Social media: Is your organization’s head in the sand?

October 26, 2010

Is your organization in the social media world?

If your answer is “no” you’re wrong. Sorry, but it was a trick question. Whether your organization admits it or not, it is in the social media world.  Clients, prospective clients, employees and even competitors are almost certainly engaging in conversations about your organization on Facebook and LinkedIn. The question is whether you’re a part (or even aware) of those conversations. The second question is what are you going to do to shape those conversations, to the extent that you can?

The reality is that Canadian employees, for example, are blogging, tweeting and accessing social networking websites with increasing frequency. And the result is increased legal risks for Canadian businesses. These risks include disgruntled employees intentionally revealing trade secrets, defaming supervisors, harassing co-workers, or posting negative information about their employers’ business. There are even additional threats resulting from loyal employees who inadvertently disclose information online that runs afoul of privacy and competition laws. These threats won’t go away if your company has its head in the sand regarding social media.

One important step to dealing with and leveraging social media is to implement a social media policy within your organization. Doing so won’t address every potential headache related to social media, but it will help to manage online discussions that are occurring during and after work hours by your own employees. And since some of the greatest risks I’ve mentioned above stem from your employees, my best advice is to implement a social media policy. Key components in a social media policy should include:

  • defining the scope of prohibited activities;
  • clarifying to whom the policy applies;
  • addressing how infringing content should be removed from social media sites;
  • spelling out who, when and how monitoring of social media sites occurs; and
  • advising of penalties and enforcement of the policy.

3 Comments | Blogs, Employee Monitoring, Facebook, Monitoring, Online Reputation Management, Social Networking Websites | Tagged: , , , , | Permalink
Posted by Brian Bowman

B.C.’s Privacy Commissioner releases Privacy Guidelines for Landlords and Tenants

October 22, 2010

B.C.’s Privacy Commissioner, Elizabeth Denham, has just released Privacy Guidelines for Landlords and Tenants.

In B.C., landlords and property managers acting on their behalf must comply with B.C.’s Personal Information Protection Act (“B.C.’s PIPA”). The guidelines are intended to assist landlords and property managers in discharging their duties under B.C.’s Residential Tenancy Act in a manner that respects the privacy of tenants and promotes transparency in the operation of landlord and tenant relationships.

Despite the B.C. focus, landlords and property managers in other jurisdictions would be well-served by reading the guidelines – especially given that B.C.’s PIPA is “substantially similar” to PIPEDA.

Leave a Comment » | PIPA, Privacy, Privacy Commissioner | Tagged: , , , | Permalink
Posted by Brian Bowman

How safe is your scan? Hard drives on copy machines pose risk

October 20, 2010

Does your office have a copy machine? If so, then this post is worth reading.  CBC news has just released the results of an investigation that exposes the security risks associated with modern copy machines, specifically, the ease at which information scanned into certain copiers can be tapped. Just think about the information that gets scanned into your office copier. Personal information. Confidential corporate information such as client data. Even intellectual property. It’s a scary thought if you haven’t done your due diligence, especially considering that privacy laws can apply to certain data undoubtedly scanned into your copy machine. Check out CBC’s online story here or TV segment here. And if you’d like to learn more, you may also want to read my post from earlier this year which provided a link to a similar CBS news story.

Leave a Comment » | Data Encryption, Data Protection, Identity Theft, Privacy, Privacy Breach, Safeguarding, Safekeeping, Security, Technology | Tagged: , , , , , , | Permalink
Posted by Brian Bowman

Frenemies a big threat to your privacy: New privacy rules required?

October 18, 2010

Who is the biggest threat to your privacy? Government bodies? No. Businesses? Nope. How about your supposed friends, or “frenemies”? Absolutely.

No one knows more detailed personal information about you than your Facebook friends. So do we need new privacy laws to protect you from violations perpetrated by other individuals? Read more>>

 

Leave a Comment » | Facebook, Online Reputation Management, Privacy, Social Networking Websites | Tagged: , , , | Permalink
Posted by Brian Bowman

Court says University sanction over Facebook postings violated Charter

October 15, 2010

An Alberta Court of Queen’s Bench has issued a precedent setting ruling that relates to Facebook comments and, specifically, whether the Charter of Rights and Freedoms can apply to universities.  In the case of Pridgen v. University of Calgary, the court ruled that the post-secondary institution violated two students’ Charter rights when it sanctioned them for posting critical comments about a professor on Facebook.  The students were found by the University to have committed non-academic misconduct and were placed on probation as a result of their Facebook comments.  They applied for judicial review to set aside that decision on various grounds, including that their right to free expression under the Charter.  The University argued before the court that the students had committed acts of defamation on Facebook. 

