Supreme Court issues groundbreaking workplace privacy decision: Interview with Charles Adler (AUDIO)

October 26, 2012

Last week the Supreme Court of Canada delivered a groundbreaking decision (Her Majesty the Queen v. Richard Cole) that will have significant implications for workplace privacy rights of employees in Canada. In its decision the SCC declared that employees have an expectation of privacy with regard to personal information contained on workplace computers where the personal use of such computers is permitted or reasonably expected. To learn more please click here>> to listen to my interview with Charles Adler of CJOB|68 radio in which we discuss this important decision.


Buses, bingo and bins – and the need for privacy to be designed

January 21, 2011

Buses, bingo and bins. Probably not the first things that come to your mind when you think of privacy.

Yet in recent days, privacy issues have impacted school buses, casinos and garbage bins. This may seem odd when most privacy news stories these days deal with Facebook and other websites. But the world of privacy is increasingly affecting just about every segment of society. Read more>>


How to monitor your reputation on social networks

November 15, 2010

CTV News has an excellent article that discusses important issue of how to monitor your reputation on social networks. While including some practical tips, the article discusses the importance of being proactive with your online reputation and privacy in what is described as “this Wild West world”.


B.C.’s Privacy Commissioner releases Privacy Guidelines for Landlords and Tenants

October 22, 2010

B.C.’s Privacy Commissioner, Elizabeth Denham, has just released Privacy Guidelines for Landlords and Tenants.

In B.C., landlords and property managers acting on their behalf must comply with B.C.’s Personal Information Protection Act (“B.C.’s PIPA”). The guidelines are intended to assist landlords and property managers in discharging their duties under B.C.’s Residential Tenancy Act in a manner that respects the privacy of tenants and promotes transparency in the operation of landlord and tenant relationships.

Despite the B.C. focus, landlords and property managers in other jurisdictions would be well-served by reading the guidelines – especially given that B.C.’s PIPA is “substantially similar” to PIPEDA.


Lessons from the Veteran Affairs Canada privacy breach

October 8, 2010

The recent headlines over the Veteran Affairs Canada privacy breach should serve as a useful reminder to all organizations – public and private sector – of the necessity to implement internal policies and procedures for the management of personal information. Much attention is paid these days by the media to privacy breaches that involve external parties, such as hackers, who foil the security safeguards of organizations. However, in my experience the bigger threat to privacy if often from within an organization.

In this recent case involving Veteran Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veteran Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.

The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:

  • “Take immediate steps to develop an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the department.
  • Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only.  Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
  • Provide training for employees about appropriate personal information-handling practices.
  • Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”

Another day, another privacy breach…

October 6, 2010

CBC News is reporting that ”[g]arbage bags filled with confidential financial information were found blowing around in a [Winnipeg] North End back lane Tuesday, and people living in the area say they’re furious because of it. The bags contain tax return documents that include people’s names, social insurance numbers and in many cases, addresses and other sensitive financial information.”

This and other similar news stories should serve as a reminder that PIPEDA requires organizations to exercise care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information (for example, don’t dispose of sensitive tax information records in a back lane). Other provincial laws, such as Alberta’s PIPA and B.C.’s PIPA, have similar requirements. Disposal or destruction policies and procedures should focus on physical, organizational and technological measures.


Data Security Budgets to Rocket

September 16, 2010

PriceWaterhouseCoopers (PWC) has just released its Global State of Information Security Survey, which says that corporate spending on data security will increase sharply in the coming years.   ComputerWeekly.com reports that more than half of respondents to the PWC survey say that their companies plan to spend more on technological defences against security breaches, an increase of 14% from last year.  The survey also reveals that the impact of security breaches is growing.  According to ComputerWeekly.com ”the number of companies reporting financial losses from data breaches increased 6% in the past year to 20%, up from only 8% in 2008.  Intellectual property theft has increased to effect 15% of companies reporting data breaches, up from just 5% in 2008.  An increase in the number of sophisticated attacks aimed at stealing information from specific companies is also driving increased security spending according to the Financial Times.” 

The PWC survey demonstrates that spending is shifting to monitoring of company networks, at a time when more employees are bringing their own PDA’s and computers into the workplace.  But as PWC states, businesses should be making employees the first line of defence against data leaks. 

The PWC survey and commentary serves as a reminder of the need to focus resources for data security (and privacy law compliance) strategically. This means investing in technological safeguards but it should mean investing in privacy training for your staff.  It’s an important point because so many of the privacy breaches these days result from mistakes, or human error, by one’s own employees.  I’d suggest that you compare your organization’s line item for network monitoring with your line item (if it exists) for privacy training. Are your privacy risk mitigation efforts as strategic as they could be?


Rite Aid Fined $1 Million (U.S.) for Improperly Disposing Personal Information

August 9, 2010

Hogan Lovells LLP is reporting that Ride Aid has agreed to pay $1 million dollars (U.S.) to settle violations of U.S. health information privacy requirements. Interestingly, the FTC has ordered Rite Aid to cease misrepresenting its information security practices to customers and establish other personal information management securities safeguards.

As I have previously posted, we’ve seen million dollar privacy awards here in Canada but what’s interesting is the fact that the FTC took issue with an organization “misrepresenting” its privacy protection practices. It’s a good reminder that simply having a privacy policy doesn’t cut it. Businesses must ensure that internal policies and procedures exist and are enforced on an ongoing basis in order to live up to commitments made in privacy policies.


Copy machines, a security risk?

May 11, 2010

CBS News has an excellent investigative report here (on YouTube) about the security risks associated with copy machines. Members of the Privacy Forum will already know about this issue because we’ve previously highlighted it and relevant risk mitigation steps in the Canadian privacy law context. However, if you’re not aware of the issue then this report is a “must-see”.


Today’s “buzz” on Google Buzz offers lesson for new service roll-outs

April 20, 2010

Canada’s Privacy Commissioner, Jennifer Stoddart, has teamed up with nine other country’s privacy watchdogs today to warn Google and other organizations to better respect people’s privacy rights. The privacy commissioners have sent a letter to Google, accusing it of overlooking privacy values and legislation in launching new online products.

The privacy commissioners’ letter states, “we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws… Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured… We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:

  • collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
  • providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
  • creating privacy-protective default settings;
  • ensuring that privacy control settings are prominent and easy to use;
  • ensuring that all personal data is adequately protected, and
  • giving people simple procedures for deleting their accounts and honouring their requests in a timely way.”
  • The privacy commissioners’ demand that Google and other organizations better incorporate privacy into the design of new online services underscores the need for the “Privacy by Design” initiative that Ontario’s Information and Privacy Commissioner recently discussed in my “A Conversation with Dr. Ann Cavoukian” post. All organizations, regardless of their size (after all, we’re all not Google), would be well-advised to learn from today’s “buzz” about Google Buzz.


    Follow

    Get every new post delivered to your Inbox.

    Join 104 other followers