The NDP’s decade of dithering on e-commerce

July 9, 2010

Have you ever wondered if an electronic document like an e-mail or a scanned image can be used instead of a paper document to meet a legal requirement? How about using an electronic signature as opposed to a written signature?

Unfortunately, the provincial government’s dithering over the past decade will not help you answer these important questions.

Manitoba’s e-commerce legislation, called The Electronic Commerce and Information Act, was passed in the Manitoba Legislature in 2000. It was then billed as a cutting edge law that would help Manitobans to prosper in the online world.



NDP dragging its heels on our privacy

February 5, 2010

It’s safe to say that the Alberta provincial government is regarded as being right wing. But Manitoba’s? Not at all. So why then is Alberta light years ahead of Manitoba at protecting workers’ privacy?

Read more>>

The above link takes you to the Winnipeg Sun.  I’m delighted to have been asked by Sun Media Corp. to provide Comment columns like today’s on a monthly basis.  I hope you find them of interest!


A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada

January 25, 2010

I’m very pleased to be able to post the following conversation with Jennifer Stoddart.

Since becoming Canada’s Privacy Commissioner in 2003, Commissioner Stoddart has undoubtedly raised the value of privacy in a time when security, trade, technology and consumer expectations have created a volatile atmosphere for our personal information. I might add that she has accomplished this admirable feat with passion and professionalism.  As a result, Canadians have been exceptionally well-served.

Of course, I’d like to thank Commissioner Stoddart for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Jennifer Stoddart, the Office of the Privacy Commissioner of Canada (the “OPC”) or the issues raised in this conversation, I’d encourage you to visit the OPC’s website and blog.

Q. How did you get involved in the world of privacy?

A. Back in the spring of 2000, I happened to read an article in the New York Times Magazine by the noted American legal scholar Jeffrey Rosen. Prof. Rosen was explaining how personal privacy was being subtly eroded in the digital age. I was fascinated.

I was working at the Quebec Human Rights Commission at the time. The next week, I was asked to head up Quebec’s Access to Information and Privacy Commission, and that’s the field I’ve been in ever since.

Q. But it’s coming to an end.

A. Sadly. My seven-year term as Privacy Commissioner will wind up this year. On the plus side, though, I can look back with considerable pride at the progress we’ve made. The encroachments on privacy in this digital era really are staggering, but that doesn’t mean we’re letting them bowl us over.

Last year’s investigation into a complaint against Facebook was surely the most high-profile example of the kind of influence we have. And beyond that I would say that we’re making a meaningful difference, in countless other ways, every day of the year.

Q. What are the most rewarding aspects of being the Privacy Commissioner of Canada?

A. Certainly one of the most rewarding things for me is to know that our work matters, that it has a real and positive impact on the lives of Canadians.

As you know, it’s become fashionable in some circles to suggest that privacy is pretty much dead in this era of digital exhibitionism. But I think that’s totally wrong. And the best evidence for that was the worldwide response to our Facebook investigation.

Privacy may look different today than it did a generation – or even a decade – ago. But it remains an incredibly important and cherished value to Canadians. And to the extent that my Office can help protect that value, and advance privacy rights, I would say that is the most rewarding aspect of my job.

Q. What do you consider to be the greatest challenges for the Office of the Privacy Commissioner of Canada?

A. Our biggest challenges are the same that preoccupy data-protection authorities around the world: How to safeguard privacy rights in the face of so many rapidly changing technologies. You yourself have blogged about many of them – cloud computing, behavioural marketing, genetic technologies, to name just a few.

We’re seeing unimaginable quantities of data flash around the world, including to countries where data-protection laws are slim to non-existent. We’re also seeing technologies employed in the service of national security and law enforcement, but they’re guarded behind a wall of secrecy.

So the challenges are real, and they are huge.

Q. So how does an Office like yours keep up?

A. I guess the short answer is: By working smarter. We have zeroed in on four priority privacy challenges that are shaping and streamlining our work for the years ahead: information technology, genetic technology, national security and the protection of identity integrity.