One of the big issues in the case related to whether or not the Charter applies to universities.  The University argued that the Charter only applies to government institutions and did not apply in this particular case because the University is not part of the government and was engaged in regulating its own internal affairs when disciplining the students.  Earlier court decisions have left open the possibility that the Charter might apply to subordinate bodies created and supported by the government, including “many forms of delegated legislation, regulations, orders in council, possibly municipal by-laws, and by-laws and regulations of other creatures of Parliament and the legislatures”.  In this particular case, the court declared that “the University is not a Charter free zone”.  As a result, and considering the particular facts of this case, the court ruled that the students’ Charter rights were infringed by the manner in which they were sanctioned for their online behavior.  A University spokesman has indicated that its legal staff will review the decision to determine whether there will be an appeal.

Leave a Comment » | Defamation, Facebook, Online Reputation Management, Social Networking Websites, Website Discussion Boards | Tagged: , , , | Permalink
Posted by Brian Bowman

A Conversation with Elizabeth Denham, British Columbia’s Information and Privacy Commissioner

October 12, 2010

Continuing a series of blog posts that I’m calling “A Conversation with…”, I’m delighted to post the following conversation with British Columbia’s new Information and Privacy Commissioner, Elizabeth Denham

Canada’s privacy community will know that Commissioner Denham brings to her new role a wealth of experience and accomplishment. Her resume includes Assistant Privacy Commissioner of Canada and Director, Private Sector, for the Office of the Information and Privacy Commissioner of Alberta. I’ve had the pleasure of knowing Commissioner Denham for some time and have always appreciated her practicality and great sense of humour. B.C. will undoubtedly be well-served.

Of course, I’d like to thank Commissioner Denham for agreeing to engage in this online conversation.  If you’d like to learn more about Elizabeth Denhem or B.C.’s Information and Privacy Commissioner’s Office (“OIPC”), I’d encourage you to visit the OIPC’s website (www.oipc.bc.ca).

Q – You served as Assistant Privacy Commissioner of Canada until being appointed BC’s Information and Privacy Commissioner in July 2010. How are things going in your new role?

A – It is a good thing that I am a recreational runner, because I have certainly hit the ground running! This is an extremely busy office, due to the scope and nature of the work and to the fact that I have inherited one of the leanest oversight agencies in the country. I am very lucky to have a team of hardworking, enthusiastic and seasoned professionals to support me.

While I do have “in the trenches” FOI experience, that was more than 10 years ago, forcing a quick re-immersion into the duties of ensuring accountable and transparent government. Since my appointment I have issued a report on the timeliness of government responses to access requests, worked on a strategy for government-wide proactive disclosure and executed our annual tribute to open government, Right to Know Week.

However, in my view the biggest challenge facing me in this term is public sector privacy issues. The government has ambitious plans for data sharing across ministries, to create linked electronic databases. It is my immediate priority to ensure that privacy is baked into BC’s e-government programs, including e-health.

Q – I’ve long considered BC one of the most progressive privacy jurisdictions in Canada. How has this happened and what can other provinces/territories learn from BC’s privacy community?

A – I think there are a number of factors that has put BC out in front with respect to privacy. My two predecessors, David Flaherty and David Loukidelis, are without a doubt two of the top privacy experts, and their ability to break trail has benefited all of BC. The former Commissioners were very skilled at making privacy a common topic of discussion and spreading the word about privacy rights and obligations. BC also has active and engaged civil society pushing hard for access and privacy rights, and I am referring to the BC Freedom of Information and Privacy Association as well as the BC Civil Liberties Association as key thought leaders. Finally, the citizens of BC have a reputation for being politically aware and engaged, and unafraid to bring burning issues to the forefront. I think the key learning outcome for other jurisdictions is work hard at capacity building and public outreach, and encourage other groups to actively enter the policy debates around access and privacy. We need other voices. Regulators cannot do it alone.

Q – Given that BC has a provincial privacy law (PIPA) that is “substantially similar” to PIPEDA, and considering that many readers of this blog are from outside BC (and Canada), can you briefly highlight the most important things that businesses should know about BC’s private sector regime?

I think the three most important points are these:

First, make sure you have a legitimate operational need to collect any personal information. This requires ongoing monitoring to ensure the operational requirement still exists, and routinely and safely purging personal information no longer required. Personal information is both an asset and a liability, and collecting and retaining personal information when no reason exists is a huge business risk.

Second, be transparent about what you are doing with the personal information you collect in the course of your operations, and ensure that anyone that you hire on your behalf behaves in the same manner.

