A Conversation with Frank Work, Alberta’s Information and Privacy Commissioner

February 3, 2010

Continuing a series of blog posts that I’m calling “A Conversation with…” (the first being A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada), I’m delighted to post the following conversation with Frank Work.

Commissioner Work is as personable as he is professional. I’ve had the pleasure to speak at privacy conferences with Commissioner Work and let’s just say that I’m glad I presented first!  As privacy professionals will know, he’s a plain spoken, intelligent speaker and so his sessions are always a “must attend”.

Thanks to Commissioner Work for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Frank Work, the Office of the Information and Privacy Commissioner of Alberta (the “Alberta OIPC”) or the issues raised in this conversation, I’d encourage you to visit the Alberta OIPC’s website.

Q.  Your office has investigated identity theft arising from crystal meth abuse. What’s the link between the two?

A.  A couple of years ago the Edmonton police raided a hang out for meth users.  They found a lot of papers from businesses in the area, which they gave to us.  Cell phone contracts, credit bureau checks, credit card information and so on.  The police told me that meth users, unlike some other substance abusers, are pretty alert when they are high.  They don’t sleep.  They have lots of time to do the kind of detailed work necessary to engineer credit card fraud and identity theft.

Q.  So what can the public do to protect itself from that kind of identity theft?

A.  Individuals should shred bank and credit card statements.  They shouldn’t carry certain ID, like birth certificates, on them. These kinds of foundation documents are very useful for identity theft.  Always report lost or stolen credit cards, but also lost or stolen driver’s licences, birth certificates, and passports.  Check your bank and credit card statements to make sure someone else isn’t using them.  Do a credit bureau reference on yourself maybe once a year.  If your score is lower than you think, find out why.  If your score changes from one year to the next, find out why. Sometimes it can be identity theft (someone using your good name). Sometimes it can be an error on the part of the credit bureau.

The other side of the problem is organizations that have peoples’ info.  They must take proper care of it.  As I said, we have been given credit reports, draft mortgages, cell phone contracts, purchase of goods contracts and bookkeepers files, all thrown away.  These papers all have potential for fraudulent use.  Businesses need to shred this stuff.  Furthermore, for businesses that have customer databases, how well secured is it?  Who on their staff has access to it?  We have had cases where someone in the business is taking the info and using or selling it for fraud and identity theft.

Q.  Alberta’s private sector privacy legislation was recently amended to include mandatory breach notification. How will this impact privacy regulation in, and outside of, Alberta?

A.  It is early days yet.  Hopefully it will make organizations extra careful with personal information.  Will that raise the bar for organizations in other provinces?  Maybe.  If you are going to change your practices here, you might as well change them everywhere.  Possibly more provinces will legislate.  A big piece of the picture will be when the Federal government amends PIPEDA in this regard.  Maybe this will increase pressure to do so.  It will be a challenge to figure out what “a real risk of significant harm” is.  It will be a challenge to figure out in which cases there should be notice given and what kind of notice.

Q.  You’ve worked as a lawyer in different countries around the world. How does Canada’s approach to privacy compare to your experience in other places?

A.  We aren’t perfect but we are way ahead of most other jurisdictions.  The “commissioner” system of enforcement has served us well because we do not have the kind of well funded civil society organizations which can advocate for privacy.  Commissioners can and do advocate.  I mean, I would love to have an ACLU, or and EPIC or an EFF in Canada.  Our civil liberties people, like FIPA in BC do great work with the resources they have but resources are scarce.  We need some rich people to endow some of these groups.  The other thing is that I think, relative to other societies, Canadians have a disposition towards privacy.  We get it to some extent.  I like to think it is because we are, yes, polite, and respectful of other people.  That makes us respect each other’s space.  We must not lose that as the world becomes one big facebook/google culture.  Teach your children well.

Q.  Looking forward, what kind of privacy developments should we watch for in 2010?

A.  Cyber attacks, hacks and other losses will continue.  Governments will continue to bring surveillance technologies to bear every time anything bad happens. I will continue to get judicially reviewed.  I would like to think people will start resisting surveillance and other intrusions into their lives but I don’t see it happening.  Governments like surveillance.  Heck, the public likes surveillance because we are just so bad at risk assessment.  We are scared of everything it seems and we want someone to keep an eye on everything for us.  It will be interesting to see if technology begins to fail us.  For example, what if there is another airplane bombing attempt and the technology doesn’t prevent it?  They bring in new technology.  And that doesn’t prevent the next one (God forbid).  Maybe they run out of technology, although, for the money involved I don’t see that happening.  Someone will come up with a new toy.  Will someone ever say “this technology isn’t doing what we want it to and it is costing us a bundle?”  I think that will be a social shock.

