Unfortunately, the provincial government’s dithering over the past decade will not help you answer these important questions.

Manitoba’s e-commerce legislation, called The Electronic Commerce and Information Act, was passed in the Manitoba Legislature in 2000. It was then billed as a cutting edge law that would help Manitobans to prosper in the online world.

Read more>>

ComputerWorld is reporting today that an IT staffing firm has accused one of its former employees of violating her non-compete undertaking through her conduct on LinkedIn. I’m not aware of any similar lawsuit to date in Canada so it’ll be interesting to see how this particular case evolves in the U.S. This case and others that I’ve previously noted highlight the blurring line between online and offline worlds. Businesses should consider whether or not, and to what extent, they should try to enforce such restrictive covenants in the social networking world. Stay tuned…

Manitoba’s Ombudsman is investigating these explosive allegations. If they are true, it is very hard to image a legal defence. But can the use of covert video surveillance ever be legal?

Read more>>

As the Commissioner notes, “the dominant theme of [the OPC's] work in 2009 was the protection of privacy in an increasingly online, borderless world. A case in point was the investigation that resulted in more public attention than any other in [the OPC's] history: Facebook.”  The Commissioner notes two key issues, namely, Data without borders and Risks remaining in the wake of mortgage broker breaches.

From today’s news release:

The Honourable Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), today announced two steps that the Government of Canada is taking to enhance the safety and security of the online marketplace. Together, the tabling of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA) and the reintroduction of anti-spam legislation in the House of Commons (the proposed Fighting Internet and Wireless Spam Act, or FISA) are important steps towards positioning Canada as a leader in the digital economy.

Here’s the full Industry Canada news release.

(Hat tip to David Fraser’s Canadian Privacy Law Blog )

Related information on this blog that may be of interest to you includes this audio link to my recent CJOB|68 radio interview with Human Resources specialist Barbara Bowes in which we discuss privacy issues in the workplace. You may also want to read this article I penned with my colleague Andrew Buck entitled Monitoring Employee Email: A Privacy Primer. And, of course, you can use the blog’s “Tags” to navigate to specific content of interest.

Read more>>

The “fuel” for many gadgets currently in the workplace is data, which may or may not relate to the employer. And I’m not just thinking of Smartphones provided by the employer.  I’m also thinking of social media websites such as Facebook and Twitter, which are often accessed after work hours on employees’ home computers.

What happens when an employer uses data gleaned from a company-owed iPhone or Blackberry to monitor an employee in the workplace? What about monitoring an employee’s Facebook page? After all, it’s not uncommon for information about an employer or its clients to appear on an employee’s Facebook page. Further, some employees have no second thoughts whatsoever about posting personal messages during paid company time. Many employers are introducing social media policies to mitigate the resulting legal risks. But how far should employers go to protect their interests?

Today’s post is the first in a series that I’ll publish in the coming weeks to provide you with an overview of legal developments regarding monitoring in the workplace, with a focus on employer monitoring of employee social media and Smartphone activities. Upcoming posts will also examine workplace privacy issues related to email, video and GPS monitoring. Stay tuned… 

In the meantime, click here to listen to my recent CJOB|68 radio interview with Human Resources specialist Barbara Bowes in which we discuss privacy issues in the workplace. You may also want to attend a complimentary Social Media in the Workplace webinar that I’ll be providing with a few of my colleagues next week (May 19th). Click here for info and to register (space is limited so register soon).

Elizabeth Denham

Denham has served as Canada’s Assistant Privacy Commissioner since 2007. Since then, and as reported by Times Colonist, she has “spearheaded a high-profile investigation into the way Facebook handles user information, which pushed the company to revamp the way it handles and shares personal information from more than 200 million users worldwide. She launched a follow-up investigation into Facebook early this year after a complaint that the default setting of the new privacy options presented to users actually made a person’s information more readily available than before the changes.”

I’ve had the pleasure of working on matters with Elizabeth Denham. She is very practical in her approach to privacy and is an extremely personable individual. As a result, B.C. will be well-served by her as she embarks in her new role. Congratulations Commissioner Denham!

Continuing a series of blog posts that I’m calling “A Conversation with…“, I’m really pleased to post the following conversation with the Information and Privacy Commissioner of Saskatchewan, Gary Dickson, Q.C.

Gary Dickson was appointed as Saskatchewan’s first full-time Information and Privacy Commissioner back in 2003, and he was re-appointed in 2009 for a further five-year term.  That’s great news because Gary Dickson has been outstanding in his role as Commissioner. On a personal note, I’ve been thrilled to watch his many successes as Commissioner. I’ve known Gary for many years. In fact, it was he who suggested that I get involved with the Canadian Bar Association at a time when some of us were trying to form what is now the CBA’s National Privacy and Access Law Section. 

Thanks to Commissioner Dickson for agreeing to take part in this online Q & A conversation.  CFL fans may find some humour in the last Q & A below. Go Bombers! If you’d like to learn more about Commissioner Dickson or the Office of the Saskatchewan Information and Privacy Commissioner (“IPC”), I’d encourage you to visit the IPC’s website.

Q. You were previously an Alberta MLA. In that capacity, you were involved in privacy law development as the critic for the Freedom of Information and the Protection of Privacy portfolio, and also on several important privacy law committees and panels. What’s it like to now be involved with privacy as the Information and Privacy Commissioner of Saskatchewan?

A. The experience is exciting, stimulating, and almost always challenging. I am very fortunate that our office has a committed team of excellent staff who are focused on ensuring that Saskatchewan residents enjoy the full benefit of our provincial access and privacy laws. I’m very lucky to continue to be involved with such a fascinating area but from a very different perspective than that of a lawmaker. It has been very useful to have had that experience in the development of access and privacy legislation before I assumed the new Commissioner role in Saskatchewan. I hope that I am more aware and more sympathetic to the challenges and issues that arise with any access and privacy law for front line workers. It has certainly motivated me to promote wherever possible making such laws simpler and more accessible to the people who must administer them and for those who are the ‘data subjects’. I have also enjoyed the opportunity to modestly influence the way that our access and privacy laws are viewed and understood. My experience in Saskatchewan has been that those who work in public bodies or health trustee organizations genuinely want to do the ‘right thing’ in terms of transparency and privacy protection but are often unsure on where the line is drawn and are unfamiliar with best practices that have evolved over the last 26 years in Canada. As a result, a major focus for my initial five years in Saskatchewan has been on raising awareness and creating tools to assist those workers meet their statutory responsibilities.

Q. While Alberta, Quebec, British Columbia and Ontario (for personal health information only) have provincial privacy laws that are “substantially similar” to PIPEDA, Saskatchewan does not. Is it time for that to change?