Finally, data safeguards, or rather the lack thereof, remain the primary source of privacy breaches and a threat to your business brand. Safeguards are much more than passwords and locked cabinets—they include proper and ongoing staff training, privacy audits and assessing the privacy impacts of new policies, programs or services. Safeguarding personal information requires ongoing attention, and a willingness and ability to adjust the safeguard strategy when needed.

Q – Your work in the area of social networking as been outstanding, which in the case of Facebook resulted in a number of changes to the social networking site—changes that were implemented on a global basis. Some readers may presume that a privacy commissioner such as you wouldn’t use social networking sites. In my case, I’m active on LinkedIn. How about you?

A – I have several accounts with social networks, including Facebook and LinkedIn. I first joined the networks because I wanted to deeply understand the services, and their functionality; this was critical to my work. But Facebook also helps me keep track of my far-flung 20-something children who live their lives on-line! But I am a savvy consumer of these services, and obviously avail myself to all of the privacy controls they offer. I do not post anything on either of those sites that is not already publicly available or any information that I would not hesitate to make public. I am very careful before downloading any third party application—carefully scrutinizing their privacy policies beforehand.

Q - In your view, what kind of privacy developments should we watch for in the coming year in British Columbia?

A – On the government side, I think the primary issues will be an increase in the development of linked data networks containing personal information bringing risks to transparency, appropriate access, use and disclosure and a heightened risk of transmission of inaccurate and incomplete information.

On the private sector side, I know we will see more collaboration and cooperative oversight between the federal and provincial commissioners. New technologies and business models challenge the ability of any office to “go it alone”. Canada is a leading voice on privacy and new technologies. I look forward to working with my colleagues on smart, relevant and timely oversight.

1 Comment | Facebook, Internet, Personal Information, PIPA, Privacy, Privacy Commissioner, Social Networking Websites | Tagged: , , , , | Permalink
Posted by Brian Bowman

Lessons from the Veteran Affairs Canada privacy breach

October 8, 2010

The recent headlines over the Veteran Affairs Canada privacy breach should serve as a useful reminder to all organizations – public and private sector – of the necessity to implement internal policies and procedures for the management of personal information. Much attention is paid these days by the media to privacy breaches that involve external parties, such as hackers, who foil the security safeguards of organizations. However, in my experience the bigger threat to privacy if often from within an organization.

In this recent case involving Veteran Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veteran Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.

The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:

  • “Take immediate steps to develop an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the department.
  • Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only.  Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
  • Provide training for employees about appropriate personal information-handling practices.
  • Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”

Leave a Comment » | Access to Information, Data Protection, Due Diligence, Government, Privacy, Privacy Breach, Privacy Commissioner of Canada, Safeguarding, Safekeeping, Security Breach, Training | Tagged: , , , , , | Permalink
Posted by Brian Bowman

Another day, another privacy breach…

October 6, 2010

CBC News is reporting that ”[g]arbage bags filled with confidential financial information were found blowing around in a [Winnipeg] North End back lane Tuesday, and people living in the area say they’re furious because of it. The bags contain tax return documents that include people’s names, social insurance numbers and in many cases, addresses and other sensitive financial information.”

This and other similar news stories should serve as a reminder that PIPEDA requires organizations to exercise care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information (for example, don’t dispose of sensitive tax information records in a back lane). Other provincial laws, such as Alberta’s PIPA and B.C.’s PIPA, have similar requirements. Disposal or destruction policies and procedures should focus on physical, organizational and technological measures.

Leave a Comment » | Identity Theft, PIPEDA, Privacy, Privacy Breach, Security Breach | Tagged: , , , , | Permalink
Posted by Brian Bowman

Privacy Commissioner of Canada releases Annual Report on Privacy Act

October 5, 2010

Canada’s Privacy Commissioner, Jennifer Stoddart, released her 2009 – 2010 Annual Report to Parliament on the Privacy Act today. In her Annual Report, Stoddart says that “[t]he federal government’s use of handheld communications devices and its practices for disposing of unneeded paper documents and surplus computers could expose the personal information of Canadians to unauthorized disclosure”.

Key lessons for the private sector from today’s Annual Report include, among other things, (1) a reminder of the need to assess the threats/risks inherent in wireless communications and to fill any gaps in policies and/or practices related to smart phones, Wi-Fi networks and data stored on mobile devices and (2) ensuring that policies and procedures are in place for paper shredding and the disposal of surplus computer equipment.

Read the full Annual Report here>>.

Leave a Comment » | Government, Mobile devices, Privacy, Privacy Commissioner of Canada | Tagged: , | Permalink
Posted by Brian Bowman

Follow

Get every new post delivered to your Inbox.

Join 104 other followers