We are re-engineering our internal processes to better handle the complaints and inquiries that come to our Office. We’re picking and choosing our privacy audits and our communications and public outreach efforts in order to maximize our impact. We’re ramping up our issuance of guidance, on the theory that an ounce of prevention outweighs a pound of cure. And we’re working with the global data-protection community, since so many of the challenges are international in scope.

But, most important of all, we’ve recently attracted an infusion of very bright, very knowledgeable – and in many cases young – new employees to key positions in our Office. They are really making a difference.

Q. If you could make a few recommendations for Canadian business leaders, what would you say?

A. First I’d thank them for having embraced PIPEDA, the Personal Information Protection and Electronic Documents Act as it came into force over the past nine years. When I look at the situation of our neighbours to the south, where there is no single law at the federal level to protect the personal information of consumers in a commercial setting, I am deeply gratified by the way things can work up here.

Beyond that, I would encourage business leaders to continue to consult the guidelines we issue on specific topics for the purpose of clarifying the responsibilities of organizations under PIPEDA. And we invite them to work with us to fill any other information gaps they may have encountered.

I also want to take this opportunity to mention that data breach notification will become mandatory – and I suspect that will happen sooner rather than later. So I would encourage business leaders to start giving some thought now to how they can bring their processes into compliance. 

Q. Do you have any “privacy-related” predictions for 2010?

A. I don’t think you need a crystal ball to conclude that national security will continue to dominate the privacy landscape in the year ahead. The controversy that erupted over Transport Canada’s deployment of millimetre-wave scanners at Canadian airports was just the first of the privacy-related issues that we can expect to be hearing about in 2010.

And stay tuned for more during and after the Vancouver Olympics. There, one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all the cameras and recordings after the flame is extinguished.

I’ll just mention two other issues of particular interest to our Office, because we will be consulting Canadians on them in the next few months. The first will focus on the tracking, profiling and targeting of consumers by marketers and other businesses, and we’ll be hosting consultation forums on that topic in Toronto in April and Montreal in May. Soon after, we’ll organize another forum to discuss the privacy implications of cloud computing.


Anti-Spam Bill passed in House of Commons

December 1, 2009

Bill C-27, commonly referred to as the “Anti-Spam Bill”, passed third reading in the House of Commons yesterday and has been referred to the Senate. I originally posted about the Anti-Spam Bill being introduced back in April, so don’t count on speedy passage through the Senate.

(Hat tip to @privacylawyer David Fraser for the heads-up!)


“Crossing the picket lines” to privacy

September 8, 2009

Call off the strike, some trade unions are protecting more than their members’ collective bargaining rights. In fact, many unions have taken a proactive approach to privacy by creating policies that attempt to comply with the benchmarks set out in the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”). However, there hasn’t yet been a case summary or court action under PIPEDA that definitively determines whether a union that collects personal information in their general capacity is obligated to observe the rules outlined in the legislation. As a result, some unions are complying with PIPEDA’s obligations to protect their members’ privacy and, regrettably, some unions are not.

The application of PIPEDA is dependent on the existence of a “commercial activity.” Although this term is vague, the case is strong that most union activities are, in fact, captured by PIPEDA. What is certain is the application of Alberta’s privacy legislation, the Personal Information Protection Act (“Alberta’s PIPA”), to the management of personal information by unions. The application of Alberta’s PIPA is not dependent on the existence of a “commercial activity”. As a result, a 2006 Investigation Report from the Alberta Information and Privacy Commissioner found that the collection of personal information by unions in their general capacity subjects them to the requirements found in Alberta’s PIPA. Manitoba’s Bill 219, The Personal Information Protection and Identity Theft Protection Act (the “Manitoba Bill”) is modeled after Alberta’s PIPA. Similar to Alberta’s PIPA, the application of the Manitoba Bill does not depend on whether an organization is engaged in a “commercial activity.”