A. I have for the last six years encouraged the former provincial government and now the current government to carefully consider the advantages of adopting a PIPA type law based on the B.C. and Alberta experience. As it stands, our fundraising foundations and NGOs, including those that deal with significant amounts of sensitive, prejudicial personal information are effectively unregulated. We often hear complaints from employees working in private businesses (not federal works, undertakings, etc.) who are extremely disappointed and upset when we tell them that they do not have the same privacy protection guaranteed to all public sector employees in Saskatchewan. I must acknowledge that the federal Privacy Commissioner has recently undertaken a pilot project in Saskatchewan to raise awareness of PIPEDA but this exercise also has highlighted how big the knowledge deficit is in the small and medium sized business sector. I remain of the view that Saskatchewan individuals, businesses and charitable NGOs should all benefit from a simple private sector privacy law. This could be designed to complement and harmonize with our public sector FOIP and Local Authority FOIP Acts and our Health Information Protection Act. It would allow for a more seamless kind of privacy protection that would be simpler for those organizations and for residents. I notice that the impetus for PIPA in BC and Alberta was really business organizations such as Chambers of Commerce realizing that PIPEDA is in some respects cumbersome and deficient for the SME sector. Business organizations in Saskatchewan do not appear to have adopted that view.

Q. The Saskatchewan Gaming Corporation has been recognized as a positive privacy story. What has it done, and what role has your office had in this development?

A. This is a good example of how an Information and Privacy Commission office can perhaps achieve more through consultation than by emphasizing the enforcement role. We started out a year ago with a complaint that the Casino Box Office in Regina required anyone purchasing a ticket for a show to provide name and contact information even if purchasing the ticket with cash. When we followed up with the Saskatchewan Gaming Corporation that operates the casinos in Regina and Moose Jaw, we found no senior identified FOIP Coordinator or Privacy Officer, no appropriate policies and procedures and no comprehensive training program for staff. Instead of focusing solely on the collection of personal information by the Box Office, we spent the better part of the year working with the Corporation in fundamentally reorganizing to meet its FOIP responsibilities as a ‘government institution’. With the assistance of a Portfolio Officer from our OIPC, the Corporation made a senior Vice President the new Privacy Officer and FOIP Coordinator. Comprehensive policies were put in place and a new FOIP training program rolled out. In the casino, the Box Office now only collects personal information if the ticket purchaser volunteered that information but it is no longer mandatory. In addition, prominent signage now advises customers of the Corporation’s information collection practices. There is also new literature readily available to customers. I think that as a result of our collaboration the Corporation and its leadership now view our office as a useful resource and as an office genuinely committed to operating on the basis of cooperation and collaboration.

Q. You’ve published a best practices guide for mobile device security. It’s getting easier to collect and store personal information, but are we keeping up with our privacy responsibilities in the meantime?

A. I’m afraid that privacy risks are not always top-of-mind for organizations embarking on new IT programs, systems, etc. Although we have developed a Privacy Impact Assessment tool available on our website, there is no statutory requirement that a PIA be done by a public body or health trustee before proceeding with new technology. What is perhaps even more troubling is that we see problems with old technology. Our office brought out a FAX advisory after we found a number of health information trustees didn’t appreciate that when the modern multi-use copier machine is sold as surplus equipment it likely will contain memory of the documents it has processed and perhaps substantial amount of personal health information. Look at the number of cases that have come to Information and Privacy Commissioners across the country that involved theft of unencrypted laptops. So, the short answer is that many organizations are not keeping up with their privacy responsibilities. The education and compliance challenge continues apace.

Q. Your office opened more than double the amount of case files in 2009 than it did in 2008. Is this number going up because of inadequate privacy practices, because the public is becoming more aware of its privacy rights, or both?

A. Good question. I think the answer is some of both. I believe there is significantly higher privacy awareness with the organizations that my office oversees and also greater public awareness. The difficult question is how accurately we can assess what is going with all approximate 3000 organizations that we oversee given that we are largely in a reactive role. In any given year if we are dealing with 200 organizations are these just the few ‘bad apples’ or is this indicative of widespread non-compliance. We simply don’t have the resources to be able to accurately assess and catalogue privacy compliance province wide. At the end of the day however, whatever the reason for the large increase in case files there is an indication that a lot more work is yet to be done to move to a more pervasive privacy protective culture.

Q. Looking forward, what kind of privacy developments should we watch for in 2010?

A. One of the interesting ‘growth’ areas will be the electronic health record. Our office just issued our first Investigation Report (H2010-001) dealing with our electronic health record now in development. This involved a pharmacist who entered the Pharmaceutical Information Program database on nine different occasions to view medication profiles for three individuals who were not patients/customers of that pharmacist of the pharmacy he worked for. We identified a number of problems in terms of HIPA compliance with the pharmacy, the regional health authority and the Ministry of Health. We also issued more than 20 recommendations for remedial action. Since the electronic health record is still some distance from completion, I anticipate that there may be more of this type of complaints touching on some element or another of the E.H.R. In fact, at the end of my Investigation Report, I included a Postscript which incorporated a number of broader considerations that this particular case highlighted.

We will be carefully monitoring changes to our health information regulations that enable regional health authorities to disclose certain personal health information of patients to hospital foundations without prior consent of those patients.

Finally, we are witnessing a number of new information and data-sharing initiatives with Executive Government and we expect to be busy considering these initiatives in the next few years.

Q. And, finally, how many points do you think the Winnipeg Blue Bombers will beat the Saskatchewan Roughriders this year in the Labour Day Classic game?

A. I love the fact that all of those Bomber fans come to Regina and generously spend their dollars in our hotels and restaurants and I always feel badly for their long drive back to Winnipeg. Sorry Brian but I don’t see that the return trip to Winnipeg is likely to be any more joyous in 2010!!

Canadian employees – in ever increasing numbers – are blogging, tweeting and accessing social networking websites. These forms of social media are increasing the legal risks for Canadian businesses. These risks include disgruntled employees intentionally revealing trade secrets, defaming supervisors, harassing co-workers, or posting negative information about their employers’ business. There are even additional threats resulting from loyal employees who inadvertently disclose information online that runs afoul of security, privacy and competition laws. Join us for this 75 minute webinar during which we will discuss:

• The legal do’s and don’ts of monitoring employee social media activities during and after work hours;
• Tips for creating meaningful social media policies;
• Tips for dealing with privacy and competition law, and securities regulatory risks; and
• How to deal with potential civil liability resulting from employee social media activities.

Space is limited so please register here soon.

