Lessons from the Veterans Affairs Canada privacy breach

October 8, 2010

The recent headlines over the Veterans Affairs Canada privacy breach should serve as a useful reminder to all organizations, public and private sector alike, of the necessity to implement internal policies and procedures for the management of personal information. Much media attention these days goes to privacy breaches that involve external parties, such as hackers who defeat an organization’s security safeguards. However, in my experience the bigger threat to privacy is often from within an organization.

In this recent case involving Veterans Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veterans Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.

The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:

  • “Take immediate steps to develop an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the department.
  • Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only.  Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
  • Provide training for employees about appropriate personal information-handling practices.
  • Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”

Data Security Budgets to Rocket

September 16, 2010

PricewaterhouseCoopers (PwC) has just released its Global State of Information Security Survey, which says that corporate spending on data security will increase sharply in the coming years. ComputerWeekly.com reports that more than half of respondents to the PwC survey say that their companies plan to spend more on technological defences against security breaches, an increase of 14% from last year. The survey also reveals that the impact of security breaches is growing. According to ComputerWeekly.com, “the number of companies reporting financial losses from data breaches increased 6% in the past year to 20%, up from only 8% in 2008. Intellectual property theft has increased to affect 15% of companies reporting data breaches, up from just 5% in 2008. An increase in the number of sophisticated attacks aimed at stealing information from specific companies is also driving increased security spending according to the Financial Times.”

The PwC survey shows that spending is shifting to the monitoring of company networks, at a time when more employees are bringing their own PDAs and computers into the workplace. But as PwC states, businesses should be making employees the first line of defence against data leaks.

The PwC survey and commentary serve as a reminder of the need to focus resources for data security (and privacy law compliance) strategically. This means investing in technological safeguards, but it should also mean investing in privacy training for your staff. It’s an important point because so many of the privacy breaches these days result from mistakes, or human error, by one’s own employees. I’d suggest that you compare your organization’s line item for network monitoring with your line item (if it exists) for privacy training. Are your privacy risk mitigation efforts as strategic as they could be?


The top 5 mistakes of privacy awareness programs: Computerworld

February 10, 2010

Computerworld has just published an excellent article which highlights the top five (5) mistakes that companies often make when educating employees about data protection.

Read the Computerworld article here!


2010 Privacy Prep Webinar: New dates added

November 23, 2009

I’ll be hosting a 2010 Privacy Prep Webinar on Tuesday, January 12th from 12:00 – 12:30 PM (CST). (FULL)  Due to high demand, new dates added: Wednesday, January 13th from 12:00 – 12:30 PM (CST) and Thursday, January 14th from 12:00 – 12:30 PM (CST).

This complimentary 30 minute webinar will provide a plain language overview of the most significant privacy issues/events of 2009 and, more importantly, prepare you and your business for 2010.  Among other things, I’ll highlight notable court cases and privacy commissioner findings from 2009 as well as point out anticipated privacy issues likely to affect Canadian businesses in the coming year.

Space is limited so please RSVP early by emailing me at bowman@pitblado.com.


Help me help you! Join the conversation.

November 13, 2009

In the words of Jerry Maguire, “Help me help you!” 

I’d like to know what topics you want discussed on this blog.  So please join the conversation by giving me your ideas on my new Submit a Topic! page.  I’ll then consider drafting a post on your topic!

I may not be able to “Show you the Money!”, but I’ll do my best to address cutting edge legal issues of interest to you and your business.


Information & Ideas team speaks out on slaw.ca

May 29, 2009

It’s been a thrilling week for my colleagues at Pitblado LLP, as it was announced earlier this week that we were to be the first Canadian law firm to be a guest blogger on the must-read slaw.ca. Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group and our firm’s librarian each contributed one post a day this week to slaw.ca on cutting edge legal topics. Here’s what we covered…

On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross-posted on my blog earlier this week. The post highlights a YouTube video of an irate customer as a reminder to Canadian businesses of the power of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.

On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter.  As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.

On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions.  For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.

On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.

And last but not least, today Adam Herstein posted “Manitoba: Innovative Fighter of Child Sexual Exploitation”, which focuses on Manitoba’s recent enactment of The Child and Family Services Amendment Act (Child Pornography Reporting) (Manitoba) and how Manitoba is the first province in Canada to enact legislation that makes it mandatory for a person who encounters child pornography to report it to authorities.  Adam also notes that Canada has a national tipline called Cybertip.ca for reporting the sexual exploitation of children.

Thanks to slaw.ca for the opportunity to contribute!


What would happen if one of your employees posted a video of an irate customer on YouTube?

May 25, 2009


The posting of a YouTube video of a woman throwing a tantrum at the Hong Kong International Airport should serve as a reminder to Canadian businesses that employees these days can (and do) easily record and post videos online from their mobile phones.