As I’ve argued in previous posts, the Manitoba Government should support the Manitoba Bill (which was introduced as a private member’s bill by opposition member, Mavis Taillieu). The Manitoba Bill creates a level of certainty with regard to the privacy rights of union members. That’s one of the many reasons why the Manitoba government should “cross the picket lines” to privacy and support the Manitoba Bill in this fall session of the Manitoba Legislature.


Manitoba Ombudsman’s 2008 Annual Report Released

June 25, 2009

The Manitoba Ombudsman’s Office recently released its annual report outlining the activities of its Access and Privacy Division in 2008. Here are some highlights…

Of the 198 new access complaints that were launched, 134 (68%) dealt with “refused access”. This indicates that the provincial government and public bodies either have to be more willing to grant access when requested or do a better job at explaining their rationale for refusing access. Of the 207 cases that were closed in 2008, 38% of the complaints were supported by the Ombudsman, 35% were not supported and 5% were resolved before the Ombudsman could issue a finding. This indicates that all of the complaints brought to the Ombudsman are not without merit. The public appears to have a relatively good understanding of what their rights are under FIPPA and PHIA.

The Ombudsman has also been proactively involved in the development stages of legislation and programs in order to address potential privacy issues. For example, the Ombudsman expressed concerns about the technology used in Enhanced Drivers Licenses (EIC). Radio Frequency Identification chips store the necessary information on the EICs, but the chips are always “on”, meaning that they can be read by unauthorized individuals. This concern is being addressed by providing the cardholder with a protective sleeve. However, if the sleeve is ripped, torn or used improperly, it will not provide the necessary protection. Therefore, the Ombudsman has stressed that it is essential that individuals understand the privacy implications of opting into the EIC program.

The Ombudsman has also been involved in assessing the use of closed-circuit television monitoring by Winnipeg Police, who have agreed to follow the recommendations of the Ombudsman and will not live-monitor the cameras and will work towards developing retention policies and technology to “sever” individuals from images which are not relevant.

Overall, the Ombudsman largely applauds public bodies and government agencies for addressing privacy concerns in the development phases of new programs and legislation. However, it is clear that public bodies need to do a better job of dealing with access requests.


Private-sector privacy law debated in Manitoba

May 21, 2009

The Manitoba Legislature is currently debating Bill 219, The Personal Information Protection and Identity Theft Protection Act.

The Bill has been introduced as a private member’s Bill by Mavis Taillieu of the Opposition Progressive Conservative Party of Manitoba. It seeks to regulate the collection, use and disclosure of personal information by organizations in the private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).  It would also establish a duty for organizations to notify individuals who may be affected when the personal information an organization has collected is lost, stolen or compromised.  Such a requirement would be groundbreaking in Canada (notwithstanding Ontario’s Personal Health Information Protection Act, which has a mandatory breach notification requirement).

Regrettably, the Government of Manitoba indicated in the Legislative Assembly debate last week that it has two primary concerns with the Bill. The first concern is that the Bill lacks an independent oversight body such as a Privacy Commissioner of Manitoba. Legislative rules prevent private member’s Bills from containing financial penalties and so the Bill could not contain such provisions. However, the government could add those provisions in amendments. In fact, I assisted with the drafting of the Bill and would happily provide the government with the relevant provisions. The second concern raised by the government is that the Bill would introduce legislation in Manitoba that (according to the government) would regulate activities in the private sector already governed by PIPEDA. However, PIPEDA does not apply to the activities of private sector organizations in provinces such as Alberta and British Columbia, both of which have Personal Information Protection Acts, because PIPEDA does not apply where “substantially similar” provincial legislation exists.

The Bill was first introduced in 2005 and since that time the need for such a law has significantly grown.  It’s modelled after Alberta’s Personal Information Protection Act, which provides a more business-friendly and clear legislative scheme than PIPEDA.  As I’ve previously argued, it would be good policy for the Government of Manitoba to support the Bill and I once again urge them to do so. 