5 Comments | Airport Security, Identity Theft, Personal Information, PIPA, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Security | Tagged: , , , , , , , | Permalink
Posted by Brian Bowman

A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada

January 25, 2010

I’m very pleased to be able to post the following conversation with Jennifer Stoddart

Since becoming Canada’s Privacy Commissioner in 2003, Commissioner Stoddart has undoubtedly raised the value of privacy in a time when security, trade, technology and consumer expectations have created a volatile atmosphere for our personal information. I might add that she has accomplished this admirable feat with passion and professionalism.  As a result, Canadians have been exceptionally well-served.

Of course, I’d like to thank Commissioner Stoddart for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Jennifer Stoddart, the Office of the Privacy Commissioner of Canada (the “OPC”) or the issues raised in this conversation, I’d encourage you to visit the OPC’s website and blog.

Q. How did you get involved in the world of privacy?

A. Back in the spring of 2000, I happened to read an article in the New York Times Magazine by the noted American legal scholar Jeffrey Rosen. Prof. Rosen was explaining how personal privacy was being subtly eroded in the digital age. I was fascinated.

I was working at the Quebec Human Rights Commission at the time. The next week, I was asked to head up Quebec’s Access to Information and Privacy Commission, and that’s the field I’ve been in ever since.

Q. But it’s coming to an end.

A. Sadly. My seven-year term as Privacy Commissioner will wind up this year. On the plus side, though, I can look back with considerable pride at the progress we’ve made. The encroachments on privacy in this digital era really are staggering, but that doesn’t mean we’re letting them bowl us over.

Last year’s investigation into a complaint against Facebook was surely the most high-profile example of the kind of influence we have. And beyond that I would say that we’re making a meaningful difference, in countless other ways, every day of the year.

Q. What are the most rewarding aspects of being the Privacy Commissioner of Canada?

A. Certainly one of the most rewarding things for me is to know that our work matters, that it has a real and positive impact on the lives of Canadians.

As you know, it’s become fashionable in some circles to suggest that privacy is pretty much dead in this era of digital exhibitionism. But I think that’s totally wrong. And the best evidence for that was the worldwide response to our Facebook investigation.

Privacy may look different today than it did a generation – or even a decade – ago. But it remains an incredibly important and cherished value to Canadians. And to the extent that my Office can help protect that value, and advance privacy rights, I would say that is the most rewarding aspect of my job.

Q. What do you consider to be the greatest challenges for the Office of the Privacy Commissioner of Canada?

A. Our biggest challenges are the same that preoccupy data-protection authorities around the world: How to safeguard privacy rights in the face of so many rapidly changing technologies. You yourself have blogged about many of them – cloud computing, behavioural marketing, genetic technologies, to name just a few.

We’re seeing unimaginable quantities of data flash around the world, including to countries where data-protection laws are slim to non-existent. We’re also seeing technologies employed in the service of national security and law enforcement, but they’re guarded behind a wall of secrecy.

So the challenges are real, and they are huge.

Q. So how does an Office like yours keep up?

A. I guess the short answer is: By working smarter. We have zeroed in on four priority privacy challenges that are shaping and streamlining our work for the years ahead: information technology, genetic technology, national security and the protection of identity integrity.

We are re-engineering our internal processes to better handle the complaints and inquiries that come to our Office. We’re picking and choosing our privacy audits and our communications and public outreach efforts in order to maximize our impact. We’re ramping up our issuance of guidance, on the theory that an ounce of prevention outweighs a pound of cure. And we’re working with the global data-protection community, since so many of the challenges are international in scope.

But, most important of all, we’ve recently attracted an infusion of very bright, very knowledgeable – and in many cases young – new employees to key positions in our Office. They are really making a difference.

Q. If you could make a few recommendations for Canadian business leaders, what would you say?

A. First I’d thank them for having embraced PIPEDA, the Personal Information Protection and Electronic Documents Act as it came into force over the past nine years. When I look at the situation of our neighbours to the south, where there is no single law at the federal level to protect the personal information of consumers in a commercial setting, I am deeply gratified by the way things can work up here.

Beyond that, I would encourage business leaders to continue to consult the guidelines we issue on specific topics for the purpose of clarifying the responsibilities of organizations under PIPEDA. And we invite them to work with us to fill any other information gaps they may have encountered.

I also want to take this opportunity to mention that data breach notification will become mandatory – and I suspect that will happen sooner rather than later. So I would encourage business leaders to start giving some thought now to how they can bring their processes into compliance. 

