A Conversation with Elizabeth Denham, British Columbia’s Information and Privacy Commissioner

October 12, 2010

Continuing a series of blog posts that I’m calling “A Conversation with…”, I’m delighted to post the following conversation with British Columbia’s new Information and Privacy Commissioner, Elizabeth Denham.

Canada’s privacy community will know that Commissioner Denham brings to her new role a wealth of experience and accomplishment. Her resume includes Assistant Privacy Commissioner of Canada and Director, Private Sector, for the Office of the Information and Privacy Commissioner of Alberta. I’ve had the pleasure of knowing Commissioner Denham for some time and have always appreciated her practicality and great sense of humour. B.C. will undoubtedly be well-served.

Of course, I’d like to thank Commissioner Denham for agreeing to engage in this online conversation. If you’d like to learn more about Elizabeth Denham or B.C.’s Information and Privacy Commissioner’s Office (“OIPC”), I’d encourage you to visit the OIPC’s website (www.oipc.bc.ca).

Q – You served as Assistant Privacy Commissioner of Canada until being appointed BC’s Information and Privacy Commissioner in July 2010. How are things going in your new role?

A – It is a good thing that I am a recreational runner, because I have certainly hit the ground running! This is an extremely busy office, due to the scope and nature of the work and to the fact that I have inherited one of the leanest oversight agencies in the country. I am very lucky to have a team of hardworking, enthusiastic and seasoned professionals to support me.

While I do have “in the trenches” FOI experience, that was more than 10 years ago, forcing a quick re-immersion into the duties of ensuring accountable and transparent government. Since my appointment I have issued a report on the timeliness of government responses to access requests, worked on a strategy for government-wide proactive disclosure and executed our annual tribute to open government, Right to Know Week.

However, in my view the biggest challenge facing me in this term is public sector privacy issues. The government has ambitious plans for data sharing across ministries, to create linked electronic databases. It is my immediate priority to ensure that privacy is baked into BC’s e-government programs, including e-health.

Q – I’ve long considered BC one of the most progressive privacy jurisdictions in Canada. How has this happened and what can other provinces/territories learn from BC’s privacy community?

A – I think there are a number of factors that have put BC out in front with respect to privacy. My two predecessors, David Flaherty and David Loukidelis, are without a doubt two of the top privacy experts, and their ability to break trail has benefited all of BC. The former Commissioners were very skilled at making privacy a common topic of discussion and spreading the word about privacy rights and obligations. BC also has active and engaged civil society pushing hard for access and privacy rights, and I am referring to the BC Freedom of Information and Privacy Association as well as the BC Civil Liberties Association as key thought leaders. Finally, the citizens of BC have a reputation for being politically aware and engaged, and unafraid to bring burning issues to the forefront. I think the key learning outcome for other jurisdictions is to work hard at capacity building and public outreach, and encourage other groups to actively enter the policy debates around access and privacy. We need other voices. Regulators cannot do it alone.

Q – Given that BC has a provincial privacy law (PIPA) that is “substantially similar” to PIPEDA, and considering that many readers of this blog are from outside BC (and Canada), can you briefly highlight the most important things that businesses should know about BC’s private sector regime?

A – I think the three most important points are these:

First, make sure you have a legitimate operational need to collect any personal information. This requires ongoing monitoring to ensure the operational requirement still exists, and routinely and safely purging personal information no longer required. Personal information is both an asset and a liability, and collecting and retaining personal information when no reason exists is a huge business risk.

Second, be transparent about what you are doing with the personal information you collect in the course of your operations, and ensure that anyone that you hire on your behalf behaves in the same manner.

Finally, data safeguards, or rather the lack thereof, remain the primary source of privacy breaches and a threat to your business brand. Safeguards are much more than passwords and locked cabinets—they include proper and ongoing staff training, privacy audits and assessing the privacy impacts of new policies, programs or services. Safeguarding personal information requires ongoing attention, and a willingness and ability to adjust the safeguard strategy when needed.

Q – Your work in the area of social networking has been outstanding, which in the case of Facebook resulted in a number of changes to the social networking site—changes that were implemented on a global basis. Some readers may presume that a privacy commissioner such as you wouldn’t use social networking sites. In my case, I’m active on LinkedIn. How about you?

A – I have several accounts with social networks, including Facebook and LinkedIn. I first joined the networks because I wanted to deeply understand the services, and their functionality; this was critical to my work. But Facebook also helps me keep track of my far-flung 20-something children who live their lives on-line! But I am a savvy consumer of these services, and obviously avail myself of all of the privacy controls they offer. I do not post anything on either of those sites that is not already publicly available or any information that I would not hesitate to make public. I am very careful before downloading any third party application—carefully scrutinizing their privacy policies beforehand.