If you want a more business-friendly privacy law in Manitoba, I’d strongly encourage you to contact the Government of Manitoba and Mavis Taillieu to indicate your support. 

Additional coverage on this topic by the Canadian HR Reporter here.


Pandemics and privacy

April 27, 2009

Over the past couple of years, the world has been preparing for a pandemic. Most experts believed that the avian flu was the most significant threat that faced the world, but recent declarations of a potential pandemic with confirmation of cases in Mexico, the U.S. and Canada from a swine flu have led to fears that the next pandemic is upon us. In the event of a pandemic, the government of Canada has set up a website, which will provide information to the public.

In times of fear, governments and citizens alike often overreact to address a threat.   It is times like this that individuals, in addition to heeding advice about how to avoid the flu, should be vigilant about what measures the government may be taking to address this health crisis.  Last summer, Canada experienced another health crisis when a strain of listeria was found in certain meat products.  Tragically, by the time it was over, 21 people had reportedly died.   The public health crisis was announced mid-August, but a team of researchers at Google later found that searches for the term listeriosis spiked in Canada about a month before the public announcement.  An article published in the Canadian Medical Association Journal indicated that those searches lined up with the peak of the outbreak while the public announcement came while new cases were on the decline. 

The analysis of aggregated search trends has been proposed as a means to fight pandemics and outbreaks of illnesses.  However, even those proposing this analysis have admitted this type of analysis is complicated because it is difficult to know who is searching and why.   In the Government of Canada’s News Release on April 26, 2009, a short privacy policy was cited stating that although Service Canada does not normally use cookies, if you have cookie notifications set on your browser, you would be notified.  However, earlier this month, the same site indicated that the Pandemic Influenza Portal did not normally use cookies to track visitors to the site and that the system would notify you before any cookies were used so you could refuse them with no reference to what your computer settings were. 

This change is a minor one but it may possibly be an indication of the small bits of privacy that Canadians will be expected to give up during these times of concern.


Right to privacy worth $1 million (Cdn)

February 13, 2009

British Columbia’s Supreme Court has awarded a record-setting judgment of over $1 million to a B.C. businessman for invasion of privacy as reported by Canwest News Service.

In 2005, Hal Neumann’s home was searched by the Canada Revenue Agency, who were looking for records and documents he’d already given to the government. The CRA is studying the decision to determine if they will appeal. 

This judgement is significant because it demonstrates that Canadian courts are now willing to award substantial damages for an invasion of privacy.  Public bodies or private sector organizations in Canada that think privacy rights don’t have teeth should reconsider after seeing this groundbreaking decision.


To release or not to release: The Brian Sinclair tragedy

February 12, 2009

If you’re from Winnipeg, you’re well aware of the terrible tragedy of Brian Sinclair, who passed away in the emergency department of the Health Sciences Centre after waiting to see a doctor for 34 hours. Manitoba’s NDP government and the Winnipeg Regional Health Authority (WRHA) have been dealing with the political and legal consequences since Mr. Sinclair’s death last fall.

I was asked yesterday to provide comment to the Winnipeg Sun on the validity of the government’s recent claim that it could not release the first administrative review into the tragedy because of privacy concerns. The story serves as a reminder to government bodies and businesses of the challenges (and need for expert legal counsel) when dealing with access to information and related privacy matters.

A separate story reported at TechCrunch demonstrates the risks when releasing redacted documents to the public. Canadian privacy laws typically require organizations to black out, or redact, portions of documents that contain someone else’s personal information unless that person consents to its disclosure. It’s a time-consuming, but important, step that organizations need to take before disclosing documents under access to information legislation. But, as this story points out, organizations need to be very careful about how they redact!


Feel you have no privacy?

February 5, 2009

Feel you have no privacy? You’re not alone

My May 3, 2006 column in the Winnipeg Free Press examines the Manitoba Ombudsman’s 2003 report, which included a survey indicating that 60% of Manitobans believe that they have less personal privacy than they did in 1998.