Q. Do you have any “privacy-related” predictions for 2010?

A. I don’t think you need a crystal ball to conclude that national security will continue to dominate the privacy landscape in the year ahead. The controversy that erupted over Transport Canada’s deployment of millimetre-wave scanners at Canadian airports was just the first of the privacy-related issues that we can expect to be hearing about in 2010.

And stay tuned for more during and after the Vancouver Olympics. There, one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all the cameras and recordings after the flame is extinguished.

I’ll just mention two other issues of particular interest to our Office, because we will be consulting Canadians on them in the next few months. The first will focus on the tracking, profiling and targeting of consumers by marketers and other businesses, and we’ll be hosting consultation forums on that topic in Toronto in April and Montreal in May. Soon after, we’ll organize another forum to discuss the privacy implications of cloud computing.

10 Comments | Airport Security, Government, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Privacy Commissioner of Canada, Security | Tagged: , , , , , , , | Permalink
Posted by Brian Bowman

Privacy folks crying wolf on scanners

January 7, 2010

Will the virtual strip-search scanners soon to be operational in Winnipeg’s Richardson International Airport be an invasion of privacy? Absolutely. Should they be installed despite privacy concerns? Absolutely.

Read more>>

You may note that the above link takes you to the Winnipeg Sun.  I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis.  I hope you find them of interest!

1 Comment | Airport Security, Personal Information, Privacy, Privacy Commissioner, Security | Tagged: , , , | Permalink
Posted by Brian Bowman

Monitoring employee e-mail: A privacy primer

January 4, 2010

Since e-mail has become the dominant form of business correspondence, employers have been increasingly forced to deal with issues related to e-mail use, monitoring and access. It’s crucial that organizations stay on top of the legal landscape as it relates to e-mail monitoring, especially as it relates to privacy issues.

Unfortunately, privacy law does not offer black and white answers to the legal issues raised by e-mail monitoring practices. Instead, and like most other privacy law issues, the standard of “reasonableness” rules the day.

I recently penned an article on point (link below) with my colleague Andrew Buck (who is currently completing his Articles at Pitblado LLP) for the Canadian Bar Association’s National Privacy & Access Law section newsletter, Privacy Pages. Our article examines some of the case law and commentary that has arisen from e-mail monitoring with a view towards setting out practical solutions for the creation of “reasonable” e-mail monitoring practices. If you’re interested in reading the full article, please click on the link below.

Monitoring employee e-mail: a privacy primer

1 Comment | Access to Information, E-mail, Employee Monitoring, Monitoring, Personal Information, PIPA, PIPEDA, Privacy, Technology | Tagged: , , , | Permalink
Posted by Brian Bowman

Mandatory privacy breach notification requirement inevitable

December 15, 2009

For years now, Ontario’s Personal Health Information Protection Act has contained provisions requiring health custodians to notify individuals if their personal health information is stolen, lost or accessed by unauthorized persons.  Until now, such mandatory privacy breach notification provisions have been limited to the sphere of health care in Ontario. That’s about to change.

The federal Personal Information Protection and Electronic Documents Act will likely contain mandatory privacy breach notification provisions in the near future. Since 2006, Special Committees at both the Federal and Provincial (Alberta and B.C.) levels have convened and generated a series of recommendations relating to breach notification.  For further information on these recommendations, see the final reports of the Federal , Alberta and B.C. committees.

The most important recommendation independently generated by each of the committees provides that organizations should be under a statutory breach notification duty.  On October 27, 2009, the initial step toward implementing this recommendation was taken in the Alberta Legislature with the first reading of Bill 54: Personal Information Protection Amendment Act, 2009.  The Alberta privacy breach notification provisions will soon come into force. British Columbia and the Feds are expected to follow suit and implement similar requirements in the near future. When that occurs, private sector organizations across Canada will be required by applicable law to notify affected individuals when privacy breaches occur.

The best advice is to make sure that privacy protection policies, procedures and training are implemented and enforced… now.

Leave a Comment » | Personal Information, PHIA, PIPEDA, Privacy, Privacy Breach | Tagged: , , , , | Permalink
Posted by Brian Bowman

Manitoba private sector privacy legislation: An insurmountable goal?

December 11, 2009

University of Manitoba law student, Courtney Pope, has just drafted an in-depth paper (below) on Bill 219The Personal Information Protection and Identity Theft Protection Act. As I’ve previously posted here, Bill 219 seeks to regulate the management of personal information by organizations in the Manitoba private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). 

