March 25, 2009
I recently discussed with Nymity News some of the privacy issues related to third party opt-out websites. Specifically, I highlighted in the interview the risks facing organizations who honour requests from such websites. Marketing research organizations such as those that are members of the MRIA may find the interview of particular interest, but it’s still worth reading regardless of what industry your business operates in if you’re not yet aware of these types of third party opt-out websites.
March 24, 2009
In terms of privacy, as with many other things, each step forward seems to come with a catch that makes the step forward a little smaller than one would hope. Google, in response to demands from privacy advocates and users, has taken a progressive step forward and created a means for users of Google to opt out of their targeted advertising by allowing a user to access Google Ad Preferences to change settings or to opt out completely.
At the same time, Google has announced plans to launch a new type of targeted advertising. Currently, when an Internet user visits a webpage with Google AdSense, Google will store cookies on a user’s computer and remember their interests from previous searches. The example used by Google is that if you have an interest in gardening, you may be shown gardening ads along with those related to the site you are visiting.
While Google’s addition of its Ad Preferences program is encouraging for privacy advocates, it does come in the wake of an entirely new and, according to privacy advocates, more invasive means of targeting ads at users. As part of this new initiative, Google has asked all Google AdSense publishers to update their privacy policies to notify users of their site of the fact that interest-based advertising will be displayed.
The Privacy Commissioner once noted that although PIPEDA (and other privacy legislation) imposes obligations on organizations to take appropriate measures in protecting personal information, sometimes the more important role of privacy legislation is to help people shape their view of privacy.
March 23, 2009
Bell Canada recently announced that it would acquire The Source, a national electronics dealer. Bell has indicated that it will be acquiring substantially all of the assets of The Source.
I don’t know what those assets will be, but I think it is an interesting example of the fact that even in recessions we still see acquisitions of companies. When an organization’s assets are bought, one of the most valuable assets that are purchased is often its customer list.
PIPEDA and other applicable privacy laws, of course, govern transactions involving personal information. In the course of such transactions some companies are now implementing concepts once used only to secure physical assets. For example, many organizations are choosing to employ “escrow” arrangements to ensure the security of personal information.
Most businesses now understand that the implications of violating applicable privacy laws can be very serious to the reputation and bottom line of both the vendor and purchaser. As part of a sale of a customer list, and depending on the specific circumstances, both parties may agree that the customer list be placed in escrow until the transaction is completed. This ensures that what is likely the most valuable asset in the transaction – the customer list – is protected from unintended disclosures prior to the actual transfer of the business.
March 16, 2009
If you’re a privacy professional, you’re likely overwhelmed with the ongoing task of staying on top of legal, industry and technology developments. As you know, there’s no shortage of issues these days. Hopefully, this blog is helping your efforts!
But if you work for a private sector organization and haven’t yet signed up for the federal Privacy Commissioner’s e-newsletter entitled Privacy Perspectives, I’d suggest you do. It contains great information and helps you stay on top of things.
If you’re in Manitoba and work for a public body, the Winter 2009 Issue of Manitoba OmbudsNews was published last Friday on the Manitoba Ombudsman’s website. It’s also a great resource.
If you’re still in need of ongoing assistance and aren’t already a member of the Privacy Forum, you may want to touch base with me to learn more. It has been a super venue over the last 6 years for information sharing and the current members are an excellent group of individuals and first-rate privacy professionals.
March 9, 2009
If you’re a privacy professional you will know that Canada’s privacy laws are in place to protect the privacy rights of individuals, not businesses.
Despite this, and despite the fact that Canada’s federal privacy law, PIPEDA, has been in force since 2001, it’s surprising how many others are confused on this point.
For instance, I recently had a client make an information request to an organization for access to corporate information. When the organization responded, they denied access to the requested information and claimed that PIPEDA required that they do so in order to protect the privacy interests of a business.
There may be circumstances where organizations have other legitimate reasons for denying access to certain information. There may also be circumstances where privacy laws such as PIPEDA should be cited in denying access to certain business records where releasing the information could unlawfully disclose the personal information of another individual. Organizations should not, however, cite Canada’s privacy laws as a justification to deny access to information requests on account of the privacy rights of a business.
If you encounter this scenario you may be dealing with someone who either doesn’t understand privacy laws or who is perhaps being disingenuous. After all, the general thrust of Canada’s privacy laws is to encourage organizations to create a culture of privacy in order to protect the privacy of individuals whose personal information is collected, used, retained or disclosed by such organizations.
March 3, 2009
The Office of the Privacy Commissioner of Canada (OPC) has published some useful Guidelines for Processing Personal Data Across Borders to explain how the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to transfers of personal information to third parties, including third parties operating outside of Canada, for processing.
As the OPC points out, PIPEDA does not prohibit organizations in Canada from transferring personal information to organizations in other jurisdictions for processing, but Canadian organizations are still accountable and the OPC can investigate complaints and audit privacy practices of Canadian organizations.
PIPEDA provides that “an organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”
The primary means by which an organization can protect personal information that it transfers to a third party for processing is through a contract. Organizations must also be transparent about their privacy practices, including advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction, it may be accessed by the courts, law enforcement and national security authorities.
Check out the OPC’s Guidelines, and if your business hasn’t yet signed privacy contracts with all third parties to whom you transfer or disclose personal information, now may be the time.
March 2, 2009
Most Canadian businesses these days supply their employees with devices such as laptops, cellphones and PDAs that are then often used by employees after work hours for personal use. In most cases, this isn’t a problem for either the employer or the employee. But too many businesses that issue cellphones, laptops or PDAs to their employees have not taken the necessary steps to mitigate the associated legal risks.
These legal risks can include the fact that employees can use these devices to distribute emails or text messages that defame other parties or that include illegal sexual or racial content (which in Manitoba could give rise to employee and employer liability under The Human Rights Code). Employees may also use these devices to intentionally or unintentionally leak personal or corporate information. Employees, however, may have an expectation or legal right of privacy depending on the circumstances, so wholesale monitoring by employers may not be in the cards.
Doug Cornelius recently wrote on Compliance Building about a U.S. court decision (Quon v. Arch Wireless) concerning police conduct in accessing personal texts sent from a police-issued cellphone:
In that case the court found that a police department had violated the Fourth Amendment and state constitutional rights of employees and the people they exchanged text messages with, when they reviewed “personal” text messages created on devices owned and issued by the police department. It also found that the text messaging provider, Arch Wireless, violated the Stored Communications Act (SCA), 18 U.S.C. §§2701-2711, by providing transcripts of these messages to the employer.
Although this decision is based on U.S. law, similar results could happen in Canada. As a result, Canadian businesses should ensure that their employees clearly understand what they can and cannot do with the devices issued to them. One of the best ways to accomplish this goal is to develop appropriate policies and procedures, which will minimize the chances of being taken to court by third parties or employees.