In her remarks, Stoddart discussed the challenge of technology, globalized data flows and social change. While reflecting on her years as Canada’s “village elder” in the privacy community, Stoddart commented:

“When I took over as Privacy Commissioner, Facebook didn’t exist. Neither did Twitter, Flickr, YouTube, Google Street View, Foursquare, iPods and all the many novel ways in which people now routinely connect with the rest of the world. And it’s not just technology that’s different; it’s other drivers of change as well. Like real-time globalization, for instance, and the instantaneous worldwide flow of data. It’s the way people embrace and respond to technology. Their expectations of what the technology can do for them, and at what cost. Is it desirable, for example, to buy greater convenience at the cost of less privacy? In light of these colossal changes over the past decade alone, it would be foolish to try to predict what the next decade will hold. But what we can say for certain is that the regulatory framework we have in place now for the protection of privacy and personal information is already being sorely tested.”

Read the Privacy Commissioner’s full remarks here.

In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted. 

These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But, where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.

Have you heard the term “cloud computing“, but aren’t really clear what it means?

Cloud computing is an umbrella term that refers to the use of Internet-hosted computer services. Think of your server — instead of having one in-house server located on company premises, an organization might opt to buy space on a third-party provider’s server. Other options include software hosting and data storage. By purchasing computing services from a variety of Internet-based providers, your computer needs are housed within a larger “cloud” of computer services.

Some organizations are opting for ”Software as a service” (SaaS), and allowing their data to reside on other company’s servers, or “the cloud“. Users only have to buy the space they need, which allows organizations to save money on their technology costs. Other benefits include access to people with technological know-how, flexibility and reduced maintenance costs.

Cloud computing is not new, but is now embedded into the fabric of modern business operations.  In fact, the Los Angeles Times has reported that the city of Los Angeles is considering using Google applications for all of its software needs. 

Privacy issues related to cloud computing, however, are profound. For example, many of the security questions that relate to traditional third-party data hosting were raised when a hacker broke into a Twitter employee’s work e-mail account and stole confidential company documents. The World Privacy Forum, meanwhile, has released a 28-page report on some of the privacy issues that relate to cloud computing. The report concludes that sharing information may expose some business users to liability, and emphasizes the importance of checking a cloud provider’s terms of service, privacy policy, and location.

Canadian businesses that engage in cloud computing should be reminded that they must do so in compliance with applicable privacy laws. For example, the Personal Information and Protection of Electronic Documents Act obliges organizations that transfer personal information to third parties to ensure appropriate security safeguards are in place.

They should also be mindful of the raging debate about the perils of cloud computing that has been underway now for some time. While cloud computing has the potential to provide benefits, organizations should ask themselves whether it is worth the risks it poses. You might save money in the short run, but is it worth the potential of a massive privacy breach? 

As reported by the National Post, the unusual case raises questions about what constitutes a “reasonable expectation” of privacy in a world where digital recorders and handheld wireless devices are omnipresent. As I’m quoted in the story, “[researchers] said some years ago that new privacy rules were going to put existing business practices under a microscope. I think what we’re seeing now is technologies are putting existing legal principles under a microscope.” Fellow blogger Dan Michaluk  is also quoted.

Read the full story here…

It’s been a thrilling week for my colleagues at Pitblado LLP as it was announced earlier this week that we were to be the 1st Canadian law firm to be a guest blogger on the must-read slaw.ca.  Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group as well as our firm’s librarian each contributed one post a day this week to slaw.ca on cutting edge legal topics.  Here’s what we covered…

On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross posted on my blog earlier this week.  The post highlights a YouTube video of an irrate customer as a reminder to Canadian businesses of the powers of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy and procedures.

On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter.  As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.

On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions.  For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.

On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.

And last but not least, today Adam Herstein posted “Manitoba: Innovative Fighter of Child Sexual Exploitation”, which focuses on Manitoba’s recent enactment of The Child and Family Services Amendment Act (Child Pornography Reporting) (Manitoba) and how Manitoba is the first province in Canada to enact legislation that makes it mandatory for a person who encounters child pornography to report it to authorities.  Adam also notes that Canada has a national tipline called Cybertip.ca for reporting the sexual exploitation of children.

Thanks to slaw.ca for the opportunity to contribute!

If you have children, I’d encourage you to visit the Internet 101 website, which provides some great information to increase your computer knowledge. The site provides excellent resources including Tutorials to help you learn more about the online world, Technical Tips to help keep your computer secure, Chat Lingo to help you learn the online lingo, Popular Online Activities to expose you to what today’s youth are doing online, and an Internet Agreement to be signed between parents and children to help your family stay safe in the online world.

Even if you don’t have children, there is some valuable information on the site worth reading.

According to the government’s News Release, the ECPA would allow businesses and individuals to initiate civil actions against anyone who violates the law.  The ECPA deals with unsolicited text messages, or “cellphone spam”, as a form of “unsolicited commercial electronic message”.

It would establish a regulatory enforcement regime that would enable the CRTC to impose penalties of up to $1 million for individuals and $10 million in all other cases.  The Competition Bureau would use a penalty regime already provided for in the Competition Act, and the federal Privacy Commissioner‘s powers to cooperate and exchange information with her counterparts would be expanded in respect of the Personal Information Protection and Electronic Documents Act.

The ECPA is nearly 70 pages long.  Stay tuned to this blog.  As soon as I’ve been able to digest the content I’ll post again on how the ECPA is likely going to affect Canadian businesses, especially those enaged in online marketing.