Other presenters (in addition to yours truly):

• Robert A. Watchman
• Philip Watts
• Matthew T. Duffy 

The privacy commissioners’ letter states, “we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws… Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured… We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:

The privacy commissioners’ demand that Google and other organizations better incorporate privacy into the design of new online services underscores the need for the “Privacy by Design” initiative that Ontario’s Information and Privacy Commissioner recently discussed in my “A Conversation with Dr. Ann Cavoukian” post. All organizations, regardless of their size (after all, we’re all not Google), would be well-advised to learn from today’s “buzz” about Google Buzz.

Yours truly was interviewed by Canadian Business Online for this article and, as you’ll see, I comment that I’m not aware of whether, or to what extent, the big banks and credit card companies are using personal information that’s publicly available on social networking websites to determine credit worthiness.  That being said, in the insurance industry “using information from social-networking sites has already become commonplace”. The message that I’d take from this article is that Canadians’ understanding of privacy, and the ground rules for managing publicly available personal information that we willingly post online, is rapidly evolving.  

Read the Canadian Business Online article here>.

Well, the first thing you should do is ask the police for written documentation relating to their request. You should also immediately contact a lawyer with appropriate expertise because this type of scenario can be a legal minefield. For example, are you actually dealing with the police or some bold scam artist? Do the police have the legal authority to demand the requested information? Should they have a warrant?

Presuming that you end up providing the records to the police, you’ll need to ensure that you’re not providing too much information. If the records of your customer are co-mingled with another individual, you’ll need to consider whether you can legally provide the police with access to the other person’s information. Are you then barred from telling the customer that the police were at your office? What sort of internal records should you keep to document that the police accessed your files? How long do you need to keep those internal records?

It’s never fun to say “no” to the police. They are, after all, typically armed. But hopefully the police will make it easy for you to satisfy yourself, and your lawyer, that working cooperatively with them won’t violate your customer’s privacy and unnecessarily exposing your business to liability.

There’s still plenty of  “grey areas” in Internet law. Hopefully, the Supreme Court of Canada will provide more definitive guidance for legal practitioners and website operators in the growing area of online reputation management. In the meantime, website operators should seek legal advice prior to hyperlinking to any potentially defamatory materials on the Internet.

CNET is reporting today that “a broad coalition of companies including Google, Microsoft, and AT&T, joined by liberal and conservative advocacy groups, will announce a major push [today] to update federal privacy laws to protect mobile and cloud computing users”.

Of course, in Canada cloud computers have the benefit of PIPEDA and – where they exist – substantially similar provincial privacy laws. To learn more about cloud computing, and related privacy law implications, you may want to check out this previous post.

But what if some individual witnesses don’t have privacy concerns and actually want their testimony broadcast to the world?

Read More>>

I’ve previously commented on social networking websites and employer-employee relationships.  This BBC report is just one more example of a situation which may have been prevented with better employee training and a clear social networking policy.  Common sense should, and typically does, guide employees in determining what to post online. Yet, if an Israeli soldier can’t think twice before posting the details of a planned operation it’s easy to see how some employees of Canadian businesses – perhaps yours - unintentionally post valuable corporate information online.

This really is the kind of personal information that identity thieves love so the OPC article is a useful read. In fact, businesses whose employees create accounts on their behalf would be well-advised to have employees read the OPC article.

The case is interesting because it deals with the important privacy issue of what constitutes a “reasonable expectation of privacy” (in this case, in one’s own bathroom).  Read the story here>>

Canada’s proposed anti-spam legislation, called the Electronic Consumer Protection Act, is about to fundamentally alter online marketing activities in Canada. It’s perhaps the most comprehensive type of anti-spam legislation in the world, which will regulate commercial electronic messages and impose stiff new anti-spyware provisions. It’ll also amend Canada’s PIPEDA and Competition Act. Is your business ready?

Learn more during this webinar, at which time we’ll survey the following:

• The ECPA‘s scope
• New consent obligations, and related exemptions
• Anti-spyware provisions
• Amendments to PIPEDA
• Amendments to the Competition Act
• The regulatory enforcement regime
• Penalties and the new private right of action
• Steps you can take now to prepare for the ECPA

Please register here>>

Webinar registration fee: $100 (plus applicable taxes)

The identities of the teachers have been widely reported. Now the question is: Could the teachers sue the students for violating their privacy?

Read more>>

Dr. Cavoukian leads a dynamic team of professionals at the IPC who are at the forefront of addressing today’s privacy challenges.  Her depth of understanding of privacy issues combined with her passion for privacy has made for a powerful and learned force in Canada’s privacy world.

Thanks to Dr. Cavoukian for agreeing to take part in this online Q & A conversation.  If you’d like to learn more about Dr. Cavoukian, the IPC, or the issues raised in this conversation, I’d encourage you to visit the IPC’s website.

Q. In one of my previous blog posts, Jennifer Stoddart explained how she got involved in the world of privacy.  How about you?

A.  I have always had an interest in human rights, but my direct introduction to the privacy world came as a result of my work as the Chief of Research for the Attorney General of Ontario. As part of the role I completed a program evaluation of the Public Complaints Commission headed by (now Justice) Sidney B. Linden. He was aware of my work with the Canadian Civil Liberties Association, among other things, and when Justice Linden was appointed as the first Information and Privacy Commissioner of Ontario in 1987, he asked me to join him as the Director of Investigations. I haven’t looked back since!

Q.  One of your significant achievements has been your development and advocacy of “Privacy by Design”. Can you explain the concept behind Privacy by Design?

A.  The privacy landscape of the early ‘90s had become increasingly challenging – the volume of personal information collected was growing, as were the risks posed by increasingly sophisticated and interconnected technologies.  It became clear to me that relying solely on compliance with regulation and legislation would no longer be sufficient to safeguard the protection of personal information.  Instead, organizations would need to operate in an environment of default privacy protection.  Those which could do so, I recognized, would gain a competitive advantage.

This is the context in which I developed Privacy by Design (PbD), my philosophy of embedding privacy into the design of three broad application areas:  information technology; business practices; and physical design/infrastructure.  Instead of treating privacy as an afterthought – “bolting” it on after the fact – I argued that privacy should be regarded as a design feature and built right into the system, from the outset.  PbD shatters the zero-sum paradigm which trades off privacy against security and functionality.  It is positive-sum, or doubly-enabling “win-win” in nature, demonstrating that it is possible to protect privacy without compromising other legitimate requirements, such as security or functionality.

You can find our “7 Foundational Principles” of PbD at www.privacybydesign.ca.  To summarize, PbD seeks to establish privacy as the default by embedding it in system design.  It is proactive in nature – already in place when data is first collected, it describes a comprehensive “cradle to grave” approach to information management.  In being proactive, it seeks to prevent data breaches from occurring, rather than prescribing remedial actions.  Importantly, it demonstrates respect for user privacy by ensuring that its component parts and operations are transparent and subject to independent verification.