Q – In your view, what kind of privacy developments should we watch for in the coming year in British Columbia?

A – On the government side, I think the primary issues will be an increase in the development of linked data networks containing personal information bringing risks to transparency, appropriate access, use and disclosure and a heightened risk of transmission of inaccurate and incomplete information.

On the private sector side, I know we will see more collaboration and cooperative oversight between the federal and provincial commissioners. New technologies and business models challenge the ability of any office to “go it alone”. Canada is a leading voice on privacy and new technologies. I look forward to working with my colleagues on smart, relevant and timely oversight.


Social Media and the Workplace webinar: Watch now!

May 20, 2010

Thanks to everyone from Europe, the U.S. and across Canada who attended last week’s Social Media and the Workplace webinar. If you didn’t have a chance to attend, you can now watch the webinar here.

Related information on this blog that may be of interest to you includes this audio link to my recent CJOB|68 radio interview with Human Resources specialist Barbara Bowes in which we discuss privacy issues in the workplace. You may also want to read this article I penned with my colleague Andrew Buck entitled Monitoring Employee Email: A Privacy Primer. And, of course, you can use the blog’s “Tags” to navigate to specific content of interest.


Employee monitoring in today’s workplace

May 10, 2010

There’s no question that as we dive deeper into the information age technology will continue to permeate the workplace. Tech gadgets such as iPhones and Blackberries are cheaper and more convenient than ever before.  But as the workplace becomes inundated with these tech tools, businesses increasingly have to ask themselves how they can manage the corresponding legal risks inevitably raised by empowering a legion of employees armed with Smartphones. If only there was “an app for that”!

The “fuel” for many gadgets currently in the workplace is data, which may or may not relate to the employer. And I’m not just thinking of Smartphones provided by the employer.  I’m also thinking of social media websites such as Facebook and Twitter, which are often accessed after work hours on employees’ home computers.

What happens when an employer uses data gleaned from a company-owned iPhone or Blackberry to monitor an employee in the workplace? What about monitoring an employee’s Facebook page? After all, it’s not uncommon for information about an employer or its clients to appear on an employee’s Facebook page. Further, some employees have no second thoughts whatsoever about posting personal messages during paid company time. Many employers are introducing social media policies to mitigate the resulting legal risks. But how far should employers go to protect their interests?

Today’s post is the first in a series that I’ll publish in the coming weeks to provide you with an overview of legal developments regarding monitoring in the workplace, with a focus on employer monitoring of employee social media and Smartphone activities. Upcoming posts will also examine workplace privacy issues related to email, video and GPS monitoring. Stay tuned… 

In the meantime, click here to listen to my recent CJOB|68 radio interview with Human Resources specialist Barbara Bowes in which we discuss privacy issues in the workplace. You may also want to attend a complimentary Social Media in the Workplace webinar that I’ll be providing with a few of my colleagues next week (May 19th). Click here for info and to register (space is limited so register soon).


Why the banks want to be your Facebook friend: Canadian Business Online

April 13, 2010

Canadian Business Online is asking if you “ever wonder who’s checking your Facebook profile? Sure, there are probably the old standbys, like your high-school crush and your nosy co-worker, but you should be aware that there might be someone else checking you out: your banker. Financial institutions of all stripes have been scouring social-networking sites since the days when MySpace was all the rage; now they troll Facebook, Twitter and blogs to find out more about their customers. Don’t be surprised if soon they take the information they’ve found about you and use it to determine your creditworthiness.”

Yours truly was interviewed by Canadian Business Online for this article and, as you’ll see, I comment that I’m not aware of whether, or to what extent, the big banks and credit card companies are using personal information that’s publicly available on social networking websites to determine credit worthiness.  That being said, in the insurance industry “using information from social-networking sites has already become commonplace”. The message that I’d take from this article is that Canadians’ understanding of privacy, and the ground rules for managing publicly available personal information that we willingly post online, is rapidly evolving.  

Read the Canadian Business Online article here.


Israeli military ‘unfriends’ soldier after Facebook leak: BBC

March 18, 2010

In what should serve as a valuable reminder of the need to educate employees about what constitutes acceptable postings on social networking websites, BBC is reporting that “the Israeli military cancelled a planned raid on a Palestinian village after one of its soldiers posted details of the operation on Facebook. The unnamed soldier revealed the time and place of the raid and the name of his unit on the social networking site.”

