Buses, bingo and bins. Probably not the first things that come to your mind when you think of privacy.
Yet in recent days, privacy issues have impacted school buses, casinos and garbage bins. This may seem odd when most privacy news stories these days deal with Facebook and other websites. But the world of privacy is increasingly affecting just about every segment of society. Read more>>
Leave a Comment » | 
Due Diligence, Monitoring, Personal Information, Privacy, Technology | Tagged: Due Diligence, Privacy, Technology | 
Permalink
Posted by Brian Bowman
CTV News has an excellent article that discusses important issue of how to monitor your reputation on social networks. While including some practical tips, the article discusses the importance of being proactive with your online reputation and privacy in what is described as “this Wild West world”.
Leave a Comment » | Defamation, Due Diligence, Facebook, Internet, Monitoring, Social Networking Websites | Tagged: Due Diligence, Facebook, Google, Internet, Online Reputation Management, Social Networking | Permalink
Posted by Brian Bowman
B.C.’s Privacy Commissioner, Elizabeth Denham, has just released Privacy Guidelines for Landlords and Tenants.
In B.C., landlords and property managers acting on their behalf must comply with B.C.’s Personal Information Protection Act (“B.C.’s PIPA”). The guidelines are intended to assist landlords and property managers in discharging their duties under B.C.’s Residential Tenancy Act in a manner that respects the privacy of tenants and promotes transparency in the operation of landlord and tenant relationships.
Despite the B.C. focus, landlords and property managers in other jurisdictions would be well-served by reading the guidelines – especially given that B.C.’s PIPA is “substantially similar” to PIPEDA.
Leave a Comment » | PIPA, Privacy, Privacy Commissioner | Tagged: Due Diligence, Privacy, Privacy Commissioner, Privacy Compliance | Permalink
Posted by Brian Bowman
The recent headlines over the Veteran Affairs Canada privacy breach should serve as a useful reminder to all organizations – public and private sector – of the necessity to implement internal policies and procedures for the management of personal information. Much attention is paid these days by the media to privacy breaches that involve external parties, such as hackers, who foil the security safeguards of organizations. However, in my experience the bigger threat to privacy if often from within an organization.
In this recent case involving Veteran Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veteran Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.
The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:
Leave a Comment » | Privacy, Access to Information, Privacy Breach, Security Breach, Safekeeping, Government, Safeguarding, Due Diligence, Training, Data Protection, Privacy Commissioner of Canada | Tagged: Access to Information, Due Diligence, Personal Information, Privacy Commissioner, Privacy Compliance, Safeguarding | Permalink
Posted by Brian Bowman
CBC News is reporting that ”[g]arbage bags filled with confidential financial information were found blowing around in a [Winnipeg] North End back lane Tuesday, and people living in the area say they’re furious because of it. The bags contain tax return documents that include people’s names, social insurance numbers and in many cases, addresses and other sensitive financial information.”
This and other similar news stories should serve as a reminder that PIPEDA requires organizations to exercise care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information (for example, don’t dispose of sensitive tax information records in a back lane). Other provincial laws, such as Alberta’s PIPA and B.C.’s PIPA, have similar requirements. Disposal or destruction policies and procedures should focus on physical, organizational and technological measures.
Leave a Comment » | Identity Theft, PIPEDA, Privacy, Privacy Breach, Security Breach | Tagged: Due Diligence, Identity Theft, PIPEDA, Privacy Compliance, Safeguarding | Permalink
Posted by Brian Bowman
PriceWaterhouseCoopers (PWC) has just released its Global State of Information Security Survey, which says that corporate spending on data security will increase sharply in the coming years. ComputerWeekly.com reports that more than half of respondents to the PWC survey say that their companies plan to spend more on technological defences against security breaches, an increase of 14% from last year. The survey also reveals that the impact of security breaches is growing. According to ComputerWeekly.com ”the number of companies reporting financial losses from data breaches increased 6% in the past year to 20%, up from only 8% in 2008. Intellectual property theft has increased to effect 15% of companies reporting data breaches, up from just 5% in 2008. An increase in the number of sophisticated attacks aimed at stealing information from specific companies is also driving increased security spending according to the Financial Times.”
The PWC survey demonstrates that spending is shifting to monitoring of company networks, at a time when more employees are bringing their own PDA’s and computers into the workplace. But as PWC states, businesses should be making employees the first line of defence against data leaks.
