Canada’s Privacy Commissioner has just released the final report of her Office’s consultations on the online tracking, profiling and targeting of consumers by marketers and other businesses. “Most people have no idea about the rich trail of data they leave behind when they browse the Internet, use social networking sites, or engage the geo-location functions of their mobile devices,” the Commissioner observed. Organizations that track the online activities of Canadians must be more upfront about their practices, Privacy Commissioner Jennifer Stoddart has concluded… “it comes down to meaningful consent, which entails informed consent”.
Fines needed to help stem growing data breaches, Privacy Commissioner says
May 4, 2011
The Privacy Commissioner of Canada has called for legislation empowering her to impose substantial fines against major corporations that fail to adequately protect Canadians’ personal information from preventable breaches.
“I am deeply troubled by the large number of major breaches we are seeing, including serious incidents in recent weeks that have affected hundreds of thousands of Canadians,” Jennifer Stoddart said in a speech today at the Canada 3.0 forum in Stratford, Ont. “It seems to me that it’s time to begin imposing fines – significant, attention-getting fines – on companies when poor privacy and security practices lead to breaches.” To learn more, read the complete news release.
Canada’s Privacy Commissioner releases latest Privacy Perspectives e-newsletter
March 16, 2011
Canada’s Privacy Commissioner has just released her latest e-newsletter, Privacy Perspectives. Today’s installment includes:
Lessons from the Veterans Affairs Canada privacy breach
October 8, 2010
The recent headlines over the Veterans Affairs Canada privacy breach should serve as a useful reminder to all organizations – public and private sector – of the necessity to implement internal policies and procedures for the management of personal information. Much attention is paid these days by the media to privacy breaches that involve external parties, such as hackers, who foil the security safeguards of organizations. However, in my experience the bigger threat to privacy is often from within an organization.
In this recent case involving Veterans Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veterans Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.
The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:
- “Take immediate steps to develop an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the department.
- Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only. Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
- Provide training for employees about appropriate personal information-handling practices.
- Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”
Privacy Commissioner of Canada releases Annual Report on Privacy Act
October 5, 2010
Canada’s Privacy Commissioner, Jennifer Stoddart, released her 2009 – 2010 Annual Report to Parliament on the Privacy Act today. In her Annual Report, Stoddart says that “[t]he federal government’s use of handheld communications devices and its practices for disposing of unneeded paper documents and surplus computers could expose the personal information of Canadians to unauthorized disclosure”.
Key lessons for the private sector from today’s Annual Report include, among other things, (1) a reminder of the need to assess the threats/risks inherent in wireless communications and to fill any gaps in policies and/or practices related to smart phones, Wi-Fi networks and data stored on mobile devices and (2) ensuring that policies and procedures are in place for paper shredding and the disposal of surplus computer equipment.
Read the full Annual Report here.
Privacy Commissioner tables Annual Report on PIPEDA
June 8, 2010
Earlier today, Canada’s Privacy Commissioner, Jennifer Stoddart, submitted to Parliament the OPC’s Annual Report on PIPEDA for the period from January 1 to December 31, 2009.
As the Commissioner notes, “the dominant theme of [the OPC's] work in 2009 was the protection of privacy in an increasingly online, borderless world. A case in point was the investigation that resulted in more public attention than any other in [the OPC's] history: Facebook.” The Commissioner notes two key issues, namely, Data without borders and Risks remaining in the wake of mortgage broker breaches.
OPC asks “how many unused profiles do you have online?”
March 12, 2010
The Office of the Privacy Commissioner of Canada has just posted this excellent article about the dangers of forgetting about personal information submitted to create online profiles.
This really is the kind of personal information that identity thieves love, so the OPC article is a useful read. In fact, businesses whose employees create accounts on their behalf would be well-advised to have employees read the OPC article.
Businesses should learn from 2010 Olympics surveillance camera debate
February 16, 2010
The 2010 Olympics are finally here! So too are the reportedly pervasive crowd surveillance cameras that are monitoring spectators’ every move.
Privacy advocates are already voicing concern. But unlike previous public debates regarding privacy and surveillance cameras, I expect that the concerns that’ll be raised during and after the 2010 Olympics will be more comprehensive than the traditional “privacy vs security” debate. For instance, Jennifer Stoddart, Canada’s Privacy Commissioner, recently commented on this blog that “one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all of the cameras and recordings after the flame is extinguished.”
Of course, there are legal tests that governments (and businesses) should use to determine the appropriateness of installing surveillance cameras in the first place. But once any organization has decided to install surveillance cameras there’s a corresponding requirement to appropriately manage the data that’s collected. For instance, organizations must ensure that they have security, retention and destruction policies in place. This is the “devil in the detail” that’s often overlooked.
I expect public scrutiny of the surveillance cameras being used during the 2010 Olympics. And such scrutiny will increase public expectations on businesses to properly manage data that they too collect by surveillance cameras.
Canada’s Privacy Commissioner delivers landmark speech on the future of privacy regulation
February 10, 2010
Jennifer Stoddart, Canada’s Privacy Commissioner, delivered a landmark speech today at the 11th Annual Privacy and Security Conference in Victoria, B.C.
In her remarks, Stoddart discussed the challenge of technology, globalized data flows and social change. While reflecting on her years as Canada’s “village elder” in the privacy community, Stoddart commented:
“When I took over as Privacy Commissioner, Facebook didn’t exist. Neither did Twitter, Flickr, YouTube, Google Street View, Foursquare, iPods and all the many novel ways in which people now routinely connect with the rest of the world. And it’s not just technology that’s different; it’s other drivers of change as well. Like real-time globalization, for instance, and the instantaneous worldwide flow of data. It’s the way people embrace and respond to technology. Their expectations of what the technology can do for them, and at what cost. Is it desirable, for example, to buy greater convenience at the cost of less privacy? In light of these colossal changes over the past decade alone, it would be foolish to try to predict what the next decade will hold. But what we can say for certain is that the regulatory framework we have in place now for the protection of privacy and personal information is already being sorely tested.”
Read the Privacy Commissioner’s full remarks here.
Posted by Brian Bowman 
