The Australian and New Zealand Privacy Commissioners recently released studies examining the use of Portable Storage Devices (PSDs) by their governmental agencies. The aim was to examine the risks to personal information posed by the use of PSDs. PSDs are small, convenient devices that are capable of storing large amounts of information including laptops, cell phones, USBs, hard drives and iPods.
The studies found that government agencies often keep track of the PSDs they issue but seldom do audit checks on those devices. Policies regulating the proper usage are often developed, but rarely enforced. Hardware controls (i.e. sealing off ports and disabling cables) are used less frequently than software controls (i.e. blocking access to certain databases, monitoring access and information downloaded, etc.).
The majority of agencies (like most private sector businesses in Canada) also allow the use of private PSDs for work (i.e. a cell phone which is used for both personal and business purposes). The studies found that policies regarding the use of private PSDs were less common and much less enforceable than policies for agency-issued PSDs. Even though these studies only analyzed governmental use, the New Zealand Privacy Commissioner stated that she believed the findings were equally applicable to private sector businesses as well.
As I’ve commented in previous posts, there are privacy risks associated with the use of PSDs. First of all, there have been numerous incidents of stolen laptops and other PSDs that contained personal information. Secondly, devices such as USBs are easy to lose. Thirdly, disgruntled employees can easily use PSDs to steal personal information and other confidential corporate information from employers. For example, an employee can simply click a button and download a company’s entire database in a matter of minutes. This is called “pod-slurping” and is especially a threat given the fact that many government agencies and private companies do not have the software capability to track when data has been downloaded to a PSD.
In order to avoid a privacy breach and resulting damage to your business, consider implementing some of the suggestions contained in a 2006 investigation by the Alberta Privacy Commissioner (which I would add should, of course, be implemented in accordance with your organization’s privacy policy and applicable law):
Develop policies on proper usage of PSDs (whether company-issued or private) and train employees about these policies. Include detailed instructions about retention and deletion of personal information;
Limit the amount of personal information that is stored on PSDs;
Use encryption on all PSDs that store personal information. Password protection alone is not sufficient as there are free software programs available on the Internet which can crack passwords;
Monitor the use of PSDs through software (i.e. install software that tracks data downloaded from a database onto a PSD);
Instead of using PSDs, implement technologies that allow employees to access a database through a secure network;
With respect to laptop thefts, consider installing tracking software that can trace the location of a lost laptop. Also consider installing a “kill switch” so that the computer will self-destruct if an individual tries to gain unauthorized access; and
Stress to employees the need to use appropriate safeguards at all times, even when at home.
Today’s National Post story about a Nova Scotia judge’s decision to allow the publication of a private conversation between Natural Resources Minister Lisa Raitt and her former aide casts a spotlight on a murky area of privacy law.
As reported by the National Post, the unusual case raises questions about what constitutes a “reasonable expectation” of privacy in a world where digital recorders and handheld wireless devices are omnipresent. As I’m quoted in the story, “[researchers] said some years ago that new privacy rules were going to put existing business practices under a microscope. I think what we’re seeing now is technologies are putting existing legal principles under a microscope.” Fellow blogger Dan Michaluk is also quoted.
The posting of a YouTube video of a woman throwing a tantrum at the Hong Kong International Airport should serve as a reminder to Canadian businesses that employees these days can (and do) easily record and post videos online from their mobile phones.
The three minute video shows a Cathay Pacific customer yelling and flailing her limbs as she lies on the floor after missing her flight from Hong Kong to San Francisco. I’ve been upset at missing a flight before, but the woman in this video takes things to an entirely new level. The video has drawn over five millions views and nearly 21,000 comments, which has resulted in some incredibly cruel and objectionable online commentary about the woman. Since the release of the video, Cathay Pacific has disciplined the gate worker who recorded the video on his mobile phone (although the video was posted on YouTube by a third party) and the company has issued a formal apology to the woman.
The video is noteworthy because it demonstrates the power of new technologies such as YouTube and the corresponding risks to Canadian businesses. Had the video been recorded by an employee of a Canadian business, subject to Canadian privacy laws, the potential privacy complaint and/or lawsuit by the woman in the video could have been substantial.
Canadian businesses should be reminded of the need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.
Canadian businesses don’t need to look too far to find examples where more effective employee privacy training may have mitigated, or even prevented, privacy complaints.
The Bill has been introduced as a private member’s Bill by Mavis Taillieu of the Opposition Progressive Conservative Party of Manitoba. It seeks to regulate the collection, use and disclosure of personal information by organizations in the private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). It would also establish a duty for organizations to notify individuals who may be affected when the personal information an organization has collected is lost, stolen or compromised. Such a requirement would be groundbreaking in Canada (notwithstanding Ontario’s Personal Health Information Protection Act, which has a mandatory breach notification requirement).