Q.  Who should be aware of, and consider following, the principles of Privacy by Design?

A.  Broad spectrums of people within most organizations should be aware of Privacy by Design – certainly anyone with influence over how personal information is managed.

Personal information is an asset, the value of which is protected and enhanced by a suite of security practices and business processes. Regardless of industry sector, whether the organization is large or small, public or private, whether it is retained in house or out-sourced, executive leadership and managers responsible for the management of personal information need to carefully consider how to build privacy protections directly into their operations.

I have a new title for those who commit themselves and their organizations to the principles of Privacy by Design – I am appointing them as PbD Ambassadors.  Those who wish to learn more can visit our Privacy by Design website, which houses all of the PbD resources developed by my Office over the years.  While there, I hope people will take the time to share their own PbD experiences or questions with our growing PbD community on the Global Forum.  You can now also follow PbD on Twitter @embedprivacy.

I remind people that Privacy by Design was not developed for use in an ivory tower.  I always intended it to result in real and positive changes in our everyday lives.

Q.  So can you give us an example of the “win-win” approach of Privacy by Design in action?

A.  An example that really brought Privacy by Design to life is the work being undertaken by our mass transit system – the Toronto Transit Commission (TTC), in testing and deploying encryption-based video surveillance technology.

In the autumn of 2007, the Toronto Transit Commission (TTC) announced plans to expand its video surveillance program on both surface vehicles and within the subway system. In response to a formal complaint, I launched an investigation. I found that the TTC’s expansion of its video surveillance system did not contravene any applicable laws. However, I strongly urged the TTC to adopt privacy-enhancing video surveillance technology that was being developed at the University of Toronto by Karl Martin and Professor Kostas Plataniotis.

Using innovative object-based encryption, the technology completely obscures the images of individuals who appear as the subjects of video surveillance. However, unlike current permanent masking techniques, the technology enables the images to be decrypted at a later time, only by authorized staff, when an incident occurs that demands further investigation for safety or security purposes.

This new technology, in its essence, lays to rest the outdated zero-sum paradigm, where one party wins and one party loses. It ushers in a new era in “positive-sum” thinking where both parties may “win” and neither party must, by necessity, lose. Positive-sum privacy-enhancing technologies (I call them PETs Plus) ultimately enable the co-existence of privacy and security, side by side, without forfeiting one for the other, “win-win,” not “win-lose.”

For the full report, see Privacy and Video Surveillance in Mass Transit Systems: A Special Investigation Report.

Q.  One of the first virtual strip search scanners was recently installed at Toronto’s Lester B. Pearson International Airport. What are your thoughts about the privacy implications of these scanners?

A.  I feel it’s important that we understand exactly what this technology does. The public should know what types of images are being produced of them, and what happens with those images. That’s why I chose to personally experience the Whole Body Imaging (WBI) system in both Toronto and Washington D.C. – to assess first-hand how passengers are treated.

From a privacy perspective, my WBI experience highlighted several important points. The scanned images displayed are not actual pictures and do not contain any unique personal identifiers (there is no way for someone to identify the image as my own). The screening site where the scanner images are viewed is located in a windowless, secure room located a significant distance away from the open scanning area. The personnel viewing the images are not able to visually connect images with the actual passengers being scanned. Also, the machines are not able to record, copy or store any images. Finally, the personnel who review the scanned images are not allowed to have cameras, cell phones or any other recording devices in the secure viewing room.

I have always believed that privacy needs to be built directly into technology – privacy by default. Improved airport security need not come at the expense of privacy – both may be achieved together, in a positive-sum manner.

Q.  Business professionals consult this blog (at least, I like to think they do!). Based on your experience as Ontario’s Information and Privacy Commissioner, can you identify an area where businesses fall short in the realm of privacy and provide tips to help address the problem?

A.  It is a sad fact that many privacy breaches occur largely because of poor information management practices by organizations, and the volume of the information at risk grows with the ever increasing collection of personal information.

As Commissioner, half of the Health Orders that I have issued under Ontario’s Personal Health Information Protection Act (PHIPA) were the result of personal health records being abandoned or disposed of in an unsecure manner. Identity theft is one of the fastest growing forms of consumer fraud in North America, costing Canadians millions of dollars a day and billions of dollars a year.

That is why it is crucial for all organizations, large, medium or small, to engage in the practice of “secure destruction.” The goal of secure destruction is to have records containing any personal information permanently destroyed or erased in an irreversible manner which ensures that the record cannot be reconstructed in any way.

For the effective secure destruction of records, organizations need to ensure that they match the destruction method to the media. For paper records this means using cross-cut shredders which do not allow for records to be reconstructed. For electronic media such as DVD’s or USB keys, the media should be physically destroyed.

Further, if an organization is hiring an external agent to destroy records, they need to be selective. Look for a provider that is accredited by an industrial trade association or is willing to commit to upholding its principles, including undergoing independent audits. Always check references, and insist on a signed contract spelling out the terms of the relationship, to ensure end-to-end lifecycle protection. Remember, you can outsource the service, but you can never outsource accountability.

For more information, please see Fact Sheet #10, Secure Destruction of Personal Information .

Q.  Looking forward, what kind of privacy developments should we watch for in 2010?

A.  The privacy landscape is continually changing and posing new challenges – particularly in this age of information technology where personal information about individuals is increasingly collected and stored indefinitely.

In addition to daily developments on the “Cloud” and Web 2.0, one of the areas we are focusing on in 2010 is the Smart Grid – the modernization of the current electrical grid with a view to more efficient energy usage and delivery. This will involve the increased collection, use and disclosure of end users’ personal information. I have identified privacy as the real “sleeper issue” in this area, which causes me great concern. The Smart Grid is still in a nascent stage, not only here in Ontario and across North America, but around the world. So now is the time to bake in privacy right from the outset. With that in mind, we are proactively working with local energy distributors, and government officials, to ensure that privacy is top of mind as we move toward the Smart Grid. It is the ideal time to proactively build in privacy – by design. 

Privacy advocates are already voicing concern.  But unlike previous public debates regarding privacy and surveillance cameras, I expect that the concerns that’ll be raised during and after the 2010 Olympics will be more comprehensive than the traditional “privacy vs security” debate. For instance,  Jennifer Stoddart, Canada’s Privacy Commissioner, recently commented on this blog that “one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all of the cameras and recordings after the flame is extinguished.”

Of course, there are legal tests that governments (and businesses) should use to determine the appropriateness of installing surveillance cameras in the first place. But once any organization has decided to install surveillance cameras there’s a corresponding requirement to appropriately manage the data that’s collected. For instance, organizations must ensure that they have security, retention and destruction policies in place. This is the “devil in the detail” that’s often overlooked.

