Mandatory privacy breach notification requirement inevitable

December 15, 2009

For years now, Ontario’s Personal Health Information Protection Act has contained provisions requiring health custodians to notify individuals if their personal health information is stolen, lost or accessed by unauthorized persons.  Until now, such mandatory privacy breach notification provisions have been limited to the sphere of health care in Ontario. That’s about to change.

The federal Personal Information Protection and Electronic Documents Act will likely contain mandatory privacy breach notification provisions in the near future. Since 2006, Special Committees at both the Federal and Provincial (Alberta and B.C.) levels have convened and generated a series of recommendations relating to breach notification.  For further information on these recommendations, see the final reports of the Federal, Alberta and B.C. committees.

The most important recommendation independently generated by each of the committees provides that organizations should be under a statutory breach notification duty.  On October 27, 2009, the initial step toward implementing this recommendation was taken in the Alberta Legislature with the first reading of Bill 54: Personal Information Protection Amendment Act, 2009.  The Alberta privacy breach notification provisions will soon come into force. British Columbia and the Feds are expected to follow suit and implement similar requirements in the near future. When that occurs, private sector organizations across Canada will be required by applicable law to notify affected individuals when privacy breaches occur.

The best advice is to make sure that privacy protection policies, procedures and training are implemented and enforced… now.


Manitoba private sector privacy legislation: An insurmountable goal?

December 11, 2009

University of Manitoba law student, Courtney Pope, has just drafted an in-depth paper (below) on Bill 219: The Personal Information Protection and Identity Theft Protection Act. As I’ve previously posted here, Bill 219 seeks to regulate the management of personal information by organizations in the Manitoba private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

Courtney’s paper, entitled “Bill 219: An Insurmountable Goal”, argues that the law is necessary in order to “effectively protect the privacy rights of all Manitobans”.  The paper outlines the main features of the Bill; examines the role of PIPEDA and the concept of “substantially similar” legislation; and analyzes the main arguments advanced for and against the Bill, as expressed in Hansard and in the context of the Bill’s legislative history. Courtney also advances theories regarding the major impediments to its passing.

Courtney was a summer student at Pitblado LLP this past summer and will (fortunately for us) be returning in the New Year to complete her Articles.  Thanks to Courtney for sharing her paper, which you can read by clicking on the hyperlink below.

Bill 219: An Insurmountable Goal


Redactions gone terribly wrong

December 9, 2009

CTV News is reporting that the U.S. federal government improperly posted an internal guide to its airport passenger screening procedures on the Internet in a way that could offer valuable tools to terrorists. The guide was posted on the U.S. Federal Business Opportunity website, but the sensitive information (which was electronically redacted, or blacked out) was not properly protected.  Some websites, using widely available software, were able to uncover the original text of sections that had been redacted.

This situation is an example of redactions gone terribly wrong!  And it should serve as a reminder to public and private sector organizations to take extra care when making redactions in documents that will be released to third parties. Different redaction strategies can be implemented depending on the circumstances. One strategy that I implement when records will be posted online is to make my redactions and then physically scan the document and save it as a PDF. It’s a basic way to protect sensitive portions of records.  Please feel free to post a Comment below with other suggested strategies for making secure redactions.
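A pre-release check for the failure described above, as an added example that is not part of the original post: it flags text that is still present in a PDF page's drawing instructions underneath a filled rectangle. It assumes the page content stream has already been decompressed, that each text block is positioned with a single Td operator, and that strings contain no escaped parentheses; both sample streams are constructed for illustration.

```python
import re

# Constructed sample: a black box is painted over the second line of text,
# but the text operators that draw that line are still in the stream.
BOXED_STREAM = b"""
BT /F1 12 Tf 72 700 Td (Screening overview) Tj ET
BT /F1 12 Tf 72 650 Td (SAMPLE SENSITIVE LINE) Tj ET
0 0 0 rg
70 645 200 16 re f
"""

# Constructed sample: a page that was printed, scanned and saved as a PDF.
# It holds only an image placement, so there are no text operators at all.
SCANNED_STREAM = b"q 612 0 0 792 0 0 cm /Im0 Do Q\n"

NUM = rb"(-?\d+(?:\.\d+)?)"
# "x y width height re f": define a rectangle, then fill it.
RECT_RE = re.compile(NUM + rb"\s+" + NUM + rb"\s+" + NUM + rb"\s+" + NUM
                     + rb"\s+re\s+f\b")
# "BT ... x y Td (string) Tj ... ET": one positioned text block.
TEXT_RE = re.compile(rb"BT\b.*?" + NUM + rb"\s+" + NUM
                     + rb"\s+Td\s*\((.*?)\)\s*Tj.*?ET", re.S)


def text_under_rectangles(stream):
    """Return text strings whose origin lies inside any filled rectangle."""
    rects = [tuple(float(v) for v in m.groups())
             for m in RECT_RE.finditer(stream)]
    hits = []
    for m in TEXT_RE.finditer(stream):
        x, y = float(m.group(1)), float(m.group(2))
        covered = any(rx <= x <= rx + w and ry <= y <= ry + h
                      for rx, ry, w, h in rects)
        if covered:
            hits.append(m.group(3).decode("latin-1"))
    return hits


if __name__ == "__main__":
    for name, stream in (("boxed", BOXED_STREAM), ("scanned", SCANNED_STREAM)):
        found = text_under_rectangles(stream)
        print(name, "->", found if found else "no text under filled rectangles")
```

Any string this returns means the box was only drawn on top of the text and the document should not be released as it is.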


Anti-Spam Bill passed in House of Commons

December 1, 2009

Bill C-27, commonly referred to as the “Anti-Spam Bill”, passed third reading in the House of Commons yesterday and has been referred to the Senate. I originally posted about the Anti-Spam Bill being introduced back in April, so don’t count on speedy passage through the Senate.

(Hat tip to @privacylawyer David Fraser for the heads-up!)