Regrettably, the Government of Manitoba indicated in the Legislative Assembly debate last week that it has two primary concerns with the Bill. The first concern is that the Bill lacks an independent oversight body such as a Privacy Commissioner of Manitoba. Legislative rules prevent private member’s Bills from containing financial penalties and so the Bill could not contain such provisions. However, the government could add those provisions in amendments. In fact, I assisted with the drafting of the Bill and would happily provide the government with the relevant provisions. The second concern raised by the government is that the Bill would introduce legislation in Manitoba that (according to the government) would regulate activities in the private sector already governed by PIPEDA. However, PIPEDA does not apply to the activities of private sector organizations in provinces such as Alberta and British Columbia, both of whom have Personal Information Protection Acts, because PIPEDA does not apply where “substantially similar” provincial legislation exists.
The Bill was first introduced in 2005 and since that time the need for such a law has significantly grown. It’s modelled after Alberta’s Personal Information Protection Act, which provides a more business-friendly and clear legislative scheme than PIPEDA. As I’ve previously argued, it would be good policy for the Government of Manitoba to support the Bill and I once again urge them to do so.
If you want a more business-friendly privacy law in Manitoba, I’d strongly encourage you to contact the Government of Manitoba and Mavis Taillieu to indicate your support.
Additional coverage on this topic by the Canadian HR Reporter here.
Businesses are increasingly being asked to reduce their “carbon footprint”. And while many customers are interested in doing business with organizations that are trying to reduce their carbon footprint, many customers are also concerned about their own “digital footprints“.
The Discovery Channel has an interesting online tool that allows you to play a simple scenario by conducting your normal transactions as you would on any given day. Doing so shows you how often you provide your personal information to businesses and governments. You can then play the scenario again to try to reduce your digital footprint. Click here to play!
Businesses can help reduce their customer’s digital footprints by ensuring they only collect the personal information of customers necessary for the purposes identified by the organization and required for particular transactions. Additionally, businesses should avoid collecting personal information indiscriminately. As I’ve mentioned in a previous post, reducing the volume of personal information that a business collects (and is then responsible for safeguarding and destroying in accordance with applicable privacy laws) helps customers to reduce their “digital footprints”. It also helps businesses to comply with privacy laws like PIPEDA and improve customer relations.
My September 3, 2008 column in the Winnipeg Free Press reports on the findings of the Privacy Commissioner of Canada regarding canada.com’s outsourcing to a U.S. based service provider. The finding highlights the complexities of Canadian and U.S. laws as they relate to the personal information of customers and reminds Canadian businesses of the need to have legal agreements with third party service providers, especially those located in the U.S.
My December 3, 2008 column in the Winnipeg Free Press details the problems businesses can get in to when they keep every single piece of information on their customers, even when they no longer need it.
My April 5, 2006 column in the Winnipeg Free Press reports on the implication of Canadian businesses using American companies to store Canadian personal information.
In today’s economy, information is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. My September 6, 2006 column for the Winnipeg Free Press discusses the importance of protecting corporate information.
This blog provides practical assistance to Canadian businesses so they can better deal with issues related to privacy, access to information and social media law. I hope you subscribe to this blog via RSS (below) or via e-mail (below) so that you can receive timely updates to new posts. Thanks, Brian
This blog is presented for informational purposes only. Content does not constitute legal advice or solicitation and does not create solicitor-client relationship. Views expressed are solely the author's and should not be attributed to any other party, including Pitblado LLP or its clients. The author makes no guarantees regarding the accuracy or adequacy of the information contained herein or linked to via this blog. The author is not able to provide free legal advice. If you are seeking advice on specific matters, please contact Brian Bowman at (204) 956.3520 or bowman@pitblado.com, but please be aware that any unsolicited information sent to the author cannot be considered to be solicitor-client privileged. Comments published on this blog do not reflect the views of Brian Bowman, Pitblado LLP or its clients.
The Australian and New Zealand Privacy Commissioners recently released studies examining the use of Portable Storage Devices (PSDs) by their governmental agencies. The aim was to examine the risks to personal information posed by the use of PSDs. PSDs are small, convenient devices that are capable of storing large amounts of information including laptops, cell phones, USBs, hard drives and iPods.
Posted by Brian Bowman 
Today’s 
The 
Businesses are increasingly being asked to reduce their “carbon footprint”. And while many customers are interested in doing business with organizations that are trying to reduce their carbon footprint, many customers are also concerned about their own “
Canada, U.S. laws on privacy complex
Data “packrats” failing customers: Companies need policies on retention
Outsourcing comes with risks; U.S. service providers bring privacy concerns 
Information requires safekeeping