I expect public scrutiny of the surveillance cameras being used during the 2010 Olympics. And such scrutiny will increase public expectations on businesses to properly manage data that they too collect by surveillance cameras.

In her remarks, Stoddart discussed the challenge of technology, globalized data flows and social change. While reflecting on her years as Canada’s “village elder” in the privacy community, Stoddart commented:

“When I took over as Privacy Commissioner, Facebook didn’t exist. Neither did Twitter, Flickr, YouTube, Google Street View, Foursquare, iPods and all the many novel ways in which people now routinely connect with the rest of the world. And it’s not just technology that’s different; it’s other drivers of change as well. Like real-time globalization, for instance, and the instantaneous worldwide flow of data. It’s the way people embrace and respond to technology. Their expectations of what the technology can do for them, and at what cost. Is it desirable, for example, to buy greater convenience at the cost of less privacy? In light of these colossal changes over the past decade alone, it would be foolish to try to predict what the next decade will hold. But what we can say for certain is that the regulatory framework we have in place now for the protection of privacy and personal information is already being sorely tested.”

Read the Privacy Commissioner’s full remarks here.

Read the Computerworld article here!

Irene Hamilton, and her team of professionals at the Office of the Manitoba Ombudsman (the Ombudsman’s Office”), provides excellent service to Manitobans. Thanks to Irene Hamilton’s leadership, the Ombudsman’s Office has made a number of improvements to its operations over the years. I’m looking forward to seeing the changes to the Ombudsman’s Office website referenced below.

Thanks to Irene Hamilton for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Irene Hamilton, the Ombudsman’s Office, or the issues raised in this conversation, I’d encourage you to visit the Ombudsman’s Office website.

Q.  In most other provinces, privacy oversight is performed by an Information and Privacy Commissioner. How does the role of the Ombudsman compare to these positions?

A.  In Manitoba, the Ombudsman is the Information and Privacy Commissioner as well. The role and function of the Ombudsman is similar to 10 of the 15 federal, provincial and territorial jurisdictions in Canada that have access to information and protection of privacy laws. In these 10 jurisdictions, the Information and Privacy Commissioner has “ombudsman” powers – that is, the power to comment proactively, investigate complaints and make recommendations to public bodies, but not the power to issue orders. In Prince Edward Island, Quebec, Ontario, Alberta and British Columbia, the Commissioners can issue orders in relation to access to information and protection of privacy.

There are other differences among the jurisdictions as well. With The Personal Health Information Act or “PHIA”, Manitoba had the first information privacy statute in North America dealing specifically with personal health information (as opposed to Manitoba’s Freedom of Information and Protection of Privacy Act, or “FIPPA”, that concerns access to and privacy of other kinds of information). Four other Canadian provinces have enacted similar legislation to PHIA since 1998, when PHIA first came into force here.

Q.  The Freedom of Information and Protection of Privacy Act (“FIPPA”) includes, as its title suggests, both access to information and privacy mechanisms. On the face of it, these two terms seem inconsistent. How do we bring them together?

A.  The application of the provisions of FIPPA do not create the inconsistency that one might infer from the title.

FIPPA has a set of rules concerning access to information and a set of rules concerning privacy of personal information. These two sets of rules are contained in two distinct parts of the Act and are administered separately.

There is a set of rules on how an individual can formally request access to a particular record under the control of provincial and municipal governments and other public bodies and how the public body is to respond. The general rule is that an individual has the right to see or receive a copy of the requested record, but specific exceptions can apply. One of those exceptions relates to protecting the privacy of information about another individual. The idea is to provide as much of the requested information as possible. This particular set of rules is triggered only when a person makes a formal FIPPA request for information.

The other set of rules in FIPPA is always in operation. These rules set out how provincial and municipal governments and other public bodies are to handle records containing personal information that are in their control while conducting their duties. These rules describe in what situations a public body can collect, use or share personal information and the basic rule is that the most limited amount of personal information necessary is to be handled for a particular situation. While an individual can expect certain privacy, there are specific situations where records about them can be collected, used or shared without their consent — for example for safety, public policy and specific operational reasons.

Q.  Your office supports the “Right to Know” initiative. What is “Right to Know” about and why do you support it?

A.  “Right to Know” is an international celebration observed annually in late September, to remind people that governments have legislation allowing people to obtain information held by government and other public bodies. The right of access, when used by individuals or organizations like media, helps to improve knowledge about government, scrutinize government and address public issues. “Right to Know”, with its public events and media focus, reinforces the commitment to a culture and spirit of openness, and promotes public awareness of access to information principles and the resources that assist in adherence to the legislation.

Q.  Manitoba, like other provincial governments, has introduced Enhanced Identification Cards (“EIC”) to respond to increased security demands at U.S. border crossings. What role has your office played in the development and rollout of EICs?

A.  Together with my Privacy Commissioner colleagues, I am of the view that the Enhanced Identification Card or “EIC” — a voluntary identity document for entry into the U.S. by road or water — raises privacy implications. I am pleased to say that my office was consulted early in the development of the Manitoba Enhanced Identification Card and we continued to be involved as the Manitoba Enhanced Drivers License was introduced as well. Through our participation we wanted to accomplish two main goals: 1. to fulfill our oversight role in relation to new government programs or initiatives by providing our comments to ensure the protection of personal information to the extent possible; and, 2. to bring the perspective of the public to the process by asking questions that people might have. In the process, we have promoted providing detailed information to the public so that they can determine if the EIC or EDL is the right card for them. We have also produced a “privacy awareness fact sheet” for persons considering obtaining an EIC or EDL.  This is on our web site, at www.ombudsman.mb.ca.

Q.  Your office releases summaries of selected access and privacy cases on its website. What is the most common area you investigate and report on?

A.  One of our goals for this year is to redesign our website and include regular postings of our reports online for the reference of information privacy professionals as well as the public that will provide a better understanding of how we interpret various sections of the acts, and the basis upon which we come to our conclusions. Having said that, since June 2005 our office has produced dozens of “practice notes” about interpreting and administering various sections and principles of FIPPA and PHIA, probably of greater interest to information privacy professionals than to the public. These, too, are on our Manitoba Ombudsman web site.

We find that the greatest number of complaints that we receive are refusals of access to information under FIPPA. This includes not only responses by public bodies refusing access, but also failures to respond to the applicant. Unfortunately, we also receive numerous complaints about privacy breaches under PHIA.