The three minute video shows a Cathay Pacific customer yelling and flailing her limbs as she lies on the floor after missing her flight from Hong Kong to San Francisco. I’ve been upset at missing a flight before, but the woman in this video takes things to an entirely new level. The video has drawn over five million views and nearly 21,000 comments, which has resulted in some incredibly cruel and objectionable online commentary about the woman. Since the release of the video, Cathay Pacific has disciplined the gate worker who recorded the video on his mobile phone (although the video was posted on YouTube by a third party) and the company has issued a formal apology to the woman.

The video is noteworthy because it demonstrates the power of new technologies such as YouTube and the corresponding risks to Canadian businesses. Had the video been recorded by an employee of a Canadian business, subject to Canadian privacy laws, the potential privacy complaint and/or lawsuit by the woman in the video could have been substantial. 

Canadian businesses should be reminded of the need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.

Canadian businesses don’t need to look too far to find examples where more effective employee privacy training may have mitigated, or even prevented, privacy complaints.



Upcoming Canadian Privacy Law Conferences

April 13, 2009

Ongoing privacy training is a vital tool to assist with privacy law compliance. In this respect, the following Canadian privacy law conferences in the coming months may be of interest to you or others in your organization:

  • On May 20, 2009, the Manitoba Bar Association will be hosting an IP/Technology Section luncheon where I will be speaking about emerging privacy issues. Of course, you need to be a member or a guest of the Manitoba Bar Association to attend.
  • On May 27 and 28, 2009, I will be one of several speakers in Toronto for The Canadian Institute’s Meeting your Privacy Obligations conference where I will be speaking on the topic of ‘Demystifying the confusing area of lawful disclosure’.
  • From June 10-12th, the University of Alberta will be hosting the 2009 Access and Privacy Conference: The Pursuit of Truth.
  • From June 17 – 19th, I will be speaking in Winnipeg at the National Credit Institute’s 2009 CIC National Conference: “Back to our Roots, Forward to our Future” on the privacy law matters affecting those in the credit industry.
  • The Privacy Security Trust 2009 (PST2009) will be hosting the Seventh Annual International Conference on Privacy, Security and Trust in Saint John, New Brunswick from August 25 – 27, 2009.
  • The 2009 IEEE International Conference on Information Privacy, Security, Risk and Trust will be held in Vancouver, British Columbia from August 29 – 31, 2009.
  • If there are other Canadian privacy law conferences in the coming months that I haven’t listed, please post a Comment or drop me an e-mail so I can update this post. If you, or your industry association, are interested in more focussed privacy training, please let me know as I regularly conduct in-house privacy training sessions for clients.


Privacy newsletters worth checking out

March 16, 2009

If you’re a privacy professional, you’re likely overwhelmed with the ongoing task of staying on top of legal, industry and technology developments. As you know, there’s no shortage of issues these days. Hopefully, this blog is helping your efforts!

But if you work for a private sector organization and haven’t yet signed up for the federal Privacy Commissioner’s e-newsletter entitled Privacy Perspectives, I’d suggest you do. It contains great information and helps you stay on top of things.

If you’re in Manitoba and work for a public body, the Winter 2009 Issue of Manitoba OmbudsNews was published last Friday on the Manitoba Ombudsman’s website. It’s also a great resource.

If you’re still in need of ongoing assistance and aren’t already a member of the Privacy Forum, you may want to touch base with me to learn more. It has been a super venue over the last 6 years for information sharing and the current members are an excellent group of individuals and first rate privacy professionals.


Getting staff “buy-in” on privacy compliance

February 25, 2009

I chaired a lively Privacy Forum member meeting yesterday, which included a great discussion on how to get staff “buy-in” on privacy compliance. It’s an important topic because an organization can have comprehensive privacy policies and procedures, but if employees don’t “buy-in” they won’t implement the policies and procedures properly.

The important thing is to develop a culture of privacy within the workplace. Fostering a workplace culture where privacy is valued and respected contributes to good employee morale and mutual trust. It also helps employees to identify privacy issues before they become privacy complaints (which can result in costly grievances, lawsuits or settlements). After all, it’s employees that are on the front line with customers, and how employees respond to privacy related questions or concerns can make a big difference.

When I conduct privacy training sessions for clients, I always remind employees that while privacy compliance is the law, it’s also important because good privacy practices can improve customer relations, increase efficiencies and mitigate time-consuming and costly privacy complaints. I also try to make privacy compliance fun! No, this is not a misprint…I said “fun”. Privacy Forum members had some great suggestions on how to make privacy compliance fun and, in doing so, help to get staff “buy-in” on privacy compliance.

Please post a Comment below on ways that you or your organization tries to get staff “buy-in” on privacy.
