link takes you to the Winnipeg Sun.  I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis.  I hope you find them of interest!


A Conversation with Frank Work, Alberta’s Information and Privacy Commissioner

February 3, 2010

Continuing a series of blog posts that I’m calling “A Conversation with…” (the first being A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada), I’m delighted to post the following conversation with Frank Work.

Commissioner Work is as personable as he is professional. I’ve had the pleasure to speak at privacy conferences with Commissioner Work and let’s just say that I’m glad I presented first!  As privacy professionals will know, he’s a plain spoken, intelligent speaker and so his sessions are always a “must attend”.

Thanks to Commissioner Work for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Frank Work, the Office of the Information and Privacy Commissioner of Alberta (the “Alberta OIPC”) or the issues raised in this conversation, I’d encourage you to visit the Alberta OIPC’s website.

Q.  Your office has investigated identity theft arising from crystal meth abuse. What’s the link between the two?

A.  A couple of years ago the Edmonton police raided a hang out for meth users.  They found a lot of papers from businesses in the area, which they gave to us.  Cell phone contracts, credit bureau checks, credit card information and so on.  The police told me that meth users, unlike some other substance abusers, are pretty alert when they are high.  They don’t sleep.  They have lots of time to do the kind of detailed work necessary to engineer credit card fraud and identity theft.

Q.  So what can the public do to protect itself from that kind of identity theft?

A.  Individuals should shred bank and credit card statements.  They shouldn’t carry certain ID, like birth certificates, on them. These kinds of foundation documents are very useful for identity theft.  Always report lost or stolen credit cards, but also lost or stolen driver’s licences, birth certificates, and passports.  Check your bank and credit card statements to make sure someone else isn’t using them.  Do a credit bureau reference on yourself maybe once a year.  If your score is lower than you think, find out why.  If your score changes from one year to the next, find out why. Sometimes it can be identity theft (someone using your good name). Sometimes it can be an error on the part of the credit bureau.

The other side of the problem is organizations that have peoples’ info.  They must take proper care of it.  As I said, we have been given credit reports, draft mortgages, cell phone contracts, purchase of goods contracts and bookkeepers files, all thrown away.  These papers all have potential for fraudulent use.  Businesses need to shred this stuff.  Furthermore, for businesses that have customer databases, how well secured is it?  Who on their staff has access to it?  We have had cases where someone in the business is taking the info and using or selling it for fraud and identity theft.

Q.  Alberta’s private sector privacy legislation was recently amended to include mandatory breach notification. How will this impact privacy regulation in, and outside of, Alberta?

A.  It is early days yet.  Hopefully it will make organizations extra careful with personal information.  Will that raise the bar for organizations in other provinces?  Maybe.  If you are going to change your practices here, you might as well change them everywhere.  Possibly more provinces will legislate.  A big piece of the picture will be when the Federal government amends PIPEDA in this regard.  Maybe this will increase pressure to do so.  It will be a challenge to figure out what “a real risk of significant harm” is.  It will be a challenge to figure out in which cases there should be notice given and what kind of notice.

Q.  You’ve worked as a lawyer in different countries around the world. How does Canada’s approach to privacy compare to your experience in other places?

A.  We aren’t perfect but we are way ahead of most other jurisdictions.  The “commissioner” system of enforcement has served us well because we do not have the kind of well funded civil society organizations which can advocate for privacy.  Commissioners can and do advocate.  I mean, I would love to have an ACLU, or an EPIC or an EFF in Canada.  Our civil liberties people, like FIPA in BC do great work with the resources they have but resources are scarce.  We need some rich people to endow some of these groups.  The other thing is that I think, relative to other societies, Canadians have a disposition towards privacy.  We get it to some extent.  I like to think it is because we are, yes, polite, and respectful of other people.  That makes us respect each other’s space.  We must not lose that as the world becomes one big facebook/google culture.  Teach your children well.

Q.  Looking forward, what kind of privacy developments should we watch for in 2010?

A.  Cyber attacks, hacks and other losses will continue.  Governments will continue to bring surveillance technologies to bear every time anything bad happens. I will continue to get judicially reviewed.  I would like to think people will start resisting surveillance and other intrusions into their lives but I don’t see it happening.  Governments like surveillance.  Heck, the public likes surveillance because we are just so bad at risk assessment.  We are scared of everything it seems and we want someone to keep an eye on everything for us.  It will be interesting to see if technology begins to fail us.  For example, what if there is another airplane bombing attempt and the technology doesn’t prevent it?  They bring in new technology.  And that doesn’t prevent the next one (God forbid).  Maybe they run out of technology, although, for the money involved I don’t see that happening.  Someone will come up with a new toy.  Will someone ever say “this technology isn’t doing what we want it to and it is costing us a bundle?”  I think that will be a social shock.


PitbLAWg now online!

February 3, 2010

I’d like to welcome my firm, and colleagues at Pitblado LLP, to the blogosphere!

We’ve just launched a new firm blog, called PitbLAWg, that’s intended to provide readers with practical commentary regarding timely and relevant legal issues affecting you and your business. 

I hope you visit PitbLAWg by clicking here.


Today is Data Privacy Day 2010!

January 28, 2010

January 28th is Data Privacy Day 2010! Canada’s Privacy Commissioner is marking the day by “urging companies to ensure they have the proper systems in place to safeguard information; and reminding individuals to think twice about what they post on the Internet.” See the Privacy Commissioner’s news release here.


A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada

January 25, 2010

I’m very pleased to be able to post the following conversation with Jennifer Stoddart.

Since becoming Canada’s Privacy Commissioner in 2003, Commissioner Stoddart has undoubtedly raised the value of privacy in a time when security, trade, technology and consumer expectations have created a volatile atmosphere for our personal information. I might add that she has accomplished this admirable feat with passion and professionalism.  As a result, Canadians have been exceptionally well-served.

Of course, I’d like to thank Commissioner Stoddart for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Jennifer Stoddart, the Office of the Privacy Commissioner of Canada (the “OPC”) or the issues raised in this conversation, I’d encourage you to visit the OPC’s website and blog.

Q. How did you get involved in the world of privacy?

A. Back in the spring of 2000, I happened to read an article in the New York Times Magazine by the noted American legal scholar Jeffrey Rosen. Prof. Rosen was explaining how personal privacy was being subtly eroded in the digital age. I was fascinated.

I was working at the Quebec Human Rights Commission at the time. The next week, I was asked to head up Quebec’s Access to Information and Privacy Commission, and that’s the field I’ve been in ever since.

Q. But it’s coming to an end.

A. Sadly. My seven-year term as Privacy Commissioner will wind up this year. On the plus side, though, I can look back with considerable pride at the progress we’ve made. The encroachments on privacy in this digital era really are staggering, but that doesn’t mean we’re letting them bowl us over.

Last year’s investigation into a complaint against Facebook was surely the most high-profile example of the kind of influence we have. And beyond that I would say that we’re making a meaningful difference, in countless other ways, every day of the year.

Q. What are the most rewarding aspects of being the Privacy Commissioner of Canada?

A. Certainly one of the most rewarding things for me is to know that our work matters, that it has a real and positive impact on the lives of Canadians.

As you know, it’s become fashionable in some circles to suggest that privacy is pretty much dead in this era of digital exhibitionism. But I think that’s totally wrong. And the best evidence for that was the worldwide response to our Facebook investigation.

Privacy may look different today than it did a generation – or even a decade – ago. But it remains an incredibly important and cherished value to Canadians. And to the extent that my Office can help protect that value, and advance privacy rights, I would say that is the most rewarding aspect of my job.

Q. What do you consider to be the greatest challenges for the Office of the Privacy Commissioner of Canada?

A. Our biggest challenges are the same that preoccupy data-protection authorities around the world: How to safeguard privacy rights in the face of so many rapidly changing technologies. You yourself have blogged about many of them – cloud computing, behavioural marketing, genetic technologies, to name just a few.

We’re seeing unimaginable quantities of data flash around the world, including to countries where data-protection laws are slim to non-existent. We’re also seeing technologies employed in the service of national security and law enforcement, but they’re guarded behind a wall of secrecy.

So the challenges are real, and they are huge.

Q. So how does an Office like yours keep up?

A. I guess the short answer is: By working smarter. We have zeroed in on four priority privacy challenges that are shaping and streamlining our work for the years ahead: information technology, genetic technology, national security and the protection of identity integrity.

We are re-engineering our internal processes to better handle the complaints and inquiries that come to our Office. We’re picking and choosing our privacy audits and our communications and public outreach efforts in order to maximize our impact. We’re ramping up our issuance of guidance, on the theory that an ounce of prevention outweighs a pound of cure. And we’re working with the global data-protection community, since so many of the challenges are international in scope.

But, most important of all, we’ve recently attracted an infusion of very bright, very knowledgeable – and in many cases young – new employees to key positions in our Office. They are really making a difference.

Q. If you could make a few recommendations for Canadian business leaders, what would you say?

A. First I’d thank them for having embraced PIPEDA, the Personal Information Protection and Electronic Documents Act as it came into force over the past nine years. When I look at the situation of our neighbours to the south, where there is no single law at the federal level to protect the personal information of consumers in a commercial setting, I am deeply gratified by the way things can work up here.

Beyond that, I would encourage business leaders to continue to consult the guidelines we issue on specific topics for the purpose of clarifying the responsibilities of organizations under PIPEDA. And we invite them to work with us to fill any other information gaps they may have encountered.

I also want to take this opportunity to mention that data breach notification will become mandatory – and I suspect that will happen sooner rather than later. So I would encourage business leaders to start giving some thought now to how they can bring their processes into compliance. 

Q. Do you have any “privacy-related” predictions for 2010?

A. I don’t think you need a crystal ball to conclude that national security will continue to dominate the privacy landscape in the year ahead. The controversy that erupted over Transport Canada’s deployment of millimetre-wave scanners at Canadian airports was just the first of the privacy-related issues that we can expect to be hearing about in 2010.

And stay tuned for more during and after the Vancouver Olympics. There, one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all the cameras and recordings after the flame is extinguished.

I’ll just mention two other issues of particular interest to our Office, because we will be consulting Canadians on them in the next few months. The first will focus on the tracking, profiling and targeting of consumers by marketers and other businesses, and we’ll be hosting consultation forums on that topic in Toronto in April and Montreal in May. Soon after, we’ll organize another forum to discuss the privacy implications of cloud computing.


Cloud computing in 2010 likely to grow

January 21, 2010

I attended the 2010 Deloitte Technology, Media & Telecommunications Predictions seminar today with my colleagues Adam Herstein and Bruce King. The seminar was designed to highlight the top trends expected to impact businesses this year. Of particular interest to me was the Technology Predictions 2010, in which speaker Duncan Stewart listed seven predictions, including one that cloud computing is “likely to grow much faster than most other technology verticals…”. Deloitte further predicted that “we also expect to see [cloud computing] grow the fastest in the consumer and smaller medium enterprises (SME) market, rather than in the large enterprise and government markets”.

As I previously posted last July, cloud computing is certainly on the rise. The privacy issues are profound and, as a result, we’re spending more time these days working on cloud computing related agreements. In any event, I’d encourage you to review the Technology Predictions 2010 as it provides some great insight that might help your business.


On the lighter side… RMR: A Message From Transport Canada

January 20, 2010

There sure has been quite a bit of chatter amongst privacy professionals about the virtual strip search scanners being installed in Canadian airports. My last post addressed the substantive privacy issues. But on the lighter side, CBC’s Rick Mercer has had some fun with the issue in this supposed “Message from Transport Canada”.  Check it out if you need a good laugh.


Privacy folks crying wolf on scanners

January 7, 2010

Will the virtual strip-search scanners soon to be operational in Winnipeg’s Richardson International Airport be an invasion of privacy? Absolutely. Should they be installed despite privacy concerns? Absolutely.

Read more>>

You may note that the above link takes you to the Winnipeg Sun.  I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis.  I hope you find them of interest!


Canadian Law Blog Awards Finalist

January 5, 2010

The 2009 Canadian Law Blog Awards, or CLawBies, were recently released and I’m thrilled to be a runner-up in the category of “Best Practitioner Blog”.

It was particularly heart-warming to receive the nomination from fellow Manitoban blogger, Donna Seale (who writes an excellent blog called Human Rights in the Workplace). Congratulations to all of the award winners and finalists. The Canadian Law Blog Awards are a project started back in 2006 with the goal of highlighting great blogs published by the Canadian legal industry. Thanks to Steve Matthews of Stem Legal for his leadership in this regard.

Most importantly, thanks to you for reading my blog and to many of you for your ongoing topic suggestions and feedback. I hope you continue to check out my blog as it develops in 2010! In the meantime, I’d highly recommend checking out some of the other Canadian law blogs profiled on the Canadian Law Blog Awards website.


Monitoring employee e-mail: A privacy primer

January 4, 2010

Since e-mail has become the dominant form of business correspondence, employers have been increasingly forced to deal with issues related to e-mail use, monitoring and access. It’s crucial that organizations stay on top of the legal landscape as it relates to e-mail monitoring, especially as it relates to privacy issues.

Unfortunately, privacy law does not offer black and white answers to the legal issues raised by e-mail monitoring practices. Instead, and like most other privacy law issues, the standard of “reasonableness” rules the day.

I recently penned an article on point (link below) with my colleague Andrew Buck (who is currently completing his Articles at Pitblado LLP) for the Canadian Bar Association’s National Privacy & Access Law section newsletter, Privacy Pages. Our article examines some of the case law and commentary that has arisen from e-mail monitoring with a view towards setting out practical solutions for the creation of “reasonable” e-mail monitoring practices. If you’re interested in reading the full article, please click on the link below.

Monitoring employee e-mail: a privacy primer


Mandatory privacy breach notification requirement inevitable

December 15, 2009

For years now, Ontario’s Personal Health Information Protection Act has contained provisions requiring health custodians to notify individuals if their personal health information is stolen, lost or accessed by unauthorized persons.  Until now, such mandatory privacy breach notification provisions have been limited to the sphere of health care in Ontario. That’s about to change.

The federal Personal Information Protection and Electronic Documents Act will likely contain mandatory privacy breach notification provisions in the near future. Since 2006, Special Committees at both the Federal and Provincial (Alberta and B.C.) levels have convened and generated a series of recommendations relating to breach notification.  For further information on these recommendations, see the final reports of the Federal, Alberta and B.C. committees.

The most important recommendation independently generated by each of the committees provides that organizations should be under a statutory breach notification duty.  On October 27, 2009, the initial step toward implementing this recommendation was taken in the Alberta Legislature with the first reading of Bill 54: Personal Information Protection Amendment Act, 2009.  The Alberta privacy breach notification provisions will soon come into force. British Columbia and the Feds are expected to follow suit and implement similar requirements in the near future. When that occurs, private sector organizations across Canada will be required by applicable law to notify affected individuals when privacy breaches occur.

The best advice is to make sure that privacy protection policies, procedures and training are implemented and enforced… now.


Manitoba private sector privacy legislation: An insurmountable goal?

December 11, 2009

University of Manitoba law student, Courtney Pope, has just drafted an in-depth paper (below) on Bill 219, The Personal Information Protection and Identity Theft Protection Act. As I’ve previously posted here, Bill 219 seeks to regulate the management of personal information by organizations in the Manitoba private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

Courtney’s paper, entitled “Bill 219: An Insurmountable Goal”, argues that the law is necessary in order to “effectively protect the privacy rights of all Manitobans”.  The paper outlines the main features of the Bill; examines the role of PIPEDA and the concept of “substantially similar” legislation; and analyzes the main arguments advanced for and against the Bill, as expressed in Hansard and in the context of the Bill’s legislative history. Courtney also advances theories regarding the major impediments to its passing.

Courtney was a summer student at Pitblado LLP this past summer and will (fortunately for us) be returning in the New Year to complete her Articles.  Thanks to Courtney for sharing her paper, which you can read by clicking on the hyperlink below.

Bill 219: An Insurmountable Goal


Redactions gone terribly wrong

December 9, 2009

CTV News is reporting that the U.S. federal government improperly posted an internal guide to its airport passenger screening procedures on the Internet in a way that could offer valuable tools to terrorists. The guide was posted on the U.S. Federal Business Opportunity website, but the sensitive information (which was electronically redacted, or blacked out) was not properly protected.  Some websites, using widely available software, were able to uncover the original text of sections that had been redacted.

This situation is an example of redactions gone terribly wrong!  And it should serve as a reminder to public and private sector organizations to take extra care when making redactions in documents that will be released to third parties. Different redaction strategies can be implemented depending on the circumstances. One strategy that I implement when records will be posted online is to make my redactions and then physically scan the document and save it as a PDF. It’s a basic way to protect sensitive portions of records.  Please feel free to post a Comment below with other suggested strategies for making secure redactions.
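A pre-release check for the failure described above, as an added example that is not part of the original post: it reads an uncompressed PDF page content stream and reports text that is still in the file beneath a filled rectangle. The two sample streams are constructed, and the parser assumes no coordinate transforms, no compressed streams and only the `Tj`/`TJ` text operators.

```python
import re

# Tokens of a page content stream: literal strings, names, numbers, operators.
# Simplification: nested parentheses and hex strings (<...>) are not handled.
TOKEN = re.compile(
    rb"\((?:\\.|[^\\()])*\)|/[^\s()<>\[\]/]+|[-+]?\d*\.?\d+|[A-Za-z*]+", re.S
)
FILL_OPS = {b"f", b"F", b"f*", b"B", b"B*", b"b", b"b*"}
END_PATH_OPS = {b"S", b"s", b"n"}


def scan_content_stream(stream):
    """Return (text_runs, filled_rects) for an uncompressed content stream.

    text_runs is a list of (x, y, text); filled_rects a list of (x0, y0, x1, y1).
    Assumes no coordinate transform (cm) applies to the text or the rectangles.
    """
    operands, pending = [], []
    text_runs, filled_rects = [], []
    x = y = 0.0

    def nums(n):
        # Last n numeric operands as floats, or None if there are fewer than n.
        vals = [float(t.decode()) for t in operands if t[:1] not in b"(/"]
        return vals[-n:] if len(vals) >= n else None

    for tok in TOKEN.findall(stream):
        if tok[:1] in b"(/+-.0123456789":
            operands.append(tok)          # operand: wait for its operator
            continue
        if tok == b"BT":                  # begin text object: origin resets
            x = y = 0.0
        elif tok in (b"Td", b"TD") and nums(2):
            dx, dy = nums(2)
            x, y = x + dx, y + dy
        elif tok == b"Tm" and nums(6):    # text matrix: last two values are x, y
            x, y = nums(6)[4:]
        elif tok in (b"Tj", b"TJ"):       # show text: the string is in the file
            raw = b"".join(t[1:-1] for t in operands if t[:1] == b"(")
            text = re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")
            text_runs.append((x, y, text))
        elif tok == b"re" and nums(4):    # rectangle path, not yet painted
            rx, ry, rw, rh = nums(4)
            pending.append((min(rx, rx + rw), min(ry, ry + rh),
                            max(rx, rx + rw), max(ry, ry + rh)))
        elif tok in FILL_OPS:             # path is filled: candidate black box
            filled_rects.extend(pending)
            pending = []
        elif tok in END_PATH_OPS:         # path stroked or discarded, not filled
            pending = []
        operands = []
    return text_runs, filled_rects


def text_under_redaction(stream):
    """Text runs whose origin lies inside any filled rectangle.

    Conservative: the fill colour and drawing order are not checked.
    """
    runs, rects = scan_content_stream(stream)
    return [text for tx, ty, text in runs
            if any(x0 <= tx <= x1 and y0 <= ty <= y1 for x0, y0, x1, y1 in rects)]


# Constructed sample: a black box drawn over a line whose text was never removed.
OVERLAY_REDACTED = b"""
BT /F1 12 Tf 72 720 Td (Screening memo, page 1) Tj ET
BT /F1 12 Tf 72 700 Td (CONSTRUCTED-SENSITIVE-LINE) Tj ET
0 0 0 rg
70 696 300 16 re f
"""
# Constructed sample: the page after print-and-scan, a single full-page image.
RASTERISED = b"q 612 0 0 792 0 0 cm /Im0 Do Q"

if __name__ == "__main__":
    for name, stream in (("overlay", OVERLAY_REDACTED), ("rasterised", RASTERISED)):
        print(name, "-> text still under a box:", text_under_redaction(stream))
```

A scanned page passes because its content stream carries only an image, which is why the print-and-scan strategy works; a page that reports any text under a box should not be released.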


Anti-Spam Bill passed in House of Commons

December 1, 2009

Bill C-27, commonly referred to as the “Anti-Spam Bill”, passed third reading in the House of Commons yesterday and has been referred to the Senate. I originally posted about the Anti-Spam Bill being introduced back in April, so don’t count on speedy passage through the Senate.

(Hat tip to @privacylawyer David Fraser for the heads-up!)


58% of employees prepared to illegally download company/competitive data

November 28, 2009

According to a Cyber-Ark survey entitled “The Global Recession and its effect on Work Ethics” (link below), 58% of U.S. employees surveyed said that if they thought their job was at risk they would, as a pre-emptive move, be prepared to download company/competitive data. Fifty two per cent (52%) said that if they were fired tomorrow they’d take their employer’s customer and contacts data.

More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information.  The favoured medium for stealing corporate information is a USB memory stick followed by e-mail. 

As I’ve mentioned in previous posts, rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping.  In today’s economy, information is the most valuable corporate asset.  For this reason, businesses of all sizes should take proactive steps to protect corporate data.  Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.

The Global Recession and its effect on Work Ethics


2010 Privacy Prep Webinar: New dates added

November 23, 2009

I’ll be hosting a 2010 Privacy Prep Webinar on Tuesday, January 12th from 12:00 – 12:30 PM (CST). (FULL)  Due to high demand, new dates added: Wednesday, January 13th from 12:00 – 12:30 PM (CST) and Thursday, January 14th from 12:00 – 12:30 PM (CST).

This complimentary 30 minute webinar will provide a plain language overview of the most significant privacy issues/events of 2009 and, more importantly, prepare you and your business for 2010.  Among other things, I’ll highlight notable court cases and privacy commissioner findings from 2009 as well as point out anticipated privacy issues likely to affect Canadian businesses in the coming year.

Space is limited so please RSVP early by emailing me at bowman@pitblado.com.


Rogue employees pose risk to privacy compliance, corporate info

November 18, 2009

The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies.  Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.

As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.


Help me help you! Join the conversation.

November 13, 2009

In the words of Jerry Maguire, “Help me help you!” 

I’d like to know what topics you want discussed on this blog.  So please join the conversation by giving me your ideas on my new Submit a Topic! page.  I’ll then consider drafting a post on your topic!

I may not be able to “Show you the Money!”, but I’ll do my best to address cutting edge legal issues of interest to you and your business.


Website discussion boards: Who’s responsible for defamatory comments?

November 9, 2009

A great feature of website discussion boards is that they allow people to instantly share thoughts on a given topic with others from their community or around the world.  However, they are fraught with complicated legal issues for the businesses, or website operators, who make them available on the Internet.

To prove defamation, a claimant must demonstrate that a defendant “published” defamatory words. Currently in Canada it’s clear that a person who posts defamatory comments about another person or business on a discussion board can be liable for defamation.  It’s also clear, as I’ve mentioned in a previous post, that a person or business may be liable in certain circumstances if they hyperlink to defamatory content on another website.  But what about defamatory comments made by others on your website? The answer is less than clear, primarily because of two generally competing public policy views. One view is that website operators should not be liable for defamatory content posted on their discussion boards because the task of monitoring is too onerous for most businesses; and that website operators aren’t “publishing” the defamatory content but are merely “distributing” (which generally doesn’t attract liability for defamation). The other view is that website operators should be liable because the potential for instantaneous and severe damage to claimants’ reputations caused by online defamation should compel website operators to monitor, and be responsible for, their discussion boards.

After American courts struggled with these competing public policy views, the U.S. Congress passed legislation granting immunity to businesses that operate website discussion boards, regardless of the level of control that website operators may have regarding posted comments.  The case of Finkel v. Facebook is a recent example of the immunity that can be provided to U.S. based companies. There is no similar “immunity” legislation in Canada, and the specific issue has not yet come before a Canadian court.  Of course, each case is decided on its own facts, and one would anticipate that key factors a Canadian court would consider would be a website’s Terms of Use, the degree of control and content monitoring by a website operator, and any actions a website operator took (or didn’t take) in response to a notice from a third party regarding defamatory comments.

This is a rapidly emerging area of law, and businesses should consult a lawyer with relevant expertise to assist in drafting adequate Terms of Use and to discuss potential risks prior to launching, or continuing to host, a website discussion board.


I don’t want ANY spam! Misconceptions and marketing research

November 4, 2009

I’d like to dispel a misconception about Bill C-27, An Act to Promote the Efficiency and Adaptability of the Canadian Economy by Regulating Certain Activities that Discourage Reliance on Electronic Means of Carrying Out Commercial Activities (the “Anti-Spam Bill”), which is working its way right now through the Parliamentary Committee process. When passed, the Anti-Spam Bill will provide much-needed relief from insidious electronic Spam like phishing and spyware. There is, however, an unfortunate misconception that the Anti-Spam Bill might create “loopholes” for spammers.

As originally drafted, the Anti-Spam Bill didn’t clearly define which types of electronic communication would be subject to regulation. While spyware and phishing would clearly be outlawed, questions arose as to whether other decidedly non-Spam and legitimate activities could possibly be caught within the scope of regulation. That’s because the Anti-Spam Bill was drafted to regulate “commercial activity”. Unfortunately, it didn’t clearly explain what this term meant. Here’s where the misconception comes in.

Some think “marketing research” is the same thing as telemarketing. In reality, the two activities have very little in common. Legitimate marketing research organizations do not try to sell products or services (in fact, if they are members of Canada’s Marketing Research and Intelligence Association (the “MRIA”), they are bound by a professional code of conduct which expressly prohibits such activities). Maybe you’ve heard of “mugging” (marketing under the guise of research) and “sugging” (selling under the guise of research). Let’s be clear: legitimate marketing research organizations do neither. If someone is trying to sell you something under the guise of a survey, they are not conducting legitimate marketing research. Nevertheless, comparisons of online marketing research to telemarketing abound, even though the Anti-Spam Bill will regulate online activity, not telephone calls.

Polls tell us that Canadians support the Anti-Spam Bill. How do we know this?  Because members of the MRIA were able to conduct marketing research, quite likely, using an online survey. These surveys are fuel for polls that provide valuable and timely information to Canadian decision-makers. What’s more, online surveys are quick and convenient for participants. I have the privilege of serving as the MRIA’s legal counsel, and am also a member, so I’ve seen marketing research activities first hand and know the value they provide to Canadians.

My understanding and reading of the Anti-Spam Bill is that online marketing research is not intended to be caught by the law. But that’s the problem: given the ambiguity of the Anti-Spam Bill, it’s impossible to definitively say that online marketing research would not be regulated. Ambiguity leads to uncertainty, which is good for no one. The Personal Information Protection and Electronic Documents Act, for instance, has been criticized for being far too subjective. We should learn from this experience and cut as much ambiguity as possible from the Anti-Spam Bill. That’s why the Anti-Spam Bill should be clarified to ensure it’s clear that it won’t apply to online marketing research. Doing so would not create loopholes, as some have argued; it would simply ensure that online marketing research is not lumped into the annoying Spam that everyone wants to ban. Bringing clarity to the Anti-Spam Bill would also be consistent with the actions of other countries that have already created specific exemptions for marketing research in their anti-spam laws. 

The bottom line is that no one likes Spam, except perhaps for these guys from Monty Python. Parliament still has an opportunity to clarify misconceptions and introduce a strong, effective law. Marketing research isn’t Spam, however, and the Anti-Spam Bill should clearly reflect this fact.


“Naked” airport scanners get green light

November 3, 2009

Don’t let anyone tell you that something can’t be done because of privacy laws. For example, how many times have you heard someone say, “privacy laws handcuff the ability of law enforcement to protect Canadians” or “businesses can’t compete because of heavy-handed privacy laws”?  Yes, in very limited circumstances privacy laws can restrict certain activities.  But, these cases are few and far between.  In many more circumstances, privacy considerations simply need to be built into the design of a product or service. 

Case in point is the recent coverage that Assistant Privacy Commissioner of Canada, Chantal Bernier, has approved the use of airport scanners that can see through your clothes.  Who would have thought that the Office of the Privacy Commissioner of Canada would ever approve what have been referred to as “naked” airport scanners?  But if you look at the manner in which the scanners will apparently be rolled out, there appears to be a balance between security and privacy considerations.  As I’ve previously posted, “Privacy by Design” can help those with a “can-do” attitude. 

Regardless of whether I agree that the “naked” airport scanners are lawful (and regardless of whether I’ll choose to walk through one of these scanners myself), it’s great to see an attempt at “Privacy by Design” in action. To be honest, however, my greatest concern is for the poor airport security professionals who may one day have to look at my less than stellar outline.  I’m not sure how much they get paid, but it’s probably not enough!


“Identity theft” law comes into force

October 27, 2009

You may know someone who has been a victim of identity theft. What you may not know is that, before today, police couldn’t charge fraudsters with “identity theft”. That changed when Bill S-4 was given Royal Assent by Parliament earlier today.

Thanks to the bill, titled An Act to amend the Criminal Code (identity theft and related misconduct), there are now three new Criminal Code offences related to identity theft:

  • Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime;
  • Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information; and
  • Unlawfully possessing or trafficking in government-issued identity documents that contain information of another person.

Before Bill S-4 came into effect, police had to use other Criminal Code provisions to target identity theft. Today’s development should help law enforcement officials attack a growing problem: the Canadian Council of Better Business Bureaus has estimated that identity theft may cost Canadians more than $2 billion annually.


Can you get sued for hyperlinking?

October 21, 2009

The number of cases involving Internet defamation seems to be growing every day. So, too, is the number of related issues that businesses need to consider in relation to online activities. Case in point is the recent British Columbia Court of Appeal decision of Crookes v. Newton, where the court was asked if providing a hyperlink to another website containing defamatory comments constituted Internet defamation.

A key hurdle that claimants must prove in defamation lawsuits is that defendants “published” defamatory words. Internet defamation is no different, and in the Crookes case, the court concluded that providing a hyperlink does not necessarily equal the “publishing” of defamatory content. If a website simply provides a hyperlink, or describes a hyperlink’s content in a neutral manner, then according to the court in Crookes, the hyperlink is not adopting the offending words as its own and is not indirectly “publishing” them. However, if the linking website endorses the content of the hyperlink material or encourages the reader to click the hyperlink to the website that contains defamatory material, the defendant may be just as liable for defamation as the original author of the offending material.

The Crookes case provides useful guidance, but businesses should be reminded that each Internet defamation case will turn on its own specific facts, and factors that will be considered include the wording, tone and placement of hyperlinks. To help minimize the risk of being sued for the publication of defamatory comments, business owners should seek legal advice prior to hyperlinking to any potentially defamatory materials on the Internet.


Privacy vs. security in the Internet age

October 19, 2009

The Federal Government’s recent initiative to modernize law enforcement related legislation for the Internet age has (at least within law enforcement and privacy circles) once again propelled the issue of privacy vs. security to the forefront. The issues are incredibly important for Canadians, yet there has been little debate within the wider public. That being said, I’m pleased to read Ian MacLeod’s recent Ottawa Citizen article, which (even if you don’t agree with some of the points) does a good job of raising the issues in plain language. For a more technical analysis of the legal issues, you may want to read fellow blogger David Fraser’s post regarding the debate about warrantless access to ISP customer information.

The debate surrounding the “lawful access” legislation stems from real challenges affecting Canada’s law enforcement agencies and their need for access to personal information in the course of investigations. What is concerning, however, is the prospect of warrantless searches without judicial oversight. As a citizen in a free and democratic society, it troubles me to see any legislative initiative that could lead to investigations without appropriate checks and balances.  Privacy and security don’t need to be mutually exclusive. Let’s hope that through the upcoming Parliamentary Hearings on the “lawful access” legislation we see a balance emerge between privacy and security in such a way that empowers law enforcement agencies while preserving the judicial oversight that Canadians have come to rightfully expect in our society.


Another anonymous blogger outed

October 14, 2009

A widely reported and controversial issue these days relates to the identification of anonymous bloggers (I’ve commented on this issue in previous posts). On point, Cook County (Illinois) Circuit Court Judge Jeffrey Lawrence has ordered the identification of an anonymous commenter.  According to the Daily Herald, Judge Lawrence has ruled that the Daily Herald and Comcast must reveal the identity of a person who posted a comment on dailyherald.com.

It seems that website operators are being increasingly asked, or ordered, to reveal the identity of  anonymous commentators or bloggers, many of whom have likely presumed that their identity would never be disclosed. However, Northwestern University law professor and First Amendment scholar Martin Redish tells the Daily Herald, “[a]ssume a worst-case scenario”. “Proceed on the assumption that your identity can be revealed.”

Americans are very fond of their First Amendment right to free speech (in Canada we call it Freedom of Expression). However, this right does not protect writers whose comments are defamatory. As I’ve said before, this is a rapidly emerging area of law and it’s becoming increasingly important to stay on top of developments.


Summer is over but “phishing” continues

October 6, 2009

BBC News is reporting that thousands of Hotmail accounts have been compromised in a phishing attack, which has reportedly affected at least 10,000 individuals.

Phishing involves identity thieves attempting to obtain personal information, such as user names, passwords and financial information, by pretending to be trustworthy organizations in need of such data.

Coincidentally, the Privacy Commissioner of Canada released her annual report today, which stresses the importance of making informed choices when sharing personal information online. The Privacy Commissioner reminds Canadians that there is a risk that unguarded personal information could be exploited by identity thieves. The Hotmail phishing attack, as well as the Privacy Commissioner’s annual report, should also remind businesses to remain vigilant in protecting their brands – or online reputations – from being damaged by identity thieves that use phishing attacks to exploit the well-earned trust that such businesses have built with their customers.


Debate rages over anonymous blogs: The Lawyers Weekly

September 29, 2009

The Lawyers Weekly is running a story that focuses on one of the most cutting edge and rapidly emerging areas of law – online reputation management. Here are some excerpts from the story, which profiles an ongoing client matter:

“On the heels of a recent New York state court decision that ordered Google Inc. to reveal the identity of an anonymous blogger in a defamation suit, a Winnipeg business lawyer has asked the California-based online search engine giant to do the same and out a blogger on behalf of an Ottawa-area resident. Brian Bowman, a partner with Pitblado LLP in Winnipeg who specializes in privacy, access to information, online reputation management, intellectual property and technology matters, says that his client was defamed on a site appearing on Google-operated blogspot.com (also known as Blogger.com).”

“The New York court decision and the Canadian case raise “one of the fundamental legal questions of our time over the appropriate balance between legitimate, anonymous Internet speech versus the right for people to protect their reputations,” says Bowman, who expects more of these situations will emerge in the near future.”

Read the full story here.


E-mail disclaimers: why bother?

September 21, 2009

Peruse through your Inbox and look at the e-mails you have received this week. No doubt there will be a few that include legal notices at the bottom of messages warning you of the confidential nature of the correspondence and stressing that if you are not the intended addressee that you are to return the e-mail to the sender… immediately!   These automatically generated e-mail disclaimers have become standard business practice.  They have become so commonplace it begs the question: are e-mail disclaimers legally enforceable?

This very question has yet to be the focus of judicial consideration in Canada, and it appears as though it remains an unresolved issue in most other jurisdictions.  Although bloggers and writers have analyzed e-mail disclaimers, there is no authoritative jurisprudence or legislation to shore up their arguments.  There are a number of issues surrounding the enforceability discussion, including, among other things:

  • the lack of consideration between parties to create binding contracts via typical e-mails;
  • the timing of e-mail disclaimers (they come at the end of e-mails, after recipients have read the messages); and
  • the otherwise lack of confidentiality associated with e-mails, which has come to light through the ever-increasing number of e-fraud cases.

That said, it is always safer to err on the side of caution.  In the event your organization were unlucky enough to be sued for the contents of an e-mail, it may prove useful to have used an e-mail disclaimer.  At the end of the day, even though the enforceability of e-mail disclaimers may not have yet been judicially considered, having an appropriately drafted e-mail disclaimer may help mitigate your business’s liability in the event of an unfortunate e-mail mishap.

E-mail disclaimers should be drafted with legal and business considerations in mind in such a manner that reflects the values, marketing strategy and risk tolerance of your organization. Please contact me if I can provide any assistance in drafting an e-mail disclaimer that suits your organization’s needs.


Are the media subject to PIPEDA?

September 16, 2009

Is there one set of privacy rules for regular businesses and one for the media? In a past case summary, the Office of the Privacy Commissioner of Canada (the “OPC”) found that a radio station which had broadcast the name and comments of a caller who had phoned the radio station’s news tips line to relay specific details of a robbery was not a violation of the Personal Information Protection and Electronic Documents Act (PIPEDA). Why wasn’t this a violation?

PIPEDA contains provisions aimed at protecting the media’s right to “freedom of expression”, which is a pretty fundamental right worth protecting in a free and democratic society.  Specifically, PIPEDA’s privacy obligations don’t apply to “any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose”.  When the collection of personal information is solely for journalistic purposes, journalists aren’t required to obtain the consent of individuals about whom the information relates. The result is that if a journalist’s activities are truly “journalistic” then they can proceed with the collection and broadcast of personal information without seeking permission from individuals.  Of course, it’s still a good idea to obtain consent in most circumstances despite the exemption.   

When the media collects, uses or discloses personal information for reasons that are not journalistic, serious issues arise as they would for any regular business. In the finding noted above, the OPC determined that the personal information collected by the radio station was intended solely for journalistic purposes. That’s why the OPC was of the view that there had not been any violation of PIPEDA. Any illusion that the media are not bound by PIPEDA is wrong.  But there are appropriate exemptions in the law that help them to conduct their important work.


Laptop Encryption: “I don’t know what we have to do to drive this message home” says Commissioner

September 10, 2009

A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner.

In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more than 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted. 

These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But, where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.


“Crossing the picket lines” to privacy

September 8, 2009

Call off the strike: some trade unions are protecting more than their members’ collective bargaining rights. In fact, many unions have taken a proactive approach to privacy by creating policies that attempt to comply with the benchmarks set out in the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). However, there hasn’t yet been a case summary or court action under PIPEDA that definitively determines whether a union that collects personal information in their general capacity is obligated to observe the rules outlined in the legislation. As a result, some unions are complying with PIPEDA’s obligations to protect their members’ privacy and, regrettably, some unions are not.

The application of PIPEDA is dependent on the existence of a “commercial activity.” Although this term is vague, the case is strong that most union activities are, in fact, captured by PIPEDA. What is certain is the application of Alberta’s privacy legislation, the Personal Information Protection Act (“Alberta’s PIPA”), to the management of personal information by unions. The application of Alberta’s PIPA is not dependent on the existence of a “commercial activity”. As a result, a 2006 Investigation Report from the Alberta Information and Privacy Commissioner found that the collection of personal information by unions in their general capacity subjects them to the requirements found in Alberta’s PIPA. Manitoba’s Bill 219, The Personal Information Protection and Identity Theft Protection Act (the “Manitoba Bill”) is modeled after Alberta’s PIPA. Similar to Alberta’s PIPA, the application of the Manitoba Bill does not depend on whether an organization is engaged in a “commercial activity.”

As I’ve argued in previous posts, the Manitoba Government should support the Manitoba Bill (which was introduced as a private member’s bill by opposition member, Mavis Taillieu). The Manitoba Bill creates a level of certainty with regards to the privacy rights of union members. That’s one of the many reasons why the Manitoba government should “cross the picket lines” to privacy and support the Manitoba Bill in this fall session of the Manitoba Legislature.


Push on to unmask Ottawa’s toxic blogger: National Post

August 31, 2009

For over a year, there has been widespread speculation in Ottawa over who is behind a particular blog. In this respect, I’ve been retained by a prominent individual residing in the Ottawa area to deal with defamatory content on the blog and to discover the identity of the anonymous blogger (or bloggers) for court action and, ultimately, damages and costs. Click here to listen to my recent interview on point with Ottawa’s CFRA radio station. The matters discussed in the interview have received considerable national media attention including from the National Post, Maclean’s magazine, the Ottawa Citizen, the Winnipeg Free Press and the Ottawa Sun.


The conflict between mobile devices and privacy: can’t we all just get along?

August 24, 2009

The sound of ringing telephones has caused migraines for millions ever since Alexander Graham Bell placed the first call to Mr. Watson in 1876. But thanks to some newly released technology, that’s about to change. Got a headache? There is, to borrow a phrase from a successful ad campaign, an app for that. Bellaire, Texas med-web company BetterQOL is rolling out iHeadache, an iPhone application that purports to “classify” and assist with diagnosing a user’s headache. iHeadache is one of many cutting edge applications available for use with smartphones. Don’t expect this trend to stop any time soon: thanks to programs like Apple’s iPhone Developer (only $99 for the standard edition), it’s becoming even easier for technology-savvy businesses to create their own apps.

Still not convinced? Consider this list of impressive apps for today’s traveler: Pocket Express, an app that acts as a mobile concierge; Stanza, an app that allows a user to load magazines and books to their smartphone; and GoodFood, which helps a user pick and locate a restaurant based on an array of dining preferences. It’s a good time to be a smartphone user, but perhaps even a better time to be an entrepreneur. Smartphones are increasingly offering businesses a direct window into the hearts, minds and, yes, wallets of potential customers.

But it’s not all good news, privacy advocates remind us. Many smartphone apps guzzle fuel like your Dad’s ’70 GTO, except they’re eating personal user information instead of gasoline. For example, your app may record your location, gender and birth year before it spits out the location of that perfect sale you’ve been looking for. A sizeable amount of personal information is in play, but, fortunately, Ontario’s Office of the Information and Privacy Commissioner (“IPC”) has been ahead of the curve with its call for “Privacy by Design”. Initially unveiled over 10 years ago, the concept of Privacy by Design combines privacy and security measures at the design specification stage of a project. Instead of waiting until privacy problems pop up to deal with them, Privacy by Design contemplates a proactive approach toward potential privacy issues. This methodology uses Privacy Enhancing Technology such as encryption to provide both maximum security and privacy protection. It is, as the IPC bills it, a “win-win” situation. Other examples of Privacy by Design include anonymous billing systems and depersonalization software.

It’s an exciting time to be a technologically-inclined entrepreneur, but the privacy consequences of smartphone apps cannot (and should not) be ignored. Any business that is considering creating or otherwise implementing an app should consider the privacy implications of doing so, preferably at the early stages of project development.


Palm Pre phone secretly used GPS to report user’s location to company: Los Angeles Times

August 17, 2009

The Los Angeles Times is reporting that the Palm Pre phone secretly uses GPS to report users’ locations to the company.

It is an interesting story because it illustrates the importance of having clear privacy policies that customers can understand. It is also an interesting story because it (once again) demonstrates the attention that the media place on privacy matters and the potentially explosive reaction that customers can have if they feel their privacy isn’t being respected.


Changes to PIPEDA may be coming soon

August 10, 2009

Have you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand The Personal Information Protection and Electronic Documents Act (“PIPEDA”), get ready… changes may be just around the corner. 

PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years.  To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested.  A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.

Changes to PIPEDA may include:

  • a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada; 
  • amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
  • modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.

The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review.  Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.


Who are the identity thieves?

August 4, 2009

Headline after headline these days talks about the growing incidence of identity theft.  But who really are these identity thieves?  Do they work alone or for KAOS (Get Smart fans will understand this joke)?  To answer this timely question, there is a recent post on the Office of the Privacy Commissioner of Canada’s blog entitled “Who are these identity thieves?” 

The post cites an earlier survey by the Privacy Commissioner that shows that one Canadian out of six has been the victim of some form of identity theft and that more than 90% of Canadians report that they are concerned about identity theft. The Privacy Commissioner’s post also cites a report by Benoit Dupont, the Canada Research Chair in Security, Identity and Technology at l’Université de Montréal, and his colleague Guillaume Louis, which offers an illuminating profile of identity thieves. Here are some highlights:

  • 1.7 million Canadians were affected by identity theft in 2008.
  • More than 45% of cases of identity theft involve Internet use. However, the way “offenders” use the Internet is not as significant as we might think in terms of acquiring the victim’s personal information. On the contrary, it plays a greater role in actually committing fraud.
  • “Women account for nearly 40% of offenders. We believe that this strong presence can be attributed to the absence of violence inherent to this sort of crime and the possibility of committing the crime without help from an accomplice.”
  • “Identity thieves are relatively older than other offenders; the average age is 33 years.”
  • “Offenders acted alone in the majority of cases (64.6%), which seems to contradict the theory of extensive involvement by organized crime in this type of offence.”

The Privacy Commissioner’s post also cites a 2008 report released by the McMaster eBusiness Research Centre that showed that victims spent more than 20 million hours and $150 million resolving problems associated with these crimes.  If you’d like to read more about identity theft, please click on the “Identity theft” link under this blog’s Tags.


Is your business engaging in “cloud computing”? Probably.

July 27, 2009

Have you heard the term “cloud computing”, but aren’t really clear what it means?

Cloud computing is an umbrella term that refers to the use of Internet-hosted computer services. Think of your server — instead of having one in-house server located on company premises, an organization might opt to buy space on a third-party provider’s server. Other options include software hosting and data storage. By purchasing computing services from a variety of Internet-based providers, your computer needs are housed within a larger “cloud” of computer services.

Some organizations are opting for “Software as a service” (SaaS), and allowing their data to reside on other companies’ servers, or “the cloud”. Users only have to buy the space they need, which allows organizations to save money on their technology costs. Other benefits include access to people with technological know-how, flexibility and reduced maintenance costs.

Cloud computing is not new, but is now embedded into the fabric of modern business operations.  In fact, the Los Angeles Times has reported that the city of Los Angeles is considering using Google applications for all of its software needs. 

Privacy issues related to cloud computing, however, are profound. For example, many of the security questions that relate to traditional third-party data hosting were raised when a hacker broke into a Twitter employee’s work e-mail account and stole confidential company documents. The World Privacy Forum, meanwhile, has released a 28-page report on some of the privacy issues that relate to cloud computing. The report concludes that sharing information may expose some business users to liability, and emphasizes the importance of checking a cloud provider’s terms of service, privacy policy, and location.

Canadian businesses that engage in cloud computing should be reminded that they must do so in compliance with applicable privacy laws. For example, the Personal Information Protection and Electronic Documents Act obliges organizations that transfer personal information to third parties to ensure appropriate security safeguards are in place.

They should also be mindful of the raging debate about the perils of cloud computing that has been underway now for some time. While cloud computing has the potential to provide benefits, organizations should ask themselves whether it is worth the risks it poses. You might save money in the short run, but is it worth the potential of a massive privacy breach? 


Facebook criticized by Canada’s Privacy Commissioner: Canadian businesses can learn from high profile investigation

July 16, 2009

The Office of the Privacy Commissioner of Canada (the “OPC”) has just released an in-depth investigation report into a wide-ranging PIPEDA complaint by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) about the privacy practices of Facebook.  There is extensive domestic and international media coverage on this today including a story just posted by New York based Bloomberg News, which includes commentary by yours truly. 

While the OPC’s Facebook investigation should be a “must read” for all Facebook users, it also provides some insightful information for Canadian organizations regulated by PIPEDA. The lessons that can be learned from the investigation can be applied by Canadian businesses regardless of whether their activities are online or offline. 

Despite the fact that “[i]t’s clear that privacy issues are top of mind for Facebook…” federal Privacy Commissioner Jennifer Stoddart says that the OPC has found “serious privacy gaps in the way the site operates”. According to Stoddart, in order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care.  An overarching concern of the OPC was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers. The OPC recommends more transparency, to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.

The investigation also raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes. (There are more than 950,000 developers in some 180 countries.) Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information, the investigation found. The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.

The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts, which is a violation of PIPEDA. The law requires organizations to retain personal information only for as long as is necessary to meet appropriate purposes. Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.

Click here to read the OPC’s News Release, here for the full investigation report and here to read a helpful backgrounder.  If you’d like to read more about Facebook, please click on the Facebook link under this blog’s Tags (below).


Portable Storage Devices (PSDs): Lessons learned from Australia and New Zealand

July 13, 2009

The Australian and New Zealand Privacy Commissioners recently released studies examining the use of Portable Storage Devices (PSDs) by their governmental agencies. The aim was to examine the risks to personal information posed by the use of PSDs.  PSDs are small, convenient devices that are capable of storing large amounts of information, including laptops, cell phones, USBs, hard drives and iPods.

The studies found that government agencies often keep track of the PSDs they issue but seldom do audit checks on those devices. Policies regulating the proper usage are often developed, but rarely enforced. Hardware controls (i.e. sealing off ports and disabling cables) are used less frequently than software controls (i.e. blocking access to certain databases, monitoring access and information downloaded, etc.).

The majority of agencies (like most private sector businesses in Canada) also allow the use of private PSDs for work (i.e. a cell phone which is used for both personal and business purposes). The studies found that policies regarding the use of private PSDs were less common and much less enforceable than policies for agency-issued PSDs. Even though these studies only analyzed governmental use, the New Zealand Privacy Commissioner stated that she believed the findings were equally applicable to private sector businesses as well.

As I’ve commented in previous posts, there are privacy risks associated with the use of PSDs. First of all, there have been numerous incidents of stolen laptops and other PSDs that contained personal information. Secondly, devices such as USBs are easy to lose. Thirdly, disgruntled employees can easily use PSDs to steal personal information and other confidential corporate information from employers.  For example, an employee can simply click a button and download a company’s entire database in a matter of minutes. This is called “pod-slurping” and is especially a threat given the fact that many government agencies and private companies do not have the software capability to track when data has been downloaded to a PSD.

In order to avoid a privacy breach and resulting damage to your business, consider implementing some of the suggestions contained in a 2006 investigation by the Alberta Privacy Commissioner (which I would add should, of course, be implemented in accordance with your organization’s privacy policy and applicable law):

  1. Develop policies on proper usage of PSDs (whether company-issued or private) and train employees about these policies. Include detailed instructions about retention and deletion of personal information;
  2. Limit the amount of personal information that is stored on PSDs;
  3. Use encryption on all PSDs that store personal information. Password protection alone is not sufficient as there are free software programs available on the Internet which can crack passwords;
  4. Monitor the use of PSDs through software (i.e. install software that tracks data downloaded from a database onto a PSD);
  5. Instead of using PSDs, implement technologies that allow employees to access a database through a secure network;
  6. With respect to laptop thefts, consider installing tracking software that can trace the location of a lost laptop. Also consider installing a “kill switch” so that the computer will self-destruct if an individual tries to gain unauthorized access; and
  7. Stress to employees the need to use appropriate safeguards at all times, even when at home.

Smartphones in the workplace: what’s your business doing to manage the risk?

July 6, 2009

Recently, an interesting article in the Globe and Mail dealt with the issue of smartphone etiquette. Business professionals fidgeting with their BlackBerrys and iPhones in meetings, walking through airports with eyes glued to their small glowing screens and operating their devices in restrooms may seem unrealistic at first blush, but is it really? The reality is that smartphones have permeated the business world. They are everywhere, they are powerful and have the potential to be extremely damaging.

Breaches of confidential corporate data and personal information are nothing new to the business world, but smartphones have brought a new dimension to the problem. Smartphones are starting to make appearances in Canadian court cases in a supporting role, but it won’t be long before they are squarely in the spotlight. The latest iPhone model has up to 32GB of memory while BlackBerrys can store vast amounts of data on memory cards. The equivalent of entire filing cabinets can now be carried around conveniently in your shirt pocket. This reality has increased the risk for massive privacy breaches in the blink of an eye.

The big question is how involved should employers be in regulating and monitoring their employees’ use of smartphones? All-encompassing monitoring of employee smartphone use is a touchy area, but the permeation of smartphones in today’s corporate world and the corresponding risks to businesses necessitate (at the very least) that employers implement relevant guidelines concerning their use in the workplace. All it takes to damage a business is for one employee to misplace their smartphone without having first activated their security settings.


Privacy insurance: read the fineprint

June 28, 2009

Your business has insurance for typical business risks, but will your insurance protect you from liability arising from privacy law compliance?

People are increasingly aware of their privacy rights. This heightened awareness has translated into a greater willingness to initiate costly and time-consuming privacy complaints. Thanks to laws like the Personal Information Protection and Electronic Documents Act (PIPEDA), the reality for businesses is that non-compliance with privacy laws can take a chunk out of the bottom line. Given the costs associated with failing to meet legal standards, it’s not surprising that many insurers now offer privacy insurance coverage. But what is privacy insurance, and will it actually protect your business when you need it most? The scope of coverage offered varies depending on the provider, so it’s important to read the fineprint.

Be sure to ask what the policy covers. Some policies limit privacy insurance to protection from hacker attacks. But while hackers are a serious issue for any business, your insurance plan may need to do more. Depending on your jurisdiction and the applicable privacy laws, you may want to look for protection against any costs that can be imposed by the regulatory agencies that oversee compliance with privacy legislation. Otherwise, you might find you’re on your own for your business’s failure to fully meet the legal requirements for personal information under your control, including obligations to respond to access to information requests, obtain consents and ensure the accuracy of personal information holdings. It’s also a good idea to evaluate your existing protection. Your current business insurance may already provide you with the coverage you need. If, for example, your errors and omissions insurance already protects you against privacy breaches, purchasing additional insurance may not be necessary.

Consider what the privacy insurance plan won’t cover. Many plans don’t cover illegal or fraudulent employee conduct, and some stop short of protecting against anything beyond the unauthorized release of personal information. Court defence costs may also be excluded. Make sure you read the plan or have your lawyer go over it before you buy it.

Finally, don’t forget that the best insurance policy is to take as many proactive steps as possible to get your privacy house in order. If you’re reading this blog, chances are you already have some of these measures in place. If not, consider comprehensive privacy policies and procedures that are reviewed and updated on (at least) an annual basis by legal counsel with expertise in privacy law. Staff privacy training is another excellent proactive step. As the saying goes, the best offence is a good defence!


Manitoba Ombudsman’s 2008 Annual Report Released

June 25, 2009

The Manitoba Ombudsman’s Office recently released its annual report outlining the activities of its Access and Privacy Division in 2008. Here are some highlights…

Of the 198 new access complaints that were launched, 134 (68%) dealt with “refused access”. This indicates that the provincial government and public bodies either have to be more willing to grant access when requested or do a better job at explaining their rationale for refusing access. Of the 207 cases that were closed in 2008, 38% of the complaints were supported by the Ombudsman, 35% were not supported and 5% were resolved before the Ombudsman could issue a finding. This indicates that not all of the complaints brought to the Ombudsman are without merit. The public appears to have a relatively good understanding of what their rights are under FIPPA and PHIA.

The Ombudsman has also been proactively involved in the development stages of legislation and programs in order to address potential privacy issues. For example, the Ombudsman expressed concerns about the technology used in Enhanced Drivers Licenses (EIC). Radio Frequency Identification chips store the necessary information on the EICs, but the chips are always “on”, meaning that they can be read by unauthorized individuals. This concern is being addressed by providing the cardholder with a protective sleeve. However, if the sleeve is ripped, torn or used improperly, it will not provide the necessary protection. Therefore, the Ombudsman has stressed that it is essential that individuals understand the privacy implications of opting into the EIC program.

The Ombudsman has also been involved in assessing the use of closed-circuit television monitoring by Winnipeg Police, who have agreed to follow the recommendations of the Ombudsman and will not live-monitor the cameras and will work towards developing retention policies and technology to “sever” individuals from images which are not relevant.

Overall, the Ombudsman largely applauds public bodies and government agencies for addressing privacy concerns in the development phases of new programs and legislation. However, it is clear that public bodies need to do a better job of dealing with access requests.


Eddie Van Halen takes on Nike in IP battle

June 18, 2009

Rock legend Eddie Van Halen, best known as the lead guitarist of Van Halen, is reportedly taking legal action against Nike over the alleged use of his signature guitar color scheme on Nike’s new Nike Dunk runners.  Van Halen had the red, white and black splattered design most commonly associated with his “frankenstrat” guitar copyrighted in 2001.  Van Halen is claiming that the Nike shoes are damaging his image and “causing irreparable harm and damage” to his design.  Nike has refuted the allegations and stated that “the Dunk shoe design is not substantially similar to any of the Van Halen designs, and Nike has not referenced the Van Halen name or image as part of any marketing campaign or promotional material associated with the shoe.” Interestingly, Van Halen recently released his own shoe line called EVH shoes, which feature the recognizable pattern.

This case is noteworthy because it demonstrates the importance of intellectual property rights and how some protect such assets.  Having a copyright gives Van Halen the right to control how his design can or cannot be used.  Intellectual property rights allow owners to protect their assets against infringement and defend their rights in court. A successful claim may result in monetary damages, an injunction from the use of the infringing material or destruction of the infringing material.  Van Halen is taking advantage of the court process by claiming damages and the destruction of all products associated with the Nike Dunk runners. On the other hand, lawsuits can be expensive, and in order to infringe, the materials have to be substantially similar.  It’s questionable whether the Nike Dunks bear a substantial similarity to Van Halen’s guitar design.  Remember the high profile decision between The Wyrd Sisters, a Winnipeg folk group, and Warner Bros. Entertainment Inc. that saw the band lose a considerable amount of money (including $140,000 in costs) when the judge ruled that the band’s name would not be confused with a band in one of the Harry Potter movies.

Finally, Van Halen may be “running with the devil” and opening himself up to his own copyright infringement lawsuit.  The EVH shoe line has been argued by some as bearing a striking resemblance to Converse All-Stars, a company that just happens to be owned by – you guessed it – Nike.


Raitt tape release highlights murky rules of privacy law

June 11, 2009

Today’s National Post story about a Nova Scotia judge’s decision to allow the publication of a private conversation between Natural Resources Minister Lisa Raitt and her former aide casts a spotlight on a murky area of privacy law. 

As reported by the National Post, the unusual case raises questions about what constitutes a “reasonable expectation” of privacy in a world where digital recorders and handheld wireless devices are omnipresent. As I’m quoted in the story, “[researchers] said some years ago that new privacy rules were going to put existing business practices under a microscope. I think what we’re seeing now is technologies are putting existing legal principles under a microscope.” Fellow blogger Dan Michaluk  is also quoted.

Read the full story here


IP Osgoode (at Osgoode Hall Law School) names On the Cutting Edge “Pick of the Week”

June 10, 2009

I was delighted to learn that IP Osgoode has named this blog the “Pick of the Week”!

IP Osgoode at Osgoode Hall Law School in Toronto is a new, independent and authoritative voice which explores legal governance issues at the intersection of intellectual property (IP) and technology. If you haven’t yet visited the IP Osgoode website, I would encourage you to do so as it contains some great content.

If you are also interested in finding additional resources, you may want to visit the Nymity website. Of particular interest, the Nymity website has a section dedicated to recent privacy breaches and recent privacy studies. Finally, you may also want to visit the Canadian Association of Professional Access and Privacy Administrators website.

Hope these links help!


Social networking websites and employer-employee relationships

June 2, 2009

As I’ve previously discussed, social networking websites such as MySpace and Facebook are provoking new questions about the appropriate boundaries in employee-employer relationships. This is evident in a United States Federal Court case coming to a head in New Jersey. The case pertains to the conduct of a manager who logged into a private social networking website and observed employees slandering company supervisors and customers. Those same employees were later dismissed. The case exemplifies a rapidly expanding “grey area” between an employee’s work life and personal social life. It begs the question, at what point does a “private” comment to a friend made outside of the office constitute defamation, and at what point are such comments simply banter between individuals?  Of course, the answer is, it all depends on the facts.

For an interesting discussion on the matter, check out Myrth on a Blog, a personal journal of law, technology and social media.


Information & Ideas team speaks out on slaw.ca

May 29, 2009

It’s been a thrilling week for my colleagues at Pitblado LLP as it was announced earlier this week that we were to be the 1st Canadian law firm to be a guest blogger on the must-read slaw.ca.  Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group as well as our firm’s librarian each contributed one post a day this week to slaw.ca on cutting edge legal topics.  Here’s what we covered…

On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross posted on my blog earlier this week.  The post highlights a YouTube video of an irate customer as a reminder to Canadian businesses of the powers of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.

On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter.  As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.

On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions.  For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.

On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.

And last but not least, today Adam Herstein posted “Manitoba: Innovative Fighter of Child Sexual Exploitation”, which focuses on Manitoba’s recent enactment of The Child and Family Services Amendment Act (Child Pornography Reporting) (Manitoba) and how Manitoba is the first province in Canada to enact legislation that makes it mandatory for a person who encounters child pornography to report it to authorities.  Adam also notes that Canada has a national tipline called Cybertip.ca for reporting the sexual exploitation of children.

Thanks to slaw.ca for the opportunity to contribute!


What would happen if one of your employees posted a video of an irate customer on YouTube?

May 25, 2009

The posting of a YouTube video of a woman throwing a tantrum at the Hong Kong International Airport should serve as a reminder to Canadian businesses that employees these days can (and do) easily record and post videos online from their mobile phones.

The three-minute video shows a Cathay Pacific customer yelling and flailing her limbs as she lies on the floor after missing her flight from Hong Kong to San Francisco. I’ve been upset at missing a flight before, but the woman in this video takes things to an entirely new level. The video has drawn over five million views and nearly 21,000 comments, which has resulted in some incredibly cruel and objectionable online commentary about the woman. Since the release of the video, Cathay Pacific has disciplined the gate worker who recorded the video on his mobile phone (although the video was posted on YouTube by a third party) and the company has issued a formal apology to the woman.

The video is noteworthy because it demonstrates the power of new technologies such as YouTube and the corresponding risks to Canadian businesses. Had the video been recorded by an employee of a Canadian business, subject to Canadian privacy laws, the potential privacy complaint and/or lawsuit by the woman in the video could have been substantial. 

Canadian businesses should be reminded of the need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.

Canadian businesses don’t need to look too far to find examples where more effective employee privacy training may have mitigated, or even prevented, privacy complaints.


Private-sector privacy law debated in Manitoba

May 21, 2009

The Manitoba Legislature is currently debating Bill 219, The Personal Information Protection and Identity Theft Protection Act.

The Bill has been introduced as a private member’s Bill by Mavis Taillieu of the Opposition Progressive Conservative Party of Manitoba. It seeks to regulate the collection, use and disclosure of personal information by organizations in the private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).  It would also establish a duty for organizations to notify individuals who may be affected when the personal information an organization has collected is lost, stolen or compromised.  Such a requirement would be groundbreaking in Canada (notwithstanding Ontario’s Personal Health Information Protection Act, which has a mandatory breach notification requirement).

Regrettably, the Government of Manitoba indicated in the Legislative Assembly debate last week that it has two primary concerns with the Bill.  The first concern is that the Bill lacks an independent oversight body such as a Privacy Commissioner of Manitoba. Legislative rules prevent private member’s Bills from containing financial penalties and so the Bill could not contain such provisions.  However, the government could add those provisions in amendments.  In fact, I assisted with the drafting of the Bill and would happily provide the government with the relevant provisions. The second concern raised by the government is that the Bill would introduce legislation in Manitoba that (according to the government) would regulate activities in the private sector already governed by PIPEDA. However, PIPEDA does not apply to the activities of private sector organizations in provinces such as Alberta and British Columbia, both of which have Personal Information Protection Acts, because PIPEDA does not apply where “substantially similar” provincial legislation exists.

The Bill was first introduced in 2005 and since that time the need for such a law has significantly grown.  It’s modelled after Alberta’s Personal Information Protection Act, which provides a more business-friendly and clear legislative scheme than PIPEDA.  As I’ve previously argued, it would be good policy for the Government of Manitoba to support the Bill and I once again urge them to do so. 

If you want a more business-friendly privacy law in Manitoba, I’d strongly encourage you to contact the Government of Manitoba and Mavis Taillieu to indicate your support. 

Additional coverage on this topic by the Canadian HR Reporter here.


When should businesses use the ® or ™ symbols?

May 13, 2009

You have probably seen the ® or ™ symbol on products or in advertisements. But what do these symbols mean and when is it appropriate to use them?

Generally, the ® or ™ symbols are used in connection with a trade-mark, which is a word, symbol or design used to distinguish the wares or services of one person or organization from those of others. Trade-marks can be valuable intellectual property.

The Trade-marks Act (Canada) (the “TM Act”) does not contain any marking requirements. However, trade-mark owners often indicate their registration through certain symbols, namely, ® (registered) or ™ (trade-mark). Although the TM Act does not require the use of these symbols, in Canada, the ™ and ® symbols may be used whether the trade-mark is registered or not. However, while this is not a requirement of the TM Act, the ® should be used only if the mark is registered with the Canadian Intellectual Property Office. If the ® is used and the mark is not in fact registered, it may be possible for someone to argue its use amounts to false advertising. The ™ suggests the mark is not registered, but can help establish distinctiveness in the mark.

One should be especially careful using the ® outside Canada. In certain jurisdictions, including the U.S., ® may only be used by the owner of a mark following registration with that jurisdiction’s trade-mark office. For example, if a Canadian company is marketing a product in the U.S. and its mark is not registered with the U.S. Patent and Trademark Office, it would not be able to use the ® in connection with its mark and could only use the ™, even if the company has been using ® in Canada all along.

Businesses should consider having their intellectual property “audited” by legal counsel with an expertise in the field and, in doing so, developing an appropriate trade-marks business strategy. When I advise my clients on trade-marks matters I often rely on the expert counsel of my friends and colleagues Jolin Spencer (whom I should thank for this blog post), Robert Watchman and Howard Nerman, all of whom have expertise in trade-marks law.


Canada’s Privacy Commissioner, Jennifer Stoddart, profiled in Canadian Lawyer

May 5, 2009

This month’s Canadian Lawyer magazine’s feature article, entitled The Privacy Dance, profiles Canada’s Privacy Commissioner, Jennifer Stoddart.  The article provides an excellent overview of contemporary privacy issues in the context of featuring the esteemed career of Stoddart.

In my view, Canada is very well served by Stoddart and her team at the Office of the Privacy Commissioner of Canada.  As a result, it’s nice to see that Stoddart’s ongoing efforts to protect and promote the privacy rights of Canadians are being recognized by the Canadian Lawyer Magazine.


New generic Top Level Domain extensions announced

May 5, 2009

Earlier this year, the Internet Corporation for Assigned Names and Numbers (“ICANN”) announced that they will be opening up the generic Top Level Domain extensions (the “gTLDs”) to allow for personalized extensions.  I could (for a mere US$185,000.00+) now apply for a .brian or even a .privacy.  And while the chances of me starting a .brian are very slim, it will be interesting to see how many organizations pay the application fee and create their own .blank extension.  Opening up the gTLDs will likely force trademark owners to evaluate their brand strategies and, in doing so, weigh the costs and benefits of buying any or all gTLDs related to their brand.

If you’re a trademark owner and you want to approach your strategy conservatively, then you may want to take a defensive position and register any of the gTLDs that relate to the business in which you’re engaged.  The list of commercial gTLDs would include .com, .net, .info, .org, .tel, .biz, .mobi, .tv and any other TLDs that seem to have a commercial application.  Additionally, you may want to register and maintain the country code domain names (ccTLDs) in the jurisdictions where your organization offers, or plans to offer, its products or services.  Once this is completed, you should then register any known variations of your trademark.

While, in theory, this is a very effective strategy – in practice, this strategy will be more difficult to execute.  For example, the owners of Lego currently own 450 domain names within the TLDs.  They recently pursued and won a WIPO arbitration decision against a cybersquatter who had registered the domains Justlegos.com, legosonly.com, and onlylegos.com, illustrating that even the most vigilant defensive strategy for the registration of domain names cannot prevent all infringements.  As such, any brand strategy should be accompanied by vigorous monitoring and enforcement.  The decision about which TLDs to register is a business decision that must weigh the cost of brand enforcement from a defensive position and an offensive position.


Do you know Internet 101?

April 30, 2009

Are you a parent with children who use the Internet? Do your children have a better understanding of this new and constantly changing technology? Have your children ever texted “fts” or told you to “bma” in an online message? I sure hope not!

If you have children, I’d encourage you to visit the Internet 101 website, which provides some great information to increase your computer knowledge. The site provides excellent resources including Tutorials to help you learn more about the online world, Technical Tips to help keep your computer secure, Chat Lingo to help you learn the online lingo, Popular Online Activities to expose you to what today’s youth are doing online, and an Internet Agreement to be signed between parents and children to help your family stay safe in the online world.

Even if you don’t have children, there is some valuable information on the site worth reading.


Pandemics and privacy

April 27, 2009

Over the past couple of years, the world has been preparing for a pandemic. Most experts believed that the avian flu was the most significant threat that faced the world, but recent declarations of a potential pandemic with confirmation of cases in Mexico, the U.S. and Canada from a swine flu have led to fears that the next pandemic is upon us.   In the event of a pandemic, the government of Canada has set up a website, which will provide information to the public.

In times of fear, governments and citizens alike often overreact to address a threat.   It is times like this that individuals, in addition to heeding advice about how to avoid the flu, should be vigilant about what measures the government may be taking to address this health crisis.  Last summer, Canada experienced another health crisis when a strain of listeria was found in certain meat products.  Tragically, by the time it was over, 21 people had reportedly died.   The public health crisis was announced mid-August, but a team of researchers at Google later found that searches for the term listeriosis spiked in Canada about a month before the public announcement.  An article published in the Canadian Medical Association Journal indicated that those searches lined up with the peak of the outbreak while the public announcement came while new cases were on the decline. 

The analysis of aggregated search trends has been proposed as a means to fight pandemics and outbreaks of illnesses.  However, even those proposing this analysis have admitted this type of analysis is complicated because it is difficult to know who is searching and why.   In the Government of Canada’s News Release on April 26, 2009, a short privacy policy was cited stating that although Service Canada does not normally use cookies, if you have cookie notifications set on your browser, you would be notified.  However, earlier this month, the same site indicated that the Pandemic Influenza Portal did not normally use cookies to track visitors to the site and that the system would notify you before any cookies were used so you could refuse them with no reference to what your computer settings were. 

This change is a minor one but it may possibly be an indication of the small bits of privacy that Canadians will be expected to give up during these times of concern.


Government introduces anti-spam legislation

April 24, 2009

The Government of Canada announced today the introduction of anti-spam legislation called the Electronic Commerce Protection Act (“ECPA”) that “aims to boost confidence in online commerce by protecting the privacy and personal security concerns that are associated with spam, counterfeit websites and spyware.”

According to the government’s News Release, the ECPA would allow businesses and individuals to initiate civil actions against anyone who violates the law.  The ECPA deals with unsolicited text messages, or “cellphone spam”, as a form of “unsolicited commercial electronic message”.

It would establish a regulatory enforcement regime that would enable the CRTC to impose penalties of up to $1 million for individuals and $10 million in all other cases.  The Competition Bureau would use a penalty regime already provided for in the Competition Act, and the federal Privacy Commissioner’s powers to cooperate and exchange information with her counterparts would be expanded in respect of the Personal Information Protection and Electronic Documents Act.

The ECPA is nearly 70 pages long.  Stay tuned to this blog.  As soon as I’ve been able to digest the content I’ll post again on how the ECPA is likely going to affect Canadian businesses, especially those engaged in online marketing.


Bankruptcy and privacy considerations

April 22, 2009

The current global economic climate has led to a growing number of bankruptcy and insolvency proceedings, particularly in the U.S. In dealing with these proceedings, many business leaders have not paid enough attention to the role of privacy law and its impact on the bottom line.

A prime example is the bankruptcy of U.S. online toy retailer, Toysmart.com. Toysmart.com had collected vast amounts of personal information from its online consumers in accordance with its privacy policy, which stated that the company would never share its database with third parties. Despite the promise, Toysmart.com then made attempts to sell the database. The U.S. Federal Trade Commission (“FTC”) then sued Toysmart.com seeking injunctive and declaratory relief to prevent the sale of the database by Toysmart.com. The complaint alleged that Toysmart.com had violated U.S. law by misrepresenting to consumers that personal information would never be shared with third parties, and then disclosing, selling and offering that information for sale. Toysmart.com later settled with the FTC. The settlement agreement forbade the sale of the database except under very limited circumstances.

Of course, Canadian companies are subject to Canadian privacy laws such as PIPEDA, which require the consent of individuals for the disclosure of personal information to third parties. In structuring privacy policies, Canadian companies should consider all outcomes including bankruptcy. As a result, privacy policies should be carefully drafted with consideration of the possibility that personal information may be shared with third parties in the event of bankruptcy.  Doing so will almost certainly not be enough to fully comply with Canadian legal requirements, but it’s a prudent step in the right direction – especially in these uncertain economic times.


Technology drives need for new privacy legislation

April 20, 2009

The Lawyers Weekly (a national newspaper for the Canadian legal profession) recently approached me to publish an article for their “Focus on Information Technology” section of the newspaper.  The request gave me pause to think about the impact on Canadians’ privacy of recent technological advances such as e-mail, instant messaging, online forums, blogs and social networking websites (such as Facebook and Twitter).  Upon reflection, I concluded that these technological advances are the driving force for what I argue are increasing calls for a “third wave” of privacy laws. 

The “first wave” of privacy laws (such as the federal Privacy Act) were introduced decades ago to protect the privacy of individuals in respect of public sector government bodies. The “second wave” of privacy laws (such as PIPEDA) were introduced more recently to protect the privacy of individuals in respect of private sector businesses.  Arguably, the only missing link in this chain of privacy protection, and what could be the focus of a “third wave” of privacy laws, is protecting individuals from violations of privacy by other individuals in the non-commercial sphere.  My goal with the article was not to promote a “third wave” of privacy laws, but rather to engage Canadians in a debate about whether such laws are required. 

 

I hope you click here to read the full article! 

 

I also encourage you to share your thoughts on whether – in the era of Facebook and Twitter – the status quo is sufficient or whether a “third wave” of privacy laws are needed.

 

 


“Digital footprints”: What’s being left behind in the electronic world?

April 15, 2009

Businesses are increasingly being asked to reduce their “carbon footprint”. And while many customers are interested in doing business with organizations that are trying to reduce their carbon footprint, many customers are also concerned about their own “digital footprints”.

The Discovery Channel has an interesting online tool that allows you to play a simple scenario by conducting your normal transactions as you would on any given day. Doing so shows you how often you provide your personal information to businesses and governments. You can then play the scenario again to try to reduce your digital footprint. Click here to play!

Businesses can help reduce their customers’ digital footprints by ensuring they only collect the personal information of customers necessary for the purposes identified by the organization and required for particular transactions. Additionally, businesses should avoid collecting personal information indiscriminately. As I’ve mentioned in a previous post, reducing the volume of personal information that a business collects (and is then responsible for safeguarding and destroying in accordance with applicable privacy laws) helps customers to reduce their “digital footprints”.  It also helps businesses to comply with privacy laws like PIPEDA and improve customer relations.


Can U.S. residents make privacy complaints to Canada’s Privacy Commissioner?

April 13, 2009

Does PIPEDA apply to non-Canadians? It’s a common question.

PIPEDA applies to organizations that collect, use, or disclose “personal information” in the course of a commercial activity. The definition of “personal information” does not specify the residency of the individual to whom the personal information must relate. As a result, organizations are well-advised to manage their personal information holdings in accordance with all of the obligations set forth in PIPEDA regardless of the residency of the individuals to whom information relates. If they don’t, non-Canadians (including U.S. residents) may initiate privacy complaints to the Office of the Privacy Commissioner of Canada.


Upcoming Canadian Privacy Law Conferences

April 13, 2009

Ongoing privacy training is a vital tool to assist with privacy law compliance. In this respect, the following Canadian privacy law conferences in the coming months may be of interest to you or others in your organization:

  • On May 20, 2009, the Manitoba Bar Association will be hosting an IP/Technology Section luncheon where I will be speaking about emerging privacy issues. Of course, you need to be a member or a guest of the Manitoba Bar Association to attend.
  • On May 27 and 28, 2009, I will be one of several speakers in Toronto for The Canadian Institute’s Meeting your Privacy Obligations conference where I will be speaking on the topic of ‘Demystifying the confusing area of lawful disclosure’.
  • From June 10-12th, the University of Alberta will be hosting the 2009 Access and Privacy Conference: The Pursuit of Truth.
  • From June 17 – 19th, I will be speaking in Winnipeg at the National Credit Institute’s 2009 CIC National Conference: “Back to our Roots, Forward to our Future” on the privacy law matters affecting those in the credit industry.
  • The Privacy Security Trust 2009 (PST2009) will be hosting the Seventh Annual International Conference on Privacy, Security and Trust in Saint John, New Brunswick from August 25 – 27, 2009.
  • The 2009 IEEE International Conference on Information Privacy, Security, Risk and Trust will be held in Vancouver, British Columbia from August 29 – 31, 2009.
  • If there are other Canadian privacy law conferences in the coming months that I haven’t listed, please post a Comment or drop me an e-mail so I can update this post. If you, or your industry association, are interested in more focussed privacy training, please let me know as I regularly conduct in-house privacy training sessions for clients.


    Google Street View: Can companies take your picture in public places without your consent?

    April 9, 2009

    Another day, another development in the Google Street View story.  Canada’s Privacy Commissioner and several provincial privacy commissioners have commented on street level imaging technology by releasing a timely Fact Sheet on the related privacy issues. 

    The commissioners point out that “a common misconception is that a company doesn’t need your permission to take your photograph in a public place.  In fact, one of your key protections under Canadian privacy law is that you should know when your picture is being taken for commercial reasons, and what your image will be used for.  Your consent is also needed.”

    The Winnipeg Free Press is also running an excellent story in today’s newspaper, which highlights some of the broader issues related to Google Street View.   Arthur Schafer, a professor at the University of Manitoba and director of the Centre for Professional and Applied Ethics, comments in the story about the related ethical issues while I comment in the story about the related legal issues.


    Google Street View battle may impact how Canadian privacy laws enforced

    April 6, 2009

    The looming battle between privacy advocates and Google Street View could have implications beyond Google and its Canadian-based service providers, who are currently taking detailed photos of Canadian cities.  I’m quoted in today’s Winnipeg Sun article on this issue, where I argue that the implications of the Google Street View battle could extend to how Canadian privacy laws are interpreted and enforced.

    If you’re not ramped up on Google Street View, you may want to read the Wikipedia description, which does a good job of explaining the Google service. David Fraser also has an illustrative blog post, which highlights the remaining privacy issues despite Google’s efforts to blur faces and licence plates. 

    Despite the fact that Google’s Canadian-based service providers are taking pictures in public places, Canadian privacy laws generally require the consent of individuals for the collection of their personal information.  In fact, the first ever Case Summary under PIPEDA dealt with video surveillance activities in public places.   In the Case Summary, the former Privacy Commissioner advised the company being investigated that its intended public video surveillance for commercial purposes was unlawful and should not be pursued.   More recently, and on point, Canada’s Privacy Commissioner, Jennifer Stoddart, has sent a letter to Google outlining the concerns about Google Street View from a Canadian privacy law perspective. 

    Stay tuned… this story is just beginning.


    Announcement

    April 1, 2009

    The following was published on April 1st, 2009 (April Fool’s Day)…

    I’m pleased to announce that after 9 years in private practice, I have decided to leave the profession of law.  

    I’ve really enjoyed practice, especially my work in the areas of privacy and access to information law.  Effective immediately, however, I’ve joined the offshore data mining firm, PrivacyInvader Inc., who have retained me on a full-time basis to help them “navigate” around Canadian and international privacy laws in a commercially viable manner.  As a result, I will not be continuing my practice or this blog.

    If you believe the above announcement, April Fools!

    In fact, I’m pleased to advise that I’ve been invited to join the partnership of Pitblado LLP effective January 1, 2009.  A formal announcement will be made in the coming weeks. 

    The reality is that I’ve truly enjoyed working at Pitblado LLP and look forward to continuing at the firm for many more years.   I’ve been blessed with a wonderful group of clients whom I have the privilege of providing counsel to on a day to day basis.  The best part of my practice is getting to work with personable and professional colleagues and clients, many of whom have become good friends.  I’m very excited to continue my practice, albeit in my new role as a partner.


    Businesses can be defamed

    March 30, 2009

    As you know, instant messaging, text messaging, blog postings, online chat forums and social networking websites (such as Facebook and MySpace) have changed the way in which people communicate.  Regrettably, however, many of these new communications tools (in particular, online forums and social networking websites) are being used to defame not only individuals, but businesses as well.  It should not be forgotten that businesses can be defamed.

    In general, the defamation (written and spoken) of a business occurs when a party lowers the reputation of a business in the estimation of other members of society or an industry.  Since a business doesn’t have “feelings”, defamation cases related to businesses focus on the damage to a business’ reputation or goodwill due to the comments of another party.   The following court cases are worth checking out, both of which confirm that a business can be defamed and, as a result, is entitled to receive monetary compensation.

    In Barrick Gold v. Lopehandia, the defendant was found liable for a massive online defamation campaign initiated by the defendant against the plaintiff.  The defendant had posted comments on gold and mineral investor related online forums defaming the plaintiff.  The Ontario Court of Appeal noted that Internet defamation is different than traditional written forms of defamation since online defamation, or “cyber libel”, is often taken at face value, and is capable of instantly reaching an unlimited number of persons around the globe.  The plaintiff corporation was awarded $75,000 in general damages for damage to its reputation and goodwill, $50,000 in punitive damages, and a permanent injunction to prevent further postings.

    In WeGo Kayaking Ltd. et al v. Sewid, the British Columbia Supreme Court awarded $250,000 in general damages to the plaintiff corporation in relation to “review” comments posted online that incorrectly and intentionally classified the plaintiff as a “bad” tour company.

    Defamation doesn’t just happen to individuals.  These cases serve as a reminder to businesses that they are capable of being defamed and, as a result, should diligently protect their online reputations.


    The National Do-Not-Call List, PIPEDA and risks with third party opt-out websites

    March 25, 2009

    I recently discussed with Nymity News some of the privacy issues related to third party opt-out websites. Specifically, I highlighted in the interview the risks facing organizations who honour requests from such websites.  Marketing research organizations such as those that are members of the MRIA may find the interview of particular interest, but it’s still worth reading regardless of what industry your business operates in if you’re not yet aware of these types of third party opt-out websites.


    One small step…

    March 24, 2009

    In terms of privacy, as with many other things, each step forward seems to come with a catch that makes the step forward a little smaller than one would hope.  Google, in response to demands from privacy advocates and users, has taken a progressive step forward and created a means for users of Google to opt out of their targeted advertising by allowing a user to access Google Ad Preferences to change settings or to opt out completely.

    At the same time, Google has announced plans to launch a new type of targeted advertising.  Currently, when an Internet user visits a webpage with Google Adsense, Google will store cookies on a user’s computer and remember their interests from previous searches.  The example used by Google is that if you have an interest in gardening, you may be shown gardening ads along with those related to the site you are visiting.

    While Google’s addition of its Ad Preferences program is encouraging for privacy advocates, it does come in the wake of an entirely new and – according to privacy advocates – more invasive means of targeting ads at users.  As part of this new initiative, Google has asked all Google Adsense publishers to update their privacy policies to notify users of their site of the fact that interest-based advertising will be displayed.

    The Privacy Commissioner once noted that although PIPEDA (and other privacy legislation) imposes obligations on organizations to take appropriate measures in protecting personal information, sometimes the more important role of privacy legislation is to help people shape their view of privacy.

    By revising their privacy policies, businesses will be taking steps to comply with applicable privacy laws; but whether these steps are enough to address the expectations of their customers regarding privacy is a matter to be best considered by each business.  In the meantime, if a business using Adsense has any questions about this change or requires any assistance in updating their Privacy Policy, I would encourage you to contact me to discuss.


    Escrow as a new tool for privacy

    March 23, 2009

    Bell Canada recently announced that it would acquire The Source, a national electronics dealer.  Bell has indicated that it will be acquiring substantially all of the assets of The Source.

    I don’t know what those assets will be, but I think it is an interesting example of the fact that even in recessions we still see acquisitions of companies.  When an organization’s assets are bought, one of the most valuable assets that are purchased is often its customer list.   

    PIPEDA and other applicable privacy laws, of course, govern transactions involving personal information.   In the course of such transactions some companies are now implementing concepts once used only to secure physical assets.  For example, many organizations are choosing to employ “escrow” arrangements to ensure the security of personal information.

    Most businesses now understand that the implications of violating applicable privacy laws can be very serious to the reputation and bottom line of both the vendor and purchaser.  As part of a sale of a customer list, and depending on the specific circumstances, both parties may agree that the customer list be placed in escrow until the transaction is completed.  This ensures that what is likely the most valuable asset in the transaction – the customer list – is protected from unintended disclosures prior to the actual transfer of the business.


    Privacy newsletters worth checking out

    March 16, 2009

    If you’re a privacy professional, you’re likely overwhelmed with the ongoing task of staying on top of legal, industry and technology developments.  As you know, there’s no shortage of issues these days.  Hopefully, this blog is helping your efforts!

    But if you work for a private sector organization and haven’t yet signed up for the federal Privacy Commissioner’s e-newsletter entitled Privacy Perspectives, I’d suggest you do.   It contains great information and helps to stay on top of things.

    If you’re in Manitoba and work for a public body, the Winter 2009 Issue of Manitoba OmbudsNews was published last Friday on the Manitoba Ombudsman’s website.  It’s also a great resource.

    If you’re still in need of ongoing assistance and aren’t already a member of the Privacy Forum, you may want to touch base with me to learn more.  It has been a super venue over the last 6 years for information sharing and the current members are an excellent group of individuals and first rate privacy professionals.


    Businesses don’t have privacy rights

    March 9, 2009

    If you’re a privacy professional you will know that Canada’s privacy laws are in place to protect the privacy rights of individuals, not businesses.

    Despite this fact and that Canada’s federal privacy law, PIPEDA, has been in force since 2001, it’s surprising how many others are confused on this point.

    For instance, I recently had a client make an information request to an organization for access to corporate information. When the organization responded, they denied access to the requested information and claimed that PIPEDA required that they do so in order to protect the privacy interests of a business.

    There may be circumstances where organizations have other legitimate reasons for denying access to certain information. There may also be circumstances where privacy laws such as PIPEDA should be cited in denying access to certain business records where releasing the information could unlawfully disclose the personal information of another individual. Organizations should not, however, cite Canada’s privacy laws as a justification to deny access to information requests on account of the privacy rights of a business.

    If you encounter this scenario you may be dealing with someone who either doesn’t understand privacy laws or who is perhaps being disingenuous. After all, the general thrust of Canada’s privacy laws is to encourage organizations to create a culture of privacy in order to protect the privacy of individuals whose personal information is collected, used, retained or disclosed by such organizations.



    Privacy Commissioner pens guidelines for outsourcing

    March 3, 2009

    The Office of the Privacy Commissioner of Canada (OPC) has published some useful Guidelines for Processing Personal Data Across Borders to explain how the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to transfers of personal information to third parties, including third parties operating outside of Canada, for processing.

    As the OPC points out, PIPEDA does not prohibit organizations in Canada from transferring personal information to organizations in other jurisdictions for processing, but Canadian organizations are still accountable and the OPC can investigate complaints and audit privacy practices of Canadian organizations.

    PIPEDA provides that

    an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

    The primary means by which an organization can protect personal information that it transfers to a third party for processing is through a contract. Organizations must also be transparent about their privacy practices, including advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.

    Check out the OPC’s Guidelines, and if your business hasn’t yet signed privacy contracts with all third parties to whom you transfer or disclose personal information, now may be the time.


    Issuing employees laptops, cellphones and PDAs brings risk

    March 2, 2009

    Most Canadian businesses these days supply their employees with devices such as laptops, cellphones and PDAs that are then often used by employees after work hours for personal use. In most cases, this isn’t a problem for either the employer or the employee. But too many businesses that issue cellphones, laptops or PDAs to their employees have not taken the necessary steps to mitigate the associated legal risks.

    These legal risks can include the fact that employees can use these devices to distribute emails or text messages that defame other parties or that include illegal sexual or racial content (which in Manitoba could give rise to employee and employer liability under The Human Rights Code). Employees may also use these devices to intentionally or unintentionally leak personal or corporate information. Employees, however, may have an expectation or legal right of privacy depending on the circumstances, so wholesale monitoring by employers may not be in the cards.

    Doug Cornelius recently wrote on Compliance Building about a U.S. court decision (Quon v. Arch Wireless) concerning police conduct in accessing personal texts sent from a police-issued cellphone:

    In that case the court found that a police department had violated the Fourth Amendment and state constitutional rights of employees and the people they exchanged text messages with, when they reviewed “personal” text messages created on devices owned and issued by the police department. It also found that the text messaging provider, Arch Wireless, violated the Stored Communications Act (SCA), 18 U.S.C. §§2701-2711, by providing transcripts of these messages to the employer.

    Although this decision is based on U.S. law, similar results could happen in Canada. As a result, Canadian businesses should ensure that their employees clearly understand what they can and cannot do with the devices issued to them. One of the best ways to accomplish this goal is to develop appropriate policies and procedures, which will minimize the chances of being taken to court by third parties or employees.


    Help fight cyber-terrorism

    February 27, 2009

    Do you ever wish you were Jack Bauer from the TV show 24? Here’s your chance!

    There are a growing number of articles that are highlighting the threat of “cyber-terrorism”.  It’s a scary topic that is surely consuming the time of government technology infrastructure professionals in the U.S. and Canada.  Some of these articles discuss the remote possibility that terrorists may perpetrate cyber-attacks against critical online government and corporate infrastructure.  Other articles discuss the very real possibility that terrorists may simply use the Internet (and the information contained online) to plan attacks in the real world. Don Cavender, a special agent and instructor with the FBI’s Computer Training Unit at Quantico, Virginia, is quoted in an excellent ZDNet article and says that “the worry right now is not so much a cyberterrorism event…but when the terrorists use the Internet to facilitate the planning of these attacks.” 

    We all know that the Internet is filling up with vast amounts of data including people’s personal information, as well as corporate and government data.  The lesson that I take from all of these “cyber-terrorism” related articles is that businesses should make sure that they are working with technology professionals to secure their databases and limit the amount of personal information and corporate data available online.  Of course, there are many reasons for businesses to secure their databases and to limit what information is available online.  For example, privacy laws such as Canada’s PIPEDA regulate the safeguarding of personal information.  And, there are good business reasons to limit the availability of proprietary corporate data online.  But, if you ever wished you were Jack Bauer, then here’s your chance to fight terrorism…one corporate move at a time.


    Getting staff “buy-in” on privacy compliance

    February 25, 2009

    I chaired a lively Privacy Forum member meeting yesterday, which included a great discussion on how to get staff “buy-in” on privacy compliance.  It’s an important topic because an organization can have comprehensive privacy policies and procedures, but if employees don’t “buy-in” they won’t implement the policies and procedures properly.

    The important thing is to develop a culture of privacy within the workplace.  Fostering a workplace culture where privacy is valued and respected contributes to good employee morale and mutual trust.  It also helps employees to identify privacy issues before they become privacy complaints (which can result in costly grievances, lawsuits or settlements).  After all, it’s employees that are on the front line with customers and how employees respond to privacy related questions or concerns can make a big difference. 

    When I conduct privacy training sessions for clients, I always remind employees that while privacy compliance is the law, it’s also important because good privacy practices can improve customer relations, increase efficiencies and mitigate time-consuming and costly privacy complaints.  I also try to make privacy compliance fun!  No, this is not a misprint…I said “fun”.  Privacy Forum members had some great suggestions on how to make privacy compliance fun and, in doing so, help to get staff “buy-in” on privacy compliance. 

    Please post a Comment below on ways that you or your organization tries to get staff “buy-in” on privacy.


    Do you actually read website Terms of Use?

    February 24, 2009

    Last week’s headlines regarding Facebook (see post below) really seemed to raise the awareness of Facebook users about its Terms of Use.  The troubling reality that many Facebook users haven’t read its Terms of Use illustrates the all too common practice of website users not reading the Terms of Use of websites they visit.

    Website Terms of Use are important to read, especially if you’re then going to post information on or through the website.  If you’re a Facebook user, read its Terms of Use to determine if you actually agree to them.  If not, you may want to reconsider continuing to be a Facebook user or you may want to simply refrain from posting content that you don’t want to fall under the scope of its Terms of Use. 

    If your business has a website, check to see if it has a comprehensive Terms of Use document that’s been customized accordingly. Terms of Use are vital documents for websites because they set out the ground rules regarding – among other things – the ownership of content, licence rights, use of the website by minors, user submissions/postings and intellectual property rights.  They are intended to serve as legally binding contracts between website operators and users, so they’re pretty important!

    Facebook may have suffered a public relations setback last week, but for a commercial enterprise it was on the right path when it reviewed and tried to customize its Terms of Use to meet its business objectives.  All businesses that have websites should review and, if necessary, modify their Terms of Use on a regular basis.


    What the heck is RSS?

    February 20, 2009

    Are you new to social media?  If so, you probably feel like people are talking in a whole different language. Blogs, wikis, RSS, Twitter – this is English? Or is it Venusian?

    After mentioning to a few colleagues that I’d like them to subscribe to this blog using RSS, I realized that I was probably talking to them in “Venusian”. So for all the newbies, here’s a brief explanation of RSS.

    RSS stands for “really simple syndication” (or “rich site summary”, depending on which explanation you read). It’s a method of alerting the subscriber to new content. Instead of receiving an email when there’s a new post on a blog, you check your feed reader.

    Now, I can hear some people thinking, why would I want to check another site when I’m checking my email a couple of times a day? To that, I say, how much email do you receive? How many newsletters that you get by email do you actually read? The beauty of RSS technology is it lets you do your reading when you’re ready to do it.

    As I mentioned, there is one more step you have to take, and that is to set up a feed reader. Fortunately, at least two browsers (IE7 and Firefox) offer built-in readers. Select the “Subscribe via RSS” button and follow the directions.

    If that still doesn’t make sense, here’s what Wikipedia says. For those of you who like a visual explanation, check out RSS in Plain English from the folks at the Common Craft store.  I’m now subscribing to other blogs using RSS.  If RSS isn’t your thing, you can always subscribe to this blog by e-mail.  RSS or e-mail subscription options are provided on the right hand side of the page – I hope you subscribe!


    Businesses should conduct regular staff privacy training

    February 20, 2009

    Privacy professionals will know first-hand the importance of conducting regular staff privacy training, which can mitigate customer privacy complaints and (as a result) the overall costs of privacy compliance.  I certainly know from my practice that the costs to businesses can be quite significant when having to deal with serious privacy complaints.  These costs can include settlements, legal fees and lost productivity.  Obviously, it’s better to be proactive and reduce the chances of having to deal with privacy complaints.  That’s where regular staff privacy training comes in!  Businesses really should conduct staff privacy training on a regular basis – in my view, at least on an annual basis.

    In a recent speech to the 10th Annual Privacy and Security Conference in Victoria, B.C., Privacy Commissioner Jennifer Stoddart commented, “Polling for my Office in 2007 found that only a third of all businesses reported having trained staff about their responsibilities under Canada’s privacy laws.  This is a huge concern!  We recently conducted an analysis of 86 breaches reported to my Office and found that employee awareness and training was the most important contributing factor.  It was an issue in more than half of the spills we examined! We found that very basic mistakes – human errors – often lead to breaches. Breaches are caused mostly by employee misconduct and human error, not technological weaknesses.”  The full speech is entitled, “A Privacy Check Up For Canadians: Is the Glass Half Empty or Half Full?” and is definitely worth reading.


    Businesses can learn from Facebook’s experience

    February 18, 2009

    After several days of intense media scrutiny, Facebook has backed down on controversial changes to its Terms of Service (TOS).  Both CTV Winnipeg and the Winnipeg Free Press asked me to comment on this timely story, which provides a lesson for other businesses that operate websites: TOS (and privacy policies) must be able to withstand not only legal scrutiny but also user expectations.


    Right to privacy worth $1 million (Cdn)

    February 13, 2009

    British Columbia’s Supreme Court has awarded a record-setting judgment of over $1 million to a B.C. businessman for invasion of privacy as reported by Canwest News Service.

    In 2005, Hal Neumann’s home was searched by the Canada Revenue Agency, who were looking for records and documents he’d already given to the government. The CRA is studying the decision to determine if they will appeal. 

    This judgement is significant because it demonstrates that Canadian courts are now willing to award substantial damages for an invasion of privacy.  Public bodies or private sector organizations in Canada that think privacy rights don’t have teeth should reconsider after seeing this groundbreaking decision.


    To release or not to release: The Brian Sinclair tragedy

    February 12, 2009

    If you’re from Winnipeg, you’re well aware of the terrible tragedy of Brian Sinclair, who passed away in the emergency department of the Health Sciences Centre after waiting to see a doctor for 34 hours. Manitoba’s NDP government and the Winnipeg Regional Health Authority (WRHA) have been dealing with the political and legal consequences since Mr. Sinclair’s death last fall.

    I was asked yesterday to provide comment to the Winnipeg Sun on the validity of the government’s recent claim that it could not release the first administrative review into the tragedy because of privacy concerns. The story serves as a reminder to government bodies and businesses of the challenges (and need for expert legal counsel) when dealing with access to information and related privacy matters.

    A separate story reported at TechCrunch demonstrates the risks when releasing redacted documents to the public.  Canadian privacy laws typically require organizations to black out, or redact, portions of documents that contain someone else’s personal information unless that person consents to its disclosure.  It’s a time-consuming, but important, step that organizations need to take before disclosing documents under access to information legislation.  But, as this story points out, organizations need to be very careful about how they redact!


    Canada, U.S. laws on privacy complex

    February 12, 2009

    Canada, U.S. laws on privacy complex

    My September 3, 2008 column in the Winnipeg Free Press reports on the findings of the Privacy Commissioner of Canada regarding canada.com’s  outsourcing to a U.S. based service provider. The finding highlights the complexities of Canadian and U.S. laws as they relate to the personal information of customers and reminds Canadian businesses of the need to have legal agreements with third party service providers, especially those located in the U.S.


    Online shopping a risky transaction

    February 12, 2009

    Online shopping a risky transaction: Protect yourself from identity thieves

    My November 5, 2008 column in the Winnipeg Free Press provides some tips on how to be a savvy online shopper and the benefits to online retailers of having secure websites and comprehensive online privacy policies.


    Privacy matters to most customers

    February 12, 2009

    Privacy matters to most customers: Staff should be able to handle concerns

    My October 1, 2008 column in the Winnipeg Free Press reports on a survey released by the Privacy Commissioner of Canada and the vital need for businesses to train their staff to identify and deal with privacy issues.  Privacy training, or lack thereof, can affect the bottom line.


    Data “packrats” failing customers

    February 12, 2009

    Data “packrats” failing customers: Companies need policies on retention

    My December 3, 2008 column in the Winnipeg Free Press details the problems businesses can get into when they keep every single piece of information on their customers, even when they no longer need it.


    Privacy chief important role

    February 11, 2009

    Privacy chief important role in modern firm

    My August 18, 2008 column in the Winnipeg Free Press provides a definition of the position of Chief Privacy Officer (CPO) as well as some tips to help determine the scope of the role in particular firms.


    New push to educate on online privacy

    February 11, 2009

    New push to educate on online privacy: Youth can get info on important website

    My July 2, 2008 column in the Winnipeg Free Press announces the Privacy Commission of Canada’s new youth privacy site, My Privacy. This is a great site for both parents and their children to view, to help youthful Internet users to be aware of the dangers of ignoring privacy settings as they’re filling out personal information on sites like Facebook and MySpace.


    Guidelines aid in use of surveillance cameras

    February 10, 2009

    Guidelines aid in use of surveillance cameras

    My column of June 4, 2008 in the Winnipeg Free Press describes the guidelines published by the Privacy Commissioner of Canada jointly with the privacy commissioners of British Columbia and Alberta, and how businesses can use them to remain compliant with the law.


    Privacy law update good

    February 10, 2009

    Privacy law update good: Job needs full-time commissioner

    My May 7, 2008 column in the Winnipeg Free Press explains the difference between Manitoba’s Information and Privacy Adjudicator and a privacy commissioner, as appointed in almost every other province and at the federal level.


    Recording telephone calls

    February 10, 2009

    Recording telephone calls could be a risky business

    My April 2, 2008 column in the Winnipeg Free Press discusses the privacy implications resulting from recording telephone calls, and why it is important to let your customers know if you are recording their calls to you.


    Get your company’s Privacy Policy in order

    February 10, 2009

    Get your company’s privacy policy in order: Potential purchasers will need to know

    My March 5, 2008 column in the Winnipeg Free Press discusses some of the problems that can occur when trying to sell a business, if you haven’t put privacy policies in place.


    Ombudsman vital to public’s rights

    February 9, 2009

    Ombudsman vital to public’s rights, but Doer forgets his 1999 promise to appoint a privacy commissioner

    My December 5, 2007 column in the Winnipeg Free Press discusses the role of the Manitoba Ombudsman, and the need for a separate privacy commissioner.


    Businesses face challenge

    February 9, 2009

    Businesses face challenge in winning people’s trust

    My November 7, 2007 column in the Winnipeg Free Press discusses the Privacy Commissioner of Canada’s annual report and what it means to private sector businesses.


    Privacy ultimately your responsibility

    February 9, 2009

    Privacy ultimately your responsibility

    My October 3, 2007 column in the Winnipeg Free Press emphasizes the importance of protecting your personal information by not handing it over to strangers, among other strategies.


    Privacy is not a fad

    February 9, 2009

    Privacy is not a fad, laws are misunderstood

    My September 5, 2007 column in the Winnipeg Free Press highlights the common misconceptions surrounding privacy law, against the backdrop of the Virginia Tech tragedy.


    Incubator nurtures local digital gaming

    February 9, 2009

    Incubator nurtures local digital gaming

    My February 13, 2008 column in the Winnipeg Free Press reports on Canada’s first digital gaming business incubator, Fortune Cat Games Studio, and its efforts to assist entrepreneurs in this potentially lucrative field.


    Privacy resolutions for 2008

    February 9, 2009

    Privacy resolutions for 2008

    My January 2, 2008 column in the Winnipeg Free Press makes some suggestions for businesses to improve their privacy efforts before legislation forces them to make them.


    Mobile devices prone to ID theft

    February 6, 2009

    Mobile devices prone to I.D. theft

    My August 1, 2007 column in the Winnipeg Free Press points out the security risks inherent in mobile data holders such as USB drives, laptops and portable hard drives.


    Businesses must take steps to prevent ID theft

    February 6, 2009

    Businesses must take steps to prevent I.D. theft

    My July 4, 2007 column in the Winnipeg Free Press points out the fine-tuning to PIPEDA and what businesses will have to do to remain compliant.


    Facebook website

    February 6, 2009

    Facebook website not all fun and games

    My June 6, 2007 column in the Winnipeg Free Press examines the effect that access to social networking sites like Facebook has in the workplace.


    Province failing on privacy issues

    February 6, 2009

    Province failing on privacy issues; citizens deserve better protection

    My May 2, 2007 column in the Winnipeg Free Press poses a challenge to the participants in the upcoming provincial election of May 22, 2007 to follow through on promises of a Manitoba privacy commissioner.