Q.  Looking forward, what kind of privacy developments should we watch for in 2010?

A.  The file that will be most time consuming for us will be privacy protection of personal health information in the electronic health record that has been under development in Manitoba and across Canada for some time. Significant funds have been made available to Departments of Health throughout the country to build electronic systems that will connect to provide instantaneous access to health records. The system is designed to promote better care and eliminate administrative repetitiveness. Our view is that the public needs to understand what the electronic health record or “EHR” is, its scope and how their personal health information will be used and shared within that system.

Read more>>

The above link takes you to the Winnipeg Sun.  I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis.  I hope you find them of interest!

Commissioner Work is as personable as he is professional. I’ve had the pleasure to speak at privacy conferences with Commissioner Work and let’s just say that I’m glad I presented first!  As privacy professionals will know, he’s a plain spoken, intelligent speaker and so his sessions are always a “must attend”.

Thanks to Commissioner Work for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Frank Work, the Office of the Information and Privacy Commissioner of Alberta (the “Alberta OIPC”) or the issues raised in this conversation, I’d encourage you to visit the Alberta OIPC’s website.

Q.  Your office has investigated identity theft arising from crystal meth abuse. What’s the link between the two?

A.  A couple of years ago the Edmonton police raided a hang out for meth users.  They found a lot of papers from businesses in the area, which they gave to us.  Cell phone contracts, credit bureau checks, credit card information and so on.  The police told me that meth users, unlike some other substance abusers, are pretty alert when they are high.  They don’t sleep.  They have lots of time to do the kind of detailed work necessary to engineer credit card fraud and identity theft.

Q.  So what can the public do to protect itself from that kind of identity theft?

A.  Individuals should shred bank and credit card statements.  They shouldn’t carry certain ID, like birth certificates, on them. These kinds of foundation documents are very useful for identity theft.  Always report lost or stolen credit cards, but also lost or stolen driver’s licences, birth certificates, and passports.  Check your bank and credit card statements to make sure someone else isn’t using them.  Do a credit bureau reference on yourself maybe once a year.  If your score is lower than you think, find out why.  If your score changes from one year to the next, find out why. Sometimes it can be identity theft (someone using your good name). Sometimes it can be an error on the part of the credit bureau.

The other side of the problem is organizations that have peoples’ info.  They must take proper care of it.  As I said, we have been given credit reports, draft mortgages, cell phone contracts, purchase of goods contracts and bookkeepers files, all thrown away.  These papers all have potential for fraudulent use.  Businesses need to shred this stuff.  Furthermore, for businesses that have customer databases, how well secured is it?  Who on their staff has access to it?  We have had cases where someone in the business is taking the info and using or selling it for fraud and identity theft.

Q.  Alberta’s private sector privacy legislation was recently amended to include mandatory breach notification. How will this impact privacy regulation in, and outside of, Alberta?

A.  It is early days yet.  Hopefully it will make organizations extra careful with personal information.  Will that raise the bar for organizations in other provinces?  Maybe.  If you are going to change your practices here, you might as well change them everywhere.  Possibly more provinces will legislate.  A big piece of the picture will be when the Federal government amends PIPEDA in this regard.  Maybe this will increase pressure to do so.  It will be a challenge to figure out what “a real risk of significant harm” is.  It will be a challenge to figure out in which cases there should be notice given and what kind of notice.

Q.  You’ve worked as a lawyer in different countries around the world. How does Canada’s approach to privacy compare to your experience in other places?

A.  We aren’t perfect but we are way ahead of most other jurisdictions.  The “commissioner” system of enforcement has served us well because we do not have the kind of well funded civil society organizations which can advocate for privacy.  Commissioners can and do advocate.  I mean, I would love to have an ACLU, or and EPIC or an EFF in Canada.  Our civil liberties people, like FIPA in BC do great work with the resources they have but resources are scarce.  We need some rich people to endow some of these groups.  The other thing is that I think, relative to other societies, Canadians have a disposition towards privacy.  We get it to some extent.  I like to think it is because we are, yes, polite, and respectful of other people.  That makes us respect each other’s space.  We must not lose that as the world becomes one big facebook/google culture.  Teach your children well.

Q.  Looking forward, what kind of privacy developments should we watch for in 2010?

A.  Cyber attacks, hacks and other losses will continue.  Governments will continue to bring surveillance technologies to bear every time anything bad happens. I will continue to get judicially reviewed.  I would like to think people will start resisting surveillance and other intrusions into their lives but I don’t see it happening.  Governments like surveillance.  Heck, the public likes surveillance because we are just so bad at risk assessment.  We are scared of everything it seems and we want someone to keep an eye on everything for us.  It will be interesting to see if technology begins to fail us.  For example, what if there is another airplane bombing attempt and the technology doesn’t prevent it?  They bring in new technology.  And that doesn’t prevent the next one (God forbid).  Maybe they run out of technology, although, for the money involved I don’t see that happening.  Someone will come up with a new toy.  Will someone ever say “this technology isn’t doing what we want it to and it is costing us a bundle?”  I think that will be a social shock.

We’ve just launched a new firm blog, called PitbLAWg, that’s intended to provide readers with practical commentary regarding timely and relevant legal issues affecting you and your business. 

I hope you visit PitbLAWg by clicking here.

I’m very pleased to be able to post the following conversation with Jennifer Stoddart. 

Since becoming Canada’s Privacy Commissioner in 2003, Commissioner Stoddart has undoubtedly raised the value of privacy in a time when security, trade, technology and consumer expectations have created a volatile atmosphere for our personal information. I might add that she has accomplished this admirable feat with passion and professionalism.  As a result, Canadians have been exceptionally well-served.

Of course, I’d like to thank Commissioner Stoddart for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Jennifer Stoddart, the Office of the Privacy Commissioner of Canada (the “OPC”) or the issues raised in this conversation, I’d encourage you to visit the OPC’s website and blog.

Q. How did you get involved in the world of privacy?

A. Back in the spring of 2000, I happened to read an article in the New York Times Magazine by the noted American legal scholar Jeffrey Rosen. Prof. Rosen was explaining how personal privacy was being subtly eroded in the digital age. I was fascinated.

I was working at the Quebec Human Rights Commission at the time. The next week, I was asked to head up Quebec’s Access to Information and Privacy Commission, and that’s the field I’ve been in ever since.

Q. But it’s coming to an end.

A. Sadly. My seven-year term as Privacy Commissioner will wind up this year. On the plus side, though, I can look back with considerable pride at the progress we’ve made. The encroachments on privacy in this digital era really are staggering, but that doesn’t mean we’re letting them bowl us over.

Last year’s investigation into a complaint against Facebook was surely the most high-profile example of the kind of influence we have. And beyond that I would say that we’re making a meaningful difference, in countless other ways, every day of the year.

