December 9, 2009
CTV News is reporting that the U.S. federal government improperly posted an internal guide to its airport passenger screening procedures on the Internet in a way that could offer valuable tools to terrorists. The guide was posted on the U.S. Federal Business Opportunity website, but the sensitive information (which was electronically redacted, or blacked out) was not properly protected. Some websites, using widely available software, were able to uncover the original text of sections that had been redacted.
This situation is an example of redactions gone terribly wrong! And it should serve as a reminder to public and private sector organizations to take extra care when making redactions in documents that will be released to third parties. Different redaction strategies can be implemented depending on the circumstances. One strategy that I implement when records will be posted online is to make my redactions and then physically scan the document and save it as a PDF. It’s a basic way to protect sensitive portions of records. Please feel free to post a Comment below with other suggested strategies for making secure redactions.
September 10, 2009
A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner.
In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007. The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information. A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted.
These incidents demonstrate how easily sensitive data can be compromised when stored on laptops. Encryption is a relatively easy way to improve the security of such information. But, where do you start? There are numerous encryption options available. Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.
August 10, 2009
Have you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand The Personal Information Protection and Electronic Documents Act (“PIPEDA”), get ready… changes may be just around the corner.
PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years. To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested. A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.
Changes to PIPEDA may include:
- a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada;
- amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
- modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.
The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review. Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.