I’ve previously commented on social networking websites and employer-employee relationships.  This BBC report is just one more example of a situation which may have been prevented with better employee training and a clear social networking policy.  Common sense should, and typically does, guide employees in determining what to post online. Yet, if an Israeli soldier can’t think twice before posting the details of a planned operation it’s easy to see how some employees of Canadian businesses – perhaps yours - unintentionally post valuable corporate information online.


No clear cut protection from YouTube

March 5, 2010

Over the past two weeks nearly a million people around the globe have viewed a couple of YouTube videos filmed and posted by Churchill High School students, which show two of their teachers performing a simulated lap dance.

The identities of the teachers have been widely reported. Now the question is: Could the teachers sue the students for violating their privacy?



Facebook criticized by Canada’s Privacy Commissioner: Canadian businesses can learn from high profile investigation

July 16, 2009

The Office of the Privacy Commissioner of Canada (the “OPC”) has just released an in-depth investigation report into a wide-ranging PIPEDA complaint by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) about the privacy practices of Facebook. There is extensive domestic and international media coverage on this today including a story just posted by New York based Bloomberg News, which includes commentary by yours truly.

While the OPC’s Facebook investigation should be a “must read” for all Facebook users, it also provides some insightful information for Canadian organizations regulated by PIPEDA. The lessons that can be learned from the investigation can be applied by Canadian businesses regardless of whether their activities are online or offline. 

Despite the fact that “[i]t’s clear that privacy issues are top of mind for Facebook…” federal Privacy Commissioner Jennifer Stoddart says that the OPC has found “serious privacy gaps in the way the site operates”. According to Stoddart, in order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care.  An overarching concern of the OPC was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers. The OPC recommends more transparency, to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.

The investigation also raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes. (There are more than 950,000 developers in some 180 countries.) Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information, the investigation found. The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.

The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts, which is a violation of PIPEDA. The law requires organizations to retain personal information only for as long as is necessary to meet appropriate purposes. Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.

Click here to read the OPC’s News Release, here for the full investigation report and here to read a helpful backgrounder.  If you’d like to read more about Facebook, please click on the Facebook link under this blog’s Tags (below).


Social networking websites and employer-employee relationships

June 2, 2009

As I’ve previously discussed, social networking websites such as MySpace and Facebook are provoking new questions about the appropriate boundaries in employee-employer relationships. This is evident in a United States Federal Court case coming to a head in New Jersey. The case pertains to the conduct of a manager who logged into a private social networking website and observed employees slandering company supervisors and customers. Those same employees were later dismissed. The case exemplifies a rapidly expanding “grey area” between an employee’s work life and personal social life. It begs the question, at what point does a “private” comment to a friend made outside of the office constitute defamation, and at what point are such comments simply banter between individuals? Of course, the answer is, it all depends on the facts.

For an interesting discussion on the matter, check out Myrth on a Blog, a personal journal of law, technology and social media.


Information & Ideas team speaks out on slaw.ca

May 29, 2009

It’s been a thrilling week for my colleagues at Pitblado LLP as it was announced earlier this week that we were to be the 1st Canadian law firm to be a guest blogger on the must-read slaw.ca.  Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group as well as our firm’s librarian each contributed one post a day this week to slaw.ca on cutting edge legal topics.  Here’s what we covered…

On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross posted on my blog earlier this week.  The post highlights a YouTube video of an irate customer as a reminder to Canadian businesses of the powers of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy and procedures.

On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter.  As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.

On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions.  For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.

On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.

And last but not least, today Adam Herstein posted “Manitoba: Innovative Fighter of Child Sexual Exploitation”, which focuses on Manitoba’s recent enactment of The Child and Family Services Amendment Act (Child Pornography Reporting) (Manitoba) and how Manitoba is the first province in Canada to enact legislation that makes it mandatory for a person who encounters child pornography to report it to authorities.  Adam also notes that Canada has a national tipline called Cybertip.ca for reporting the sexual exploitation of children.

Thanks to slaw.ca for the opportunity to contribute!


Do you know Internet 101?

April 30, 2009

Are you a parent with children who use the Internet? Do your children have a better understanding of this new and constantly changing technology? Have your children ever texted “fts” or told you to “bma” in an online message? I sure hope not!

If you have children, I’d encourage you to visit the Internet 101 website, which provides some great information to increase your computer knowledge. The site provides excellent resources including Tutorials to help you learn more about the online world, Technical Tips to help keep your computer secure, Chat Lingo to help you learn the online lingo, Popular Online Activities to expose you to what today’s youth are doing online, and an Internet Agreement to be signed between parents and children to help your family stay safe in the online world.

Even if you don’t have children, there is some valuable information on the site worth reading.