Q. What are the most rewarding aspects of being the Privacy Commissioner of Canada?

A. Certainly one of the most rewarding things for me is to know that our work matters, that it has a real and positive impact on the lives of Canadians.

As you know, it’s become fashionable in some circles to suggest that privacy is pretty much dead in this era of digital exhibitionism. But I think that’s totally wrong. And the best evidence for that was the worldwide response to our Facebook investigation.

Privacy may look different today than it did a generation – or even a decade – ago. But it remains an incredibly important and cherished value to Canadians. And to the extent that my Office can help protect that value, and advance privacy rights, I would say that is the most rewarding aspect of my job.

Q. What do you consider to be the greatest challenges for the Office of the Privacy Commissioner of Canada?

A. Our biggest challenges are the same that preoccupy data-protection authorities around the world: How to safeguard privacy rights in the face of so many rapidly changing technologies. You yourself have blogged about many of them – cloud computing, behavioural marketing, genetic technologies, to name just a few.

We’re seeing unimaginable quantities of data flash around the world, including to countries where data-protection laws are slim to non-existent. We’re also seeing technologies employed in the service of national security and law enforcement, but they’re guarded behind a wall of secrecy.

So the challenges are real, and they are huge.

Q. So how does an Office like yours keep up?

A. I guess the short answer is: By working smarter. We have zeroed in on four priority privacy challenges that are shaping and streamlining our work for the years ahead: information technology, genetic technology, national security and the protection of identity integrity.

We are re-engineering our internal processes to better handle the complaints and inquiries that come to our Office. We’re picking and choosing our privacy audits and our communications and public outreach efforts in order to maximize our impact. We’re ramping up our issuance of guidance, on the theory that an ounce of prevention outweighs a pound of cure. And we’re working with the global data-protection community, since so many of the challenges are international in scope.

But, most important of all, we’ve recently attracted an infusion of very bright, very knowledgeable – and in many cases young – new employees to key positions in our Office. They are really making a difference.

Q. If you could make a few recommendations for Canadian business leaders, what would you say?

A. First I’d thank them for having embraced PIPEDA, the Personal Information Protection and Electronic Documents Act as it came into force over the past nine years. When I look at the situation of our neighbours to the south, where there is no single law at the federal level to protect the personal information of consumers in a commercial setting, I am deeply gratified by the way things can work up here.

Beyond that, I would encourage business leaders to continue to consult the guidelines we issue on specific topics for the purpose of clarifying the responsibilities of organizations under PIPEDA. And we invite them to work with us to fill any other information gaps they may have encountered.

I also want to take this opportunity to mention that data breach notification will become mandatory – and I suspect that will happen sooner rather than later. So I would encourage business leaders to start giving some thought now to how they can bring their processes into compliance. 

Q. Do you have any “privacy-related” predictions for 2010?

A. I don’t think you need a crystal ball to conclude that national security will continue to dominate the privacy landscape in the year ahead. The controversy that erupted over Transport Canada’s deployment of millimetre-wave scanners at Canadian airports was just the first of the privacy-related issues that we can expect to be hearing about in 2010.

And stay tuned for more during and after the Vancouver Olympics. There, one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all the cameras and recordings after the flame is extinguished.

I’ll just mention two other issues of particular interest to our Office, because we will be consulting Canadians on them in the next few months. The first will focus on the tracking, profiling and targeting of consumers by marketers and other businesses, and we’ll be hosting consultation forums on that topic in Toronto in April and Montreal in May. Soon after, we’ll organize another forum to discuss the privacy implications of cloud computing.

As I previously posted last July, cloud computing is certainly on the rise. The privacy issues are profound and, as a result, we’re spending more time these days working on cloud computing related agreements. In any event, I’d encourage you to review the Technology Predictions 2010 as it provides some great insight that might help your business.

Read more>>

You may note that the above link takes you to the Winnipeg Sun.  I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis.  I hope you find them of interest!

It was particularly heart-warming to receive the nomination from fellow Manitoban blogger, Donna Seale (who writes an excellent blog called Human Rights in the Workplace). Congratulations to all of the award winners and finalists. The Canadian Law Blog Awards are a project started back in 2006 with the goal of highlighting great blogs published by the Canadian legal industry. Thanks to Steve Matthews of Stem Legal for his leadership in this regard.

Most importantly, thanks to you for reading my blog and to many of you for your ongoing topic suggestions and feedback. I hope you continue to check out my blog as it develops in 2010! In the meantime, I’d highly recommend checking out some of the other Canadian law blogs profiled on the Canadian Law Blog Awards website.

Unfortunately, privacy law does not offer black and white answers to the legal issues raised by e-mail monitoring practices. Instead, and like most other privacy law issues, the standard of “reasonableness” rules the day.

I recently penned an article on point (link below) with my colleague Andrew Buck (who is currently completing his Articles at Pitblado LLP) for the Canadian Bar Association’s National Privacy & Access Law section newsletter, Privacy Pages. Our article examines some of the case law and commentary that has arisen from e-mail monitoring with a view towards setting out practical solutions for the creation of “reasonable” e-mail monitoring practices. If you’re interested in reading the full article, please click on the link below.

Monitoring employee e-mail: a privacy primer

The federal Personal Information Protection and Electronic Documents Act will likely contain mandatory privacy breach notification provisions in the near future. Since 2006, Special Committees at both the Federal and Provincial (Alberta and B.C.) levels have convened and generated a series of recommendations relating to breach notification.  For further information on these recommendations, see the final reports of the Federal , Alberta and B.C. committees.

The most important recommendation independently generated by each of the committees provides that organizations should be under a statutory breach notification duty.  On October 27, 2009, the initial step toward implementing this recommendation was taken in the Alberta Legislature with the first reading of Bill 54: Personal Information Protection Amendment Act, 2009.  The Alberta privacy breach notification provisions will soon come into force. British Columbia and the Feds are expected to follow suit and implement similar requirements in the near future. When that occurs, private sector organizations across Canada will be required by applicable law to notify affected individuals when privacy breaches occur.

The best advice is to make sure that privacy protection policies, procedures and training are implemented and enforced… now.

Courtney’s paper, entitled “Bill 219: An Insurmountable Goal”, argues that the law is necessary in order to “effectively protect the privacy rights of all Manitobans”.  The paper outlines the main features of the Bill; examines the role of PIPEDA and the concept of “substantially similar” legislation; and analyzes the main arguments advanced for and against the Bill, as expressed in Hansard and in the context of the Bill’s legislative history. Courtney also advances theories regarding the major impediments to its passing.

Courtney was a summer student at Pitblado LLP this past summer and will (fortunately for us) be returning in the New Year to complete her Articles.  Thanks to Courtney for sharing her paper, which you can read by clicking on the hyperlink below.