Courtney’s paper, entitled “Bill 219: An Insurmountable Goal”, argues that the law is necessary in order to “effectively protect the privacy rights of all Manitobans”.  The paper outlines the main features of the Bill; examines the role of PIPEDA and the concept of “substantially similar” legislation; and analyzes the main arguments advanced for and against the Bill, as expressed in Hansard and in the context of the Bill’s legislative history. Courtney also advances theories regarding the major impediments to its passing.

Courtney was a summer student at Pitblado LLP this past summer and will (fortunately for us) be returning in the New Year to complete her Articles.  Thanks to Courtney for sharing her paper, which you can read by clicking on the hyperlink below.

Bill 219: An Insurmountable Goal

Leave a Comment » | Bill 219, Personal Information, PIPEDA, Privacy | Tagged: , , , , | Permalink
Posted by Brian Bowman

Redactions gone terribly wrong

December 9, 2009

CTV News is reporting that the U.S. federal government improperly posted an internal guide to its airport passenger screening procedures on the Internet in a way that could offer valuable tools to terrorists. The guide was posted on the U.S. Federal Business Opportunity website, but the sensitive information (which was electronically redacted, or blacked out) was not properly protected.  Some websites, using widely available software, were able to uncover the original text of sections that had been redacted.

This situation is an example of redactions gone terribly wrong!  And it should serve as a reminder to public and private sector organizations to take extra care when making redactions in documents that will be released to third parties. Different redaction strategies can be implemented depending on the circumstances. One strategy that I implement when records will be posted online is to make my redactions and then physically scan the document and save it as a PDF. It’s a basic way to protect sensitive portions of records.  Please feel free to post a Comment below with other suggested strategies for making secure redactions.

Leave a Comment » | Airport Security, Data Protection, Personal Information, Privacy, Redactions, Safeguarding, Security, Security Breach | Tagged: , , , , , , | Permalink
Posted by Brian Bowman

Rogue employees pose risk to privacy compliance, corporate info

November 18, 2009

The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies.  Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.

As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.

3 Comments | Data Protection, Due Diligence, Personal Information, PIPA, PIPEDA, Privacy, Privacy Breach, Safeguarding, Safekeeping, Security | Tagged: , , , , , , , , , , | Permalink
Posted by Brian Bowman

“Identity theft” law comes into force

October 27, 2009

You may know someone who has been a victim of identity theft. What you may not know is that, before today, police couldn’t charge fraudsters with “identity theft”. That changed when Bill S-4 was given Royal Assent by Parliament earlier today.

Thanks to the bill, titled An Act to amend the Criminal Code (identity theft and related misconduct), there are now three new Criminal Code offences related to identity theft:

  • Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime;
  • Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information; and
  • Unlawfully possessing or trafficking in government-issued identity documents that contain information of another person.

Before Bill S-4 came into effect, police had to use other Criminal Code provisions to target identity theft. Today’s development should help law enforcement officials attack a growing problem: the Canadian Council of Better Business Bureaus has estimated that identity theft may cost Canadians more than $2 billion annually.

Leave a Comment » | Data Protection, Identity Theft, Personal Information, Phishing, Privacy | Tagged: , , | Permalink
Posted by Brian Bowman

Privacy vs. security in the Internet age

October 19, 2009

Access to information 10The Federal Government’s recent initiative to modernize law enforcement related legislation for the Internet age has (at least within law enforcement and privacy circles) once again propelled the issue of privacy vs. security to the forefront. The issues are incredibly important for Canadians, yet there has been little debate within the wider public. That being said, I’m pleased to read Ian MacLeod’s recent Ottawa Citizen article, which (even if you don’t agree with some of the points) does a good job of raising the issues in plain language. For a more technical analysis of the legal issues, you may want to read fellow blogger David Fraser’s post regarding the debate about warrantless access to ISP customer information.

The debate surrounding the “lawful access” legislation stems from real challenges affecting Canada’s law enforcement agencies and their need for access to personal information in the course of investigations. What is concerning, however, is the prospect of warrantless searches without judicial oversight. As a citizen in a free and democratic society, it troubles me to see any legislative initiative that could lead to investigations without appropriate checks and balances.  Privacy and security don’t need to be mutually exclusive. Let’s hope that through the upcoming Parliamentary Hearings on the “lawful access” legislation we see a balance emerge between privacy and security in such a way that empowers law enforcement agencies while preserving the judicial oversight that Canadians have come to rightfully expect in our society.

Leave a Comment » | Access to Information, Internet, Lawful Access, Online Reputation Management, Personal Information, Privacy, Security | Tagged: , , , , , , | Permalink
Posted by Brian Bowman

« Previous Entries
Next Entries »
Follow

Get every new post delivered to your Inbox.

Join 77 other followers