The PWC survey and commentary serves as a reminder of the need to focus resources for data security (and privacy law compliance) strategically. This means investing in technological safeguards but it should mean investing in privacy training for your staff. It’s an important point because so many of the privacy breaches these days result from mistakes, or human error, by one’s own employees. I’d suggest that you compare your organization’s line item for network monitoring with your line item (if it exists) for privacy training. Are your privacy risk mitigation efforts as strategic as they could be?
Leave a Comment » | Due Diligence, Intellectual Property, Privacy, Privacy Breach, Safeguarding, Security, Security Breach, Technology, Theft, Training | Tagged: Due Diligence, Employees, Information Technology, Intellectual Property, Safeguarding, Security, Technology | Permalink
Posted by Brian Bowman
Hogan Lovells LLP is reporting that Ride Aid has agreed to pay $1 million dollars (U.S.) to settle violations of U.S. health information privacy requirements. Interestingly, the FTC has ordered Rite Aid to cease misrepresenting its information security practices to customers and establish other personal information management securities safeguards.
As I have previously posted, we’ve seen million dollar privacy awards here in Canada but what’s interesting is the fact that the FTC took issue with an organization “misrepresenting” its privacy protection practices. It’s a good reminder that simply having a privacy policy doesn’t cut it. Businesses must ensure that internal policies and procedures exist and are enforced on an ongoing basis in order to live up to commitments made in privacy policies.
Leave a Comment » | Privacy | Tagged: Due Diligence, Privacy Breach, Privacy Compliance | Permalink
Posted by Brian Bowman
CBS News has an excellent investigative report here (on YouTube) about the security risks associated with copy machines. Members of the Privacy Forum will already know about this issue because we’ve previously highlighted it and relevant risk mitigation steps in the Canadian privacy law context. However, if you’re not aware of the issue then this report is a “must-see”.
1 Comment | Security, Privacy, Identity Theft, Technology, Safekeeping, Safeguarding, Due Diligence, Data Encryption | Tagged: Security, Identity Theft, Privacy, Safeguarding, Information Technology, Due Diligence | Permalink
Posted by Brian Bowman
Canada’s Privacy Commissioner, Jennifer Stoddart, has teamed up with nine other country’s privacy watchdogs today to warn Google and other organizations to better respect people’s privacy rights. The privacy commissioners have sent a letter to Google, accusing it of overlooking privacy values and legislation in launching new online products.
The privacy commissioners’ letter states, “we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws… Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured… We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:
The privacy commissioners’ demand that Google and other organizations better incorporate privacy into the design of new online services underscores the need for the “Privacy by Design” initiative that Ontario’s Information and Privacy Commissioner recently discussed in my “A Conversation with Dr. Ann Cavoukian” post. All organizations, regardless of their size (after all, we’re all not Google), would be well-advised to learn from today’s “buzz” about Google Buzz.
Leave a Comment » | Data Protection, Due Diligence, Ontario's Information and Privacy Commissioner, Personal Information, Privacy, Privacy Commissioner of Canada, Social Networking Websites, Technology | Tagged: Due Diligence, Google, Internet, Personal Information, Privacy, Privacy Commissioner, Privacy Compliance | Permalink
Posted by Brian Bowman
Imagine this scenario… The police show up at your office and demand access to records relating to one of your customers. You want to help the police (as you should), but are concerned about violating your customer’s privacy rights. What should you do?
Well, the first thing you should do is ask the police for written documentation relating to their request. You should also immediately contact a lawyer with appropriate expertise because this type of scenario can be a legal minefield. For example, are you actually dealing with the police or some bold scam artist? Do the police have the legal authority to demand the requested information? Should they have a warrant?
Presuming that you end up providing the records to the police, you’ll need to ensure that you’re not providing too much information. If the records of your customer are co-mingled with another individual, you’ll need to consider whether you can legally provide the police with access to the other person’s information. Are you then barred from telling the customer that the police were at your office? What sort of internal records should you keep to document that the police accessed your files? How long do you need to keep those internal records?
It’s never fun to say “no” to the police. They are, after all, typically armed. But hopefully the police will make it easy for you to satisfy yourself, and your lawyer, that working cooperatively with them won’t violate your customer’s privacy and unnecessarily exposing your business to liability.
2 Comments | Access to Information, Due Diligence, Lawful Access, Privacy | Tagged: Access to Information, Due Diligence, Law enforcement, Privacy, Security | Permalink
Posted by Brian Bowman