The Discovery Channel has an interesting online tool that allows you to play a simple scenario by conducting your normal transactions as you would on any given day. Doing so shows you how often you provide your personal information to businesses and governments. You can then play the scenario again to try to reduce your digital footprint. Click here to play!

Businesses can help reduce their customer’s digital footprints by ensuring they only collect the personal information of customers necessary for the purposes identified by the organization and required for particular transactions. Additionally, businesses should avoid collecting personal information indiscriminately. As I’ve mentioned in a previous post, reducing the volume of personal information that a business collects (and is then responsible for safeguarding and destroying in accordance with applicable privacy laws) helps customers to reduce their “digital footprints”.  It also helps businesses to comply with privacy laws like PIPEDA and improve customer relations.

The commissioners point out that ”a common misconception is that a company doesn’t need your permission to take your photograph in a public place.  In fact, one of your key protections under Canadian privacy law is that you should know when your picture is being taken for commercial reasons, and what your image will be used for.  Your consent is also needed.”

The Winnipeg Free Press is also running an excellent story in today’s newspaper, which highlights some of the broader issues related to Google Street View.   Arthur Schafer, a professor at the University of Manitoba and director of the Centre for Professional and Applied Ethics, comments in the story about the related ethical issues while I comment in the story about the related legal issues.

For the basics on metadata, read here. As you’ll learn in more detail, “metadata” is data about data. It’s detailed information that is automatically created about an electronic document when you use Microsoft Word, PowerPoint or Excel. It can include the name of the person or organization that created a document, the date that it was created, the identities of people who modified a document, including the time and day they did so, the name of the computer that was used to create a document and detailed revisions to a document, including past modifications and deleted text not visible on your computer screen. If not properly managed, metadata can help other businesses steal your intellectual property, learn about your business processes and view personal information that you’re legally required to protect under privacy laws.

One practical way to deal with metadata is to use metadata scrubber software. Some are costly but well worth it, including Payne Metadata Assistant and Workshare Protect. There are also free tools available including a Microsoft one (but it is only for Office 2007) and one offered by Javacool Software. Of course, I’d recommend that you work with technology professionals to determine the best metadata scrubber software for your business. Regardless of whether you use one of these or other tools, it’s important that you deal with metadata in some fashion. I hope these links help provide you with a good place to start!  Feel free to Leave a Comment below if you know of other metadata scrubber software worth recommending.

There are a growing number of articles that are highlighting the threat of “cyber-terrorism”.  It’s a scary topic that is surely consuming the time of government technology infrastructure professionals in the U.S. and Canada.  Some of these articles discuss the remote possibility that terrorists may perpetrate cyber-attacks against critical online government and corporate infrastructure.  Other articles discuss the very real possibility that terrorists may simply use the Internet (and the information contained online) to plan attacks in the real world. Don Cavender, a special agent and instructor with the FBI’s Computer Training Unit at Quantico, Virginia, is quoted in an excellent ZDNet article and says that “the worry right now is not so much a cyberterrorism event…but when the terrorists use the Internet to facilitate the planning of these attacks.” 

We all know that the Internet is filling up with vast amounts of data including people’s personal information, as well as corporate and government data.  The lesson that I take from all of these “cyber-terrorism” related articles is that businesses should make sure that they are working with technology professionals to secure their databases and limit the amount of personal information and corporate data available online.  Of course, there are many reasons for businesses to secure their databases and to limit what information is available online.  For example, privacy laws such as Canada’s PIPEDA regulate the safeguarding of personal information.  And, there are good business reasons to limit the availability of proprietary corporate data online.  But, if you ever wished you were Jack Bauer, then here’s your chance to fight terrorism…one corporate move at a time.

After mentioning to a few colleagues that I’d like them to subscribe to this blog using RSS, I realized that I was probably talking to them in “Venusian”. So for all the newbies, here’s a brief explanation of RSS.

RSS stands for “really simple syndication” (or “rich site summary”, depending on which explanation you read). It’s a method of alerting the subscriber to new content. Instead of receiving an email when there’s a new post on a blog, you check your feed reader.

Now, I can hear some people thinking, why would I want to check another site when I’m checking my email a couple of times a day? To that, I say, how much email do you receive? How many newsletters that you get by email do you actually read? The beauty of RSS technology is it lets you do your reading when you’re ready to do it.

As I mentioned, there is one more step you have to take, and that is to set up a feed reader. Fortunately, at least two browsers (IE7 and Firefox) offer built-in readers. Select the “Subscribe via RSS” button

and follow the directions.

If that still doesn’t make sense, here’s what Wikipedia says. For those of you who like a visual explanation, check out RSS in Plain English from the folks at the Common Craft store.  I’m now subscribing to other blogs using RSS.  If RSS isn’t your thing, you can always subscribe to this blog by e-mail.  RSS or e-mail subscription options are provided on the right hand side of the page – I hope you subscribe!

New push to educate on online privacy: Youth can get info on important website

My July 2, 2008 column in the Winnipeg Free Press announces the Privacy Commission of Canada’s new youth privacy site, My Privacy. This is a great site for both parents and their children to view, to help youthful Internet users to be aware of the dangers of ignoring privacy settings as they’re filling out personal information on sites like Facebook and MySpace.

Identity theft, loss of privacy face people in a wired world

My February 7, 2005 column in the Winnipeg Free Press concerns identity theft and workplace surveillance.

Privacy protection should be at top of resolutions: develop policies, procedures in a customer-friendly way

My January 4, 2006 column for the Winnipeg Free Press suggests three cutting edge new year’s resolutions for corporate success.