Bill 219: An Insurmountable Goal

This situation is an example of redactions gone terribly wrong!  And it should serve as a reminder to public and private sector organizations to take extra care when making redactions in documents that will be released to third parties. Different redaction strategies can be implemented depending on the circumstances. One strategy that I implement when records will be posted online is to make my redactions and then physically scan the document and save it as a PDF. It’s a basic way to protect sensitive portions of records.  Please feel free to post a Comment below with other suggested strategies for making secure redactions.

(Hat tip to @privacylawyer David Fraser for the heads-up!)

More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information.  The favoured medium for stealing corporate information is a USB memory stick followed by e-mail. 

As I’ve mentioned in previous posts rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping.  In today’s economy, information is the most valuable corporate asset.  For this reason, businesses of all sizes should take proactive steps to protect corporate data.  Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.

The Global Recession and its effect on Work Ethics

This complimentary 30 minute webinar will provide a plain language overview of the most significant privacy issues/events of 2009 and, more importantly, prepare you and your business for 2010.  Among other things, I’ll highlight notable court cases and privacy commissioner findings from 2009 as well as point out anticipated privacy issues likely to affect Canadian businesses in the coming year.

Space is limited so please RSVP early by emailing me at bowman@pitblado.com.

As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.

I’d like to know what topics you want discussed on this blog.  So please join the conversation by giving me your ideas on my new Submit a Topic! page.  I’ll then consider drafting a post on your topic!

I may not be able to “Show you the Money!”, but I’ll do my best to address cutting edge legal issues of interest to you and your business.

To prove defamation, a claimant must demonstrate that a defendant “published” defamatory words. Currently in Canada it’s clear that a person who posts defamatory comments about another person or business on a discussion board can be liable for defamation.  It’s also clear, as I’ve mentioned in a previous post, that a person or business may be liable in certain circumstances if they hyperlink to defamatory content on another website.  But what about defamatory comments made by others on your website? The answer is less than clear, primarily because of two generally competing public policy views. One view is that website operators should not be liable for defamatory content posted on their discussion boards because the task of monitoring is too onerous for most businesses; and that website operators aren’t “publishing” the defamatory content but are merely “distributing” (which generally doesn’t attract liability for defamation). The other view is that website operators should be liable because the potential for instantaneous and severe damage to claimant’s reputations caused by online defamation should compel website operators to monitor, and be responsible for, their discussion boards.

After American courts struggled with these competing public policy views, the U.S. Congress passed legislation granting immunity to businesses that operate website discussion boards, regardless of the level of control that website operators may have regarding posted comments.  The case of Finkel v. Facebook is a recent example of the immunity that can be provided to U.S. based companies. There is no similar “immunity” legislation in Canada, and the specific issue has not yet come before a Canadian court.  Of course, each case is decided on its own facts, and one would anticipate that key factors a Canadian court would consider would be a website’s Terms of Use, the degree of control and content monitoring by a website operator, and any actions a website operator took (or didn’t take) in response to a notice from a third party regarding defamatory comments.

This is a rapidly emerging area of law, and businesses should consult a lawyer with relevant expertise to assist in drafting adequate Terms of Use and to discuss potential risks prior to launching, or continuing to host, a website discussion board.

As originally drafted, the Anti-Spam Bill didn’t clearly define which types of electronic communication would be subject to regulation. While spyware and phishing would clearly be outlawed, questions arose as to whether other decidedly non-Spam and legitimate activities could possibly be caught within the scope of regulation. That’s because the Anti-Spam Bill was drafted to regulate “commercial activity”. Unfortunately, it didn’t clearly explain what this term meant. Here’s where the misconception comes in.

Some think “marketing research” is the same thing as telemarketing. In reality, the two activities have very little in common. Legitimate marketing research organizations do not try to sell products or services (in fact, if they are members of Canada’s Marketing Research and Intelligence Association (the “MRIA”), they are bound by a professional code of conduct which expressly prohibits such activities). Maybe you’ve heard of “mugging” (marketing under the guise of research) and “sugging” (selling under the guise of research). Let’s be clear: legitimate marketing research organizations do neither. If someone is trying to sell you something under the guise of a survey, they are not conducting legitimate marketing research. Nevertheless, comparisons of online marketing research to telemarketing abound, even though the Anti-Spam Bill will regulate online activity, not telephone calls.

Polls tell us that Canadians support the Anti-Spam Bill. How do we know this?  Because members of the MRIA were able to conduct marketing research, quite likely, using an online survey. These surveys are fuel for polls that provide valuable and timely information to Canadian decision-makers. What’s more, online surveys are quick and convenient for participants. I have the privilege of serving as the MRIA’s legal counsel, and am also a member, so I ‘ve seen marketing research activities first hand and know the value they provide to Canadians.

My understanding and reading of the Anti-Spam Bill is that online marketing research is not intended to be caught by the law. But that’s the problem: given the ambiguity of the Anti-Spam Bill, it’s impossible to definitively say that online marketing research would not be regulated. Ambiguity leads to uncertainty, which is good for no one. The Personal Information Protection and Electronic Documents Act, for instance, has been criticized for being far too subjective. We should learn from this experience and cut as much ambiguity as possible from the Anti-Spam Bill. That’s why the Anti-Spam Bill should be clarified to ensure it’s clear that it won’t apply to online marketing research. Doing so would not create loopholes, as some have argued; it would simply ensure that online marketing research is not lumped into the annoying Spam that everyone wants to ban. Bringing clarity to the Anti-Spam Bill would also be consistent with the actions of other countries that have already created specific exemptions for marketing research in their anti-spam laws. 

The bottom line is that no one likes Spam, except perhaps for these guys from Monty Python. Parliament still has an opportunity to clarify misconceptions and introduce a strong, effective law. Marketing research isn’t Spam, however, and the Anti-Spam Bill should clearly reflect this fact.

Case in point is the recent coverage that Assistant Privacy Commissioner of Canada, Chantal Bernier, has approved the use of airport scanners that can see through your clothes.  Who would have thought that the Office of the Privacy Commissioner of Canada would ever approve what have been refered to as “naked” airport scanners?  But if you look at the manner in which the scanners will apparently be rolled out, there appears to be a balance between security and privacy considerations.  As I’ve previously posted, “Privacy by Design” can help those with a “can-do” attitude. 

Regardless of whether I agree that the “naked” airport scanners are lawful (and regardless of whether I’ll choose to walk through one of these scanners myself), it’s great to see an attempt at “Privacy by Design” in action. To be honest, however, my greatest concern is for the poor airport security professionals who may one day have to look at my less than stellar outline.  I’m not sure how much they get paid, but it’s probably not enough!